Active Directory Linkage Overview
On-premises CAMServer Enterprise makes ID authentication very easy by providing Active Directory linkage. The following can be achieved:
- In the Web App version, the Active Directory authentication ID is shown by default on the login screen.
- Passwordless authentication and OS password authentication can be used for ID authentication.
- CAMServer uses Active Directory's LDAP protocol to determine whether ID authentication succeeds.
Active Directory ID Linkage
When Active Directory ID Linkage is enabled, the login ID is automatically set if the user is Active Directory authenticated.
The login ID can be set automatically only in the Web App version.
Authentication method
Before saving this setting, be sure to complete the LDAP settings first and perform "Test LDAP Settings".
After enabling Active Directory ID linkage, you can optionally select "Passwordless Authentication" or "OS Password Authentication".
*If you want to strengthen authentication, select "OS password authentication".
Passwordless Authentication
When you are logged in to AD, the information that can be obtained is encrypted and used as an authentication token, making it possible to log in to the service without a password. Before enabling this setting, you must configure the "AD user to perform proxy authentication" and run "Test LDAP settings".
・If this setting is enabled, access is possible only from the Web App version.
・If there is a configuration mistake, no one will be able to log in. You can disable the "Passwordless authentication" setting by adding cam.disableADPasswordless=true to the CAMServer/cam.ini file and starting CAMServer. After disabling and starting, review the various settings and be sure to run "Test LDAP settings" before enabling "Passwordless authentication" again. After enabling it, delete cam.disableADPasswordless from cam.ini and then restart CAMServer.
OS Password Authentication
User authentication is performed using the OS password. When registering a new user, please set a suitable temporary password and register. Authentication will be performed using the following flow.
- If "OS password authentication" is successful, the authentication is considered OK and the registered password on C&M is also overwritten.
- If "OS password authentication" fails, authentication will be performed using the password used at the time of C&M registration.
LDAP Settings
LDAPUrl
This is the URL used to search the Active Directory server via LDAP. Specify the address and port in LDAPUrl as needed. If left blank, access is made via ldap://localhost:389. Port 389 is the LDAP default.
LDAPBaseDN
LDAPBaseDN is a value that indicates where on the object tree of the LDAP server the user search will be performed.
If left blank, the domain is taken from the user ID and the value is set automatically. If you want to change it, you can enter multiple entries by separating them with line breaks. Even when it is set, the default "CN=Users, DC=yourdomain, DC=com" is always added automatically.
For example, when searching for a user named user1@camtest.com, the LDAPBaseDN is "CN=Users, DC=camtest, DC=com", which is the default search target, so there is no need to specify it. If you have created a folder other than Users and added a user there, specify the LDAPBaseDN if you want to use it as the search target.
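The base-DN rules above (domain derived from the user ID, configured entries one per line, the default CN=Users container always appended), as an added PowerShell example that is not CAMServer's own code; the function name and parameter names are my own:

```powershell
# Added example (not CAMServer's code): derive the LDAP search bases that the
# LDAPBaseDN setting described above would produce for a given user ID.
function Get-CamSearchBases {
    param(
        [Parameter(Mandatory)][string]$UserId,   # e.g. user1@camtest.com
        [string]$LdapBaseDn = ""                 # LDAPBaseDN setting: one DN per line, may be blank
    )
    # The domain part of the user ID becomes the DC= components of the default base.
    if ($UserId -notmatch '^[^@]+@([^@]+)$') {
        throw "User ID must be in the form user@domain: $UserId"
    }
    $dcPart    = ($Matches[1].Split('.') | ForEach-Object { "DC=$_" }) -join ','
    $defaultDn = "CN=Users,$dcPart"

    # Configured entries (line-separated) are searched first; the default is always
    # appended, as the page states, but only once even if the admin typed it too.
    $bases = New-Object System.Collections.Generic.List[string]
    $seen  = @{}
    foreach ($line in ($LdapBaseDn -split "`r?`n") + $defaultDn) {
        $dn  = $line.Trim()
        $key = $dn.ToLowerInvariant()
        if ($dn -ne "" -and -not $seen.ContainsKey($key)) {
            $seen[$key] = $true
            $bases.Add($dn)
        }
    }
    return $bases.ToArray()
}

# Usage: a user in a custom OU plus the default Users container
# Get-CamSearchBases -UserId 'user1@camtest.com' -LdapBaseDn "OU=Staff,DC=camtest,DC=com"
# -> OU=Staff,DC=camtest,DC=com
#    CN=Users,DC=camtest,DC=com
```

The match in the first check is deliberately strict: a user ID without exactly one "@" cannot yield a domain, so failing early is clearer than searching a malformed base such as "CN=Users," which the server would reject.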
AD user for proxy authentication and testing the LDAP settings
If you use single sign-on with IIS or passwordless authentication, configure the AD user that performs proxy authentication and run "Test LDAP settings".
In the authentication flows above, the AD user performing proxy authentication internally runs an LDAP search to verify whether the login user is a legitimate AD user.
Active Directory synchronization settings
When Active Directory synchronization settings are enabled, information will be retrieved from Active Directory at the specified time and user information in Chat&Messenger will be updated.
The information to be updated is below.
- Username...AD displayName attribute
- Group name...AD department attribute
- Email...AD email attribute
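The two checks behind "Test LDAP settings" for the proxy-authentication AD user (bind with its own credentials, then search for a login user and read the displayName, department and mail attributes that the synchronization list above maps), as an added PowerShell example that is not CAMServer's code. It uses the .NET System.DirectoryServices.Protocols classes shipped with Windows; the server, base DN, user names and the function names are placeholders or my own:

```powershell
# Added example (not CAMServer's code): mimic what "Test LDAP settings" verifies for the
# proxy-authentication AD user, using the .NET LDAP client classes that ship with Windows.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # Escape a value per RFC 4515 so a user ID typed at login cannot alter the search filter.
    param([string]$Value)
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Test-CamLdapSettings {
    param(
        [string]$LdapUrl = "ldap://localhost:389",                    # LDAPUrl default from this page
        [string]$BaseDn  = "CN=Users,DC=yourdomain,DC=com",           # LDAPBaseDN (placeholder domain)
        [Parameter(Mandatory)][pscredential]$ProxyCredential,         # AD user for proxy authentication
        [Parameter(Mandatory)][string]$UserId                         # a Chat&Messenger user ID (UPN) to look up
    )
    $uri   = [Uri]$LdapUrl
    $port  = if ($uri.Port -gt 0) { $uri.Port } else { 389 }
    $ident = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($uri.Host, $port)
    $conn  = [System.DirectoryServices.Protocols.LdapConnection]::new($ident)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($uri.Scheme -eq 'ldaps') { $conn.SessionOptions.SecureSocketLayer = $true }
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Credential = $ProxyCredential.GetNetworkCredential()

    $result = [ordered]@{ BindOk = $false; UserFound = $false; DisplayName = $null; Department = $null; Mail = $null; Error = $null }
    try {
        $conn.Bind()                      # step 1: the proxy user's own credentials must be accepted
        $result.BindOk = $true

        # step 2: search below the base DN the way the proxy user does internally
        $filter = "(&(objectClass=user)(userPrincipalName=$(ConvertTo-LdapFilterValue $UserId)))"
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, $filter,
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@('displayName', 'department', 'mail'))   # attributes the AD sync maps
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$conn.SendRequest($req)

        if ($resp.Entries.Count -eq 1) {
            $result.UserFound = $true
            $attrs = $resp.Entries[0].Attributes
            $map = @{ DisplayName = 'displayName'; Department = 'department'; Mail = 'mail' }
            foreach ($pair in $map.GetEnumerator()) {
                if ($attrs.Contains($pair.Value)) { $result[$pair.Key] = [string]$attrs[$pair.Value][0] }
            }
        }
    } catch [System.DirectoryServices.Protocols.DirectoryException] {
        # wrong proxy password, unreachable server, non-existent base DN, ...
        $result.Error = $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# Usage (placeholder values):
# $cred = Get-Credential 'proxyuser@yourdomain.com'
# Test-CamLdapSettings -LdapUrl 'ldap://dc1.yourdomain.com:389' -BaseDn 'CN=Users,DC=yourdomain,DC=com' `
#     -ProxyCredential $cred -UserId 'user1@yourdomain.com'
```

A BindOk of false with an error points at the proxy user or the LDAPUrl; BindOk true with UserFound false usually means the user lives outside the configured LDAPBaseDN entries, which is the case the page describes for users placed in a folder other than Users. The filter escaping matters because the login ID is attacker-controlled input on the login screen.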
FAQ
Can I create a user that does not exist in Active Directory?
If you do not select "Passwordless" as the authentication method, you can create an account on the Chat&Messenger user management screen and log in even if the user does not exist in Active Directory.
Can I synchronize with Active Directory to automate user addition?
Currently, Chat&Messenger does not automatically add or delete users based on Active Directory users. Therefore, even if Active Directory linkage is enabled, the administrator must create Chat&Messenger users using the user registration screen on the management screen or by uploading CSV.
*CSV upload only adds or changes Chat&Messenger users and does not delete them. Please delete users one at a time from the management screen.
I want to get a list of Active Directory users and create a CSV.
You can obtain a list of Active Directory users with PowerShell's Get-ADUser. Use the UserPrincipalName from this list as the User ID (work email address) on Chat&Messenger when creating the CSV file.
> Get-ADUser -Filter {objectClass -eq "user"} -Properties info
DistinguishedName : CN=user1,CN=Users,DC=***,DC=com
GivenName : ユーザ1
Name : user1
ObjectClass : user
ObjectGUID : bf84cdab-2c21-44cf-aaca-afe493d97f2a
SamAccountName : user1
SID : S-1-5-21-3698402442-2374923176-*****-1104
Surname : ユーザ1
UserPrincipalName : user1@***.com
DistinguishedName : CN=user2,CN=Users,DC=***,DC=com
GivenName : user2
Name : user2
ObjectClass : user
ObjectGUID : 482450a4-482a-40ac-b89b-434605f45571
SamAccountName : user2
SID : S-1-5-21-3698402442-2374923176-*****-1105
Surname : テスト
UserPrincipalName : user2@***.com
# Export the list of AD users as CSV (UserPrincipalName becomes the Chat&Messenger User ID)
> $users = Get-ADUser -Filter {objectClass -eq "user"} -Properties UserPrincipalName, GivenName
> $selectedUsers = $users | Select-Object UserPrincipalName, GivenName
> $selectedUsers | Export-Csv -Path "C:\path\to\output\users.csv" -NoTypeInformation