title: Explicit Authentication with Active Directory | abcdesktop.io description: Configure abcdesktop.io explicit authentication against Microsoft Active Directory: LDAP bind, UPN, service account credentials, and subnet discovery via AD Sites and Services. keywords: Active Directory, LDAP, explicit authentication, AD, Windows domain, UPN, service account, abcdesktop, Kubernetes tags: - authentication - Active Directory - LDAP
Authentication explicit for Microsoft Active Directory Services
authmanagers explicit Object
The explicit authentication configuration is defined as a dictionary object that contains one or more named provider entries, each corresponding to a Windows domain.
For example:
'explicit': {
'show_domains': True,
'default_domain': 'AD',
'providers': {
'AD': {
'config_ref': 'adconfig',
'enabled': True
}
}
| Variable name | Type | Description |
|---|---|---|
show_domains |
boolean | Controls whether the domain name is listed in the API getclientdata response. The default value is False. |
default_domain |
string | The default domain name prefix applied when the user's login format does not include a domain prefix (e.g., DOMAIN\USER). If the user logs in as USER, the login is prefixed as default_domain\USER. |
providers |
dictionary | { 'AD': { 'config_ref': 'adconfig', 'enabled': True }} |
Providers Configuration
The provider authentication configuration is defined as a dictionary object that must include a key name. The key name must match the USERDOMAIN value and must correspond exactly to the key used in the config_ref dictionary.
Providers:
The provider is formatted as a dictionary:
{ 'AD': {
'config_ref': 'adconfig',
'enabled': True
}
}
| Variable name | Type | Description |
|---|---|---|
| config_ref | string | For increased readability, the USERDOMAIN configuration is defined in a dedicated dictionary using the key-value pair 'config_ref': 'adconfig', where the key is config_ref and the value is the name of the dictionary variable. |
| enable | boolean | Enables or disables the domain entry. |
In this example, the Microsoft Active Directory environment variables are configured as follows:
| Variable name | Value for example |
|---|---|
USERDOMAIN |
AD |
USERDNSDOMAIN |
AD.DOMAIN.LOCAL |
The adconfig is a dictionary. For example:
adconfig : {
'AD': {
'default': True,
'reduce_roles_for_jwt': 'cn',
'ldap_timeout': 5,
'ldap_connect_timeout': 2,
'ldap_basedn': 'DC=ad,DC=domain,DC=local',
'ldap_fqdn': '_ldap._tcp.ad.domain.local',
'domain': 'AD',
'domain_fqdn': 'AD.DOMAIN.LOCAL',
'kerberos_realm': 'AD.DOMAIN.LOCAL',
'auth_type': 'NTLM',
'krb5_conf': '/etc/krb5.conf',
'users_ou': 'DC=ad,DC=domain,DC=local',
'auth_protocol' : { 'ntlm': False, 'cntlm': False, 'kerberos' : True, 'ldif': False },
'servers': [ 'ldaps://srv1.domain.local', 'ldaps://srv2.domain.local','ldaps://srv3.domain.local' ]
# 'serviceaccount': { 'login': 'SVCACCOUNT', 'password': 'SVCACCOUNTPASSWORD' }
} }
Replace each variable value with settings specific to your Active Directory environment.
| Variable name | Type | Description | Example |
|---|---|---|---|
default |
boolean | Use this domain as the default domain | True |
ldap_basedn |
string | LDAP Base Distinguished Name | DC=ad,DC=domain,DC=local |
ldap_fqdn |
string | LDAP SRV record for the domain | _ldap._tcp.ad.domain.local |
domain_fqdn |
string | Domain fully qualified domain name (FQDN) | AD.DOMAIN.LOCAL |
servers |
list of string | List of Active Directory server addresses | [ '192.168.1.12', '192.168.1.13' ] |
kerberos_realm |
string | Kerberos realm name (must be in UPPER CASE) | AD.DOMAIN.LOCAL |
reduce_roles_for_jwt |
string or None | Defines the role representation in the user's JWT | 'cn', 'raw' or None |
servers |
list | List of LDAP server URIs | [ 'ldaps://srv1.domain.local', 'ldap://192.168.1.2'] |
Service Account
'serviceaccount': { 'login': 'SVCACCOUNT', 'password': 'SVCACCOUNTPASSWORD' }
serviceaccount is an optional credential configuration. When provided, it allows pyos to query the Active Directory service and retrieve subnet and site location information from the sites container at 'CN=Subnets,CN=Sites,CN=Configuration,' + BASE_DN (for example, CN=Subnets,CN=Sites,CN=Configuration,DC=example,DC=com).