Add LDAP users and groups
Use one of the following methods to add LDAP users:
Create an LDAP user—Applicable to scenarios where a single user or a few number of users will be added.
Import LDAP users—Applicable to scenarios where a large number of users will be added in a short time. For example, use this method to import all user information to a newly deployed VDI environment.
Synchronize users from a third-party server—Applicable to scenarios where users need to be manually synchronized from third-party account authentication platforms (such as JIT, IDLINK, and China Bank's identity management platform) to the management platform.
Import third-party system accounts—Applicable to scenarios where third-party system accounts (such as WeCom and DingTalk accounts) are imported into the management platform. Third-party system account import is supported only in scenarios other than the education scenario.
Create an LDAP user
Procedure
From the left navigation pane, select Users > LDAP Users or Users > LDAP Users > User group name.
Click Create User .
Select Add New User, and then click Next.
Configure basic parameters and extension parameters for the user, and then click Next.
Configure third-party login, phone number, DingTalk account, WeCom account,
QuantumCTek authentication, and Google authenticator as needed, and then click NextVerify that the configuration is correct.
Click OK.
Parameters
Basic information
LDAP Server: Select a common LDAP authentication server. The user account information of the LDAP user will be synchronized to the selected server.
User Type: Select a user type. Options include Common, Student, and Faculty. This parameter is available only in an office-education hybrid scenario. You can create common users in an office scenario, and student users and faculty users in an education scenario. Student users can log in to the student desktop client and faculty users can log in to the teacher desktop client.
Login Name: Account used by the user to log in to the desktop client. The value is a string of up to 20 characters.
User Name: Name of the local user. In an education scenario, the value is the name of a student if the user type is student and the name of a teacher if the user type is faculty.
Login Password: Password used by the user to log in to the client. The password must be longer than six characters. As a best practice to enhance password security, enter a password that contains a minimum of three character types from uppercase letters, lowercase letter, digits, and special characters.
Confirm: Enter the login password again to confirm it.
User Group: User group to which the user belongs. A student user can belong only to one user group of the class type. Other types of users each can belong to multiple user groups.
Access Policies: Access policies used to restrict the time when the user can access a cloud desktop or course desktop and the IP address used by the user to access the desktop. Configure this parameter if a user account is required for login.
Status: Enabled by default. If this option is disabled, the user cannot log in to the client or the user self-service system.
OU: Organization unit to which the LDAP user belongs on the general LDAP authentication server. You can view users and user groups under a child OU directly in a parent OU.
Private Disk: Whether to enable private disk for the user. If you enable private disk, you must set the private disk size. You cannot disable the private disk once it is enabled. For more information about private disk configuration, see private disk settings in "Configure system parameters." With private disk enabled, the user can attach its private disk to its cloud desktop regardless if its endpoint. After the user logs in to the desktop, it can open the private disk tray in the lower-right corner of the desktop to attach its private disk to the desktop. Data in the private disk can survive a desktop reboot or power off. Only Windows and Kylin operating system VDI cloud desktops support private disks.
Samba Sharing: Before enabling this feature, you must configure Samba shared server parameters on the System > External Services > Third-Party System Collaboration page. With this feature enabled, you can use Samba sharing services. For more information about the Samba shared server configuration, see Advanced Parameters.
Samba Sharing Path: Specify the path of shared files on the Samba shared server, which contains the user login name and user ID.
Extension information
Gender: Select the user gender, male or female. This parameter is available for a student user or a faculty user.
Age: Specify the age of the user.
Organization: Specify the organization of the user.
Department: Specify the department of the user.
Date of Hire: Specify the date when the user was hired.
Identity Number: Identity number of the user. For example, you can enter the identity number on the user's identity card or passport. The identity number is a string of up to 32 characters.
Email: Email address of the user, which is a string of up to 256 characters. The value must be in standard format, for example, [email protected].
Address: Contact address of the user.
Bind Endpoint IP Address: Specify the endpoint IP addresses that can be used by the user to connect to the cloud desktop. You can enter an IP address or a hyphenated IP address range in each line. If you do not specify an IP address or IP address range, the user can use any endpoint IP address to connect to the cloud desktop.
Bind Endpoint MAC Address: Select whether to bind endpoint MAC addresses to the user. The user can use only the bound endpoint MAC addresses to access the desktop. To allow the user to use the endpoint MAC address at the first login to access the desktop, select Bind First-Login MAC Address. You do not need to enter the first-login MAC address. To bind other endpoint MAC addresses to the user, you must manually enter the MAC addresses. You can enter a MAC address in each line.
Expire At: Expiration time of the user. If scheduled user clearing is disabled, the client displays an expiration reminder after the user expires. If scheduled user clearing is enabled, Space Console will delete the user when it expires. If this field is empty, the user will never expire.
User Validity Period (Days): If a user has not logged in to the cloud desktop within the specified validity period, the user will be disabled. A value of 0 means the user validity period is not limited.
Authentication
Third-Party Login: Select whether to enable third-party login. After you enable third-party login, a user can log in through SMS, DingTalk one-time password and QR code, WeCom one-time password and QR code. Third-party login is supported only by VDI clients.
Phone: Phone number of the user. As a best practice, configure this parameter if SMS authentication is enabled.
DingTalk Account: Specify the DingTalk account that binds to the user. If you do not specify this parameter, the DingTalk account uses the user login name by default. This parameter is not supported in the education scenario.
WeCom Account: Specify the WeCom account that binds to the user. If you do not specify this parameter, the WeCom account uses the user login name by default. This parameter is not supported in the education scenario.
QuantumCTek Auth: Select whether to enable QuantumCTek authentication. When QuantumCTek authentication is enabled, the user must bind a USB key provided by QuantumCTek for login authentication when it logs in to the client installed on a Windows endpoint through its username and a password. The user can log in to the client only after it binds to the USB key successfully. Before enabling QuantumCTek authentication, you must configure QuantumCTek authentication parameters on the System > Auth Collaboration > Secondary Auth > QuantumCTek Auth page. QuantumCTek authentication is supported only by VDI clients.
Google Authenticator: Select whether to enable Google Authenticator. With Google Authenticator enabled, when a user logs in to the client, the user must enter a username and password and then enter the one-time password obtained from Google Authenticator. You cannot enable Google Authenticator with
QuantumCTek Auth or Third-Party Login simultaneously. If RADIUS authentication is enabled, Google Authenticator does not take effect. When Google Authenticator is enabled, make sure the system time of the NTP server is consistent with the time of the time zone where the user endpoint resides.
Import LDAP users
As a best practice, download the LDAP user template file, add LDAP user information to the template file, and then upload the file back to the Space Console.
Procedure
From the left navigation pane, select Users > LDAP Users or Users > LDAP Users > User group name.
Click Create User.
Select Import Users from File.
Click Download Template and add LDAP user information to the downloaded template file.
Upload the file back to the Space Console and configure other import parameters.
Click Next.
Verify that the configuration is correct.
Click OK.
Parameters
Import Method: Options are Add and Modify. If you select Modify, modifications to the user expiration time, description, and contact address are synchronized to the LDAP server. Modifications to other parameters are synchronized to the local database.
Import File: Upload the file that contains LDAP user information. The encoding format of the file must be GBK.
Delimiter: By default, the value is a comma (,). The value is not user configurable.
LDAP: Select a general-purpose LDAP authentication server. The successfully imported user accounts will be automatically sent to the selected LDAP server.
User Group: Select a method to assign the imported users to user groups. The following options are available:
Import—To import user groups in the file and assign the users to the user groups, select this option. If a user group does not exist on the Space Console, the Space Console will create that user group and import the corresponding users to that user group.
Existing Group—To assign the users to one or multiple existing user groups on the Space Console, select this option. For student users, you must select an existing class group.
Create—To create a user group and assign the users to the user group, select this option.
Specify User Type: Select a user type. The following options are available:
Import—To import the user type of each user in the file, select this option.
Existing Type—To specify a user type for all imported users, select this option.
Select a column in the file for each user parameter. The column selected for a parameter must be the same as the column of that parameter in the file.
Synchronize users from a third-party server
Perform this task to manually synchronize user accounts on a third-party platform to Space Console. The system automatically synchronizes user accounts on a third-party platform to Space Console at 3:40 every day. The third-party platforms include JIT, IDLINK, and China Bank's Identity Management Platform. Before configuring this feature, complete third-platform settings from the System > Auth Collaboration > Account Collaboration > Third-Party Account Docking page.
To synchronize user accounts:
From the left navigation pane, select Users > LDAP Users or Users > LDAP Users > User group name.
Click Create User.
Select Sync Users from Third-Party Server, click Next.
Confirm the third-party server information, select a local group (only supported by JIT) ,and then click OK.
Import third-party system accounts
Perform this task to import third-party system accounts, and set up mapping entries between these accounts and existing users on Space Console. This task is not supported in the education scenario.
| You can configure this feature only for DingTalk or WeCom accounts of existing users on Space Console, and the system will update DingTalk or WeCom accounts for these users based on the imported file. You cannot configure this feature for users that do not exist on Space Console. |
To import third-party accounts:
From the left navigation pane, select Users > LDAP Users or Users > LDAP Users > User group name.
Click Create User.
Select Import Third-Party System Accouts, click Next.
Click Download Template, enter user information in the template, click Select File, select the template, and then click Next.
Verify that the configuration is correct, and click OK.
Create an LDAP user group
Procedure
From the left navigation pane, select Users > LDAP Users or Users > LDAP Users > OU name.
Click Create User Group.
In the dialog box that opens, configure LDAP user group parameters.
Click OK.
Parameters
LDAP Server: Select a general-purpose LDAP authentication server. The successfully imported user accounts will be automatically sent to the selected LDAP server.
Parent Group: Parent group of the LDAP user group. If the parent group is the root group, the value for this field is a slash (/).
Group Name: Name of the LDAP user group.
Class Or Not: Select whether the LDAP user group is a class. If the group is a class, you must select a grade level for the class. This parameter is available only in an education scenario or in an office-education hybrid scenario.
Grade Level: Grade level of the class. You can create a grade level in the Manage Grade Levels dialog box. This parameter is available only in an education scenario or in an office-education hybrid scenario.
Access Policy: Select an access policy to limit user access to cloud desktops or course desktops by time and IP address.
OU: Organization unit (OU) to which the user group belongs on a general LDAP server. After you select an OU, you must select users added to this user group.
Create a grade level (education scenario)
In the current software version, ARM hosts do not support grade level management.
Procedure
From the left navigation pane, select Users > LDAP Users.
Click Manage Grade Levels in the upper-right corner of the page.
Click Create.
In the dialog box that opens, configure the grade level name and the lower-level grade.
Click OK.
The new grade level is displayed in the Manage Grade Levels dialog box, and you can delete an existing grade level.
Parameters
Grade Level Name: Name of the grade level. The value can contain only letters, Chinese characters, digits, underscores (_), and hyphens (-), and it cannot contain an at sign (@) or pound sign (#).
Lower-Level Grade: Grade level lower than the current grade level. The lower-level grade can be upgraded to the current grade level.