Overview
User Management supports the built-in LDAP authentication system, as well as external AD, external LDAP (multi-OU supported), and external NIS authentication systems.
Feature Comparison Across Authentication Systems
| Feature | Built-in LDAP | External LDAP | External AD | External NIS |
|---|---|---|---|---|
| Admin user permissions | admin has full platform permissions and can create clusters, run jobs, etc. | admin cannot run jobs, upload/download data, or log in to DM; other permissions are available. | admin cannot run jobs, upload/download data, or log in to DM; other permissions are available. | admin cannot run jobs, upload/download data, or log in to DM; other permissions are available. |
| User management (add/delete/edit users) | Full user management capabilities | No user management; only sync users from the external auth system | No user management; only sync users from the external auth system | No user management; only sync users from the external auth system |
| Group management (add/delete/edit groups) | Group management is supported; groups are consistent with built-in LDAP groups | No group management; only sync groups from the external auth system | No group management; only sync groups from the external auth system | No group management; only sync groups from the external auth system |
| Whether user/group UID/GID matches cluster node UID/GID | Yes | Yes | Yes | Yes |
| Allow/deny login control | Not supported (use account lock to restrict login) | Not supported (use account lock to restrict login). You can set the default lock/normal status for synced users. | Not supported (use account lock to restrict login). You can set the default lock/normal status for synced users. | Not supported (use account lock to restrict login). You can set the default lock/normal status for synced users. |
| User-defined passwords | Supported | Supported | Not supported (passwords are managed in external AD) | Not supported (passwords are managed in external NIS) |
| Admin can change user roles | Supported | Supported | Supported | Supported |
| Change user SHELL / HOME | Supported | Not supported (all POSIX attributes are fetched from the external auth system) | Not supported (all POSIX attributes are fetched from the external auth system) | Not supported (all POSIX attributes are fetched from the external auth system) |
| User expiration time | Supported | Supported | Supported | Supported |
User Lock/Unlock Behavior (Built-in vs External Auth)
During deployment, the platform performs a one-time sync of user and group information. After deployment completes, when admin logs in to the Fastone platform, all synced users and groups are visible.
| Authentication system | State | Notes |
|---|---|---|
| Built-in LDAP | Locked -> Normal | The unlock takes effect 10 to 20 minutes after it is applied; the user status then returns to normal and the user can access the Fastone platform normally. |
| Built-in LDAP | Normal -> Locked | The lock takes effect 10 to 20 minutes after it is applied; from then on the user cannot access any Fastone platform services. |
| External LDAP/NIS/AD | Locked -> Normal | After unlocking, the user can access the Fastone platform immediately. Also remove related restrictions in the external auth system so the user can log in to hosts via SSH or other methods. |
| External LDAP/NIS/AD | Normal -> Locked | After locking, the user cannot log in to the Fastone platform normally. Also apply restrictions in the external auth system to prevent the user from logging in to hosts via SSH or other methods. |
Two-Factor Authentication
FCP supports email-based two-factor authentication (2FA). After it is enabled, it is available in the Web UI, DM client, and User Portal.