User Authentication Configuration
The settings described in this document are located in the User Authentication Configuration section.
Two-Factor Authentication
To improve platform security, you can enable two-factor authentication (2FA). This feature is disabled by default.
Once enabled, users must enter a one-time verification code sent to their bound email address in addition to the primary login check before they can sign in successfully.
Before enabling two-factor authentication, make sure that:
all relevant users have valid email addresses bound to their accounts.
you have correctly configured the mail server in Notification Configuration, otherwise verification emails cannot be delivered.
Authentication Methods
This section contains configuration items related to platform user authentication and supports the following methods:
Use Built-in LDAP for User Authentication
Built-in LDAP is the default authentication method. After you choose Use built-in LDAP for user authentication, fill in the following fields:
| Parameter | Type | Description | Default | Required |
|---|---|---|---|---|
| Linux user home directory | Parameter | Sets the Linux home directory for users. | /fastone/users | No |
| Linux user login shell | Parameter | Sets the Linux login shell for users. | /bin/bash | No |
Use External LDAP for User Authentication
After you choose Use external LDAP for user authentication, fill in the following fields:
| Parameter | Type | Description | Default | Required |
|---|---|---|---|---|
| User import interval | Parameter | Sets the user import interval in ptsm duration format, for example 1H for one hour or 1D for one day. | 1D | No |
| Lock new users | Option | Controls whether newly imported users are locked. | Yes | No |
| External LDAP base DN | Parameter | Sets the base DN of the external LDAP service. User and group entries are searched within this base. | Yes | |
| External LDAP URI | Parameter | Sets the URI of the external LDAP service. Use the IP address or domain name with port 389. If multiple LDAP servers are required, provide multiple URIs. Example: ldap://172.10.0.1:389 ldap://172.10.0.2:389 | Yes | |
| External LDAP bind DN | Parameter | Sets the bind DN for the external LDAP service. This is a read-only account, for example cn=readonly,dc=fastonetech,dc=com. The account must have read permission on ldap_base, and it can be a user within ldap_base. | Yes | |
| External LDAP bind password | Parameter | Sets the password of the read-only LDAP account. | Yes | |
| External LDAP TLS certificate (optional) | Parameter | Sets the TLS certificate used by the external LDAP service. Only TLS certificates are supported. SSL certificates are not supported. | No | No |
Use External AD for User Authentication
If you choose external AD authentication, first configure the AD domain controller and create the required user entries. See this document for details.
After you choose Use external AD for user authentication, fill in the following fields:
| Parameter | Type | Description | Default | Required |
|---|---|---|---|---|
| User import interval | Parameter | Sets the user import interval in ptsm duration format, for example 1H for one hour or 1D for one day. | 1D | No |
| Lock new users | Option | Controls whether newly imported users are locked. | Yes | No |
| External AD base DN | Parameter | Sets the base DN of the external AD service. User and group entries are searched within this base. | Yes | |
| External AD URI | Parameter | Sets the URI of the external AD service. Use the IP address or domain name with port 389. If multiple AD servers are required, provide multiple URIs. Example: ldap://172.10.0.1:389 ldap://172.10.0.2:389 | Yes | |
| External AD bind DN | Parameter | Sets the bind DN for the external AD service. | Yes | |
| External AD bind password | Parameter | Sets the bind password for the external AD service. | Yes | |
| External AD TLS certificate (optional) | Parameter | Sets the TLS certificate used by the external AD service. Only TLS certificates are supported. SSL certificates are not supported. | No | No |
| External AD domain | Parameter | Sets the domain of the external AD service. | Yes |
Use External NIS for User Authentication
After you choose Use external NIS for user authentication, fill in the following fields:
| Parameter | Type | Description | Default | Required |
|---|---|---|---|---|
| User import interval | Parameter | Sets the user import interval in ptsm duration format, for example 1H for one hour or 1D for one day. | 1D | No |
| Lock new users | Option | Controls whether newly imported users are locked. | Yes | No |
| NIS domain name | Parameter | Sets the domain name of the NIS service. | Yes | |
| NIS server | Parameter | Sets the NIS server. | Yes |
Use OIDC for User Authentication
After you choose Use OIDC for user authentication, fill in the following fields:
| Parameter | Type | Description | Default | Required |
|---|---|---|---|---|
| Linux user home directory | Parameter | Sets the Linux home directory for users. | /fastone/users | No |
| Linux user login shell | Parameter | Sets the Linux login shell for users. | /bin/bash | No |
| Client ID | Parameter | Sets the OIDC client ID. | Yes | |
| Client secret | Parameter | Sets the OIDC client secret. | Yes | |
| Issuer URL | Parameter | Sets the OIDC issuer URL. | Yes | |
| OIDC user attribute mapped to the platform username | Parameter | Sets the OIDC user attribute used to map to the platform username. | username | No |
| Session validation interval | Parameter | Sets the OIDC session validation interval in ptsm duration format, for example 1H for one hour or 1D for one day. | 1H | No |