AD server authentication involves two processes: Kerberos authentication and standard LDAP authentication. The server verifies the administrator DN and password that the client uses to access the AD server, which is how the client's legitimacy is checked. You can configure LDAP over SSL (LDAPS) so that the LDAP exchange is protected by SSL.
Kerberos is a network authentication protocol designed to transmit data securely over insecure, open networks. An important service provided by Kerberos v5 is the key distribution center (KDC). As part of the Active Directory service, the KDC runs on each domain controller. All client passwords and other account information are stored in the KDC. Each domain controller is a KDC by default. Each KDC comprises two components: the authentication service (AS) and the ticket granting service (TGS). Both the client and the server must register with the KDC. The KDC therefore holds the credentials (including IDs and password hashes) of all users in the AD account database, and shares a key with each user and each server.
To increase security, ensure that the administrator password meets the minimum complexity requirement. That is, the password must contain at least six characters drawn from at least three of the following four types: upper-case letters, lower-case letters, digits, and special characters.
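As an added illustration (not part of the original page), the rule above written as a check an administrator can run before setting the password. The page does not define which characters count as "special"; the code assumes ASCII punctuation.

```python
import string

# The four character types named in the guidance. Treating ASCII punctuation
# as the "special characters" type is an assumption, not something the page
# states.
_CLASSES = {
    "upper-case letters": set(string.ascii_uppercase),
    "lower-case letters": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "special characters": set(string.punctuation),
}
MIN_LENGTH = 6   # at least six characters
MIN_CLASSES = 3  # drawn from at least three of the four types


def check_admin_password(password: str) -> list[str]:
    """Return the list of unmet requirements; an empty list means the
    password satisfies the minimum complexity rule."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    present = [name for name, chars in _CLASSES.items()
               if any(c in chars for c in password)]
    if len(present) < MIN_CLASSES:
        missing = [n for n in _CLASSES if n not in present]
        problems.append(
            f"only {len(present)} of {MIN_CLASSES} required character "
            f"types present (missing: {', '.join(missing)})")
    return problems


def meets_complexity(password: str) -> bool:
    """True when the password passes every check."""
    return not check_admin_password(password)


if __name__ == "__main__":
    # Constructed sample values; Admin@1234 is the password used in the
    # page's own configuration example.
    for pw in ("Admin@1234", "admin123", "Ab1!", "PASSWORD1", "Passw0rd"):
        print(f"{pw!r}: {check_admin_password(pw) or 'OK'}")
```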
Configure the administrator DN and password used to access the AD server:

<HUAWEI> system-view
[HUAWEI] ad-server template temp1
[HUAWEI-ad-temp1] ad-server authentication manager cn=manager Admin@1234 Admin@1234
Configure the AD server address and port, with LDAP over SSL enabled:

<HUAWEI> system-view
[HUAWEI] ad-server template temp1
[HUAWEI-ad-temp1] ad-server authentication 10.1.1.1 636 ldap-over-ssl
Run the display ad-server template command to check whether the configuration of the AD server template is correct.