orchestrator
2023.10
false
在 Active Directory 适配器之间切换
Orchestrator 用户指南
在 Active Directory 适配器之间切换
UiPath™ Identity Server 为两个 Active Directory 适配器提供支持:
ad
和 ldapad
。
-
ad
适配器:仅在独立部署中工作的旧版适配器。ad
适配器仅在 Windows 上运行,并且支持外部信任域和 NTLM,为未加入域的客户端进行身份验证提供支持。 -
ldapad
适配器:2021 年 10 月推出的适配器。ldapad
适配器适用于独立部署和 Automation Suite 部署,并且不支持外部信任域和 NTLM 对未加入域的客户端进行身份验证。
部署 |
ad 适配器
|
ldapad 适配器
|
---|---|---|
单机版 |
支持 备注:
支持外部信任域和 NTLM - 支持未加入域的客户端进行身份验证。 |
支持 |
备注:
版本 2021.10 之前的所有启用了 Active Directory 集成的部署在升级后都会保留
ad
适配器。启用 Active Directory 集成后,所有其他部署都会默认获取 ldapad
适配器。
要确定适配器类型,可以执行 SQL 查询,以检查 如果是
[identity].[DirectoryConnections]
表中的适配器类型。SELECT dc.* from [identity].[DirectoryConnections] dc
JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId]
WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[IsDeleted]=0
SELECT dc.* from [identity].[DirectoryConnections] dc
JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId]
WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[IsDeleted]=0
[Type]=ad
,则表示正在使用 ad
适配器。如果是 [Type]='ldapad'
,则表示正在使用 ldapad
适配器。
备注:
仅在独立部署中支持此操作。
要将
ldapad
切换到 ad
,请执行以下操作:
-
确保以下查询返回一行,以检查
ldapad
适配器是否已启用。SELECT dc.* from [identity].[DirectoryConnections] dc JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId] WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[Type]='ldapad' AND dc.[IsDeleted]=0
SELECT dc.* from [identity].[DirectoryConnections] dc JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId] WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[Type]='ldapad' AND dc.[IsDeleted]=0 -
连接到 Orchestrator/Identity 数据库并运行下面的脚本,确保将
FQDN-OF-DOMAIN
替换为默认域/主域的完全限定名称。在 UiPath 主机门户中启用 Active Directory 集成后,以下 SQL 脚本会更新 Active Directory 用户和组的DirectoryId
,软删除ldapad
目录连接,并创建ad
目录连接。-- convert users IF OBJECT_ID('tempdb..#tmp_ldap_users') IS NOT NULL DROP TABLE #tmp_ldap_users SELECT [Id], [MasterPartitionId], CONCAT('ad', SUBSTRING([DirectoryId], 7, 256)) AS [DirectoryId] INTO #tmp_ldap_users FROM [identity].[AspNetUsers] WHERE [DirectoryId] LIKE 'ldapad|%' AND [IsDeleted]=0 --SELECT * FROM #tmp_ldap_users DELETE tmp FROM #tmp_ldap_users tmp JOIN [identity].[AspNetUsers] u ON u.[MasterPartitionId]=tmp.[MasterPartitionId] AND u.[DirectoryId]=tmp.[DirectoryId] --SELECT * FROM #tmp_ldap_users UPDATE u SET u.[DirectoryId]=tmp.[DirectoryId] FROM [identity].[AspNetUsers] u JOIN #tmp_ldap_users tmp on tmp.[Id]=u.[Id] -- create 'ad' directory connection DECLARE @HostPartitionId int -- host partition id SELECT @HostPartitionId = [Id] FROM [identity].[Partitions] WHERE [GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' UPDATE [identity].[DirectoryConnections] SET [IsDeleted]=1, [DeletionTime]=GETUTCDATE() WHERE [PartitionId]=@HostPartitionId AND [Type]='ldapad' and [IsDeleted]=0 SELECT * FROM [identity].[DirectoryConnections] WHERE [PartitionId]=@HostPartitionId AND [Type]='ad' and [IsDeleted]=0 IF @@ROWCOUNT=0 INSERT INTO [identity].[DirectoryConnections] ([PartitionId], [Type], [CreationTime], [Configuration], [IsDeleted]) VALUES (@HostPartitionId, 'ad', GETUTCDATE(), '{ "Domain": "<FQDN-OF-DOMAIN>" }', 0) SELECT * FROM [identity].[DirectoryConnections] WHERE [PartitionId]=@HostPartitionId AND [IsDeleted]=0
-- convert users IF OBJECT_ID('tempdb..#tmp_ldap_users') IS NOT NULL DROP TABLE #tmp_ldap_users SELECT [Id], [MasterPartitionId], CONCAT('ad', SUBSTRING([DirectoryId], 7, 256)) AS [DirectoryId] INTO #tmp_ldap_users FROM [identity].[AspNetUsers] WHERE [DirectoryId] LIKE 'ldapad|%' AND [IsDeleted]=0 --SELECT * FROM #tmp_ldap_users DELETE tmp FROM #tmp_ldap_users tmp JOIN [identity].[AspNetUsers] u ON u.[MasterPartitionId]=tmp.[MasterPartitionId] AND u.[DirectoryId]=tmp.[DirectoryId] --SELECT * FROM #tmp_ldap_users UPDATE u SET u.[DirectoryId]=tmp.[DirectoryId] FROM [identity].[AspNetUsers] u JOIN #tmp_ldap_users tmp on tmp.[Id]=u.[Id] -- create 'ad' directory connection DECLARE @HostPartitionId int -- host partition id SELECT @HostPartitionId = [Id] FROM [identity].[Partitions] WHERE [GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' UPDATE [identity].[DirectoryConnections] SET [IsDeleted]=1, [DeletionTime]=GETUTCDATE() WHERE [PartitionId]=@HostPartitionId AND [Type]='ldapad' and [IsDeleted]=0 SELECT * FROM [identity].[DirectoryConnections] WHERE [PartitionId]=@HostPartitionId AND [Type]='ad' and [IsDeleted]=0 IF @@ROWCOUNT=0 INSERT INTO [identity].[DirectoryConnections] ([PartitionId], [Type], [CreationTime], [Configuration], [IsDeleted]) VALUES (@HostPartitionId, 'ad', GETUTCDATE(), '{ "Domain": "<FQDN-OF-DOMAIN>" }', 0) SELECT * FROM [identity].[DirectoryConnections] WHERE [PartitionId]=@HostPartitionId AND [IsDeleted]=0 -
通过在提升的提示符下运行
iisreset
来重新启动身份应用程序池。
-
确保以下查询返回一行,以检查
ad
适配器是否已启用。SELECT dc.* from [identity].[DirectoryConnections] dc JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId] WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[Type]='ad' AND dc.[IsDeleted]=0
SELECT dc.* from [identity].[DirectoryConnections] dc JOIN [identity].[Partitions] p ON p.[Id]=dc.[PartitionId] WHERE p.[GlobalId]='FEB0DD79-85B6-483B-B297-0E49A1AA5B7D' AND dc.[Type]='ad' AND dc.[IsDeleted]=0 -
在主机门户中禁用 Active Directory 集成。
-
在主机门户中重新激活 Active Directory 集成。