Active Directory and LDAP User Import

Macula allows you to import users and user groups from the existing Active Directory/LDAP service database. The only thing that is left to do is to specify permissions for the imported users and/or user groups (referred to as AD users further in this topic).

Please keep in mind that in multi-server systems (using Macula Enterprise), all recording servers must belong to the domain for the AD/LDAP imported users to be able to access their resources: streams and the recorded video archive. If some of the servers are outside the domain, external users will be unable to connect to them (this happens automatically, in the background) and there will be errors instead of the video streams.

Active Directory and LDAP user import is available in the following Macula versions:

  • Macula Enterprise - fully supported for all versions

  • Macula Professional v.1.4.1 - 10 users

  • Macula Professional v.1.5.0 and newer - fully supported

AD/LDAP imported user accounts can be used to log into Macula Console, Macula Monitor, and Web client for Macula Streaming Server. These user accounts cannot be used in Macula Mobile applications at this point.

Note that it is not necessary for you to be logged into Windows under the same AD account; rather, once AD accounts are imported as external users into Macula, you can use any valid AD account credentials to log into Macula Console or Macula Monitor. Also, note that you are always required to enter the password for the AD account, even if you are logged in under the same user account in your current Windows session.

If you are using AD/LDAP user accounts for the Web login, we strongly recommend that you turn on HTTPS for enhanced safety. Plain HTTP will work, too, but is not recommended for security reasons.

In order to use your imported AD account with Macula, type in your full domain name and user name, and then specify the password. Please see the description below on how to add your AD users into Macula.

Add Active Directory and LDAP Users

In Macula Console, open the Configuration section and choose Users from the menu on the left; then, click the little arrow next to the +New user button and choose New external user group from the drop-down list.

On the Details tab, click the Change button next to the empty External group field in order to load the available AD group list in a separate dialog box.

Macula will automatically fetch all user groups available via your Windows AD service. Pick a group from the list of available AD user groups and confirm your choice either with a double-click or using the OK button below.

The selected user group will appear in the External group field on the Details tab. Switch to the Members tab to view the imported user list.

On the Membership tab, you can choose an internal user group to contain the newly imported external user group (nested grouping). All user permissions inherited from the higher level group will be applied to the members of the imported external user group and will be displayed as grayed out in the Resources tab.

If you have decided to make no nested groups or wish to add more permissions specifically to the AD user group, go to the Resources tab to manage the user permissions.

Select resources by adding at least one permission; remove them by clearing the permissions using the Clear button below, or simply by double-clicking them in the Selected resources list.

Click OK when you have finished to return to Users; the newly created external user group, as well as all users contained in that AD group, will be added to the item list. Use the buttons on the upper panel to edit the group details at any time. If there are a large number of user accounts, the Search field in the upper-right-hand corner and the content filters in the bottom panel can help you quickly find the accounts you are looking for.
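
Because every account in the selected AD group ends up in the Macula user list, it is worth reviewing the group's membership on the domain side before importing it. The script below is an added example, not part of the Macula documentation or product; it uses the standard ActiveDirectory PowerShell module (RSAT). The group name `VMS-Operators` and the 90-day threshold are placeholders, and because this page does not say whether nested AD groups are expanded on import, the script lists recursive membership as the widest case.

```powershell
# Added example: review an AD group's membership before importing it into Macula.
# Requires the ActiveDirectory module (RSAT). Names and thresholds are placeholders.
Import-Module ActiveDirectory

$GroupName = 'VMS-Operators'   # placeholder: the AD group you plan to import
$StaleDays = 90                # assumption: review threshold for unused accounts
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# -Recursive expands nested groups, so this is the widest set of accounts
# that could receive the permissions assigned to the imported group.
$members = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

$report = foreach ($m in $members) {
    $u = Get-ADUser -Identity $m.distinguishedName `
                    -Properties Enabled, LastLogonDate, PasswordNeverExpires
    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Enabled              = $u.Enabled
        LastLogonDate        = $u.LastLogonDate
        PasswordNeverExpires = $u.PasswordNeverExpires
        # Flag accounts that deserve a second look before they gain video access:
        # disabled, non-expiring password, never logged on, or not used recently.
        Review               = (-not $u.Enabled) -or
                               $u.PasswordNeverExpires -or
                               (-not $u.LastLogonDate) -or
                               ($u.LastLogonDate -lt $cutoff)
    }
}

# Flagged accounts first, then a one-line summary.
$report | Sort-Object Review -Descending | Format-Table -AutoSize
"{0} accounts, {1} flagged for review" -f @($report).Count,
    @($report | Where-Object Review).Count
```

Accounts flagged here are cleaned up in Active Directory itself, since most properties of imported users cannot be changed from Macula.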

Edit External Users Or User Groups

After adding the external user group, you can edit the group properties as well as individual external users. In order to do this, select the target user/user group in the list and click the Edit button on the upper panel, or, alternatively, simply double-click the desired item to bring up the configuration dialog box.

Editing an external user group is much the same as adding a new one; individual external user settings differ in some respects from the regular, built-in user settings.

On the Details tab, the only settings available for editing will be user account status (enabled by default) and PTZ priority (which will be 5, by default). All the other properties will be grayed out as they cannot be changed via Macula and should be changed via Active Directory instead.

If two or more users try using PTZ control of a device at the same time, PTZ priority is used to decide who gains access first: a user with a lower priority is blocked for ten seconds to allow a higher-priority user to use PTZ. If two users with the same PTZ priority have an access conflict, they will both be granted PTZ access simultaneously.

Default PTZ priority for all users, including those built-in and imported, is equal to five (medium priority). You can assign any user a higher PTZ priority (six to ten) or a lower one (four to zero) by editing individual user properties.

On the Membership tab, you can choose an internal user group to contain the AD user as a member. All user permissions inherited from the group will be applied to the target AD user and will be displayed as grayed out in the Resources tab. You can assign additional user-specific permissions on the Resources tab.
