Auto-sync: 2026-04-28 20:03
42
wiki/concepts/Active-Directory-Integration.md
Normal file
@@ -0,0 +1,42 @@
---
title: "Active-Directory-Integration"
type: concept
tags: [Identity, AWS, Networking]
sources: [ctp-topic-7-saas-landing-zone-design]
last_updated: 2026-05-06
---

## Active-Directory-Integration

AWS 环境中的 Active Directory 集成方案,用于实现统一的身份认证和资源访问控制。

## Definition

Active Directory 集成是 Landing Zone 基线服务的重要组成部分:
- **核心功能**:通过双 AD 节点实现域加入(Domain Join)和资源访问控制
- **部署位置**:独立的 Active Directory Account(基线账户层)
- **认证用途**:用于 AWS Workspaces、EC2 实例(Windows/Linux)、VPN 接入等场景的身份认证

## Role in SAS Landing Zone

在 [[ctp-topic-7-saas-landing-zone-design]] 定义的 Baseline 账户中:
- **部署**:Active Directory 账户托管两个 AD 节点(双节点高可用)
- **用途 1**:域加入(Domain Join)— Windows 和 Linux 实例自动加入 AD 域
- **用途 2**:资源访问控制 — 基于 AD 组映射 IAM 角色,实现最小权限原则
- **用途 3**:VPN 认证 — Pulse VPN 通过 AD 认证远程访问人员身份

## Key Properties
- **Type**: Identity & Access Management
- **Architecture**: 双 AD 节点高可用
- **In SAS LZ Layer**: Baseline Accounts

## Related Concepts
- [[Domain-Join]] — 实例域加入机制
- [[Federated-Access]] — 联邦身份认证
- [[Multi-factor-Authentication]] — 多因素认证

## Connections
- [[ctp-topic-7-saas-landing-zone-design]] — SAS LZ 基线账户身份认证基础设施
- [[ctp-topic-11-ad-integration-and-login-using-ad-accounts]] — AD 集成与登录详细实践
- [[ctp-topic-17-active-directory-services-in-gruntwork-aws-lzs]] — Gruntwork LZ 中的 AD 服务集成
- [[ctp-topic-6-aws-workspaces-demo]] — AWS Workspaces 使用 AD 账号登录

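Review bot: the frontmatter `last_updated: 2026-05-06` is later than this commit's own date (Auto-sync 2026-04-28), so either the date is wrong or the sync clock is; please correct it. The headings "Role in SAS Landing Zone" and "In SAS LZ Layer" use "SAS" while the cited source is `ctp-topic-7-saas-landing-zone-design`, so pick one spelling (SaaS) and use it throughout. "用途 2" says AD groups are mapped to IAM roles to achieve least privilege but does not say through which mechanism the mapping is enforced; link [[Federated-Access]] from that bullet and name the mapping point, otherwise "最小权限原则" is an aspiration rather than a documented control. Under Key Properties, "双 AD 节点高可用" should state whether the two nodes sit in separate Availability Zones and whether this is AWS Managed Microsoft AD or self-managed domain controllers, since backup, patching and trust configuration differ between the two. Finally, "用途 3" has Pulse VPN authenticating remote users against AD, yet [[Multi-factor-Authentication]] appears only under Related Concepts; state explicitly whether MFA is enforced on that VPN login path, because a password-only AD bind on an internet-facing VPN is the weakest point in the design as written.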