General Help with AD Internal Hybrid

It's a bit easier than that.

  • Use the Ignition default internal user source for your administrator login. This is most important for access if you mess up the AD Internal Hybrid configuration for any reason.

  • Use the Ignition default internal user source for contractors or support that aren't on your AD system.

  • Create the necessary roles and assign them to the miscellaneous users. The administrator account should automatically have full permissions.

  • Configure the hybrid with soft failover to the internal.

  • Add the users and set their roles in the hybrid user source. You don't need to do it in the default internal. That means that there is no need for temporary passwords. The AD password will just work!

So to address your questions:

If I'm understanding it correctly, I should create the roles I need for my project (there are three - Admin, Chemist, Engineer) on the gateway, and then create the users on the gateway and assign them to the roles.

Yes but all in the AD Internal Hybrid.

When I create the users, I would use the LDAP username and that would be the common user name that ties the user to the authentication.

Correct.

Temporarily for testing, I gave each of those users a basic password and that all works fine.

Not correct. Enter any old rubbish into the password field. AD will look for the real AD password.

Next I would configure AD Internal Hybrid per the user guide. And the way it would work is when the user signs on with his LDAP username and password, Ignition will authenticate the credentials with the AD server.

Correct so far.

If it's all OK, Ignition would then look internally and see which role that user name gets assigned.

Yes, but it's looking for the roles in the Hybrid - not in the default.

... although I am a little concerned that once I start using the AD Server, if something isn't working will I be locked out of my gateway and unable to reverse it or turn AD off since the Ignition administrative account is now tied to AD (or maybe it's not)?

That's why having the soft failover to the internal default administrator account is important.

You can consider using the Perspective User Management tool available on the Ignition Exchange. You can build it into any application or create a standalone. It will make editing users much simpler.

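The lockout question above is easiest to reason about with a small model of the arrangement the answer recommends. The following is an added illustration, not code from the post or from Ignition: it models a hybrid source whose passwords are verified by AD while roles live in the hybrid, with soft failover to a default internal source that holds the administrator account. All class and function names (FakeActiveDirectory, InternalUserSource, ADInternalHybrid, build_sources, scenarios) and the sample accounts are assumptions constructed for this example.

```python
"""
Constructed toy model (not Ignition's code) of the setup described in the
post: an "AD Internal Hybrid" user source whose passwords are verified by AD
while roles live in the hybrid, with soft failover to the default internal
user source that holds the administrator account.
"""
import hashlib
import hmac
import os


class DirectoryUnreachable(Exception):
    """Raised when the simulated AD server cannot be contacted."""


class FakeActiveDirectory:
    """Stand-in for AD: it only answers 'is this username/password right?'."""

    def __init__(self, accounts, online=True):
        self._accounts = accounts  # constructed sample: username -> password
        self.online = online

    def bind(self, username, password):
        if not self.online:
            raise DirectoryUnreachable("LDAP bind failed: server unreachable")
        return self._accounts.get(username) == password


def _hash(password, salt=None):
    """Salted PBKDF2 so the internal store never keeps plaintext."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class InternalUserSource:
    """Models the default internal source: local password hashes plus roles."""

    def __init__(self):
        self._users = {}

    def add_user(self, username, password, roles):
        salt, digest = _hash(password)
        self._users[username] = (salt, digest, frozenset(roles))

    def authenticate(self, username, password):
        rec = self._users.get(username)
        if rec is None:
            return None
        salt, digest, roles = rec
        if not hmac.compare_digest(_hash(password, salt)[1], digest):
            return None
        return roles


class ADInternalHybrid:
    """AD checks the password; this source only keeps the role mapping.
    Whatever is typed into a hybrid user's password field is never used."""

    def __init__(self, ad, failover):
        self._ad = ad
        self._failover = failover  # soft failover target (the internal source)
        self._roles = {}

    def add_user(self, username, roles, password_field="any old rubbish"):
        del password_field  # deliberately ignored, as the post explains
        self._roles[username] = frozenset(roles)

    def authenticate(self, username, password):
        try:
            ok = self._ad.bind(username, password)
        except DirectoryUnreachable:
            # Soft failover: consulted only when AD cannot be reached,
            # not when AD simply rejects the credentials.
            return self._failover.authenticate(username, password)
        if not ok:
            return None
        return self._roles.get(username, frozenset())


def build_sources(ad_online=True):
    """Wire up the sources the way the post recommends (constructed sample data)."""
    ad = FakeActiveDirectory({"jsmith": "Real-AD-Pa55word"}, online=ad_online)
    internal = InternalUserSource()
    internal.add_user("admin", "break-glass-secret", ["Administrator"])
    hybrid = ADInternalHybrid(ad, failover=internal)
    hybrid.add_user("jsmith", ["Chemist"])  # role set in the hybrid only
    return internal, hybrid


def scenarios():
    """Outcomes worth confirming before switching a project over to AD."""
    internal, hybrid = build_sources(ad_online=True)
    results = {
        # AD password works and the role comes from the hybrid
        "chemist_ad_password": hybrid.authenticate("jsmith", "Real-AD-Pa55word"),
        # the 'rubbish' stored in the hybrid password field logs nobody in
        "chemist_stored_rubbish": hybrid.authenticate("jsmith", "any old rubbish"),
        # the gateway admin login goes straight to the internal source
        "admin_internal": internal.authenticate("admin", "break-glass-secret"),
    }
    internal, hybrid = build_sources(ad_online=False)
    # AD down: admin still gets in via soft failover, AD-only users do not
    results["admin_via_failover"] = hybrid.authenticate("admin", "break-glass-secret")
    results["chemist_ad_down"] = hybrid.authenticate("jsmith", "Real-AD-Pa55word")
    return results


if __name__ == "__main__":
    for name, roles in scenarios().items():
        print(f"{name:24s} -> {'denied' if roles is None else sorted(roles)}")
```

Two points the scenarios make concrete: the password typed into a hybrid user's record never decides anything, only the AD bind does, and soft failover protects the break-glass administrator (who exists in the internal source) but not ordinary AD users while the directory is unreachable. Whether this model matches Ignition's exact failover semantics is an assumption; check the user guide for the current behaviour.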