Default Virtual Directory Mapping for AD Users
Active Directory accounts are always configured for simple directory mode (See here for more information about simple mode) if any mode other than Use Default Group Directories is selected for the Default Virtual Directory Mapping mode.
The Default Virtual Directory Mapping modes work as follows:
Global Home: Every AD account will use the directory specified under the “Global Home” edit box as the FTP root. This is the simplest option, and every AD user is assigned this one directory as their root folder. The Cerberus permissions on this folder can be restricted through the Permissions button to the right of the Global Home edit box. NTFS permissions for the AD user still apply.
Global Home\%USER%: Every AD account will use a subdirectory off of the “Global Home” directory that is the same as the account’s name. This directory will be created automatically if it doesn’t exist when the user logs in. The Cerberus permissions on this folder can be restricted through the Permissions button to the right of the Global Home edit box. NTFS permissions for the AD user still apply.
AD User Home Directory: Every AD account will use that account’s home directory as the FTP root.
- AD User Attribute: Every AD account will use the AD directory attribute defined here to determine what virtual directories to add to their account.
When an AD user logs into Cerberus, the server will lookup this attribute on the Active Directory account to determine what virtual directories to add to the user account.
This AD attribute can have multiple values, and each value will be added as a separate virtual directory.
The default value will be a valid Windows directory path. By default, the last directory of the file path will be used for the virtual directory name, and the user will have full permissions to the directory path.
The value can be customized into 3 separate components to customize the added virtual directory path into a full directory path, a virtual directory name, and permissions set for the virtual directory. You can separate each component by the pipe character or an asterisk.
For example, the value for the attribute could be:
The first part is the directory path, the second is the directory name, and the third is a bitmask indicating the permissions the user has for that virtual directory.
Permissions have the following values:
|DISPLAY HIDDEN FILES||128|
* Reserved legacy values. The RENAME_BIT and DELETE_BIT are legacy and will get migrated to the new values. If the new bit values for rename and delete are present, the old values are ignored
To assign the permissions to your virtual directories, just add the values up to achieve the desired permissions. e.g., Download, Upload, Rename Files, and Delete Files permissions would be (1 + 2 + 32768 + 8192) = 40963.
Granting all permissions would be 65523.
- Use Default Group Directories: The specified Cerberus Group will be used to determine what directories, and what settings, to apply to the AD user when they log in, including any security requirements associated with the group. The AD user will inherit all virtual directories and settings from the default Cerberus group.
Please sign in to leave a comment.