Setting up Active Directory Authentication using LDAP
The following steps detail the procedure for enabling LDAP Authentication to verify credentials against Active Directory. The steps are similar for connecting to other LDAP servers, such as OpenLDAP or ApacheDS.
- Change the LDAP Server and Port attributes in the User Manager, LDAP Users tab to the host name and port number of the Active Directory domain controller:
- e.g., Server: hostname.domain.com or an IP address: 192.168.0.100
- Port: 389 is the default for unencrypted LDAP connections. Port 636 is the default for LDAPS (LDAP over TLS) connections. Note that a simple bind over plain port 389 sends both the bind account's password and each FTP user's password to the domain controller in cleartext, so use LDAPS unless the link between Cerberus and the domain controller is otherwise protected.
- Change the Base DN to the proper base for the Active Directory. Specifying only the base suffix (the domain's DC components) will not work in this attribute. For Active Directory, it is usually cn=Users followed by the base suffix, e.g. for the domain corp.cerberusllc.com:
or for the local domain corp.cerberusllc.local:
- Change the User DN bind attribute to the DN of an account with the right to read the Active Directory. Anonymous access to Active Directory is not allowed, so a bind account is needed. This account only needs read permission on the attribute the users authenticate with; it does not need any administrative rights. An example might be cn=administrator,CN=Users,DC=corp,DC=cerberusllc,DC=local, but in practice a dedicated, unprivileged service account is preferable, because this credential is stored by the FTP server and would be exposed if the server were compromised. Enter the password for the bind account.
Note: This password is encrypted in memory and before being saved to disk.
- Change the User DN Attribute. This is the attribute the LDAP module searches for in Active Directory and attempts to match against the supplied FTP username. On many LDAP servers it is the uid attribute. For example, if users log in using their Common Name, the value of this attribute would be cn. For Active Directory, the login name is usually mapped to sAMAccountName, as it is the Active Directory attribute most like uid, so it is usually best to specify sAMAccountName.
- Change the Search Filter. This string is an LDAP search string used to locate and filter the account in Active Directory. This filter can be used to make sure only certain types of objects are checked for authentication.
Search Filter Examples
The above filter will include only entries that have the object class user.
The above filter will include only users that are members of the group FTPUsers.
Do not add the User DN Attribute (e.g. uid or sAMAccountName) to the Search Filter yourself. Cerberus automatically appends an attribute filter to select the correct account based on the User DN Attribute.
I.e., if the User DN Attribute is sAMAccountName, Cerberus automatically creates a string like
where ftpUser is the name of the user that attempted to log in.
- Set the Search Scope. This setting controls how deep into the directory to search for users. Combined with the Base DN and Search Filter, it determines which users are matched for authentication. One Level is usually the best setting for typical Active Directory configurations, where the accounts live directly under CN=Users. Note that a One Level search only matches objects that are immediate children of the Base DN: if user accounts are kept in organizational units (OUs) elsewhere in the domain, they will not be found unless the Base DN is moved up to a container above them and the scope is widened to search the whole subtree.
- Verify that the settings are correct by clicking the Connect button. You should see the user DNs from Active Directory that are able to log in to Cerberus FTP Server. Note: Unless "Use FQDN" is checked, only the value of the User DN Attribute is displayed in the LDAP user list. It is this value that is compared against the FTP username to determine an account match.
- Select a Cerberus FTP Group to represent the virtual directories and permissions for LDAP users. Note that the “isAnonymous” setting on the group is ignored. The group cannot be anonymous.
Cerberus FTP Server is now configured for authentication against an LDAP server (Active Directory, in this case).
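The following Python script is an added example, not part of the original page and not Cerberus FTP Server's own code. It assembles the three values the steps above depend on (Base DN, Search Filter combined with the User DN Attribute match, and Search Scope) and lets you check them offline before clicking Connect. The exact string Cerberus builds when it appends the attribute filter is not reproduced on the page; the AND-filter form used here, and the RFC 4515 escaping applied to the username, are standard LDAP practice and are assumptions, not a description of the product's internals. The user names, DNs and the OU=Staff container are constructed sample data.

```python
"""Offline sanity checks for the LDAP settings described above.

Added example: builds the Base DN from a domain name, combines the admin
Search Filter with the per-login User DN Attribute match, and evaluates
whether a given account DN falls inside the configured Search Scope.
"""


def base_dn_for_domain(domain: str, container: str = "CN=Users") -> str:
    """Build the Base DN: the container plus the domain's DC components.

    corp.cerberusllc.local -> CN=Users,DC=corp,DC=cerberusllc,DC=local
    Pass container="" to get only the base suffix (the domain root).
    """
    dcs = ",".join(f"DC={label}" for label in domain.split("."))
    return f"{container},{dcs}" if container else dcs


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515).

    '*', '(', ')', '\\', NUL and any non-ASCII byte become \\XX hex escapes,
    so a crafted FTP username cannot alter the structure of the filter.
    """
    out = []
    for byte in value.encode("utf-8"):
        ch = chr(byte)
        if byte == 0 or byte > 0x7F or ch in "*()\\":
            out.append("\\%02x" % byte)
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter(search_filter: str, user_dn_attribute: str, username: str) -> str:
    """AND the admin Search Filter with the User DN Attribute match.

    Assumption: Cerberus combines the two in this standard way; the page
    does not show the exact string it generates.
    """
    return f"(&{search_filter}({user_dn_attribute}={escape_filter_value(username)}))"


def _rdns(dn: str) -> list:
    # Simple split on commas; DNs with escaped commas are not handled here.
    return [rdn.strip().lower() for rdn in dn.split(",")]


def dn_in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Would entry_dn be returned by a search under base_dn with this scope?

    scope is 'base' (the Base DN itself), 'one' (One Level: immediate
    children only) or 'sub' (the whole subtree).
    """
    entry, base = _rdns(entry_dn), _rdns(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]


if __name__ == "__main__":
    base = base_dn_for_domain("corp.cerberusllc.local")
    print("Base DN:      ", base)
    print("Login filter: ", build_user_filter("(objectClass=user)", "sAMAccountName", "ftpUser"))
    # A username containing filter metacharacters is neutralised by escaping.
    print("Hostile name: ", build_user_filter("(objectClass=user)", "sAMAccountName", "*)(objectClass=*"))
    # Constructed sample accounts: one under CN=Users, one in an OU.
    in_users = "CN=ftpUser,CN=Users,DC=corp,DC=cerberusllc,DC=local"
    in_ou = "CN=ftpUser,OU=Staff,DC=corp,DC=cerberusllc,DC=local"
    print("One Level finds CN=Users account:", dn_in_scope(in_users, base, "one"))
    print("One Level finds OU=Staff account: ", dn_in_scope(in_ou, base, "one"))
    print("Subtree from domain root finds it:",
          dn_in_scope(in_ou, base_dn_for_domain("corp.cerberusllc.local", ""), "sub"))
```

Run it as-is to see the assembled Base DN and login filter for the sample domain; change the domain, filter and sample DNs to match your directory. The last two lines of output illustrate the scope caveat: an account kept in an OU is invisible to a One Level search under CN=Users and only appears when the Base DN is the domain root and the scope covers the subtree.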