Setting up Active Directory Authentication using LDAP
The following steps detail the procedure for enabling LDAP Authentication to verify credentials against Active Directory. The steps are similar for connecting to other LDAP servers, such as OpenLDAP or ApacheDS.
Server Overview
- Enter the LDAP "Server" and "Port" attributes on the Server Overview tab of the LDAP Users page. This should be the host name or IP address, and the port, of the server hosting your LDAP directory (a domain controller for Active Directory):
- e.g., Server: hostname.domain.com or an IP address: 192.168.0.100
- Port: 389 is the default for unencrypted LDAP connections. Port 636 is the default for LDAPS encrypted connections. Over port 389 the search account password, and the credentials of every user Cerberus verifies, cross the network in clear text, so use 636 (LDAPS) wherever the domain controller has a server certificate, and enter a server name that matches that certificate.
- Enter the proper base for the Active Directory in the "Base DN" attribute. Simply specifying the base suffix of the domain (e.g., DC=corp,DC=cftp,DC=com) will not work in this attribute: with the One Level search scope recommended below, only objects directly beneath the Base DN are matched, and user accounts live in a container below the domain root. For Active Directory, it would usually be CN=Users plus the base suffix.
e.g.: for domain corp.cftp.com:
CN=Users,DC=corp,DC=cftp,DC=com
or for local domain corp.cftp.local:
CN=Users,DC=corp,DC=cftp,DC=local
- Set the Search Scope. This setting controls how deep into the directory to search for users, relative to the Base DN: One Level matches only objects directly beneath the Base DN, while Subtree also searches every container and organizational unit below it. This setting combined with the Base DN and Search Filter determines which users are matched for authentication. One Level is usually the best setting for typical Active Directory configurations, where the accounts to be matched sit directly in CN=Users. If your accounts are spread across organizational units, either point the Base DN at the OU that holds them or use the domain suffix as the Base DN together with Subtree scope.
- Enter the Username Attribute (referred to as the User DN Attribute later on this page). This is the attribute the LDAP module will search for in Active Directory and attempt to match against the supplied FTP username. On many LDAP servers it is uid; if users log in using their Common Name, the value would be cn. For Active Directory, specify sAMAccountName, the attribute that holds the pre-Windows 2000 logon name and is the closest equivalent to uid.
- Enter the Search Filter. This string is an LDAP search filter used to locate, and restrict, the accounts in Active Directory that are considered for authentication. Use it to make sure only certain types of objects, or members of a particular group, are checked.
Search Filter Examples
(objectClass=User)
The above filter will include only entries that have the object class user (attribute values in Active Directory filters are not case sensitive, so User and user are equivalent). Note that computer accounts in Active Directory are also of class user; to exclude them, use (&(objectCategory=person)(objectClass=user)).
(memberof:1.2.840.113556.1.4.1941:=CN=FTPUsers,CN=Users,DC=corp,DC=cftp,DC=local)
The above filter will include all users that are members of the group FTPUsers, including members of groups nested inside it: the 1.2.840.113556.1.4.1941 matching rule (LDAP_MATCHING_RULE_IN_CHAIN) makes Active Directory evaluate group membership transitively. Replace the group DN with the distinguished name of your own group.
Do not add the username attribute (sAMAccountName, uid, etc.) to this filter yourself. Cerberus will automatically append an attribute filter to select the correct account based on the User DN Attribute.
i.e., if the User DN Attribute is sAMAccountName, Cerberus will automatically create a string like
(&(objectClass=User)(sAMAccountName=ftpUser))
where ftpUser is the name of the user that attempted login.
- Verify that the settings are correct by clicking the Verify button. You should see the user DNs from Active Directory that are able to log in to Cerberus FTP Server. Note: Unless “Use FQDN” is checked, only the value of the User DN Attribute will be displayed in the LDAP user list. It is this value that will be compared against the FTP username to determine an account match.
- In the Default Group setting, select a Cerberus FTP Group to represent the virtual directories and permissions for LDAP users. Note that the “isAnonymous” setting on the group is ignored. The group cannot be anonymous.
Binding Options
In the Search Account DN attribute, enter the distinguished name of an account that has the right to read the user objects in Active Directory. Anonymous access to Active Directory is not allowed, so a bind account is needed. This account only needs read access to the attribute the user will be matched on; because its password is stored in the Cerberus configuration, a dedicated, low-privilege service account is preferable to a domain administrator. The example below uses the built-in administrator account only for brevity:
CN=administrator,CN=Users,DC=corp,DC=cftp,DC=local
Enter the password for the user account.
Note: This password will be encrypted in memory before being saved to disk.
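As an added example that is not Cerberus FTP Server code, the following PowerShell script reproduces the sequence the settings above describe (bind as the search account, search the Base DN with the configured scope and the Search Filter combined with the User DN Attribute, then bind as the matched user's DN with the password supplied at login) using the .NET System.DirectoryServices.Protocols API, so the Base DN, scope, filter and attribute can be checked from a domain-joined workstation while troubleshooting. The server name, DNs, account name and user name are assumptions taken from the examples on this page. It goes beyond the page in two respects: it escapes the FTP username per RFC 4515 before placing it in the filter, and it refuses an empty password, because Active Directory treats a simple bind with an empty password as an anonymous bind and reports success.

```powershell
# Added example, not Cerberus FTP Server code. Reproduces the search-then-bind
# sequence described on this page with the .NET System.DirectoryServices.Protocols
# API so the Base DN, scope, filter and attribute can be tested outside Cerberus.
# Host name, DNs, account names and user names below are assumptions; change them.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server       = 'hostname.domain.com'                                  # Server Overview: Server
$Port         = 636                                                    # 636 = LDAPS, 389 = clear text
$BaseDn       = 'CN=Users,DC=corp,DC=cftp,DC=local'                    # Base DN
$Scope        = [System.DirectoryServices.Protocols.SearchScope]::OneLevel   # Search Scope
$SearchFilter = '(objectClass=user)'                                   # Search Filter, as configured
$UserDnAttr   = 'sAMAccountName'                                       # User DN (Username) Attribute
$SearchAcctDn = 'CN=administrator,CN=Users,DC=corp,DC=cftp,DC=local'   # Search Account DN

function ConvertTo-LdapFilterValue {
    # Escape a value for use inside an LDAP filter (RFC 4515). The username comes
    # from the FTP client, so without this a login name such as "x)(objectClass=*"
    # would change the meaning of the filter.
    param([string]$Value)
    $Value = $Value.Replace('\', '\5c')     # backslash first, so the escapes below are not re-escaped
    return $Value.Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function New-LdapBind {
    # Open a connection and perform a simple bind (DN + password), which is what a
    # "Search Account DN" plus password implies. Throws an LdapException on failure.
    param([string]$BindDn, [string]$Password)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = ($Port -eq 636)   # server certificate is validated against the machine store
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($BindDn, $Password)
    $conn.Bind()
    return $conn
}

function Test-LdapFtpLogin {
    param(
        [Parameter(Mandatory)] [string]$FtpUser,
        [Parameter(Mandatory)] [string]$FtpPassword,
        [Parameter(Mandatory)] [string]$SearchAccountPassword
    )
    # Active Directory treats a simple bind with an empty password as an anonymous
    # bind and reports success, so reject it before going any further.
    if ([string]::IsNullOrEmpty($FtpPassword)) { throw 'Empty passwords are not accepted.' }

    # Step 1: bind with the search account and look the user up, combining the
    # configured Search Filter with the User DN Attribute as the page describes.
    $filter = '(&{0}({1}={2}))' -f $SearchFilter, $UserDnAttr, (ConvertTo-LdapFilterValue $FtpUser)
    $search = New-LdapBind -BindDn $SearchAcctDn -Password $SearchAccountPassword
    try {
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    $BaseDn, $filter, $Scope, [string[]]@('distinguishedName', $UserDnAttr))
        $resp = [System.DirectoryServices.Protocols.SearchResponse]$search.SendRequest($req)
    } finally { $search.Dispose() }

    if ($resp.Entries.Count -ne 1) {
        throw "Filter $filter under $BaseDn matched $($resp.Entries.Count) entries; expected exactly one."
    }
    $userDn = $resp.Entries[0].DistinguishedName

    # Step 2: verify the password by binding as the user's own DN.
    $user = New-LdapBind -BindDn $userDn -Password $FtpPassword
    $user.Dispose()
    return [pscustomobject]@{ FtpUser = $FtpUser; UserDn = $userDn; Authenticated = $true }
}

# Usage (passwords are prompted for rather than typed on the command line):
# $sp = Read-Host 'Search account password'; $up = Read-Host 'Password for ftpUser'
# Test-LdapFtpLogin -FtpUser 'ftpUser' -FtpPassword $up -SearchAccountPassword $sp
```

If the search step returns zero entries, the Base DN, scope or filter is wrong (the same condition that leaves the Verify list on the LDAP Users page empty); if the second bind fails with LDAP result 49 (invalid credentials), the user was found but the password was rejected. Run the script with port 389 only against a test domain, since the passwords then travel unencrypted.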