There are a variety of different configuration options for setting up Active Directory (AD) users in Cerberus FTP Server. When using AD authentication, Cerberus FTP Server needs a way to map authenticated AD users to the server’s filesystem.
The most basic decision an administrator has to make when configuring AD authentication is the Default Group and Default Virtual Directory Mapping for all AD users. These defaults will be applied to all AD users unless further customization is performed.
Default Cerberus Group for AD Users
A single Cerberus group can be selected as the default group that all AD users become a member of when they log in to Cerberus FTP Server. This default group selection is optional. If a default Cerberus group is selected, the constraints on this default group are applied to all AD users when they log in.
Using the default group option is a simple way to make sure that global constraints are applied to all AD users.
For example, consider a Cerberus group named AD_Users. On the Cerberus AD Users page of the User Manager, this group is assigned as the Default Group for AD users.
All of the settings on this group are applied to any AD users that are logged in. If the group AD_Users had a maximum file upload size of 1 GB and was configured to only allow SSH SFTP and HTTPS logins, then those constraints would be applied to all AD users that logged in. However, virtual directories for group AD_Users will not be applied by default to AD users unless Cerberus Group is selected as the Default Directory Mapping mode. The Default Directory Mapping mode is discussed in the next section.
The default Cerberus group can be overridden later for individual AD users through custom AD user to Cerberus group mappings. This will be discussed in the section Customizing Individual AD Users.
Default Directory Mapping for AD Users
The other default selection that has to be made for AD users is the default virtual directory mapping mode. Four different modes are available, and their operation is discussed below.
The Default Virtual Directory Mapping modes work as follows:
| Mode | Behavior |
|---|---|
| Global Home | Every AD account will use the directory specified under the “Global Home” edit box as the FTP root. This is the simplest option, and every AD user is assigned this one directory as their root folder. |
| Global Home\%USER% | Every AD account will use a subdirectory off of the “Global Home” directory that is the same as the account’s name. |
| User Home Directory | Every AD account will use that account’s home directory as the FTP root. |
| Cerberus Group | The specified Default Cerberus Group will be used to determine what directories and what settings to apply to the Active Directory user when they log in, including any security requirements associated with the group. |
Customizing Individual AD Users
By default, all AD users are assigned the same virtual directories and permissions, based off of the Default Directory Mapping Mode selection. However, if you wish to customize the directory and permission mappings for individual AD users, then you can do so through the AD User Customization page by clicking on the Customize button. You can select individual AD user accounts and map them to Cerberus group accounts.
An AD user to Cerberus group mapping will override the default Cerberus Group and directory mapping for the AD user. Only the settings and virtual directories from the mapped group will be applied to the AD user (not the defaults).
Further AD user customization using AD Group to Cerberus Group Mapping
Customizing each individual AD User to a Cerberus group can be a time-consuming task if you have many users, especially if you can divide up large groups of users into just a few groups.
Another form of customization that can make maintaining large numbers of users easier is to use the new AD group to Cerberus group mapping capability. On the AD User Customization page, you can map AD groups to Cerberus groups.
When an AD user logs into Cerberus, the server will check the direct AD group memberships for that AD user and see if there are any AD group to Cerberus group mappings. If a mapping is found, the virtual directories for that Cerberus group will be added to the virtual root for the AD user. Only the virtual directories from the Cerberus groups are added to the AD user. No other constraints are transferred.
The Default Group and Default Virtual Directory mappings are still applied to the user when AD group to Cerberus group mappings are present, unlike AD user to Cerberus group mappings.
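The precedence rules described in the sections above, modeled as an added example (this is not Cerberus FTP Server's own code). The mode identifiers, the `resolve` helper, the "home" label outside the Global Home\%USER% case, the shared paths and the sample users are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Group:  # models a Cerberus group
    constraints: dict = field(default_factory=dict)  # login/transfer limits
    vdirs: dict = field(default_factory=dict)        # virtual name -> path

@dataclass
class ADSettings:
    mode: str  # global_home | global_home_user | user_home | cerberus_group
    global_home: str = ""
    default_group: Optional[Group] = None
    user_map: dict = field(default_factory=dict)   # AD user  -> Group
    group_map: dict = field(default_factory=dict)  # AD group -> Group

def resolve(cfg, user, direct_groups=(), ad_home=""):
    """Return (constraints, vdirs) as this page describes them for one login."""
    if user in cfg.user_map:
        # AD user mapping: only the mapped group applies, no defaults.
        # Assumption: AD group mappings are not layered on top either.
        g = cfg.user_map[user]
        return dict(g.constraints), dict(g.vdirs)
    dg = cfg.default_group or Group()
    constraints = dict(dg.constraints)  # default group constraints always apply
    if cfg.mode == "cerberus_group":
        vdirs = dict(dg.vdirs)          # only this mode uses the group's vdirs
    else:
        root = {"global_home": cfg.global_home,
                "global_home_user": cfg.global_home + "\\" + user,
                "user_home": ad_home}[cfg.mode]
        vdirs = {"home": root}          # "home" label assumed for every mode
    for ad_group in direct_groups:      # direct memberships only
        mapped = cfg.group_map.get(ad_group)
        if mapped:                      # adds directories, never constraints
            for name, path in mapped.vdirs.items():
                vdirs.setdefault(name, path)  # assumption: no overwrite
    return constraints, vdirs

# Constructed sample mirroring the page's AD_Users / designers scenario.
AD_USERS = Group({"max_upload_gb": 1, "protocols": ("SFTP", "HTTPS")})
DESIGNERS = Group({"protocols": ("SFTP",)}, {"designs": r"C:\ftproot\shared\designs"})
CONTRACTORS = Group({"protocols": ("HTTPS",)}, {"dropbox": r"C:\ftproot\contractors"})
CFG = ADSettings("global_home_user", r"C:\ftproot\users", AD_USERS,
                 user_map={"carol": CONTRACTORS},
                 group_map={"AD_designers": DESIGNERS})
```

Because a Cerberus group reached through an AD group mapping contributes only its directories, protocol or upload limits meant for those users belong on the default group or on an AD user mapping.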
I want all of my AD users to have their own home folder, but I want some users to share a common set of directories
To achieve this setup we will combine the default virtual directory mapping mode on the AD User page with a custom AD group to Cerberus group mapping. You will need to do two things:
- Select a default virtual directory mapping mode. This setup can be achieved by selecting the Global Home\%USER% default directory option, or the User Home Directory option.
The above default configuration will ensure every AD user receives their own directory under the directory C:\ftproot\users.
- Create an AD group to Cerberus group mapping.
If you have a group of users that you would like to also have access to a shared folder, you can achieve this with AD group to Cerberus group mappings. First, create a Cerberus group named designers, and assign the shared directory to that Cerberus group. Then, create a group in Active Directory called AD_designers and make the group of AD users you wish to share a folder with members of that AD group.
Press the Customize button on the AD Users page:
The AD User Customization dialog will appear. You can use this dialog to create an AD group to Cerberus group mapping:
- Select the Groups radio button to see a list of AD groups.
- Select the AD_designers group from the AD objects list box and the designers group from the Cerberus groups list box.
- Press the Assign button to create a mapping.
- Press the Ok button to save the mapping.
AD users who are not members of the AD_designers group will see only their home directory when they log in. AD users who are members of the AD_designers group will see their home directory, named “home”, and the other directories from the Cerberus group designers.
I want all of my AD groups to have their own home folder and not see any shared folders
To achieve this setup we will override the default virtual directory mapping mode to make it invisible and use custom AD group to Cerberus group mappings to allow the AD users to see their own directory(ies). You will need to do three things:
- In Cerberus > 'Users' > 'Groups', create an EMPTY Cerberus group. This would be a Cerberus group with NO members. When creating this group, DO NOT specify a folder under 'New Virtual Directory'. That way there will be no default directory displayed to users when they log in. Finally, specify any security requirements that you want to be associated with all users. When they log in, Active Directory users will receive the security settings from the default Cerberus group, but will not see a default directory you don't want them to see. Click 'Save' to save your new group.
- In 'Groups', create new groups assigned to the virtual directories and permissions you want those users to see/use.
- In 'Groups', ensure your AD users are associated to their correct groups and those groups are limited to access only the virtual directories you wish them to see.
- In 'AD Users', specify the new empty group in the 'Default Group' setting and select 'Use Default Group Directories and Permissions'.