
List of attachments

Kind | Attachment Name | Size | Version | Date Modified | Author | Change note
jpg | Clipboard01.jpg | 219.8 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba | uru
png | Clipboard01.png | 207.7 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |
png | Notify_Locked_Account.png | 4.7 kB | 1 | 05-Dec-2023 05:32 | Halmágyi Árpád |
png | crushldapgroup1.png | 68.3 kB | 2 | 05-Dec-2023 05:32 | Ben Spink |
png | crushldapgroup2.png | 40.8 kB | 2 | 05-Dec-2023 05:32 | Ben Spink |
png | homedir0.png | 16.4 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |
png | homedir1.png | 111.3 kB | 2 | 05-Dec-2023 05:32 | Ada Csaba |
png | homedir2.png | 134.0 kB | 2 | 05-Dec-2023 05:32 | Ada Csaba |
png | ldapconn1.png | 207.7 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |
png | ldapconn2.png | 50.6 kB | 2 | 05-Dec-2023 05:32 | Ada Csaba |
png | ldapconn3.png | 60.1 kB | 2 | 05-Dec-2023 05:32 | Ada Csaba |
jpg | ldaplookupsettings1.jpg | 66.1 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |
png | mapping1.png | 25.1 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |
png | roles1.png | 271.1 kB | 3 | 05-Dec-2023 05:32 | Ada Csaba |
png | roles2.png | 6.2 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |
png | trblshoot1.png | 144.8 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |
png | trblshoot2.png | 113.0 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |
png | trblshoot3.png | 230.8 kB | 1 | 05-Dec-2023 05:32 | Ada Csaba |

This page (revision-75) was last changed on 19-Apr-2024 03:32 by Ben Spink

This page was created on 05-Dec-2023 05:32 by Ben Spink


Difference between version and

At line 5 changed one line
!!!1. Connectivity and user lookup
!!!1. Connectivity settings
At line 9 changed one line
!LDAP server URL, fully qualified user name and password of an LDAP account used for queries:
LDAP server URL, fully qualified user name and password of an LDAP account used for queries.
At line 12 added one line
At line 13 removed one line
Multiple server URLs supported, for high availability, the plugin will round robin between these.
At line 15 added 2 lines
Multiple server URLs supported, for high availability, the plugin will round robin between these, need to enter those as comma separated list.
At line 24 added one line
!!!2. LDAP user lookup
At line 30 changed one line
!Lookup parameters:
[{Image src='ldaplookupsettings1.jpg' width='..' height='..' align='left' style='..' class='..' }]
\\
;On login, make two attempts using username, and fully qualified username:try to look up the user by both it's FQDN and it's plain user name. This allows to log in by plain username (sAMAccountName) even if the __Search Filter__ is set to userPrincipalName
;Relay LDAP error message to user logging in:in case of access denied, show the LDAP error in the Webinterface or client application along with our standard error message
;Prefer simple username on login attempt:prioritize user lookup by it's sAMAcountName if the __Search Filter__ is set to anything else. With this flag set, on failure we'll make an attempt with simple username appended with the lookup admin user's domain suffix, v10 specific.
;Notify Locked Account:If an account becomes disabled or locked, this option triggers sending an email to the LDAP User's email address.
A special email template must be set up for this with the exact name of "LDAP_Locked_Account" on Preferences -> Email Templates page.
The "Email address cache" option had been removed from the GUI, a hidden setting now, default 30 minutes. This option prevents the server of sending multiple emails.
CrushFTP v10 can discern between LDAP error code 49 subtypes, the above method will provide meaningful feedback for subcode 52e, 773 and 775. The {user_ldap_last_error} server variable
can be used to reveal these in the notification email body.
;Allow reverse role lookup:validate role membership by checking the user's memberOf attribute against the roles list
;Allow forward role lookup:validate role membership by checking all roles' member attribute for the user DN
One of the role lookup methods is mandatory for role based lookup to work.
;Validate this plugin before calling other plugins:in case multiple integration plugins are linked together, call the LDAP plugin first ( for example in case of RADIUS & LDAP )
\\
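Review bot: the "Relay LDAP error message to user logging in" definition should spell out what it exposes: once enabled, whoever reaches the login prompt is told why the LDAP bind was refused, and since the same block says v10 distinguishes error 49 subcodes 52e, 773 and 775, that amounts to telling an unauthenticated caller the state of the account rather than a uniform "access denied". Suggest adding a sentence recommending the option stay off on internet-facing servers and that {user_ldap_last_error} be used in the locked-account notification email instead, which the text already supports. Also "it's FQDN and it's plain user name" and "it's sAMAcountName" should read "its ... its" and "sAMAccountName".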
At line 32 changed 4 lines
Roles allow filtering on LDAP group membership. Each role has two options, a role filter and an optional role template field. Each role filter needs to be set a full LDAP path to a security group as of the user object's memberOf attribute value.
[attachments|roles1.png]
A role template is a local CrushFTP user account for parenting group membership based inheritance. In case such a role template is assigned, all LDAP users member of this group will inherit settings from this account, including it's __VFS__ configuration; this can be used to grant per group based common working directories or local admin rights for example.
!!!2. Home folder access
Roles allow filtering on LDAP group membership. Each role has two options, a role filter and an optional role template field. Each role filter needs to be set a full LDAP path to a security group as of the user object's memberOf attribute value.\\
\\
__IMPORTANT:__ in case an LDAP user is member of multiple Roles, inherited settings will follow the hierarchy of the Roles order, topmost item has the least prevalence, while lowmost one in the list, the highest. This means
the same setting that is configured on multiple Role Template accounts will be inherited from the last Role in the list. Exception being the per-role VFS directories inherited, these cumulate.\\
\\
[attachments|roles1.png]\\
\\
A role template is a local CrushFTP user account for parenting group membership based inheritance. In case such a role template is assigned, all LDAP users member of this group will inherit settings from this account, including it's __VFS__ configuration; this can be used to grant per group based common working directories or local admin rights for example.
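Review bot: the new __IMPORTANT:__ paragraph states the precedence rule ("inherited from the last Role in the list") but the paragraph after it says a role template can confer "local admin rights"; the doc should say explicitly that such privilege settings follow the same last-role-wins rule, because a user who is a member of several groups then gains or loses admin rights purely by where the roles sit in the list, and an administrator reordering the list for an unrelated reason would not expect that. Suggest one sentence along the lines of "This includes administrative flags: keep roles granting admin rights at the bottom of the list or in their own role." Minor: "lowmost" should be "lowest" and "it's __VFS__ configuration" should read "its".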
At line 37 removed one line
Most important, as the user will be denied login in case of an invalid home directory configuration.
At line 60 added 8 lines
A master template can also be designated , with instance wide scope
[attachments|roles2.png]
!!!3. Home folder access
__IMPORTANT:__ the user will be denied login in case of an invalid home directory configuration or (local) home directory path not accessible.
\\
At line 40 changed one line
With this option if is enabled, the plugin will match the logging in user name against the local user database, in case of a successful match, the user is allowed to log in with it's LDAP password, and the user settings, including it's VFS configuration, is loaded from the local account. This method allows the most fine grained control over each LDAP integrated account, with the cost of being tedious, will need to create for each allowed user a matching account in User Manager (with blank or random password, since that will be ignored anyways).
With this option if is enabled, the plugin will match the logging in user name against the local user database, in case of a successful match, the user is allowed to log in with it's LDAP password, and the user settings, including it's VFS configuration, is loaded from the local account. This method allows the most fine grained control over each LDAP integrated account, with the cost of being tedious, will need to create for each allowed user a matching account in User Manager __manually__ (with blank or random password, since that will be ignored anyways).
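Review bot: "With this option if is enabled" should read "If this option is enabled", and both occurrences of "it's" should be "its". The bracketed advice "(with blank or random password, since that will be ignored anyways)" should drop the blank option: recommend a long random password for the manually created User Manager account, so that the local account carries no usable credential of its own independent of the LDAP password check. Suggested wording: "(set a long random password; it is never used, because the LDAP password is checked instead)".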
At line 72 added one line
At line 88 added one line
At line 63 changed one line
!!!3. Key mapping
!!!4. Key mapping
At line 65 changed one line
In this case, an otherwise redundant LDAP field, __description__ was used to store the user public key path (or the key file content).
In this case, an otherwise redundant LDAP field, __description__ was used to store the user public key path (or the key file content).\\
__IMPORTANT:__ LDAP user email address is automatically mapped behind the scenes. This works with most LDAP implementations, we do an implicit mapping of the LDAP user's __mail__attribute value to our specific __user_email__ user attribute. Need only to map manually in case of some non-standard LDAP implementations\\
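Review bot: "__mail__attribute" has no space before "attribute", so the closing bold markup runs into the word and will not render as intended; write "__mail__ attribute". The final sentence "Need only to map manually in case of some non-standard LDAP implementations" would read better as "You only need to map it manually for non-standard LDAP implementations."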
At line 114 added 7 lines
\\
----
!!!AutoMap
LDAP for enterprise customers also supports "automap" feature for the groups. You configure a single role with the name "automap", and the groups that are found from the memberOf attribute (which must be in full DN notation). Then all groups the user is a member of are searched for in the User Manager to find a matching usermanager and they are assigned to them.
----
!!!MFA
See [CrushLDAPGroupMFA] for info on how to make CrushFTP v11 do MFA for LDAP.
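Review bot: the AutoMap sentence "searched for in the User Manager to find a matching usermanager and they are assigned to them" does not say what is matched against what; suggest stating whether the User Manager account name must equal the group's full DN (the text says memberOf values "must be in full DN notation") or only its CN, what happens when no account matches a group (ignored, or login denied), and whether an ordinary local user account whose name happens to equal a group name would be picked up as that group's template, since that decides whether a naming convention for automap accounts is needed. "matching usermanager" should also read "matching User Manager account".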
Version | Date Modified | Size | Author
75 | 19-Apr-2024 03:32 | 9.676 kB | Ben Spink
74 | 09-Apr-2024 14:39 | 9.583 kB | Ada Csaba
73 | 09-Apr-2024 14:38 | 9.571 kB | Ada Csaba
72 | 05-Dec-2023 05:32 | 9.15 kB | Ada Csaba
71 | 05-Dec-2023 05:32 | 9.048 kB | Ben Spink
70 | 05-Dec-2023 05:32 | 9.03 kB | Ben Spink
69 | 05-Dec-2023 05:32 | 8.662 kB | Ada Csaba
68 | 05-Dec-2023 05:32 | 8.667 kB | Ada Csaba
67 | 05-Dec-2023 05:32 | 8.525 kB | Ada Csaba
66 | 05-Dec-2023 05:32 | 8.485 kB | Ada Csaba
65 | 05-Dec-2023 05:32 | 8.479 kB | Ada Csaba
64 | 05-Dec-2023 05:32 | 8.159 kB | Ada Csaba
63 | 05-Dec-2023 05:32 | 8.074 kB | Ada Csaba
62 | 05-Dec-2023 05:32 | 8.216 kB | Ada Csaba
61 | 05-Dec-2023 05:32 | 8.231 kB | Ada Csaba