At line 3 changed one line |
The settings can br grouped into three major sections, based on functionality: |
The settings can be grouped into three major sections, based on functionality: |
At line 5 changed one line |
!Connectivity and user lookup |
!!!1. Connectivity and user lookup |
At line 7 changed one line |
[attachments|Clipboard01.png] |
[attachments|ldapconn1.png] |
At line 9 changed one line |
__LDAP server URL, fully qualified user name and password__ of an LDAP account used for queries; the account needs read only access on the full LDAP tree. |
!LDAP server URL, fully qualified user name and password of an LDAP account used for queries: |
The account needs read only access on the full LDAP tree. |
At line 12 added one line |
|
At line 13 changed one line |
__Search base location__ needs to be pointed to the root of the LDAP tree or full path to some container OU. LDAP objects outside this path will not be visible to the plugin. |
Multiple server URLs supported, for high availability, the plugin will round robin between these. |
At line 15 changed one line |
__Search filter__ needs to be some unique LDAP attribute name, like __sAMAccountName__ for plain username or __userPrincipalName__ for the user FQDN as allowed username format. We can also automatically round robin between these if the __On login, make two attempts...__ option is enabled. This field also allows more complex LDAP filter expressions , an example for enabled user accounts only |
The plugin also allows multiple instances, this feature facilitates integration with different user domains or to have different configurations to catch a certain subset of users, etc. The query order is left to right, as the instances appear on the tab list. First successful hit allows login, we look for the user no further. |
|
[attachments|ldapconn3.png] |
|
Each plugin instance can restrict the allowed users to certain server ports or Sever Connection Groups |
|
[attachments|ldapconn2.png] |
|
!Search base location: |
This field needs to be pointed to the root of the LDAP tree or full path to some container OU. LDAP objects outside this path will not be visible to the plugin. |
|
!Search filter: |
This field needs to contain some unique LDAP attribute name, like __sAMAccountName__ for plain username or __userPrincipalName__ for the user FQDN as allowed username format. We can also automatically round robin between these if the __On login, make two attempts...__ option is enabled. This field also allows more complex LDAP filter expressions , an example for enabled user accounts only |
At line 20 changed one line |
!Home directory |
!Roles and inheritance |
Roles allow filtering on LDAP group membership. Each role has two options, a role filter and an optional role template field. Each role filter needs to be set a full LDAP path to a security group as of the user object's memberOf attribute value. |
At line 37 added 11 lines |
[attachments|roles1.png] |
|
A role template is a local CrushFTP user account for parenting group membership based inheritance. In case such a role template is assigned, all LDAP users member of this group will inherit settings from this account, including it's __VFS__ configuration; this can be used to grant per group based common working directories or local admin rights for example. |
|
|
A master template can also be designated , with instance wide scope |
|
[attachments|roles2.png] |
|
!!!2. Home folder access |
|
At line 24 changed one line |
__LDAP used for authentication only__, if this option is enabled, the plugin will match the logging in user name against the local user database, in case of a successful match, the user is allowed to log in with it's LDAP password, and the user settings, including it's VFS configuration, is loaded from the local account. This method allows the most fine grained control over each LDAP integrated account, with the cost of being tedious, will need to create for each allowed user a matching account in User Manager (with blank or random password, since that will be ignored anyways). |
!LDAP used for authentication only |
With this option if is enabled, the plugin will match the logging in user name against the local user database, in case of a successful match, the user is allowed to log in with it's LDAP password, and the user settings, including it's VFS configuration, is loaded from the local account. This method allows the most fine grained control over each LDAP integrated account, with the cost of being tedious, will need to create for each allowed user a matching account in User Manager __manually__ (with blank or random password, since that will be ignored anyways). |
At line 26 changed one line |
__LDAP or local home directory__ method is used if the above option is not enabled. The plugin will attempt to grant the user folder access to a path loaded from an LDAP attribute value or assign a local folder path. In this case __local__ doesn't necessarily means a local folder on the CrushFTP server host itself, we do support network share |
[attachments|homedir0.png] |
|
!LDAP home directory or local home directory |
This method is used if the above option is not enabled. The plugin will attempt to grant the user folder access to a path loaded from an LDAP attribute value or assign a local folder path. In this case __local__ doesn't necessarily means a local folder on the CrushFTP server host itself, we do support network share |
At line 29 changed 3 lines |
__HomeDirectory field__ , if this contains a valid LDAP attribute name, the plugin will attempt to grant access to the path contained by the attribute as it's value. In case of Microsoft Active DIrectory, this field should be set to __homeDirectory__, in case of Linux SLAPD, to __unixHomeDirectory__, etc. or any arbitrary LDAP attribute containing a single folder path or coma separated list of paths. To disable, set this field value to __NA__ (or any arbitrary value __not__ matching an LDAP attribute name). |
|
__Use local folder if LDAP's HomeDirectory not found__ if this option is enabled, and loading a valid path as per above, failed, the plugin will attempt to grant local folder |
!HomeDirectory field |
If this contains a valid LDAP attribute name, the plugin will attempt to grant access to the path contained by the attribute as it's value. In case of Microsoft Active DIrectory, this field should be set to __homeDirectory__, in case of Linux SLAPD, to __unixHomeDirectory__, etc. or any arbitrary LDAP attribute containing a single folder path or coma separated list of paths. To disable, set this field value to __NA__ (or any arbitrary value __not__ matching an LDAP attribute name). |
[attachments|homedir1.png] |
!Use local folder if LDAP's HomeDirectory not found |
In case this option is enabled, and loading a valid path as per above section config, failed, the plugin will attempt to grant local folder |
At line 66 added 39 lines |
A more advanced use case is to honor ACL permissions using an SMB:// URL and server variables to dynamically reference user credentials at login time |
{{{ |
SMB3://INTRANET{backslash}{username}:{password}@srv11.intranet.local/SHAREROOT/ |
}}} |
|
[attachments|homedir2.png] |
|
The __Create additional subfolders in home directory :__ section instructs the plugin to automatically create a pre defined set of subfolders below the user's home directory root. |
|
In stream PGP file Encryption and Sync can be configured using the __Advanced__ menu. |
!!!3. Key mapping |
This section allows mapping of LDAP attributes to local user parameters. Most common use case LDAP integration with SSH user public key based authentication. |
In this case, an otherwise redundant LDAP field, __description__ was used to store the user public key path (or the key file content). |
|
[attachments|mapping1.png]. |
|
!!!Troubleshooting |
|
There are separate test tools to validate connectivity and query account credentials |
|
[attachments|trblshoot1.png] |
|
user lookup and role based filtering |
|
[attachments|trblshoot2.png] |
|
and user login (without the need of the actual end user password, the test tool will fake a login based on user lookup and validate home folder access) |
|
[attachments|trblshoot3.png] |
|
Notify Locked Account: If an account becomes disabled or locked, this option triggers sending an email to the LDAP User's email address. |
A special email template must be set up for this with the exact name of "LDAP_Locked_Account" on Preferences -> Email Templates page. |
The "Email address cache" option prevents the server of sending multiple emails. |
|
[attachments|Notify_Locked_Account.png] |
|
!!!Followup |
Later versions of Crush v9 also discern between LDAP error code 49 subtypes, the above method will provide meaningful feedback for subcode 52e, 773 and 775. |
|