This plugin integrates CrushFTP with your LDAP server, such as Microsoft Active Directory or OpenLDAP.
The settings can be grouped into three major sections, based on functionality:
Connectivity and user lookup#
LDAP server URL, fully qualified user name and password of an LDAP account used for queries.#
The account needs read-only access to the full LDAP tree. The plugin supports referral chasing; in the case of multiple forests with a trust relationship between them, enable this by setting the Follow referrals option. To use a secure LDAP (ldaps://) URL, either set the Accept any SSL certificate option or import the LDAP server's public certificate into the Java trust store, cacerts. Accepting any certificate disables validation of the server's identity, so importing the certificate is the safer choice.
Search base location.#
This field needs to point to the root of the LDAP tree or to the full path of a container OU. LDAP objects outside this path will not be visible to the plugin.
Search filter.#
This field needs to contain a unique LDAP attribute name, such as sAMAccountName for a plain username or userPrincipalName for the user FQDN, as the allowed username format. The plugin can also automatically round-robin between these if the On login, make two attempts... option is enabled. This field also accepts more complex LDAP filter expressions; for example, to match enabled user accounts only:
(&(objectClass=user)(objectCategory=person)(sAMAccountname=?)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Home folder access#
This is the most important section, as the user will be denied login if the home directory configuration is invalid.
LDAP used for authentication only: if this option is enabled, the plugin matches the login user name against the local user database. On a successful match, the user is allowed to log in with their LDAP password, and the user settings, including the VFS configuration, are loaded from the local account. This method gives the most fine-grained control over each LDAP-integrated account, at the cost of being tedious: a matching account must be created in the User Manager for each allowed user (with a blank or random password, since it is ignored anyway).
LDAP or local home directory: this method is used if the above option is not enabled. The plugin will attempt to grant the user folder access to a path loaded from an LDAP attribute value, or assign a local folder path. In this case, local does not necessarily mean a folder on the CrushFTP server host itself; network share access via UNC paths or any of the supported remote networking protocol URLs (FTP, SMB, etc.) is also supported.
HomeDirectory field: if this contains a valid LDAP attribute name, the plugin will attempt to grant access to the path contained in that attribute's value. For Microsoft Active Directory, this field should be set to homeDirectory; for Linux SLAPD, to unixHomeDirectory; or to any arbitrary LDAP attribute containing a single folder path or a comma-separated list of paths. To disable it, set this field to NA (or any arbitrary value not matching an LDAP attribute name).
Use local folder if LDAP's HomeDirectory not found: if this option is enabled and loading a valid path as described above failed, the plugin will attempt to grant local folder access within a root folder pointed to by the Path field value. Set the Append username to path and Create folder with username options to create individual, username-based home directories.
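As an added example (not CrushFTP's own code), the following Python models two behaviours described on this page: filling the search filter's placeholder with a filter-escaped login name, and the home-folder resolution order (LDAP attribute first, local Path second, login denied when neither yields a path). It assumes that ? in the filter stands for the login name; the function names, the sample directory entries and the local root path are constructed for the example.

```python
import re

# Filter copied from the page; "?" is taken here to be the placeholder the
# plugin fills with the login name (an assumption about plugin behaviour).
ENABLED_USERS_FILTER = (
    "(&(objectClass=user)(objectCategory=person)(sAMAccountname=?)"
    "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
)
ACCOUNTDISABLE = 0x2  # the userAccountControl bit the filter's bitwise-AND rule tests


def escape_filter_value(value):
    """RFC 4515 escaping, so a login name cannot change the filter's structure."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)


def build_filter(template, login_name):
    """Substitute the ? placeholder with the escaped login name."""
    return template.replace("?", escape_filter_value(login_name))


def is_enabled(entry):
    """The same test the (!(UserAccountControl:...:=2)) clause performs server-side."""
    return not (int(entry.get("userAccountControl", "0")) & ACCOUNTDISABLE)


def resolve_home(entry, home_attr, local_root, append_username, username):
    """Home paths in the page's order: LDAP attribute first, local root second.
    An empty list means no valid home folder, i.e. the login would be denied."""
    if home_attr != "NA" and entry.get(home_attr):
        # the attribute may hold one path or a comma-separated list of paths
        return [p.strip() for p in entry[home_attr].split(",") if p.strip()]
    if local_root:
        root = local_root.rstrip("/") + "/"
        return [root + username + "/" if append_username else root]
    return []


# Constructed sample entries, not real directory data.
SAMPLE_ENTRIES = {
    "alice": {"sAMAccountName": "alice", "userAccountControl": "512",
              "homeDirectory": "\\\\fs01\\home\\alice,\\\\fs01\\shared"},
    "bob": {"sAMAccountName": "bob", "userAccountControl": "514"},  # disabled
    "carol": {"sAMAccountName": "carol", "userAccountControl": "512"},
}


def lookup(login_name):
    """Offline stand-in for the directory search: returns enabled matches only."""
    entry = SAMPLE_ENTRIES.get(login_name)
    return entry if entry and is_enabled(entry) else None
```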