
In this mechanism, a user account is authenticated against an external LDAP server.

Accounts with this type of authentication are also known as external accounts.

By default, LDAP communications between client and server applications are not encrypted.

  • This means that it could be possible to use a network monitoring device or software to view the communications traveling between LDAP client and server computers.
  • This is especially problematic when an LDAP simple bind is used because credentials (username and password) are passed over the network unencrypted. This could quickly lead to the compromise of credentials.

Therefore, it is recommended that you enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

  • LDAP over SSL/TLS is also known as LDAPS.
  • Some applications authenticate with Active Directory Domain Services (AD DS) through simple BIND. If simple BIND is necessary, using SSL/TLS to encrypt the authentication session is strongly recommended.
  • Use of proxy binding or password change over LDAP requires LDAPS (e.g. Bind to an AD LDS Instance Through a Proxy Object).
  • Some applications that integrate with LDAP servers (such as Active Directory or Active Directory Domain Controllers) require encrypted communications.


Prerequisites

  1. The LDAP service must be accessible from FileCloud (IP and Port must be accessible).

  2. LDAP must support Simple Authentication Method (Anonymous or Name/Password Authentication Mechanism of Simple Bind).

  3. LDAP users must have an email attribute.

  4. The FileCloud version must be 4.0 or higher.


  • If LDAP Authentication is enabled, then Automatic User creation cannot be enabled (i.e., all user creation must be done on the LDAP server).
  • An LDAP user counts towards the FileCloud license only after the user account logs into FileCloud.


Enable LDAP Authentication

To enable LDAP Authentication in FileCloud:

  1. Log into the FileCloud Admin Portal.

  2. In the left navigation panel, click Settings.

  3. In the right panel, from the list of tabs, click Authentication.

  4. Under Authentication Settings, in Authentication Type select LDAP.

  5. In LDAP Settings, enter the required information, and then click Save.





 Read a description of the LDAP Settings

Once you have selected LDAP as your method of authentication, you must provide some additional information. Table 1 explains the required fields.

Table 1. LDAP Required Settings

LDAP Host (REQUIRED FIELD)
  Description: The hostname or IP address where the LDAP server is running.
  Example: mycompany.com

LDAP Port (REQUIRED FIELD)
  Description: The port used to connect to the LDAP server (typically 389).
  Example: 389

LDAP Account Name (REQUIRED FIELD)
  Description: A valid LDAP login account used to perform queries.
  Example: <username>

LDAP Account Password (REQUIRED FIELD)
  Description: Password for the LDAP Account Name.
  Example: <password>

LDAP User DN Template (REQUIRED FIELD)
  Description: The LDAP Distinguished Name (DN) template. Every entry in the directory has a DN that uniquely identifies it. This is usually a combination of CN, OU and DC; refer to your specific LDAP settings to uniquely identify a user. Use the token ^NAME^ in place of the user name. To use multiple OUs, set this field to ^USER_USER_FULL_DN^.
  Example: cn=^NAME^,ou=someorg,dc=company,dc=com
  Multiple OU mode: ^USER_USER_FULL_DN^

LDAP Search DN (REQUIRED FIELD)
  Description: The search DN (specifies the set of resources to search for a user). If there is an OU encompassing all users, the search DN points to that OU.
  Example: if all users are under the employees OU, the search DN would be ou=employees,dc=company,dc=com

LDAP User Filter Template (REQUIRED FIELD)
  Description: The filter used to identify a user entry record from the search results.
  Example: if the object class is inetOrgPerson, use (&(objectClass=inetOrgPerson)(cn=^NAME^))

Mail Attribute (REQUIRED FIELD)
  Description: In the FileCloud environment, every user requires an email ID. Specify the attribute name used in the LDAP user record for the email ID.
  Example: username_email_ID


NOTE: To use FileCloud with Zimbra, use the following strings:

  User DN Template:
  uid=^NAME^,ou=someou,dc=company,dc=com

  LDAP Search DN:
  ou=someou,dc=company,dc=com

  LDAP User Filter Template:
  (&(objectClass=zimbraAccount)(uid=^NAME^))


NOTE: To use FileCloud with JumpCloud, use the following strings:

  User DN Template:
  uid=^NAME^,ou=Users,o=xxxxxxxxxxxxxxxxxb42f7988db,dc=jumpcloud,dc=com

  LDAP Search DN:
  ou=users,o=xxxxxxxxxxxxxxxxxb42f7988db,dc=jumpcloud,dc=com

  LDAP User Filter Template:
  (&(objectClass=inetOrgPerson)(uid=^NAME^))
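As an added example (not FileCloud's own code), the following shows how the ^NAME^ and ^USER_USER_FULL_DN^ tokens from Table 1 and the Zimbra note expand into a bind DN and a search filter. It also escapes the supplied login name per RFC 4515 (filters) and RFC 4514 (DNs) so that a name containing filter or DN metacharacters cannot change the query; whether FileCloud itself escapes is not stated on this page, and the helper names, the "mail" attribute and the sample user entries are assumptions.

```python
# Constructed FileCloud-style settings using the example values from this page
# (not a real directory; "mail" as the Mail Attribute is an assumption)
TABLE1_SETTINGS = {
    "user_dn_template": "cn=^NAME^,ou=someorg,dc=company,dc=com",
    "search_dn": "ou=employees,dc=company,dc=com",
    "user_filter_template": "(&(objectClass=inetOrgPerson)(cn=^NAME^))",
    "mail_attribute": "mail",
}
ZIMBRA_SETTINGS = {
    "user_dn_template": "uid=^NAME^,ou=someou,dc=company,dc=com",
    "search_dn": "ou=someou,dc=company,dc=com",
    "user_filter_template": "(&(objectClass=zimbraAccount)(uid=^NAME^))",
    "mail_attribute": "mail",
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: neutralise *, (, ), backslash and NUL inside a filter value."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 escaping for an attribute value placed inside a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;=' else c for c in value)
    if out[:1] in ("#", " "):      # a leading '#' or space must be escaped
        out = "\\" + out
    if out.endswith(" "):          # a trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def build_user_filter(settings: dict, username: str) -> str:
    """Expand ^NAME^ in the LDAP User Filter Template with the escaped user name."""
    return settings["user_filter_template"].replace("^NAME^", escape_filter_value(username))


def resolve_bind_dn(settings: dict, username: str, found_dn: str = None) -> str:
    """Expand the LDAP User DN Template. In multiple-OU mode the template is the
    literal ^USER_USER_FULL_DN^ token and the DN returned by the search is used."""
    template = settings["user_dn_template"]
    if template == "^USER_USER_FULL_DN^":
        if found_dn is None:
            raise ValueError("multiple OU mode needs the DN found under the Search DN")
        return found_dn
    return template.replace("^NAME^", escape_dn_value(username))


def user_email(settings: dict, entry: dict) -> str:
    """Read the Mail Attribute from a user entry; FileCloud requires one for every user."""
    value = entry.get(settings["mail_attribute"])
    if not value:
        raise ValueError("LDAP user has no %s attribute" % settings["mail_attribute"])
    return value
```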



 Use LDAP with TLS

If you are using an LDAP connection with TLS, then you must configure the LDAP fields using the following information:

LDAP Host (REQUIRED FIELD)
  Description: The hostname or IP address where the LDAP server is running.
  TLS Example: ldaps://<your_server_hostname>

LDAP Port (REQUIRED FIELD)
  Description: The port used to connect to the LDAP server (typically 389).
  TLS Example: 389

LDAP Account Name (REQUIRED FIELD)
  Description: A valid LDAP login account used to perform queries.
  TLS Example: <username>

LDAP Account Password (REQUIRED FIELD)
  Description: Password for the LDAP Account Name.
  TLS Example: <password>

LDAP User DN Template (REQUIRED FIELD)
  Description: The LDAP Distinguished Name (DN) template. Every entry in the directory has a DN that uniquely identifies it. This is usually a combination of CN, OU and DC; refer to your specific LDAP settings to uniquely identify a user. Use the token ^NAME^ in place of the user name, for example cn=^NAME^,ou=someorg,dc=company,dc=com. To use multiple OUs, set this field to ^USER_USER_FULL_DN^.
  TLS Example: cn=<username>,ou=<abc>,dc=<company>,dc=com
  Multiple OU mode: ^USER_USER_FULL_DN^

LDAP Search DN (REQUIRED FIELD)
  Description: The search DN (specifies the set of resources to search for a user). If there is an OU encompassing all users, the search DN points to that OU. For example, if all users are under the employees OU, the search DN would be ou=employees,dc=company,dc=com.
  TLS Example: ou=company-users,dc=company,dc=com

LDAP User Filter Template (REQUIRED FIELD)
  Description: The filter used to identify a user entry record from the search results. For example, if the object class is inetOrgPerson, use (&(objectClass=inetOrgPerson)(cn=^NAME^)).
  TLS Example: (&(objectClass=inetOrgPerson)(cn=^NAME^))

Mail Attribute (REQUIRED FIELD)
  Description: In the FileCloud environment, every user requires an email ID. Specify the attribute name used in the LDAP user record for the email ID.
  TLS Example: username_email_ID

If you have problems connecting after saving the TLS settings and non-SSL connections work OK, you might have to set an additional parameter called TLS_REQCERT. Setting TLS_REQCERT to never makes the OpenLDAP client library skip verification of the LDAP server's certificate, so a connection that only works with this setting usually means the client does not trust the CA that issued the server certificate.

To set the TLS_REQCERT parameter:

  1. Create an ldap.conf file in the location for the OS you are using:

    Windows: c:\openldap\sysconf\ldap.conf

    Ubuntu Linux: /etc/ldap/ldap.conf

    CentOS Linux: /etc/openldap/ldap.conf

  2. Open the ldap.conf file for editing.

  3. Add the following lines:

    #
    # LDAP Defaults
    #
    TLS_REQCERT never

  4. Restart the Apache server.
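As an added example (not part of the FileCloud documentation), this small audit parses an ldap.conf like the one written in step 3 and reports whether the client will still verify the LDAP server's certificate, contrasting the troubleshooting setting with a hardened file that pins the issuing CA instead. The CA file path and the contents of both files are constructed placeholders; the option semantics (TLS_REQCERT defaulting to demand, TLS_CACERT / TLS_CACERTDIR naming the trusted CA) are those of OpenLDAP's ldap.conf.

```python
# Constructed ldap.conf contents: the troubleshooting setting from step 3 above,
# and a hardened alternative that trusts a named CA instead (CA path is a placeholder)
TROUBLESHOOTING_CONF = """\
#
# LDAP Defaults
#
TLS_REQCERT never
"""

HARDENED_CONF = """\
# LDAP Defaults
TLS_CACERT /path/to/ldap-server-ca.pem
TLS_REQCERT demand
"""


def parse_ldap_conf(text: str) -> dict:
    """Parse ldap.conf into {OPTION: value}. Blank lines and '#' comments are
    skipped; option names are case-insensitive, as in OpenLDAP."""
    options = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        options[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return options


def audit_tls(options: dict) -> dict:
    """Classify the client's certificate checking. OpenLDAP's TLS_REQCERT defaults
    to 'demand'; only 'demand' or 'hard' reject a server whose certificate fails
    to verify, while 'never', 'allow' and 'try' let the connection proceed."""
    reqcert = options.get("TLS_REQCERT", "demand").lower()
    verifies = reqcert in ("demand", "hard")
    ca_configured = "TLS_CACERT" in options or "TLS_CACERTDIR" in options
    if not verifies:
        status = "fail"   # server identity is not checked
    elif ca_configured:
        status = "ok"     # verified against an explicitly trusted CA
    else:
        status = "warn"   # verified, but only against the library's default CA locations
    return {"tls_reqcert": reqcert, "verifies_server_cert": verifies,
            "ca_configured": ca_configured, "status": status}
```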




Authenticate to Multiple LDAP Servers


