LDAP Authentication
Cerberus FTP Server Professional is able to authenticate users against LDAP directory services. The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP.
Administrators can easily integrate Cerberus and LDAP or LDAPS (LDAP over SSL). All you need are a few parameters describing the LDAP service.
What do I need to use LDAP Authentication?
An LDAP service and some information about the server hosting the LDAP service:
| Parameter | Description |
| Server | The FQDN or IP address of the LDAP server to search. |
| Port | The network port of the LDAP server. |
| Enable SSL | This checkbox determines whether the connection to the LDAP server is encrypted. The LDAP server must support encryption for this to work. Port 389 is the default port for unencrypted LDAP and port 636 is the default LDAPS port. Leave this unchecked only on a trusted network: with a plain LDAP connection the bind account's password and every FTP user's password are sent to the directory in cleartext during the simple bind. |
| Base DN | The distinguished name to use as the search base. |
| User DN | The distinguished name (DN) of an account with read privileges on the LDAP server; Cerberus binds as this account to search for users. |
| Password | The password for the User DN account. This password is encrypted when saved. |
| User DN attribute | The name of the attribute whose value is matched against the FTP username, typically uid on generic LDAP servers and sAMAccountName on Active Directory. |
Other LDAP Dialog Options
The LDAP Accounts list box that enumerates LDAP accounts is only meant as an aid in determining if your LDAP connection is configured correctly. If you can get a successful listing of user accounts then those accounts should be accessible to Cerberus during authentication. Some additional display options are detailed below:
| Option | Description |
| Show FQDN | Display the fully qualified distinguished name of each enumerated object. Note: This setting has no effect on actual LDAP authentication. |
| Show All Users | If this option is checked, every account will be retrieved and enumerated in the LDAP Accounts list box. This can take a very long time if there are a large number of users. Note: This setting has no effect on actual LDAP authentication. |
Setting up Active Directory Authentication using LDAP
The following steps detail the procedure for enabling LDAP Authentication to verify credentials against Active Directory. The steps are similar for connecting to other LDAP servers, such as OpenLDAP or ApacheDS.
- Change the LDAP Server and Port attributes in the User Manager, LDAP Users tab to the host name and port number of the Active Directory domain controller:
  - e.g., Server: hostname.domain.com or an IP address: 192.168.0.100
  - Port: 389 is the default for unencrypted LDAP connections. Port 636 is the default for LDAPS encrypted connections.
- Change the Base DN to the proper base for the Active Directory.
Specifying only the domain suffix (e.g., DC=corp,DC=cerberusllc,DC=com) will not work with the One Level search scope recommended below, because user objects sit at least one level beneath it. For Active Directory the base is usually the Users container, i.e. CN=Users plus the domain suffix. e.g.: for domain corp.cerberusllc.com:
CN=Users,DC=corp,DC=cerberusllc,DC=com
or for local domain corp.cerberusllc.local:
CN=Users,DC=corp,DC=cerberusllc,DC=local
If your FTP users live in an organizational unit rather than the Users container, use that OU's DN (e.g., OU=FTP Users,DC=corp,DC=cerberusllc,DC=local) as the base instead.
- Change the DN for the User DN bind attribute to a user with the right to read the Active Directory.
Anonymous access to Active Directory is not allowed, so a bind account is needed. This is simply an Active Directory account with read access to the attribute the user will authenticate with. An example might be cn=administrator,CN=Users,DC=corp,DC=cerberusllc,DC=local, but in practice use a dedicated, unprivileged service account created for this purpose: by default any authenticated domain user can read the attributes involved, and the bind account's password is stored on the FTP server, so it should never be an administrator. Enter the password for the user account. Note: This password is encrypted in memory and before being saved to disk.
- Change the User DN Attribute.
This is the attribute the LDAP module searches for in Active Directory and matches against the supplied FTP username. On many LDAP servers (OpenLDAP, ApacheDS) it is uid; if users log in with their Common Name, the value would be cn. Active Directory does not normally populate uid; its login name is sAMAccountName, the attribute most like uid, so for Active Directory specify sAMAccountName. If users will log in with the user@domain form instead, userPrincipalName holds that value.
- Change the Search Filter.
This string is an LDAP search filter used to locate and filter the account in Active Directory. It can be used to make sure only certain types of objects are checked for authentication.
Search Filter Examples
(objectClass=User)
The above filter will include only entries that have the object class user. Note that in Active Directory computer objects are also of class user; to restrict matches to people, use (&(objectCategory=person)(objectClass=user)).
(memberof:1.2.840.113556.1.4.1941:=CN=FTPUsers,CN=Users,DC=corp,DC=cerberusllc,DC=local)
The above filter will include all users that are members of the group FTPUsers. The OID 1.2.840.113556.1.4.1941 is the Active Directory LDAP_MATCHING_RULE_IN_CHAIN rule, so membership through nested groups counts as well; a plain (memberOf=CN=FTPUsers,...) clause would match only direct members.
Do not add the User DN Attribute match to this filter yourself. Cerberus automatically appends an equality clause that selects the correct account based on the User DN Attribute.
For example, if the User DN Attribute is sAMAccountName, Cerberus will automatically create a filter like
(&(objectClass=User)(sAMAccountName=ftpUser))
where ftpUser is the name of the user that attempted login.
- Set the Search Scope.
This setting controls how deep beneath the Base DN to search for users: a one-level search examines only the immediate children of the Base DN, while a subtree search examines every entry below it. Combined with the Base DN and Search Filter it determines which users are matched for authentication.
One Level is usually the best setting for typical Active Directory configurations. Use a subtree scope only if the user objects are spread across OUs beneath the base, and keep the Search Filter tight in that case so that the search cannot match more than one entry for a given username.
- Verify that the settings are correct by clicking the Connect button. You should see the user DNs from Active Directory that are able to log in to Cerberus FTP Server. Note: Unless "Show FQDN" is checked, only the value of the User DN Attribute will be displayed in the LDAP user list. It is this value that will be compared against the FTP username to determine an account match.
- Select a Cerberus FTP Group to represent the virtual directories and permissions for LDAP users. Note that the "isAnonymous" setting on the group is ignored. The group cannot be anonymous.
Cerberus FTP Server is now configured for authentication against an LDAP server (Active Directory, in this case).
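The following added example (it is not Cerberus FTP Server code) ties the Search Filter, Search Scope and Connect steps above together. It composes the effective filter exactly as the page describes, escapes the FTP username per RFC 4515 before it goes into that filter, and prints the OpenLDAP ldapsearch and ldapwhoami command lines that perform the same search-then-bind sequence by hand, which is a useful check from a shell when the Connect button does not behave as expected. The host name, the svc-cerberus-ldap bind account, the user names and the hostile username are all constructed for illustration; whether the product itself escapes the username is not stated on the page.

```python
"""Reproduce the LDAP lookup Cerberus performs for an FTP login.

Added example, not Cerberus FTP Server code. The settings below mirror the
Active Directory walkthrough on this page; the host, bind account and user
names are constructed for illustration.
"""
from dataclasses import dataclass
import shlex

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value, otherwise a username can change what the filter matches.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for safe inclusion in an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def effective_filter(search_filter: str, user_dn_attribute: str, ftp_username: str) -> str:
    """Configured Search Filter AND-ed with a match on the User DN Attribute.

    Mirrors the composition described on the page; the escaping is this
    example's own (the page does not say how the product handles it).
    """
    if search_filter and not search_filter.startswith("("):
        search_filter = f"({search_filter})"
    match = f"({user_dn_attribute}={escape_filter_value(ftp_username)})"
    return f"(&{search_filter}{match})" if search_filter else match


def naive_filter(search_filter: str, user_dn_attribute: str, ftp_username: str) -> str:
    """Same composition without escaping, kept only to show what goes wrong."""
    return f"(&{search_filter}({user_dn_attribute}={ftp_username}))"


@dataclass
class LdapSettings:
    """The fields of the LDAP Users tab as described on the page."""
    server: str
    port: int
    enable_ssl: bool
    base_dn: str
    user_dn: str            # bind (service) account DN
    user_dn_attribute: str  # e.g. sAMAccountName for Active Directory
    search_filter: str
    search_scope: str       # ldapsearch spelling: "base", "one" or "sub"

    @property
    def url(self) -> str:
        return f"{'ldaps' if self.enable_ssl else 'ldap'}://{self.server}:{self.port}"


def lookup_command(s: LdapSettings, ftp_username: str) -> list:
    """Step 1 (what the Connect button exercises): bind as the service
    account and search the base for the entry whose User DN Attribute
    equals the FTP username. -x selects a simple bind; -W prompts for the
    bind password so it never lands in shell history."""
    return ["ldapsearch", "-H", s.url, "-x", "-D", s.user_dn, "-W",
            "-b", s.base_dn, "-s", s.search_scope,
            effective_filter(s.search_filter, s.user_dn_attribute, ftp_username),
            "dn", s.user_dn_attribute]


def credential_check_command(s: LdapSettings, found_user_dn: str) -> list:
    """Step 2: bind as the DN that step 1 returned, using the FTP password.
    A successful bind is what proves the credentials; ldapwhoami prints the
    identity the directory bound you as."""
    return ["ldapwhoami", "-H", s.url, "-x", "-D", found_user_dn, "-W"]


AD_SETTINGS = LdapSettings(
    server="hostname.domain.com", port=636, enable_ssl=True,
    base_dn="CN=Users,DC=corp,DC=cerberusllc,DC=local",
    # Hypothetical dedicated read-only bind account (not an administrator).
    user_dn="CN=svc-cerberus-ldap,CN=Users,DC=corp,DC=cerberusllc,DC=local",
    user_dn_attribute="sAMAccountName",
    search_filter="(objectClass=User)",
    search_scope="one",
)

if __name__ == "__main__":
    print("effective filter:", effective_filter(AD_SETTINGS.search_filter, "sAMAccountName", "ftpUser"))
    # A constructed username containing filter metacharacters: escaped it stays
    # a literal (and matches nothing); unescaped it becomes a wildcard clause
    # that matches every user object under the base.
    hostile = "*)(objectClass=*"
    print("escaped:  ", effective_filter(AD_SETTINGS.search_filter, "sAMAccountName", hostile))
    print("unescaped:", naive_filter(AD_SETTINGS.search_filter, "sAMAccountName", hostile))
    print(shlex.join(lookup_command(AD_SETTINGS, "ftpUser")))
    print(shlex.join(credential_check_command(
        AD_SETTINGS, "CN=ftpUser,CN=Users,DC=corp,DC=cerberusllc,DC=local")))
```

Run the printed ldapsearch line from a workstation that can reach the domain controller; it should return exactly one DN for a real username. Running the ldapwhoami line with that DN and the user's own password is the same check the FTP server performs after the search, so if both succeed by hand but the FTP login fails, the problem is in the Base DN, scope or filter rather than in the credentials.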
LDAP User to Cerberus Group Mapping
If you wish to customize the directory and permission mappings for individual LDAP users then you can do so through the LDAP Directory Mapping tab. You can select individual LDAP accounts and map them to Cerberus group accounts. This mapping will override the default Cerberus Group and directory mapping specified for all LDAP users on the LDAP Users page.
Creating an LDAP User to Cerberus Group Mapping
To map an LDAP user to a Cerberus Group, first select the LDAP user (or simply type the name of the LDAP user in the edit box), then select a Cerberus Group. Press the Assign button and a mapping entry will be placed in the mapping list box to indicate that the LDAP user now has the same constraints and virtual directory mappings as the selected Cerberus Group.
Removing an LDAP mapping
To remove a mapping, simply select the mapped entry and press the Remove button.