We do seem to be running into a difficulty, if not an outright bug...guess it depends on how the functionality was envisioned. We use CerberusFTP with Active Directory and all of our users are logging into Cerberus via their AD accounts. We have set up the "Global Home\%USER%" options and have a login constraint group to limit access from ALL domain users. We do NOT have a Default Group set as we have different tiers of sizes for file upload and permissions that we want assigned explicitly to each configured user.
In the AD User Customization screen, we select a user from the "Active Directory User or Group" list and then assign a group from the "Cerberus Groups" list. When the user logs in with their samAccountName they get the mapped group permissions and limits applied to their account. However, if the user logs in with their UPN they do not get the group mapping and a secondary set of folders is created.
NOTE: From reading some of the other articles I understand that if we used the checkbox "Use User Principal Name (UPN)..." that either login method would create a USER folder as "email@example.com", solving the issue of multiple folder structures ("C:\username" for samAccountName login and "C:\firstname.lastname@example.org" for UPN/e-mail login).
- AD login, variable mapping -- viewtopic.php?f=2&t=3469
- Different folder structure depending on login method (AD users) -- viewtopic.php?f=4&t=3447
For the time being we've found we can work around this issue by manually creating (because they DO NOT show up this way in the GUI) an "Ad User Customization" for the UPN name that maps them to a group we've explicitly created in CerberusFTP with "Is Disabled" set to TRUE. This forces our users to use their samAccountName to get access. To be clear, this means that for every user we need to create one mapping using the user accounts populated in the list and the other must be created by manually adding the "@domain.com" to a second group mapping resulting in 2 entries per user.
I was hoping that by setting an AD user mapping that that mapping would apply to the AD user no matter what login method they used. Since the samAccountName and UPN should both reference the same user, you should not have to create two explicit mappings. It should not treat domain user "jsmith" as different from "email@example.com" for permissions.
We do not want to use the UPN naming convention for our users for the sake of consistency across our platforms. It would be neat if you had the reverse of the UPN checkbox as the previous user suggested above, forcing the samAccountName for the folders instead. However, that would not solve the problem of groups not being applied consistently to the user. Obviously we've found a workaround for that by creating a second entry with the UPN name that maps to a "disabled" group. Unfortunately, this just blocks the user from logging in. Best case scenario would be that whether they use their UPN or samAccountName, they will be dumped into the same folder with the same permissions with only 1 mapping.
Maybe if the USER folder creation could have the variables:
- %UPN% to create the folder with "firstname.lastname@example.org"
- %samAccountName% to create the folder with "username"
- %USER% to create the folder with whatever login name is used for the session
I'm hoping that there's some functionality I'm missing or a better workaround than creating multiple mappings per user. If not, maybe making it so that a user mapping applies to all the various descriptors (UPN, samAccount, et al.) for that user would be possible?
Thanks for your attention!
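The mismatch described in this post, as an added example that is not part of the original post and is not Cerberus FTP Server code: a group mapping keyed on the typed login name next to one keyed on the resolved account. The directory entries, SIDs, `NETBIOS_DOMAIN`, `HOME_ROOT`, the function names and the deny-when-unmapped policy are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Account:
    sid: str   # stable identifier that survives renames (constructed values)
    sam: str   # samAccountName
    upn: str   # userPrincipalName

# Constructed stand-in for the directory; a real lookup would query AD.
DIRECTORY = [
    Account("S-1-5-21-0-0-0-1104", "jsmith", "john.smith@example.com"),
    Account("S-1-5-21-0-0-0-1105", "adoe", "alice.doe@example.com"),
]
NETBIOS_DOMAIN = "EXAMPLE"        # hypothetical
HOME_ROOT = "C:\\ftproot"         # hypothetical

GROUP_BY_LOGIN = {"jsmith": "Tier2-Upload"}             # keyed on the typed name
GROUP_BY_SID = {"S-1-5-21-0-0-0-1104": "Tier2-Upload"}  # keyed on the account

def resolve(login):
    """Map 'sam', 'DOMAIN\\sam' or a UPN to exactly one Account, else None."""
    name = login.strip().lower()
    if "\\" in name:
        domain, _, name = name.partition("\\")
        if domain != NETBIOS_DOMAIN.lower():
            return None
    field = "upn" if "@" in name else "sam"
    hits = [a for a in DIRECTORY if getattr(a, field).lower() == name]
    return hits[0] if len(hits) == 1 else None

def session_by_login(login):
    """Behaviour reported in the post: group and folder follow the typed name."""
    return GROUP_BY_LOGIN.get(login), HOME_ROOT + "\\" + login

def session_by_account(login):
    """Group and folder follow the resolved account, whatever name was typed."""
    acct = resolve(login)
    if acct is None or acct.sid not in GROUP_BY_SID:
        return None  # unknown, ambiguous or unmapped: deny (assumed policy)
    return GROUP_BY_SID[acct.sid], HOME_ROOT + "\\" + acct.sam
```

Keying on the resolved account means one mapping covers every login form, and an account with no explicit mapping is refused instead of receiving an ungrouped session and a second folder.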