AD User Mappings Result In Inconsistent Security


Moderator: Serin

cquackenbush
Posts: 1
Joined: Tue Apr 18, 2017 1:36 pm

AD User Mappings Result In Inconsistent Security

Post by cquackenbush » Wed Jun 07, 2017 2:38 pm

First off, I want to say that we love your product! It's met nearly all of our needs for large file transfer with our Sales and Marketing teams. Excellent job!

We do seem to be running into a difficulty, if not an outright bug...guess it depends on how the functionality was envisioned. We use CerberusFTP with Active Directory and all of our users are logging into Cerberus via their AD accounts. We have set up the "Global Home\%USER%" options and have a login constraint group to limit access from ALL domain users. We do NOT have a Default Group set as we have different tiers of sizes for file upload and permissions that we want assigned explicitly to each configured user.

ISSUE:
In the AD User Customization screen, we select a user from the "Active Directory User or Group" list and then assign a group from the "Cerberus Groups" list. When the user logs in with their samAccountName they get the mapped group permissions and limits applied to their account. However, if the user logs in with their UPN they do not get the group mapping and a secondary set of folders are created.

NOTE: From reading some of the other articles I understand that if we used the checkbox "Use User Principal Name (UPN)..." that either login method would create a USER folder as "username@domain.com", solving the issue of multiple folder structures ("C:\username" for samAccountName login and "C:\username@domain.com" for UPN/e-mail login).

WORKAROUND:
For the time being we've found we can work around this issue by manually creating (because they DO NOT show up this way in the GUI) an "AD User Customization" for the UPN name that maps them to a group we've explicitly created in CerberusFTP with "Is Disabled" set to TRUE. This forces our users to use their samAccountName to get access. To be clear, this means that for every user we need to create one mapping using the user accounts populated in the list, and the other must be created by manually adding the "@domain.com" to a second group mapping, resulting in 2 entries per user.

EXPECTED BEHAVIOR:
I was hoping that by setting an AD user mapping, that mapping would apply to the AD user no matter what login method they used. Since the samAccountName and UPN should both reference the same user, you should not have to create two explicit mappings. It should not treat domain user "jsmith" as different from "jsmith@mycompany.com" for permissions.

We do not want to use the UPN naming convention for our users for the sake of consistency across our platforms. It would be neat if you had the reverse of the UPN checkbox as the previous user suggested above, forcing the samAccountName for the folders instead. However, that would not solve the problem of groups not being applied consistently to the user. Obviously we've found a workaround for that by creating a second entry with the UPN name that maps to a "disabled" group. Unfortunately, this just blocks the user from logging in. Best case scenario would be that whether they use their UPN or samAccountName, they will be dumped into the same folder with the same permissions with only 1 mapping.

Maybe if the USER folder creation could have the variables:
%UPN% to create the folder with "username@domain.com"
%samAccountName% to create the folder with "username"
%USER% to create the folder with whatever login name is used for the session

I'm hoping that there's some functionality I'm missing or a better workaround than creating multiple mappings per user. If not, maybe making it so that a user mapping applies to all the various descriptors (UPN, samAccountName, et al.) for that user would be possible?

Thanks for your attention!

Serin
Site Administrator
Posts: 1785
Joined: Sat Jan 01, 2005 6:57 pm
Location: United States

Re: AD User Mappings Result In Inconsistent Security

Post by Serin » Thu Jun 08, 2017 3:14 pm

Hello Christian,

The short answer is that you can achieve both the samAccountName and the UPN name resolving to the same thing by doing two things:

1. Check the option on the User Manager's Policy page to "Use User Principal Name (UPN) for AD user name variables"
2. Map the user accounts using the UPN name (instead of the samAccountName that we show by default) to the Cerberus group. There's no need to map the samAccountName if you use the UPN name - as long as the "Use User Principal Name" option is selected.

The ability to enumerate AD accounts has been there for a while, and it is in need of an option to enumerate them using the UPN name instead of the samAccountName. We would eventually like to make mapping selections default to the UPN name, and to make the "Use User Principal Name for variables" option the default on new installations.
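To make the behaviour in both posts concrete, here is an added model (my own illustration, not Cerberus FTP code) of how keying group mappings and the %USER% home folder on the raw login string lets "jsmith" and "jsmith@mycompany.com" diverge, and how resolving every login form to the UPN first, as the answer recommends, restores one mapping and one folder per user. The directory contents, group names, folder layout and function names are all constructed assumptions.

```python
from typing import Dict, Optional, Tuple

# Constructed stand-in for Active Directory: samAccountName -> UPN.
DIRECTORY: Dict[str, str] = {
    "jsmith": "jsmith@mycompany.com",
    "adoe": "adoe@mycompany.com",
}

def canonical_upn(login: str) -> Optional[str]:
    """Resolve either a samAccountName or a UPN to the one UPN for that account."""
    login = login.lower()
    if "@" in login:
        return login if login in DIRECTORY.values() else None
    return DIRECTORY.get(login)

def resolve_session(login: str, mappings: Dict[str, str],
                    use_upn_for_variables: bool) -> Optional[Tuple[Optional[str], str]]:
    """Return (mapped group or None, home folder) for one login attempt.

    With use_upn_for_variables=False the raw login string keys both the group
    lookup and %USER%, which is the divergence the original post describes.
    With it set to True every login form is first resolved to the UPN, so a
    single mapping keyed on the UPN covers both spellings (the answer's advice).
    """
    upn = canonical_upn(login)
    if upn is None:
        return None                      # unknown account: login rejected
    key = upn if use_upn_for_variables else login.lower()
    group = mappings.get(key)            # no Default Group set -> None if unmapped
    home = "C:\\ftproot\\" + key         # hypothetical Global Home\%USER% layout
    return group, home

def consistent_for_user(sam: str, mappings: Dict[str, str],
                        use_upn_for_variables: bool) -> bool:
    """Admin check: same group and folder whether the user types the
    samAccountName or the UPN?"""
    a = resolve_session(sam, mappings, use_upn_for_variables)
    b = resolve_session(DIRECTORY[sam], mappings, use_upn_for_variables)
    return a is not None and a == b
```

Running `consistent_for_user` over every account in the directory is a quick way to audit a configuration before relying on per-user upload limits.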
