LDAP Authentication

Cerberus FTP Server Professional is able to authenticate users against LDAP directory services. The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP.

Administrators can easily integrate Cerberus and LDAP or LDAPS (LDAP over SSL). All you need are a few parameters describing the LDAP service.

What do I need to use LDAP Authentication?

An LDAP service and some information about the server hosting the LDAP service:

Server This parameter is the FQDN or IP address of the LDAP server to search.
Port The network port of the LDAP server.
Enable SSL This checkbox determines whether the connection to the LDAP server is encrypted. The LDAP server must support encryption for this to work. Port 389 is the default port for unencrypted LDAP and port 636 is the default LDAPS port.
Base DN The distinguished name to use as the search base.
User DN The FDN of an account with read privileges to the LDAP server.
Password The password for the User DN account. This password is encrypted when saved.
User DN attribute The name of the uid attribute for a user in the directory.

By default, all LDAP users are assigned the same virtual directories and permissions. These defaults are configured under the Default Group and Virtual Directory Mapping for LDAP Users section of the LDAP Users page.  However, if you wish to customize the directory and permission mappings for individual LDAP users then you can do so using the Customize button.

The Customize button allows you to override the default settings for a user by mapping individual LDAP users to Cerberus groups. The mapped LDAP users will receive the settings and virtual directories from the mapped group, instead of the defaults.

help-72

Configuration page for LDAP Authentication

Default Virtual Directory Mapping for LDAP Users

The Default Virtual Directory Mapping modes work as follows:

Global Home Every LDAP account will use the directory specified under the “Global Home” edit box as the FTP root. This is the simplest option, and every LDAP user is assigned this one directory as their root folder. The Cerberus permissions on this folder can be restricted through the Permissions button to the right of the Global Home edit box.
Global Home\%USER% Every LDAP account will use a subdirectory off of the “Global Home” directory that is the same as the account’s name. This directory will be created automatically, if it doesn’t exist, when the user logs in. The Cerberus permissions on this folder can be restricted through the Permissions button to the right of the Global Home edit box.
LDAP User Attribute Every LDAP account will use the directory attribute defined here to determine what virtual directories to add to their account.

This directory attribute can have multiple values, and each value will be added as a separate virtual directory.

The default value will be a valid Windows directory path.  By default, the last directory of the file path will be used for the virtual directory name, and the user will have full permissions to the directory path.

The value can be customized into 3 separated components to customize the added virtual directory path into a full directory path, a virtual directory name, and a permissions set for the virtual directory.

You can separate each component by the pipe character or an asterisk.

For example, the value for the attribute could be:

C:\ftproot\user\andrew*home*2047

The first part is the directory path, the second is the directory name, and the third is a bit mask indicating the permissions the user has for that virtual directory.

The directory permissions field for a virtual directory is a simple bit mask. Permissions have the following values:

Permission Value
DOWNLOAD 1
UPLOAD 2
RENAME 4
DELETE 8
CREATEDIR 16
LIST DIRECTORIES 32
LIST FILES 64
DISPLAY HIDDEN FILES 128
ZIP 256
UNZIP 512
PUBLIC SHARE DOWNLOAD 1024
PUBLIC SHARE UPLOAD 2048

Just add the values up to achieve the desired permissions. e.g., Download, Upload, Rename, and Delete permissions would be (1 + 2 + 4 + 8) = 15.

Granting all permissions would be 2047.

Use Default Group Directories and Permissions The specified Cerberus Group will be used to determine what directories and what settings to apply to the LDAP user when they login, including any security requirements associated with the group.

Other LDAP Dialog Options

The LDAP Accounts list box that enumerates LDAP accounts is only meant as an aid in determining if your LDAP connection is configured correctly. If you can get a successful listing of user accounts, then those accounts should be accessible to Cerberus during authentication. Some additional display options are detailed below:

Show FQDN Display the fully qualified domain name of each enumerated object.
Note:
This setting has no effect on actual LDAP authentication.
Show All Users If this option is checked, every account will be retrieved and enumerated in the LDAP Accounts list box. This can take a very long time if there are a large number of users.
Note: This setting has no effect on actual LDAP authentication.

Setting up Active Directory Authentication using LDAP

The following steps detail the procedure for enabling LDAP Authentication to verify credentials against Active Directory. The steps are similar for connecting to other LDAP servers, such as OpenLDAP or ApacheDS.

  1. Change the LDAP Server and Port attribute in the User Manager, LDAP Users tab to the host name and port number of the Active Directory:
    • e.g., Server: hostname.domain.com or an IP address:192.168.0.100
    • Port: 389 is the default for unencrypted LDAP connections.  Port 636 is the default for LDAPS encrypted connections.
  2. Change the Base DN to the proper base for the Active Directory.Simply specifying the base suffix will not work in this attribute. For Active Directory, it would usually be the cn=Users plus base suffix. e.g.: for domain corp.cerberusllc.com :CN=Users,DC=corp,DC=cerberusllc,DC=com

    or for local domain corp.cerberusllc.local :

    CN=Users,DC=corp,DC=cerberusllc,DC=local

  3. Change the DN for the User DN bind attribute to a user with the right to read the Active Directory.Anonymous access to Active Directory is not allowed, so a bind account is needed. This is simply an account for Active Directory that has read ability on the attribute to which the user will authenticate. An example might be cn=administrator,CN=Users,DC=corp,DC=cerberusllc,DC=local. Enter the password for the user account. Note: This password will be encrypted in memory and before being saved to disk.
  4. Change the User DN Attribute.This attribute is the one that the LDAP module will search for in Active Directory and attempt to match against the supplied FTP username. It is often the UID attribute on many LDAP servers. For example, if users login using their Common Name, the value of this attribute would be cn. For Active Directory, the login name is usually mapped to sAMAccountName as it is the attribute in Active Directory most like UID. For Active Directory, it is usually best to specify sAMAccountName.
  5. Change the Search Filter.This string is an LDAP search string used to locate and filter the account in Active Directory. This filter can be used to make sure only certain types of objects are checked for authentication.
    Search Filter Examples

    (objectClass=User)

    The above filter will include only search entities that have the object class User.

    (memberof:1.2.840.113556.1.4.1941:=cn=FTPUsers,CN=Users,dc=corp,dc=cerberusllc,DC=local)

    The above filter will include all users that are members of the group FTPUsers.

    Do not attempt to add the uid search attribute here. Cerberus will automatically append an attribute filter to select the correct account based on the User DN Attribute.

    I.e., if the User DN Attribute is sAMAccountName, Cerberus will automatically create a string like

    (&(objectClass=User)(sAMAccountName=ftpUser))

    where ftpUser is the name of the user that attempted login.

  6. Set the Search Scope.This setting controls how deep into the directory to search for users. This setting combined with the Base DN and Search Filter determines which users are matched for authentication.One Level is usually the best setting for typical Active Directory configurations.
  7. Verify that the settings are correct by clicking the Connect button. You should see the user DNs from Active Directory that are able to log in to Cerberus FTP Server. Note: Unless “Use FQDN” is checked, only the value of the User DN Attribute will be displayed in the LDAP user list. It is this value that will be compared against the FTP username to determine an account match.
  8. Select a Cerberus FTP Group to represent the virtual directories and permissions for LDAP users. Note that the “isAnonymous” setting on the group is ignored. The group cannot be anonymous.

Cerberus FTP Server is now configured for authentication against an LDAP server (Active Directory, in this case).

LDAP User to Cerberus Group Mapping

You can customize the directory and permission mappings for individual LDAP users through the LDAP Directory Mapping tab. Customizing an LDAP account is accomplished by mapping an LDAP user account to a Cerberus group account. This mapping will override the default Cerberus Group and directory mapping, specified on the LDAP Users page, for the mapped LDAP account.

help-73

Configuration page for LDAP User to Cerberus Group Mapping

Creating an LDAP User to Cerberus Group Mapping

Mappings between an LDAP User and a Cerberus Group can be achieved by first selecting an LDAP user. Then, select an LDAP user (or simply typing the name of the LDAP user in the edit box) and then select a Cerberus Group. Select the Assign button and a mapping entry will be placed in the mapping list box to indicate the LDAP user will now have the same constraints and virtual directory mappings as the selected Cerberus Group.

Removing an LDAP mapping

To remove a mapping, simply select the mapped entry and press the Remove button.