LDAP Authentication

The LDAP authentication mechanism offers the ability to integrate the Filetransfer appliance into an existing authentication directory such as Microsoft Active Directory.

Terminology

Keyword: Description
Server Name: The hostname or IP address of the LDAP server.
Server Port: Optional port to use when connecting to the LDAP host. If no port is specified, the default is 389 for non-SSL connections and 636 for SSL connections. (*)
Use SSL: Whether SSL should be used when connecting to the LDAP server.
LDAP User: A user with search credentials in the LDAP directory.
LDAP Password: The password for the LDAP User above.
LDAP Base: The Distinguished Name (DN) of the LDAP search base.
Filter: The LDAP search filter that finds users in the directory.
Email key: The LDAP key (attribute) that holds a user's email address.
Append Domain: Optional domain to append to the value of the email key if the email key does not match a user on its own.
Name key: The LDAP key (attribute) that holds a user's full name.

(*) Some people believe that port 3268 is the default LDAP port in Active Directory. This is not true. Port 3268 is used for global address book lookups; it will not work for authentication. Use port 389 instead.

Finding Users

The Filetransfer appliance uses RFC 2254 style LDAP filters for finding users. This offers the maximum flexibility in locating users in the directory.

Examples:

  • (sAMAccountName=<user>)
  • (|(sAMAccountName=<user>)(mail=<user>))
  • (&(|(sAMAccountName=<user>)(mail=<user>))(objectClass=user))

The <user> tag is replaced with whatever the user types in the login field. In the first example, the sAMAccountName key is searched for the user. In Active Directory, this matches the user's short name (e.g. jdoe in jdoe@example.com, or DOMAIN\jdoe).

In the second example, both the sAMAccountName field and the mail field are searched. So for the same user, both jdoe and jdoe@example.com would match, provided jdoe@example.com is listed in the user's mail key.

In the last example, the user is additionally matched only if the LDAP object has objectClass=user, which all user accounts in Active Directory have, but computer entries and other entries do not.
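The placeholder substitution described above, as an added example that is not the appliance's own code: the three filter templates from this page are filled in with the login name after escaping the characters that have special meaning in a filter (RFC 4515, which obsoletes RFC 2254), so the typed value is matched literally. How the appliance itself performs the substitution is not described on this page.

```python
# Added example, not code from the Filetransfer appliance: substitute the
# <user> tag into an RFC 2254/4515-style search filter.

# Characters that RFC 4515 section 3 requires to be escaped inside an
# assertion value: '*', '(', ')', '\' and NUL.
_SPECIAL = '*()\\\x00'


def escape_filter_value(value: str) -> str:
    """Escape a login name for use inside an LDAP search filter.

    Each special character is replaced by a backslash followed by the
    two-digit hex code of the character, e.g. '*' becomes '\\2a', so that
    what the user typed cannot change the structure of the filter.
    """
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def build_filter(template: str, login_name: str) -> str:
    """Replace every <user> tag in the template with the escaped login name."""
    return template.replace('<user>', escape_filter_value(login_name))


# The three filter templates given on this page.
TEMPLATES = [
    '(sAMAccountName=<user>)',
    '(|(sAMAccountName=<user>)(mail=<user>))',
    '(&(|(sAMAccountName=<user>)(mail=<user>))(objectClass=user))',
]

if __name__ == '__main__':
    # Constructed sample login names; 'jdoe' and 'jdoe@example.com' match
    # the page's examples, 'jd*e' shows a wildcard being neutralised.
    for template in TEMPLATES:
        print(build_filter(template, 'jdoe@example.com'))
    print(build_filter(TEMPLATES[0], 'jd*e'))  # (sAMAccountName=jd\2ae)
```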

Troubleshooting

The first step in troubleshooting LDAP authentication is to look at your directory with an LDAP browser (search the web for "LDAP Browser" if you don't have one available). This displays the structure of the directory, like this:

This is the view of Active Directory on a Windows 2003 system, with the domain set as dc=allard,dc=local.

filetransfer/ldap.txt · Last modified: 2011-05-28 07:24 by allard