Remote Authentication

The File Transfer Appliance supports remote authentication, i.e. centralised user account management via either LDAP or IMAP. The purpose is that no users need to be defined on the File Transfer Appliance; instead, accounts are created automatically the first time a user logs in with valid credentials for the configured LDAP or IMAP server. Note that this also means anyone who can authenticate to that server gets an account, so point the appliance at a server or search base that contains only the users who should have access.

The File Transfer Appliance requires that users log in with the email address they intend to use when sending files. Some configuration is sometimes needed to achieve this, and most of the configuration on this page is aimed at solving that.

Authentication Scheme Overview

The following authentication schemes are supported:

  • LDAP Advanced: A user with LDAP search rights in the directory needs to be specified, together with the LDAP base and an LDAP attribute that holds the email address of the user. When a user logs in, the entered email address is searched for in that attribute within the LDAP search base. The entry found is then authenticated with the entered password; if that succeeds, the user is authenticated and an account is created if none exists.
  • LDAP: (version 1.2 only) The File Transfer Appliance makes an LDAP bind with the entered email address and password. If the bind succeeds, the user is authenticated and an account is created if none exists.
  • IMAP: (version 1.2 only) The File Transfer Appliance tries a PLAIN login (CRAM-MD5 and other mechanisms are not supported) to the specified IMAP server. If the login succeeds, the user is authenticated and an account is created if none exists.

LDAP

The LDAP authentication is aimed at simple LDAP/Active Directory setups, as found in most small to medium size companies. If the user's email address is user@example.com and the LDAP/Active Directory domain is EXAMPLE.COM, this is the best setup. If the LDAP/Active Directory domain is something like EXAMPLE.LOCAL and another LDAP attribute specifies that the email address is user@example.com, the LDAP Advanced setup needs to be used instead.

The following screenshot outlines the configuration for the LDAP server. The settings are:

  • Authentication Host (example: 10.1.2.3): The IP address or hostname of the LDAP server.
  • Port (example: 389): If a non-standard port is used, enter it here. The standard port is 389, or 636 if SSL is enabled.
  • Enable SSL (example: Disabled): Whether SSL should be used when connecting to the LDAP server. With SSL disabled, a simple bind sends the user's password over the network in clear text, so enable it (port 636) wherever the directory supports it.
  • LDAP Validation User (example: user@example.com): An LDAP user that can authenticate to the directory. It is not saved; it only serves to validate that the configuration works.
  • LDAP Validation Password (example: password): The password for the above user. It is not saved anywhere.

LDAP or LDAP Advanced

The easiest way to test whether plain LDAP will work for you is to validate with the correct details:

  • Fill in the details for the LDAP server, with the correct port and SSL enabled as required.
  • Validate with username joe.admin@example.com (replace example.com with your domain and joe.admin with your account name).
  • If it works, use the LDAP authentication.
  • If it doesn't work and the error is an incorrect username or password error, you will most likely need to use the LDAP Advanced configuration below.

LDAP Advanced

This authentication mechanism provides the maximum flexibility when setting up LDAP authentication. The first step with any advanced LDAP setup is to inspect the directory with an LDAP browser, to find the search base and the attribute that holds the email address. If you don't have an LDAP browser available, you can download one from http://www.mcs.anl.gov/~gawor/ldap/.

In this example, a Windows 2003 Active Directory has been installed with the ALLARD.LOCAL domain. A typical user in the AD Accounts settings page looks like this:

So the email-style login for this user would be johan.allard@allard.local, which obviously won't work as a sender address when sending files to the Internet. To get around this, the correct email address johan@allardsoft.com is configured on the General Account Properties page as follows:

When the LDAP browser is started and pointed at the directory, the user is visible in the directory.

A couple of things are worth noting here:

  • The LDAP base (shown in the top left corner) is: dc=allard,dc=local
  • The LDAP search attribute that corresponds to the email address is: mail

When configuring the LDAP Advanced settings in the File Transfer Appliance for this setup, the settings are as follows:

  • LDAP User: A user with search rights to the directory. It does not have to be an administrator, and since the appliance must keep this password in order to search the directory at every login, use a dedicated read-only account rather than an administrative one. The account format can be either DOMAIN\USER or USER@DOMAIN.
  • LDAP Password: The corresponding password for the user above.
  • LDAP Base: The search base of the directory (dc=allard,dc=local in the example above).
  • LDAP Search key: The LDAP attribute that holds the email address of the users in the domain (mail in the example above).
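The two LDAP schemes on this page, the plain bind in the LDAP section and the search-then-bind of LDAP Advanced, simulated offline in Python. This is an added example and not the File Transfer Appliance's code: the in-memory directory, its passwords and the service account are constructed, the appliance's actual filter shape and its handling of special characters in the entered address are not documented here, and the RFC 4515 escaping of the entered email address is what a practitioner would check for, since an unescaped '*' would turn the login name into a wildcard search.

```python
"""Plain LDAP bind versus LDAP Advanced search-then-bind, simulated offline.

Added example, not code from the File Transfer Appliance. The directory
below mirrors the page's ALLARD.LOCAL example but is constructed; the
filter shape (mail=<address>) is an assumption about the appliance.
"""
import re
from typing import List, Optional, Tuple

# RFC 4515 section 3: characters that must be escaped inside a filter value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied string for use as an LDAP filter assertion value."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(search_key: str, email: str) -> str:
    """Build the (key=value) filter that finds the entry for a login email."""
    return f"({search_key}={escape_filter_value(email)})"


def _assertion_to_regex(assertion: str) -> "re.Pattern[str]":
    """Interpret an assertion value the way a server does: an unescaped '*' is a
    wildcard, a '\\XX' hex escape is a literal character (RFC 4515)."""
    parts = []
    i = 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "\\" and i + 3 <= len(assertion):
            parts.append(re.escape(chr(int(assertion[i + 1:i + 3], 16))))
            i += 3
        elif ch == "*":
            parts.append(".*")
            i += 1
        else:
            parts.append(re.escape(ch))
            i += 1
    # Active Directory's mail attribute uses a case-insensitive matching rule.
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


# Constructed sample directory (passwords included) standing in for the AD server.
DIRECTORY = {
    "CN=Johan Allard,CN=Users,DC=allard,DC=local": {
        "userPrincipalName": "johan.allard@allard.local",
        "mail": "johan@allardsoft.com",
        "password": "correct horse",
    },
    "CN=Service Search,CN=Users,DC=allard,DC=local": {
        "userPrincipalName": "ldap-search@allard.local",
        "mail": "ldap-search@allardsoft.com",
        "password": "search-only",
    },
}
# The "LDAP User" / "LDAP Password" settings: a read-only account whose password
# the appliance has to keep so it can search at login time (constructed here).
SERVICE_DN = "CN=Service Search,CN=Users,DC=allard,DC=local"
SERVICE_PASSWORD = "search-only"


def ldap_bind(dn: str, password: str) -> bool:
    """Simple bind: succeeds only if the entry exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry["password"] == password


def ldap_search(base: str, ldap_filter: str) -> List[str]:
    """Return the DNs under base matching a single equality filter like (mail=x)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, rx = m.group(1), _assertion_to_regex(m.group(2))
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and attr in entry and rx.match(entry[attr])]


def authenticate_simple(login: str, password: str) -> Optional[str]:
    """The plain LDAP scheme: bind directly as the entered name. AD accepts the
    UPN (user@domain) as a bind name, so this only works when the login equals
    the UPN, which is the page's point about EXAMPLE.LOCAL domains."""
    for dn, entry in DIRECTORY.items():
        if entry["userPrincipalName"].lower() == login.lower():
            return dn if ldap_bind(dn, password) else None
    return None


def authenticate_advanced(email: str, password: str, base: str = "dc=allard,dc=local",
                          search_key: str = "mail", escape: bool = True) -> Optional[Tuple[str, str]]:
    """LDAP Advanced: bind as the service account, search for the email in the
    search key under the base, then bind as the single entry found.
    Returns (DN, directory mail value) on success. The mail value comes from the
    directory, not from what was typed, so it is the identity to keep."""
    if not ldap_bind(SERVICE_DN, SERVICE_PASSWORD):
        return None
    value = escape_filter_value(email) if escape else email  # escape=False shows the risk
    hits = ldap_search(base, f"({search_key}={value})")
    if len(hits) != 1:
        return None
    return (hits[0], DIRECTORY[hits[0]]["mail"]) if ldap_bind(hits[0], password) else None
```

With escaping on, a login of j*@allardsoft.com matches nothing; with it off the same string is a wildcard that resolves to Johan's entry, which is why the typed address must be escaped before it goes into the filter and why the account identity should be taken from the directory's mail attribute rather than from the login field.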

IMAP

IMAP authentication is only available in version 1.2 of the File Transfer Appliance.

The IMAP authentication uses a standard IMAP PLAIN login (CRAM-MD5 and other mechanisms are not supported) to the specified IMAP server. PLAIN carries the password base64-encoded but otherwise in the clear, so enable SSL (port 993) unless the network path to the IMAP server is trusted.

The settings are:

  • Authentication Host (example: 10.1.2.3): The IP address or hostname of the IMAP server.
  • Port (example: 143): If a non-standard port is used, enter it here. The standard port is 143, or 993 if SSL is enabled.
  • Enable SSL (example: Disabled): Whether SSL should be used when connecting to the IMAP server.
  • IMAP Domain (example: example.com): If users log in to the IMAP server as username while their email address is username@example.com, enter example.com here. Users then log in to the File Transfer Appliance as username@example.com, @example.com is stripped from the login, and the File Transfer Appliance logs in to the IMAP server as username. If users log in to the IMAP server with their complete email address, leave this field blank.
  • IMAP Validation User (example: user@example.com): An IMAP user that can authenticate to the IMAP server. It is not saved; it only serves to validate that the configuration works.
  • IMAP Validation Password (example: password): The password for the above user. It is not saved anywhere.
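The IMAP Domain stripping described above, together with what a PLAIN login actually puts on the wire, as an added Python example that is not the File Transfer Appliance's code. Two things in it are this example's own choices rather than documented behaviour: a login whose domain does not match the configured IMAP Domain is rejected (the page does not say how the appliance treats such a login), and the domain comparison is case-insensitive. The imaplib call at the end shows how the settings wire together and is not exercised offline.

```python
"""IMAP login-name handling and the SASL PLAIN mechanism, simulated offline.

Added example, not the File Transfer Appliance's code. Rejecting logins
whose domain differs from the configured IMAP Domain is this example's
choice; the page does not document the appliance's behaviour for them.
"""
import base64
import imaplib
from typing import Optional, Tuple


def imap_login_name(login_email: str, imap_domain: str) -> Optional[str]:
    """Map the address typed at the appliance to the name sent to the IMAP server.

    imap_domain == ""  -> users log in to IMAP with the full address; pass it through.
    imap_domain set    -> strip "@<imap_domain>" (compared case-insensitively).
    A login under some other domain is rejected (None), so the address later used
    as sender identity is one the IMAP server actually vouched for (design choice).
    """
    if "@" not in login_email:
        return None
    local, _, domain = login_email.rpartition("@")
    if not imap_domain:
        return login_email
    if not local or domain.lower() != imap_domain.lower():
        return None
    return local


def sasl_plain_response(authcid: str, password: str, authzid: str = "") -> bytes:
    """Initial client response for SASL PLAIN (RFC 4616): authzid NUL authcid NUL passwd,
    base64-wrapped on the wire. Base64 is an encoding, not encryption, which is why
    PLAIN over port 143 without SSL exposes the password to anyone on the path."""
    for field in (authzid, authcid, password):
        if "\x00" in field:
            raise ValueError("NUL is not allowed inside PLAIN fields")
    return base64.b64encode(f"{authzid}\x00{authcid}\x00{password}".encode("utf-8"))


def recover_plain_credentials(wire: bytes) -> Tuple[str, str, str]:
    """What a passive observer of an unencrypted session can do with the response."""
    authzid, authcid, password = base64.b64decode(wire).decode("utf-8").split("\x00")
    return authzid, authcid, password


def imap_plain_login(host: str, port: int, use_ssl: bool,
                     login_email: str, imap_domain: str, password: str) -> bool:
    """Connect and authenticate with PLAIN the way the settings above describe.
    Not run offline. Many servers refuse PLAIN on an unencrypted connection."""
    name = imap_login_name(login_email, imap_domain)
    if name is None:
        return False
    conn = imaplib.IMAP4_SSL(host, port) if use_ssl else imaplib.IMAP4(host, port)
    try:
        # imaplib base64-encodes whatever the callback returns, so hand it the raw
        # NUL-separated PLAIN string rather than an already-encoded one.
        conn.authenticate("PLAIN", lambda _challenge: f"\x00{name}\x00{password}".encode("utf-8"))
        return True
    except imaplib.IMAP4.error:
        return False
    finally:
        conn.logout()
```

With IMAP Domain set to example.com, username@example.com becomes username and a bare username without an @ is rejected; with the field blank the full address is passed through unchanged.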
filetransfer/remote_authentication.txt · Last modified: 2010-05-12 22:39 by allard