LDAP Based Authentication

In this mechanism, a user account is authenticated against an external LDAP server.

Accounts with this type of authentication are also known as external accounts.

By default, LDAP communications between client and server applications are not encrypted.

  • This means that it could be possible to use a network monitoring device or software to view the communications traveling between LDAP client and server computers.
  • This is especially problematic when an LDAP simple bind is used because credentials (username and password) are passed over the network unencrypted. This could quickly lead to the compromise of credentials.

Therefore, it is recommended that you enable Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) or Transport Layer Security (TLS).

  • SSL and TLS are also known as LDAPS
  • Some applications authenticate with Active Directory Domain Services (AD DS) through simple BIND. If simple BIND is necessary, using SSL/TLS to encrypt the authentication session is strongly recommended.
  • Use of proxy binding or password change over LDAP requires LDAPS. (e.g. Bind to an AD LDS Instance Through a Proxy Object  )
  • Some applications that integrate with LDAP servers (such as Active Directory or Active Directory Domain Controllers) require encrypted communications.

Prerequisites

  1. The LDAP service must be accessible from FileCloud (IP and Port must be accessible).

  2. LDAP must support Simple Authentication Method (Anonymous or Name/Password Authentication Mechanism of Simple Bind).

  3. LDAP users must have an email attribute.

  • If LDAP Authentication is enabled, then Automatic User creation cannot be enabled (i.e, All user creation should be done in LDAP server)
  • The LDAP user will count towards FileCloud License only after the user account logs into FileCloud

 

Enable LDAP Authentication

To enable LDAP Authentication in FileCloud:

  1. Log into the admin portal.

  2. In the left navigation panel, click Settings.

  3. In the right panel, from the list of tabs, click Authentication.

  4. Under Authentication Settings, in Authentication Type select LDAP.

  5. In LDAP Settings, enter the required information, and then click Save.


 

Once you have selected LDAP as your method of authentication, you must provide some additional information. Table 1 explains the required fields.

LDAP Required Settings

SETTINGREQUIRED?DESCRIPTIONExample
LDAP HostREQUIRED The hostname or IP address where the LDAP server is running, including the protocol definition ldap://
ldap://mycompany.com
LDAP PortREQUIRED The port to be used to connect to LDAP server (typically 389)
389
LDAP Account NameREQUIRED A valid LDAP login account required to perform queries
<username>
LDAP Account PasswordREQUIRED Password for the LDAP Account Name
<password>
LDAP User DN TemplateREQUIRED 

The LDAP Distinguished Name(DN) template. Every entry in the directory has a DN that uniquely identifies an entry in the directory.

This is usually a combination of CN, OU , DC. Refer to your specific LDAP settings to uniquely identify a user.

To use multiple OUs, set this equal to ^USE_USER_FULL_DN^

Use the token ^NAME^ in place of user name:

cn=^NAME^,ou=someorg,dc=company,dc=com 

Multiple OU mode:
^USE_USER_FULL_DN^

LDAP Search DN

REQUIRED 

The search DN (Specifies the set of resources to search for an user).

If there is an ou encompassing all users, then the search DN would be pointing to that DN.

If all users are under the employees ou, then the search DN would be:

ou=employees,dc=company,dc=com
LDAP User Filter TemplateREQUIRED 

The filter to be used to identify a user entry record from results.

If the object class is inetOrgPerson, then you would use:

(&(objectClass=inetOrgPerson)(cn=^NAME^))

Mail Attribute

REQUIRED 

In the FileCloud environment, every user requires an email ID.

Specify the attribute name used in the LDAP's user record to refer to the email ID.

username_email_ID

 

NOTE: For using with Zimbra, please use the following strings

User DN Template:

uid=^NAME^,ou=someou,dc=company,dc=com
 

LDAP Search DN

ou=someou,dc=company,dc=com

LDAP User Filter Template:

(&(objectClass=zimbraAccount)(uid=^NAME^))

 

NOTE: For using with JumpCloud, please use the following strings

User DN Template:
uid=^NAME^,ou=Users,o=xxxxxxxxxxxxxxxxxb42f7988db,dc=jumpcloud,dc=com


LDAP Search DN
ou=users,o=xxxxxxxxxxxxxxxxxb42f7988db,dc=jumpcloud,dc=com

LDAP User Filter Template:

(&(objectClass=inetOrgPerson)(uid=^NAME^))



If you are using an LDAP connection with TLS, then you must configure the LDAP fields using the following information:

SETTINGREQUIRED?DESCRIPTIONTLS Example
LDAP HostREQUIRED The hostname or IP address where the LDAP server is runningldaps://<your_server_hostname>
LDAP PortREQUIRED The port to be used to connect to LDAP server (typically 389)389
LDAP Account NameREQUIRED A valid LDAP login account required to perform queries<username>
LDAP Account PasswordREQUIRED Password for the LDAP Account Name<password>
LDAP User DN TemplateREQUIRED 

The LDAP Distinguished Name(DN) template. Every entry in the directory has a DN that uniquely identifies an entry in the directory.

This is usually a combination of CN, OU , DC. Refer to your specific LDAP settings to uniquely identify a user. 

Use the token ^NAME^ in place of user name

Example : cn=^NAME^,ou=someorg,dc=company,dc=com 

To use multiple OUs, set this equal to ^USE_USER_FULL_DN^

cn=<username>,ou=<abc>,dc=<company>,dc=com

Multiple OU mode:
^USE_USER_FULL_DN^

LDAP Search DN

REQUIRED 

The search DN (Specifies the set of resources to search for an user).

If there is an ou encompassing all users, then the search DN would be pointing to that DN.

For example, if all users are under the employees ou, then the search DN would be ou=employees,dc=company,dc=com

ou=company-users,dc=company,dc=com
LDAP User Filter TemplateREQUIRED 

The filter to be used to identify a user entry record from results.

For example, if the object class is inetOrgPerson, then you would use:

(&(objectClass=inetOrgPerson)(cn=^NAME^))
(&(objectClass=inetOrgPerson)(cn=^NAME^))

Mail Attribute

REQUIRED 

In the FileCloud environment, every user requires an email ID.

Specify the attribute name used in the LDAP's user record to refer to the email ID.

username_email_ID


Video

LDAP Settings