LDAP Authentication

Cerberus FTP Server Professional is able to authenticate users against LDAP directory services. The Lightweight Directory Access Protocol, or LDAP, is an application protocol for querying and modifying directory services running over TCP/IP.

Administrators can easily integrate Cerberus with LDAP or LDAPS (Secure LDAP). All you need are a few parameters describing the LDAP service.

What do I need to use LDAP Authentication?

An LDAP service and some information about the server hosting the LDAP service:

  • Server is the FQDN or IP address of the LDAP server to search.
  • Port is the network port of the LDAP server.
  • Base DN is the distinguished name to use as the search base.
  • User DN is the full distinguished name (FDN) of an account with read privileges on the LDAP server.
  • User DN attribute is the name of the uid attribute for a user in the directory.

Figure: LDAP user manager, the configuration page for LDAP Authentication.

Setting up Active Directory Authentication

The following steps detail the procedure for enabling LDAP Authentication to verify credentials against Active Directory. The steps are similar for connecting to other LDAP servers, such as OpenLDAP or ApacheDS.

  1. Change the LDAP Server and Port attribute in the User Manager, LDAP Users tab to the host name and port number of the Active Directory:
    • e.g., Server: hostname.domain.com or 192.168.0.100
    • Port: 389
  2. Change the Base DN to the proper base for the Active Directory.

    Specifying only the base suffix will not work in this attribute. For Active Directory, it is usually the Users container (CN=Users) followed by the domain suffix, e.g., for the domain corp.cerberusllc.com:

    CN=Users,DC=corp,DC=cerberusllc,DC=com

    or

    CN=Users,DC=corp,DC=cerberusllc,DC=local

  3. Change the DN for the User DN bind attribute to a user with the right to read the Active Directory.

    Anonymous access to the Active Directory is not allowed, so a bind account is needed. This is simply an Active Directory account with read access to the attribute against which users will authenticate. An example might be cn=administrator,CN=Users,DC=corp,DC=cerberusllc,DC=local. Enter the password for the user account.

  4. Change the User Naming Attribute.

    This attribute is the one that the LDAP module will search for in Active Directory and attempt to match against the supplied FTP username. It is often the UID attribute on many LDAP servers. For example, if users log in using their Common Name, the value of this attribute would be cn. For Active Directory, it is usually best to specify sAMAccountName, as it is the attribute in Active Directory most like UID and the one the login name is usually mapped to.

  5. Change the User Entry Search Filter.

    This string is an LDAP search filter used to locate and filter the account in Active Directory. It should correspond to the attribute that people use to log in.

    e.g., (objectClass=User)

    The above filter will only search entries that have the object class User. Do not attempt to add the uid search attribute here. Cerberus will automatically append an attribute filter to select the correct account based on the User Naming Attribute.

    I.e., if the User Naming Attribute is sAMAccountName, Cerberus will automatically create a string like

    (&(objectClass=User)(sAMAccountName=ftpUser))

    where ftpUser is the name of the user that attempted login.

  6. Set the search scope.

    This setting controls how deep into the directory to search for users. This setting combined with the Base DN and Search Filter determines which users are matched for authentication.

    One Level is usually the best setting for typical Active Directory configurations.

  7. Verify that the settings are correct by clicking the "Test Connection" button. You should see the user DNs from Active Directory that are able to log in to Cerberus FTP Server.

  8. Select a Cerberus FTP Group to represent the virtual directories and permissions for LDAP users. Note that the "isAnonymous" and "isDisabled" setting on the group are ignored.

Cerberus FTP Server is now configured for authentication against Active Directory.
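The search that steps 2 through 6 configure, composed the way step 5 describes, as an added example that is not Cerberus code; the scope numbering, the function names and the RFC 4515 escaping of the supplied login name are assumptions about how such a lookup is safely built, not a description of the product's internals:

```python
# Added example (not part of the Cerberus documentation): composes the LDAP
# search that steps 2, 4, 5 and 6 above describe and escapes the supplied
# login name per RFC 4515 so it cannot change the filter's structure.

# Search scope names as shown in the configuration page, mapped to the
# RFC 4511 scope values (0 = baseObject, 1 = singleLevel, 2 = wholeSubtree).
SCOPES = {"Base": 0, "One Level": 1, "Subtree": 2}

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value. Anything else from the login name is left untouched.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(entry_filter: str, naming_attr: str, login_name: str) -> str:
    """Combine the configured User Entry Search Filter with the naming
    attribute, the way the documentation describes:
    (&(<entry filter>)(<User Naming Attribute>=<escaped login name>))."""
    entry_filter = entry_filter.strip()
    if not (entry_filter.startswith("(") and entry_filter.endswith(")")):
        entry_filter = f"({entry_filter})"
    return f"(&{entry_filter}({naming_attr}={escape_filter_value(login_name)}))"


def build_search(base_dn: str, scope_name: str, entry_filter: str,
                 naming_attr: str, login_name: str) -> dict:
    """Return the parameters of the search the bind account performs
    (base, scope, filter) before the located user's DN is bound with the
    password supplied at login."""
    if scope_name not in SCOPES:
        raise ValueError(f"unknown search scope: {scope_name!r}")
    return {
        "base": base_dn,
        "scope": SCOPES[scope_name],
        "filter": build_search_filter(entry_filter, naming_attr, login_name),
    }


if __name__ == "__main__":
    # Constructed values matching the Active Directory example in the text.
    print(build_search("CN=Users,DC=corp,DC=cerberusllc,DC=com", "One Level",
                       "(objectClass=User)", "sAMAccountName", "ftpUser"))
```

With the page's values this yields the filter shown in step 5, and a login name containing filter metacharacters such as `*` is escaped rather than interpreted.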

©2010 Cerberus, LLC