| — | ldap [2025_11_24 22:23] (current) – created - external edit 127.0.0.1 | ||
|---|---|---|---|
| Line 1: | Line 1: | ||
| + | # LDAP Integration | ||
| + | |||
| + | #### Last Updated January 7, 2022 | ||
| + | |||
| + | Access Anywhere supports integration with directory services through the LDAP and SAML protocols, providing authentication and authorization services including single sign-on as well as identity and role synchronization. | ||
| + | |||
| + | This document describes integration with LDAP. For SAML see [[: | ||
| + | |||
| + | This document describes configuration via LDAP for: | ||
| + | |||
| + | * Microsoft Active Directory | ||
| + | * Azure AD Domain Services | ||
| + | |||
| + | <WRAP center round important 100%> | ||
| + | If you remove an authentication system that is in use by an SMB Multi User or Nasuni provider, | ||
| + | </ | ||
| + | |||
| + | ### Adding a Directory Service | ||
| + | |||
| + | Directory services are managed by an Organization administrator under **Organization** \> **Auth Systems**. Multiple auth systems can be configured. | ||
| + | |||
| + | {{ : | ||
| + | |||
| + | ## Active Directory (via LDAP) | ||
| + | |||
| + | If you need to connect to: | ||
| + | |||
| + | * ADFS (Active Directory Federation Services) - see [[admin/ | ||
| + | * Azure Active Directory - see [[admin/ | ||
| + | |||
| + | ### Choose Auth System Type | ||
| + | |||
| + | For any LDAP directory service choose **Active Directory via LDAP**. | ||
| + | |||
| + | {{ : | ||
| + | |||
| + | |||
| + | ### Connection Information | ||
| + | The first section provides connection information to the directory service: | ||
| + | |||
| + | {{ :: | ||
| + | |||
| + | __Auth System Name__ - Enter any label you want for this Auth System. | ||
| + | |||
| + | __LDAP Server host or IP__ - This is the DNS-resolvable hostname or the IP address of your AD servers that are listening for LDAP connections. | ||
| + | |||
| + | For high availability you can enter multiple addresses. Enter the first host as you normally would, then the subsequent hosts separated by a space, each including the protocol. | ||
| + | |||
| + | ``` | ||
| + | server1 ldap:// | ||
| + | ``` | ||
| + | |||
| + | If NAA cannot connect to the first AD server, the next one will be tried. | ||
| + | |||
| + | __LDAP Server Port__ - You can leave the default (port 389) if the Connection Encryption is None or TLS. Use port **636** for SSL, or another port if you are using non-standard ports in your AD environment. | ||
| + | |||
| + | __Connection Encryption__ - Select the encryption method your AD environment supports. | ||
| + | |||
| + | __Base DN__ - Enter the Base DN for your environment. This is dependent on your AD environment setup. | ||
| + | |||
| + | __Administrator User DN__ - Enter the DN for a service account in your AD environment that we will use to connect. | ||
| + | |||
| + | __Administrator User Password__ - Password for the account entered in the previous field. | ||
| + | |||
| + | ==== User Import Settings ==== | ||
| + | |||
| + | The next three boxes should be checked if you want Access Anywhere to automatically create new users and roles/ | ||
| + | |||
| + | If you do not check these, you must import the Users and Roles you want to have access to the system. | ||
| + | {{ : | ||
| + | |||
| + | ==== User Directory Settings ==== | ||
| + | |||
| + | The next section will describe how your directory defines the users we will use in Access Anywhere. | ||
| + | |||
| + | {{:: | ||
| + | |||
| + | __User Object Class__ - For Active Directory we will select " | ||
| + | |||
| + | __Additional Custom User Object Classes__ - If you have additional classes which represent the users on your system, you can enter them here in a comma separated list. Standard AD installations will leave this blank. | ||
| + | |||
| + | __Login Field__ - This defines the attribute which NAA will use for the NAA Login attribute in Access Anywhere. Standard AD installations should use either sAMAccountName or userPrincipalName. | ||
| + | |||
| + | __Use Custom User Login Field__ - If checked, you can select a custom field for the NAA Login. Standard AD installations will leave this blank. | ||
| + | |||
| + | __Unique User Attribute__ - This defines which field will be used as the unique user ID with Access Anywhere. Standard AD installations should use either sAMAccountName or userPrincipalName. | ||
| + | |||
| + | __User Name Field__ - This defines which field will be used for the NAA User Name attribute. Standard AD installations should use displayName. | ||
| + | |||
| + | __Use Custom User Name Field__ - If checked, you can select a custom field for the NAA User Name. Standard AD installations will leave this blank. | ||
| + | |||
| + | __Use Custom User Email Field__ - If checked, you can select a custom field for the NAA email. Standard AD installations will leave this blank. | ||
| + | |||
| + | ==== Group Directory Settings ==== | ||
| + | |||
| + | The next section will describe how your directory defines the groups we will use for the roles within Access Anywhere. | ||
| + | |||
| + | {{:: | ||
| + | |||
| + | __Group (Role) id Field__ - This will define which field to use in the directory to create the Roles within Access Anywhere. Standard AD installations will select cn. | ||
| + | |||
| + | __Restrict import of users from the following groups__ - Enter the DNs of any groups in your directory to which you want to limit the users who can access Access Anywhere. | ||
| + | |||
| + | __Group (Role) Object Class__ - This defines the object class the directory uses for group objects. Standard AD installations will select group. | ||
| + | |||
| + | __Custom Group (Role) Object Classes__ - Here you can add additional classes which represent groups in your Directory, in a comma separated list. Standard AD installations will leave this blank. | ||
| + | |||
| + | __Role Name Field__ - This defines which field will be used to set the Group name in Access Anywhere. Standard AD installations will use cn. | ||
| + | |||
| + | __Use Custom Role Name Field__ - If checked, you will be able to set a custom field name to be used for Access Anywhere group names. Standard AD installations will leave this blank. | ||
| + | |||
| + | ==== Auto-Config Provider (Optional) ==== | ||
| + | |||
| + | This optional setting will allow you to define Private Providers for each user in your directory. This can be used for user home directories for example. | ||
| + | |||
| + | |||
| + | ## Azure AD Domain Services (via LDAP) | ||
| + | |||
| + | Azure AD Domain Services can be used as an LDAP provider. | ||
| + | |||
| + | We recommend enabling and configuring Secure LDAP using TLS with port 389 (you could also use SSL with port 636). | ||
| + | |||
| + | {{: | ||
| + | |||
| + | Other Settings: | ||
| + | |||
| + | * User Object Class: user | ||
| + | |||
| + | * Login Field: sAMAccountName | ||
| + | |||
| + | * Unique User Attribute: sAMAccountName | ||
| + | |||
| + | * User Name Field: cn | ||
| + | |||
| + | * Group (Role) Id Field: cn | ||
| + | |||
| + | * Group (Role) Object Class: group | ||
| + | |||
| + | * Role Name Field: cn | ||
| + | |||
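The Connection Information section above describes a space-separated host list with failover and the port/encryption pairing (389 for None or TLS, 636 for SSL). The following is an added pre-flight check, not code from this wiki page or from Access Anywhere, that parses that field and flags inconsistent settings; the host names are constructed, and the warning for a mismatched failover scheme is an assumption of this example rather than documented behaviour.

```python
from urllib.parse import urlsplit

# Default ports from the Connection Information section: 389 for None/TLS, 636 for SSL.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

def parse_hosts(field, port, encryption):
    """Split the 'LDAP Server host or IP' field into (scheme, host, port) tuples.

    The first host is entered plainly and takes the configured port and
    encryption; each failover host that follows is separated by a space and
    must carry its own ldap:// or ldaps:// prefix.
    """
    targets = []
    for index, token in enumerate(field.split()):
        if "://" not in token:
            if index != 0:
                raise ValueError("failover host %r must include ldap:// or ldaps://" % token)
            targets.append(("ldaps" if encryption == "SSL" else "ldap", token, port))
            continue
        url = urlsplit(token)
        if url.scheme not in DEFAULT_PORTS or not url.hostname:
            raise ValueError("unsupported LDAP URL %r" % token)
        targets.append((url.scheme, url.hostname, url.port or DEFAULT_PORTS[url.scheme]))
    return targets

def check_settings(field, port, encryption):
    """Return configuration warnings for the host/port/encryption combination (empty = consistent)."""
    warnings = []
    targets = parse_hosts(field, port, encryption)
    if encryption == "None":
        # Plain LDAP on 389: the Administrator User Password crosses the network unprotected.
        warnings.append("Connection Encryption is None: the bind password is sent in clear text")
    if encryption == "SSL" and port != 636:
        warnings.append("SSL selected but port is %d; the documented SSL port is 636" % port)
    if encryption in ("None", "TLS") and port == 636:
        warnings.append("port 636 expects SSL (ldaps); select SSL or use port 389")
    # Assumption of this example: failover hosts should use the same scheme as the primary.
    primary_scheme = targets[0][0]
    for scheme, host, _ in targets[1:]:
        if scheme != primary_scheme:
            warnings.append("failover host %s uses %s:// while the primary uses %s://" % (host, scheme, primary_scheme))
    return warnings
```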
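The User Directory Settings and Group Directory Settings sections describe object classes (plus comma-separated custom classes), a Login Field and a list of group DNs that restrict which users are imported. As an added example, not Access Anywhere's own query code, the functions below build the corresponding LDAP search filters with RFC 4515 escaping so that a login name or DN containing filter metacharacters is matched literally; that the group restriction maps to `memberOf` is an assumption of this example, and the settings dictionary and DN are constructed.

```python
def ldap_escape(value):
    """Escape a filter assertion value per RFC 4515 (\\, *, (, ) and NUL become \\xx hex)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)

def object_class_clause(primary, custom=""):
    """(objectClass=...) for the primary class, OR-ed with any comma-separated custom classes."""
    classes = [primary] + [c.strip() for c in custom.split(",") if c.strip()]
    terms = "".join("(objectClass=%s)" % ldap_escape(c) for c in classes)
    return terms if len(classes) == 1 else "(|%s)" % terms

def user_filter(settings, login=None):
    """Filter selecting importable users; with `login`, narrows to one user by the Login Field.

    settings keys (constructed for this example): user_object_class, custom_user_classes,
    login_field, restrict_groups (list of group DNs), group_object_class, custom_group_classes.
    """
    parts = [object_class_clause(settings["user_object_class"], settings.get("custom_user_classes", ""))]
    groups = settings.get("restrict_groups", [])
    if groups:
        # Assumption: "Restrict import of users from the following groups" is applied via memberOf.
        members = "".join("(memberOf=%s)" % ldap_escape(dn) for dn in groups)
        parts.append(members if len(groups) == 1 else "(|%s)" % members)
    if login is not None:
        # The attribute name comes from configuration; only the user-supplied value is escaped.
        parts.append("(%s=%s)" % (settings["login_field"], ldap_escape(login)))
    return "(&%s)" % "".join(parts) if len(parts) > 1 else parts[0]

def group_filter(settings):
    """Filter selecting the group objects that become Roles in Access Anywhere."""
    return object_class_clause(settings["group_object_class"], settings.get("custom_group_classes", ""))

# Constructed settings matching the standard AD values given on the page.
EXAMPLE_SETTINGS = {
    "user_object_class": "user",
    "custom_user_classes": "",
    "login_field": "sAMAccountName",
    "restrict_groups": ["CN=AA Users,OU=Groups,DC=example,DC=com"],
    "group_object_class": "group",
}
```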