Differences

ldap [2021_01_19 23:50] – Redirect to Active Directory docs steven
ldap [2024_04_22 21:30] (current) – external edit 127.0.0.1
Line 1: Line 1:
-====== LDAP Integration ======+# LDAP Integration 
 + 
 +#### Last Updated January 7, 2022 
 + 
 +The Access Anywhere supports integration with directory services through the LDAP and SAML protocols providing authentication and authorization services including single-sign-on as well as identity and role synchronization. 
 + 
 +This document describes integration with LDAP. For SAML see [[:admin/saml|SAML Integration]]. More information at [[iam]]. 
 + 
 +This document describes configuration via LDAP for: 
 + 
 + * Microsoft Active Directory 
 + * Azure AD Domain Services 
 + 
 +<WRAP center round important 100%> 
 +If you remove an authentication system that is in use by an SMB Multi User or Nasuni provider,  then organization members may gain read access to the provider and its contents. 
 +</WRAP> 
 + 
 + 
 + 
 + 
 +### Adding a Directory Service 
 + 
 +Directory services are managed by an Organization administrator under **Organization** \> **Auth Systems**. Multiple auth systems can be configured.  
 + 
 +{{ :iam:auth-systems-page.png?600 }} 
 + 
 +## Active Directory (via LDAP) 
 + 
 +If you need to connect to: 
 + 
 + * ADFS (Active Directory Federation Services) - see [[admin/saml|SAML integration]] 
 + * Azure Active Directory - see [[admin/saml|SAML integration]] 
 + * Active Directory without secure LDAP - see the [[:admin/activedirectory/activedirectoryintegration|Access Anywhere Active Directory Proxy]] 
 + 
 +### Choose Auth System Type 
 + 
 +For any LDAP directory service choose **Active Directory via LDAP**.  
 + 
 +{{ :admin:activedirectory:activedirectoryintegration:ldap_auth.png?400 |}} 
 + 
 + 
 +### Connection Information 
 +The first section provides connection information to the directory service: 
 + 
 +{{ ::ldap_ad_auth_connsettings.png?600 |}} 
 + 
 +__Auth System Name__ - Enter any label you want for this Auth System. 
 + 
 +__LDAP Server host or IP__ - This is the dns resolvable hostname, or the IP address for your AD servers which are listening for LDAP connections.  
 + 
 +For high availability you can enter multiple addresses. Enter the host like you would normally then subsequent hosts separated by a space and include the protocol. 
 +  
 +``` 
 +server1 ldap://server2.com ldap://server3.com 
 +``` 
 + 
 +In case NAA can not connect to the first AD, next one will be tried. 
 + 
 +__LDAP Server Port__ - Can leave the default (port 389) if the Connection Encryption is none or TLS. Use port **636** for SSL. Or other port if you are using non-standard ports for your AD environment.  
 + 
 +__Connection Encryption__ - Select the encryption method your AD environment supports.  
 + 
 +__Base DN__ - Enter the Base DN for your enviornment. This is dependent on your AD environment setup.  
 + 
 +__Administrator User DN__ - Enter the DN for a service account in your AD environment that we will use to connect.  
 + 
 +__Administrator User Password__ - Password for the account entered in the previous field.  
 + 
 +==== User Import Settings ==== 
 + 
 +The next three boxes should be checked if you want Access Anywhere to automatically create new users and roles/groups when a user logs in and their account and/or groups do not exist in Access Anywhere.  
 + 
 +If you do not check these, you must import the Users and Roles you want to have access to the system.  
 +{{ :ldap_ad_user_autoimport.png |}} 
 + 
 +==== User Directory Settings ==== 
 + 
 +The next section will describe how your directory defines the users we will use in Access Anywhere. 
 + 
 +{{::ldap_ad_user_connsettings.png?600|}} 
 + 
 +__User Object Class__ - For Active Directory we will select "users" 
 + 
 +__Additional Custom User Object Classes__ - If you have additional classes which represent the users on your system, you can enter them here in a comma separated list. Standard AD installations will leave this blank.  
 + 
 +__Login Field__ - This defines the attribute which NAAwill use for the NAALogin attribute in Access Anywhere. Standard AD installations should use either sAMAccountName or userPrincipalName 
 + 
 +__Use Customer User Login Field__ - If Checked then you can select a custom field for the NAALogin. Standard AD installations will leave this blank.  
 + 
 +__Unique User Attribute__ - This defines which field will be used as the unique user ID with Access Anywhere. Standard AD installations should use either sAMAccountName or userPrincipalName.  
 + 
 +__User Name Field__ - This defines which field will be used for the NAAUser Name attribute. Standard AD installations should use displayName. 
 + 
 +__Use Custom User Name Field__ - If Checked then you can select a custom field for the NAAUser Name. Standard AD installations will leave this blank.  
 + 
 +__Use Custom User Email Field__ - If Checked then you can select a custom field for the NAAemail. Standard AD installations will leave this blank.  
 + 
 +==== Group Directory Settings ==== 
 + 
 +The next section will describe how your directory defines the groups we will use for the roles within Access Anywhere. 
 + 
 +{{::ldap_ad_group_connsettings.png?600|}} 
 + 
 +__Group (Role) id Field__ - This will define which field to use in the directory to create the Roles within Access Anywhere. Standard AD installations will select cn.  
 + 
 +__Restrict import of users from the following groups__ - Enter any group DNs for groups within your directory which you want to limit which users can access Access Anywhere.  
 + 
 +__Group(Role) Object Class__ - This defines the object class the directory users for group objects. Standard AD installations will select group.  
 + 
 +__Custom Group (Role) Object Classes__ - Here you can add additional classes which represent groups in your Directory, in a comma separated list. Standard AD installations will leave this blank.  
 + 
 +__Role Name Field__ - This defines which field will be used to set the Group name in Access Anywhere. Standard AD installations will use cn.  
 + 
 +__Use Custom Role Name Field__ - If checked then you will be able set a custom field name to be used for Access Anywhere group Names. Standard AD installations will leave this blank.  
 + 
 +==== Auto-Config Provider (Optional) ==== 
 + 
 +This optional setting will allow you to define Private Providers for each user in your directory. This can be used for user home directories for example.  
 + 
 + 
 +## Azure AD Domain Services (via LDAP) 
 + 
 +Azure AD Domain Services can be used as an LDAP provider. 
 + 
 +We recommend enabling and configuring Secure LDAP using TLS with port 389. (You could also use SSL with port 636). 
 + 
 +{{:ldap:azure-ad-domain-services1.png?600|azure-ad-domain-services1.png}} 
 + 
 +Other Settings: 
 + 
 + * User Object Class: user 
 + 
 + * Login Field: sAMAcountName 
 + 
 + * Unique User Attribute: sAMAccountName 
 + 
 + * User Name Field: cn 
 + 
 + * Group (Role) Id Field: cn 
 + 
 + * Group (Role) Object Class: group 
 + 
 + * Role Name Field: cn 
  
-To integrate using LDAP see [[:organisationcloud/activedirectory/activedirectoryintegration]] 
  
-See also [[iam]].
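Review bot: the Connection Encryption field (`__Connection Encryption__ - Select the encryption method your AD environment supports.`) together with the port note above it admits a value of none, but nothing in the hunk says that with none the bind performed with the Administrator User DN and password, and every user login that follows, travels to the directory unencrypted; add a sentence there recommending TLS or SSL and pointing readers who cannot enable secure LDAP to the Access Anywhere Active Directory Proxy link already given in the "If you need to connect to" list. The multi-host example `server1 ldap://server2.com ldap://server3.com` should also state whether fallback hosts must be written with `ldaps://` when Connection Encryption is SSL and port 636 is in use, since the example only shows `ldap://`. The User Import Settings paragraph ("The next three boxes should be checked if you want Access Anywhere to automatically create new users...") does not say whether "Restrict import of users from the following groups" also limits accounts created automatically at login, which is the case an administrator combining the two settings needs documented. Finally, `Login Field: sAMAcountName` in the Azure AD Domain Services list drops a letter (the Unique User Attribute line two entries below has the correct `sAMAccountName`), and `NAAwill`, `NAALogin`, `NAAUser Name`, `NAAemail` and `enviornment` are missing spaces or misspelled.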