Differences
This shows you the differences between two versions of the page.
ldap [2021_01_19 23:50] – Redirect to Active Directory docs steven | ldap [2024_04_22 21:30] (current) – external edit 127.0.0.1
Line 1: | Line 1: | ||
- | ====== | + | # LDAP Integration |
+ | |||
+ | #### Last Updated January 7, 2022 | ||
+ | |||
+ | The Access Anywhere supports integration with directory services through the LDAP and SAML protocols providing authentication and authorization services including single-sign-on as well as identity and role synchronization. | ||
+ | |||
+ | This document describes integration with LDAP. For SAML see [[: | ||
+ | |||
+ | This document describes configuration via LDAP for: | ||
+ | |||
+ | * Microsoft Active Directory | ||
+ | * Azure AD Domain Services | ||
+ | |||
+ | <WRAP center round important 100%> | ||
+ | If you remove an authentication system that is in use by an SMB Multi User or Nasuni provider, | ||
+ | </ | ||
+ | |||
+ | |||
+ | |||
+ | |||
+ | ### Adding a Directory Service | ||
+ | |||
+ | Directory services are managed by an Organization administrator under **Organization** \> **Auth Systems**. Multiple auth systems can be configured. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | ## Active Directory (via LDAP) | ||
+ | |||
+ | If you need to connect to: | ||
+ | |||
+ | * ADFS (Active Directory Federation Services) - see [[admin/ | ||
+ | * Azure Active Directory - see [[admin/ | ||
+ | * Active Directory without secure LDAP - see the [[: | ||
+ | |||
+ | ### Choose Auth System Type | ||
+ | |||
+ | For any LDAP directory service choose **Active Directory via LDAP**. | ||
+ | |||
+ | {{ : | ||
+ | |||
+ | |||
+ | ### Connection Information | ||
+ | The first section provides connection information to the directory service: | ||
+ | |||
+ | {{ :: | ||
+ | |||
+ | __Auth System Name__ - Enter any label you want for this Auth System. | ||
+ | |||
+ | __LDAP Server host or IP__ - This is the dns resolvable hostname, or the IP address for your AD servers which are listening for LDAP connections. | ||
+ | |||
+ | For high availability you can enter multiple addresses. Enter the host like you would normally then subsequent hosts separated by a space and include the protocol. | ||
+ | |||
+ | ``` | ||
+ | server1 ldap:// | ||
+ | ``` | ||
+ | |||
+ | In case NAA can not connect to the first AD, next one will be tried. | ||
+ | |||
+ | __LDAP Server Port__ - Can leave the default (port 389) if the Connection Encryption is none or TLS. Use port **636** for SSL. Or other port if you are using non-standard ports for your AD environment. | ||
+ | |||
+ | __Connection Encryption__ - Select the encryption method your AD environment supports. | ||
+ | |||
+ | __Base DN__ - Enter the Base DN for your enviornment. This is dependent on your AD environment setup. | ||
+ | |||
+ | __Administrator User DN__ - Enter the DN for a service account in your AD environment that we will use to connect. | ||
+ | |||
+ | __Administrator User Password__ - Password for the account entered in the previous field. | ||
+ | |||
+ | ==== User Import Settings | ||
+ | |||
+ | The next three boxes should be checked if you want Access Anywhere to automatically create new users and roles/ | ||
+ | |||
+ | If you do not check these, you must import the Users and Roles you want to have access to the system. | ||
+ | {{ : | ||
+ | |||
+ | ==== User Directory Settings ==== | ||
+ | |||
+ | The next section will describe how your directory defines the users we will use in Access Anywhere. | ||
+ | |||
+ | {{:: | ||
+ | |||
+ | __User Object Class__ - For Active Directory we will select " | ||
+ | |||
+ | __Additional Custom User Object Classes__ - If you have additional classes which represent the users on your system, you can enter them here in a comma separated list. Standard AD installations will leave this blank. | ||
+ | |||
+ | __Login Field__ - This defines the attribute which NAAwill use for the NAALogin attribute in Access Anywhere. Standard AD installations should use either sAMAccountName or userPrincipalName | ||
+ | |||
+ | __Use Customer User Login Field__ - If Checked then you can select a custom field for the NAALogin. Standard AD installations will leave this blank. | ||
+ | |||
+ | __Unique User Attribute__ - This defines which field will be used as the unique user ID with Access Anywhere. Standard AD installations should use either sAMAccountName or userPrincipalName. | ||
+ | |||
+ | __User Name Field__ - This defines which field will be used for the NAAUser Name attribute. Standard AD installations should use displayName. | ||
+ | |||
+ | __Use Custom User Name Field__ - If Checked then you can select a custom field for the NAAUser Name. Standard AD installations will leave this blank. | ||
+ | |||
+ | __Use Custom User Email Field__ - If Checked then you can select a custom field for the NAAemail. Standard AD installations will leave this blank. | ||
+ | |||
+ | ==== Group Directory Settings ==== | ||
+ | |||
+ | The next section will describe how your directory defines the groups we will use for the roles within Access Anywhere. | ||
+ | |||
+ | {{:: | ||
+ | |||
+ | __Group (Role) id Field__ - This will define which field to use in the directory to create the Roles within Access Anywhere. Standard AD installations will select cn. | ||
+ | |||
+ | __Restrict import of users from the following groups__ - Enter any group DNs for groups within your directory which you want to limit which users can access Access Anywhere. | ||
+ | |||
+ | __Group(Role) Object Class__ - This defines the object class the directory users for group objects. Standard AD installations will select group. | ||
+ | |||
+ | __Custom Group (Role) Object Classes__ - Here you can add additional classes which represent groups in your Directory, in a comma separated list. Standard AD installations will leave this blank. | ||
+ | |||
+ | __Role Name Field__ - This defines which field will be used to set the Group name in Access Anywhere. Standard AD installations will use cn. | ||
+ | |||
+ | __Use Custom Role Name Field__ - If checked then you will be able set a custom field name to be used for Access Anywhere group Names. Standard AD installations will leave this blank. | ||
+ | |||
+ | ==== Auto-Config Provider (Optional) ==== | ||
+ | |||
+ | This optional setting will allow you to define Private Providers for each user in your directory. This can be used for user home directories for example. | ||
+ | |||
+ | |||
+ | ## Azure AD Domain Services (via LDAP) | ||
+ | |||
+ | Azure AD Domain Services can be used as an LDAP provider. | ||
+ | |||
+ | We recommend enabling and configuring Secure LDAP using TLS with port 389. (You could also use SSL with port 636). | ||
+ | |||
+ | {{: | ||
+ | |||
+ | Other Settings: | ||
+ | |||
+ | * User Object Class: user | ||
+ | |||
+ | * Login Field: sAMAcountName | ||
+ | |||
+ | * Unique User Attribute: sAMAccountName | ||
+ | |||
+ | * User Name Field: cn | ||
+ | |||
+ | * Group (Role) Id Field: cn | ||
+ | |||
+ | * Group (Role) Object Class: group | ||
+ | |||
+ | * Role Name Field: cn | ||
- | To integrate using LDAP see [[: | ||
- | See also [[iam]]. | ||
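Review bot: the Azure AD Domain Services "Other Settings" list gives `* Login Field: sAMAcountName` while the next item reads `* Unique User Attribute: sAMAccountName`; the first is misspelled, and an administrator who copies it into the Login Field configures an attribute that does not exist, so change it to sAMAccountName. The __LDAP Server Port__ and __Connection Encryption__ descriptions present "none" as an ordinary choice next to TLS and SSL, but the connection binds with the __Administrator User DN__ and __Administrator User Password__, so the text should state that an unencrypted connection sends that service-account password in cleartext and should recommend TLS on 389 or SSL on 636, which is what the Azure AD Domain Services section already advises. Smaller documentation fixes in the same hunk: "==== User Import Settings" lacks its closing "====" and the page mixes "#"/"###" with "====" headings; "enviornment" under __Base DN__; "NAAwill", "NAALogin", "NAAUser Name" and "NAAemail" are missing a space after NAA; "__Use Customer User Login Field__" should read "Custom" to match the neighbouring "Use Custom ..." fields; "the object class the directory users for group objects" should be "uses"; "you will be able set" needs "to"; the warning "If you remove an authentication system that is in use by an SMB Multi User or Nasuni provider," stops mid-sentence; and the high-availability example shows only `server1 ldap://`, so the second host should be given in full.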