Differences

This shows you the differences between two versions of the page.

ldap [2018_01_30 17:23] – external edit 127.0.0.1
ldap [2024_03_05 19:11] (current) – [LDAP Integration] steven
Line 1: Line 1:
-====== LDAP Integration ======+LDAP Integration
  
-To setup LDAP integration from within the Cloud Appliancelogin as the Cloud Admin, and navigate to the 'Auth Systems' option on the Organization sidebar. You can add MS Active Directory or any other LDAP server e.g. OpenLDAP {{:/LDAP:.:sme_menubar.png|menubar}}+#### Last Updated January 72022
  
-In your account you can add multiple LDAP servers.+The Access Anywhere supports integration with directory services through the LDAP and SAML protocols providing authentication and authorization services including single-sign-on as well as identity and role synchronization.
  
-===== Setup Authentication Provider =====+This document describes integration with LDAP. For SAML see [[:organisationcloud/saml|SAML Integration]]. More information at [[iam]].
  
-From the dropdown list select LDAP provider {{:/LDAP:.:sme_ldapselect.png|ldapselect}}+This document describes configuration via LDAP for:
  
-You can complete the setup for LDAP server here {{:/LDAP:.:sme_ldapform.png|ldapform}}+ * Microsoft Active Directory 
 + * Azure AD Domain Services
  
-==== Connection Settings ====+<WRAP center round important 100%> 
 +If you remove an authentication system that is in use by an SMB Multi User or Nasuni provider,  then organization members may gain read access to the provider and its contents. 
 +</WRAP>
  
-**Auth System Name:** This will be the displayed name of the ldap system when importing users **LDAP Server host or IP:** The IP or hostname of the LDAP server **LDAP Server port:** The port to use default is 389 **Connection Encryption:** You can chose //None, ldaps or TLS// **Base DN:** The root distinguished name (DN) to use when running queries against the ldap server. Example: dc=domain1,dc=local **Administrator User DN:** Administrator User **Administrator User Password:** Password for the administrator user 
  
-==== Users Import Settings ==== 
  
-**Update user roles/groups on login:** On login user will be assigned roles from LDAP **User Object Class:** The user object class **Additional Custom User Object Classes:** Additional user object classes, you can enter multiple values separated by comma **Login Field:** The login field to use, this is pre-populated with the most common values //uid,cn, sAMAccountName, userPrincipalName// and will be used as user login id. You can enter a custom value by selecting //Use Custom User Login Field// and enter a custom filed {{:/LDAP:.:sme_customloginfield.png|customloginfield}}**User Name Field:** The mapping for user name field that will be used. this is pre-populated with the most common values //cn, name, displayName// You can also enter a custom filed by selecting //Use Custom User Name Field// and entering a custom field value. {{:/LDAP:.:sme_customusernamefiled.png|customusernamefiled}} 
  
-**Use Custom User Email Field:** By default mail or email field will be used. By selecting this checkbox you can use custom filed for email mapping.+### Adding Directory Service
  
-**Group (Role) Id Field:** The group mapping to use.+Directory services are managed by an Organization administrator under **Organization** \> **Auth Systems**. Multiple auth systems can be configured
  
-**Restrict import of users from the following groups:** Restrict import of users to a certain groups+{{ :iam:auth-systems-page.png?600 }}
  
-**Group (RoleObject Class:** The Group class to use+## Active Directory (via LDAP)
  
-**Custom Group (Role) Object Classes:** You can enter multiple Group classes separated by comma.+If you need to connect to:
  
-**Role Name Field:** The field to use for role mapping. You can enter custom field for by selecting //Use Custom Role Name Field//+ ADFS (Active Directory Federation Services) - see [[organisationcloud/saml|SAML integration]] 
 + Azure Active Directory - see [[organisationcloud/saml|SAML integration]] 
 + * Active Directory without secure LDAP - see the [[:organisationcloud/activedirectory/activedirectoryintegration|Access Anywhere Active Directory Proxy]]
  
-===== Importing Users and Roles =====+### Choose Auth System Type
  
-After LDAP and the SME Cloud File Server have been successfully connected navigate to the "Users" option from the web menu. There will now be a further option, "Import users from a remote source". Clicking this link will show users that are available in LDAP for import / mapping to the Cloud File Server.+For any LDAP directory service choose **Active Directory via LDAP**
  
-{{:/LDAP:.:sme_importusers.png|importusers}}+{{ :organisationcloud:activedirectory:activedirectoryintegration:ldap_auth.png?400 |}}
  
-===== Choosing Users to Import ===== 
  
-Select the recently added auth system from the dropdown list if you have added more than one auth systems. {{:/LDAP:.:sme_selectauth.png|selectauth}}+### Connection Information 
 +The first section provides connection information to the directory service:
  
-Once the users from LDAP are visible users can be selected for import (and roles separately if required) from the set by selecting the role drop down. If multiple roles are required choose shift-select to select more than one role.+{{ ::ldap_ad_auth_connsettings.png?600 |}}
  
-{{:/LDAP:.:sme_importusers2.png|importusers2}}+__Auth System Name__ - Enter any label you want for this Auth System.
  
-When complete click the "import selected users" box.+__LDAP Server host or IP__ - This is the dns resolvable hostname, or the IP address for your AD servers which are listening for LDAP connections
  
-The SME user login ID will be **username@orgname**+For high availability you can enter multiple addresses. Enter the host like you would normally then subsequent hosts separated by a space and include the protocol. 
 +  
 +``` 
 +server1 ldap://server2.com ldap://server3.com 
 +```
  
-===== Importing Roles Directly =====+In case NAA can not connect to the first AD, next one will be tried.
  
-If the Cloud File Server users have been setup directly it is still possible to import roles separately from Active Directory. To do this login as the Cloud Administrator on the web, click on the Roles menu option in the right sidebar and click the link, "choose what roles to import"Select the auth provider and import the roles.+__LDAP Server Port__ - Can leave the default (port 389) if the Connection Encryption is none or TLSUse port **636** for SSL. Or other port if you are using non-standard ports for your AD environment
  
-{{:/LDAP:.:sme_importroles.png|importroles}}+__Connection Encryption__ - Select the encryption method your AD environment supports
  
-===== Managing Users and Roles =====+__Base DN__ - Enter the Base DN for your enviornment. This is dependent on your AD environment setup. 
  
-User role mappings can be managed from the User option in the right sidebar after logging in as the Cloud Admin. This lists all users and the Role that is assignedto them. Clicking on the edit icon enables options to be changed for an individual user, one of which is the Role Option. {{:/LDAP:sme_managingroles.png}}+__Administrator User DN__ - Enter the DN for a service account in your AD environment that we will use to connect
  
-===== Assiging Permissions to Roles =====+__Administrator User Password__ - Password for the account entered in the previous field. 
  
-Once Users and Roles are set up then permissions can be set against a Shared folder by logging into the Web as Cloud Admin and selecting the 'Shared Team Folders'i option from the right sidebar. Permissions can be set in one of three ways:+==== User Import Settings ====
  
-  * At a Folder lever +The next three boxes should be checked if you want Access Anywhere to automatically create new users and roles/groups when a user logs in and their account and/or groups do not exist in Access Anywhere. 
-  * At a Roles level +
-  * At a user level+
  
-The precedence is applied in the following order (lowest first)+If you do not check these, you must import the Users and Roles you want to have access to the system.  
 +{{ :ldap_ad_user_autoimport.png |}}
  
-  Folder permissions +==== User Directory Settings ==== 
-  Role permissions + 
-  * User permissions+The next section will describe how your directory defines the users we will use in Access Anywhere. 
 + 
 +{{::ldap_ad_user_connsettings.png?600|}} 
 + 
 +__User Object Class__ - For Active Directory we will select "users" 
 + 
 +__Additional Custom User Object Classes__ - If you have additional classes which represent the users on your system, you can enter them here in a comma separated list. Standard AD installations will leave this blank.  
 + 
 +__Login Field__ - This defines the attribute which NAAwill use for the NAALogin attribute in Access Anywhere. Standard AD installations should use either sAMAccountName or userPrincipalName 
 + 
 +__Use Customer User Login Field__ - If Checked then you can select a custom field for the NAALogin. Standard AD installations will leave this blank.  
 + 
 +__Unique User Attribute__ - This defines which field will be used as the unique user ID with Access Anywhere. Standard AD installations should use either sAMAccountName or userPrincipalName.  
 + 
 +__User Name Field__ - This defines which field will be used for the NAAUser Name attribute. Standard AD installations should use displayName. 
 + 
 +__Use Custom User Name Field__ - If Checked then you can select a custom field for the NAAUser Name. Standard AD installations will leave this blank.  
 + 
 +__Use Custom User Email Field__ - If Checked then you can select a custom field for the NAAemail. Standard AD installations will leave this blank.  
 + 
 +==== Group Directory Settings ==== 
 + 
 +The next section will describe how your directory defines the groups we will use for the roles within Access Anywhere. 
 + 
 +{{::ldap_ad_group_connsettings.png?600|}} 
 + 
 +__Group (Role) id Field__ - This will define which field to use in the directory to create the Roles within Access Anywhere. Standard AD installations will select cn.  
 + 
 +__Restrict import of users from the following groups__ - Enter any group DNs for groups within your directory which you want to limit which users can access Access Anywhere.  
 + 
 +__Group(Role) Object Class__ - This defines the object class the directory users for group objects. Standard AD installations will select group.  
 + 
 +__Custom Group (Role) Object Classes__ - Here you can add additional classes which represent groups in your Directory, in a comma separated list. Standard AD installations will leave this blank.  
 + 
 +__Role Name Field__ - This defines which field will be used to set the Group name in Access Anywhere. Standard AD installations will use cn.  
 + 
 +__Use Custom Role Name Field__ - If checked then you will be able set a custom field name to be used for Access Anywhere group Names. Standard AD installations will leave this blank.  
 + 
 +==== Auto-Config Provider (Optional) ==== 
 + 
 +This optional setting will allow you to define Private Providers for each user in your directory. This can be used for user home directories for example.  
 + 
 + 
 +## Azure AD Domain Services (via LDAP) 
 + 
 +Azure AD Domain Services can be used as an LDAP provider. 
 + 
 +We recommend enabling and configuring Secure LDAP using TLS with port 389. (You could also use SSL with port 636). 
 + 
 +{{:ldap:azure-ad-domain-services1.png?600|azure-ad-domain-services1.png}} 
 + 
 +Other Settings: 
 + 
 + User Object Class: user 
 + 
 + Login Field: sAMAcountName 
 + 
 + Unique User Attribute: sAMAccountName 
 + 
 + * User Name Field: cn 
 + 
 + * Group (Role) Id Field: cn 
 + 
 + * Group (Role) Object Class: group 
 + 
 + * Role Name Field: cn
  
-Where a user is in multiple roles then least restrictive permissions apply. 
  
-{{:/LDAP:.:sme_assigingpermissions.png}} 
  
-===== User Login ===== 
  
-Once the users have been setup they can login directly using their normal LDAP to login through the SME Cloud File Server. On login their user credentials are sent to LDAP if the user is authorised then this is passed back to the SME Cloud File Server which issues a token for access. This token will then be used for SME File Server access for the users sessions and will be passed with each request.
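Review bot: the two User Object Class values in the new revision disagree: the Active Directory section says to select "users", while the Azure AD Domain Services list says "user"; the Active Directory structural class is `user`, so the first should be corrected, and `sAMAcountName` in the Azure AD DS login-field line is missing a `c` (`sAMAccountName`, as the Unique User Attribute line below it already has). The Connection Encryption entry should also state what choosing none means: the Administrator User DN password and every user's login credentials then cross the network in clear text, so the text should recommend ldaps (636) or TLS on 389 and reserve none for lab use; the high-availability host example writes the fallback hosts with the `ldap://` scheme, and the doc should say whether the encryption setting is applied to those hosts or whether `ldaps://` must be written per host. Finally, the User Import Settings paragraph says the auto-create boxes make Access Anywhere create accounts and roles on first login, but it does not say that, once they are checked, any directory user who can bind gets an account unless "Restrict import of users from the following groups" is populated; a sentence linking the two settings would close that gap.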