Active Directory Integration

Last updated June 22, 2022

This section details integrating the SME Cloud File Server with an Active Directory service.

Applicability:

  • SaaS hosted Cloud file server service
  • Cloud Appliance (either directly hosted or on-premise)

Works With:

  • Any SME Supported Private or Public Cloud Storage

See also:

How to Connect File Fabric to Active Directory

There are two ways to connect the File Fabric to your Active Directory environment. The first is with the SME Active Directory Proxy. This requires the installation of the SME Active Directory Proxy application and is designed for instances where you want to integrate your internal AD with a cloud-hosted instance of SME without exposing your AD to the internet directly.

The second is to connect directly to the AD environment, via an LDAP connection. This is labeled as “Active Directory via LDAP”.

Active Directory Auth - via LDAP

Entering Connection Information

The first part of the Auth Systems section configures the connection to the AD environment.

Auth System Name - Enter any label you want for this Auth System.

LDAP Server host or IP - This is the DNS-resolvable hostname or the IP address of the AD servers that are listening for LDAP connections.

For high availability you can enter multiple addresses. Enter the first host as you normally would, then add subsequent hosts separated by a space, including the protocol:

server1 ldap://server2.com ldap://server3.com

If EFF cannot connect to the first AD server, the next one will be tried.

LDAP Server Port - You can leave the default (port 389) if the Connection Encryption is None or TLS. Use port 636 for SSL, or another port if you are using non-standard ports in your AD environment.

Connection Encryption - Select the encryption method your AD environment supports.

Base DN - Enter the Base DN for your environment. This is dependent on your AD environment setup.

Administrator User DN - Enter the DN of a service account in your AD environment that the File Fabric will use to connect.

Administrator User Password - Password for the account entered in the previous field.
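The following is an added example, not code from this page or from the File Fabric itself. It shows how a host field written as "server1 ldap://server2.com ldap://server3.com" can be split into an ordered list of targets and tried one after another until a connection succeeds, as the failover behaviour above describes. The rule that a bare host takes the scheme and default port implied by the Connection Encryption setting (389 for None/TLS, 636 for SSL) is an assumption for this example, derived from the port guidance above rather than documented product behaviour; `fake_connect` is a constructed stand-in for a real LDAP bind.

```python
# Added example (not code from the SME page or the File Fabric product).
# Parses a space-separated AD host list into (scheme, host, port) targets
# and tries them in order, the way the failover text above describes.
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_server_list(server_field, encryption="none"):
    """Split the host field into ordered (scheme, host, port) targets.

    encryption is "none", "tls" (STARTTLS, stays on 389) or "ssl"
    (LDAPS on 636). Assumption for this example: a bare hostname gets
    ldaps:// only for "ssl"; an entry written with an explicit scheme
    keeps that scheme and any explicit port.
    """
    default_scheme = "ldaps" if encryption.lower() == "ssl" else "ldap"
    targets = []
    for token in server_field.split():
        if "://" not in token:
            token = f"{default_scheme}://{token}"
        parts = urlsplit(token)
        if parts.scheme not in DEFAULT_PORT:
            raise ValueError(f"unsupported scheme in {token!r}")
        if not parts.hostname:
            raise ValueError(f"missing host in {token!r}")
        port = parts.port or DEFAULT_PORT[parts.scheme]
        targets.append((parts.scheme, parts.hostname, port))
    return targets


def connect_with_failover(targets, connect):
    """Try each target in order; return ((scheme, host, port), connection)
    for the first that succeeds. connect(scheme, host, port) is any
    callable that returns a connection or raises OSError when the host is
    unreachable. Other exceptions (for example a rejected bind password)
    are deliberately not retried: they would fail on every replica too,
    and retrying them only multiplies failed-logon events on the DCs."""
    errors = []
    for scheme, host, port in targets:
        try:
            return (scheme, host, port), connect(scheme, host, port)
        except OSError as exc:
            errors.append(f"{scheme}://{host}:{port}: {exc}")
    raise ConnectionError("all AD servers failed: " + "; ".join(errors))


def fake_connect(scheme, host, port):
    """Constructed stand-in for a real LDAP bind: server1 is 'down'."""
    if host == "server1":
        raise OSError("connection refused")
    return f"bound to {scheme}://{host}:{port}"


if __name__ == "__main__":
    targets = parse_server_list("server1 ldap://server2.com ldap://server3.com")
    print(connect_with_failover(targets, fake_connect))
```

In a real deployment `connect` would wrap the LDAP client's bind call; the point of the example is that a scheme given explicitly on one host is never silently downgraded by the default applied to the others.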

User Import Settings

The next three boxes should be checked if you want the File Fabric to automatically create new users and roles/groups when a user logs in and their account and/or groups do not exist in the File Fabric.

If you do not check these, you must import the Users and Roles you want to have access to the system.

User Directory Settings

The next section will describe how your directory defines the users we will use in the File Fabric.

User Object Class - For Active Directory we will select “users”

Additional Custom User Object Classes - If you have additional classes which represent the users on your system, you can enter them here in a comma separated list. Standard AD installations will leave this blank.

Login Field - This defines the attribute which SME will use for the SME Login attribute in the File Fabric. Standard AD installations should use either sAMAccountName or userPrincipalName.

Use Custom User Login Field - If checked, you can select a custom field for the SME Login. Standard AD installations will leave this blank.

Unique User Attribute - This defines which field will be used as the unique user ID within the File Fabric. Standard AD installations should use either sAMAccountName or userPrincipalName.

User Name Field - This defines which field will be used for the SME User Name attribute. Standard AD installations should use displayName.

Use Custom User Name Field - If Checked then you can select a custom field for the SME User Name. Standard AD installations will leave this blank.

Use Custom User Email Field - If Checked then you can select a custom field for the SME email. Standard AD installations will leave this blank.

Group Directory Settings

The next section will describe how your directory defines the groups we will use for the roles within the File Fabric.

Group (Role) id Field - This will define which field to use in the directory to create the Roles within the File Fabric. Standard AD installations will select cn.

Restrict import of users from the following groups - Enter the DNs of any groups in your directory to which you want to limit the users who can access the File Fabric.

Group (Role) Object Class - This defines the object class the directory uses for group objects. Standard AD installations will select group.

Custom Group (Role) Object Classes - Here you can add additional classes which represent groups in your Directory, in a comma separated list. Standard AD installations will leave this blank.

Role Name Field - This defines which field will be used to set the Group name in the File Fabric. Standard AD installations will use cn.

Use Custom Role Name Field - If checked, you will be able to set a custom field name to be used for the File Fabric group names. Standard AD installations will leave this blank.
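To make the user and group settings above concrete, here is an added example that is not code from this page or from the File Fabric. It takes entries shaped like the results of an LDAP search against AD (constructed sample data) together with the settings named above (Login Field, Unique User Attribute, User Name Field, the user and group object classes, and the group DNs used to restrict import) and produces the user records that would be created, plus the role names derived from the cn of each group the user belongs to. The dictionary keys `login_field`, `unique_attr`, `name_field`, `email_field` and `restrict_to_groups` are illustrative names for those settings, and the corp.example DNs are made up.

```python
# Added example (not the File Fabric's own code): applying the user and
# group directory settings above to constructed AD entries.

# Constructed sample of what an LDAP search against AD might return.
SAMPLE_ENTRIES = [
    {"dn": "CN=Ada Lovelace,OU=Staff,DC=corp,DC=example",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "alovelace",
     "userPrincipalName": "alovelace@corp.example",
     "displayName": "Ada Lovelace", "mail": "ada@corp.example",
     "memberOf": ["CN=FileFabric-Users,OU=Groups,DC=corp,DC=example",
                  "CN=Finance,OU=Groups,DC=corp,DC=example"]},
    {"dn": "CN=svc-backup,OU=Service,DC=corp,DC=example",
     "objectClass": ["top", "person", "organizationalPerson", "user"],
     "sAMAccountName": "svc-backup",
     "userPrincipalName": "svc-backup@corp.example",
     "displayName": "Backup Service", "memberOf": []},
    {"dn": "CN=PRINTSRV,OU=Devices,DC=corp,DC=example",
     "objectClass": ["top", "computer"], "sAMAccountName": "PRINTSRV$"},
]

# Illustrative names for the settings described on this page.
SETTINGS = {
    "user_object_classes": {"user"},        # User Object Class (+ custom classes)
    "login_field": "sAMAccountName",        # Login Field
    "unique_attr": "userPrincipalName",     # Unique User Attribute
    "name_field": "displayName",            # User Name Field
    "email_field": "mail",                  # email attribute (assumed default)
    # Restrict import of users from the following groups
    "restrict_to_groups": {"CN=FileFabric-Users,OU=Groups,DC=corp,DC=example"},
}


def _norm_dn(dn):
    # DNs in AD compare case-insensitively; this simple normalisation does
    # not handle escaped commas inside RDN values.
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_user_entry(entry, settings):
    classes = {c.lower() for c in entry.get("objectClass", [])}
    wanted = {c.lower() for c in settings["user_object_classes"]}
    return bool(classes & wanted)


def in_allowed_group(entry, settings):
    """True if no restriction is set, or the entry is a member of one of
    the restricting groups (AD exposes direct membership via memberOf)."""
    allowed = {_norm_dn(g) for g in settings["restrict_to_groups"]}
    if not allowed:
        return True
    return any(_norm_dn(g) in allowed for g in entry.get("memberOf", []))


def map_user(entry, settings):
    """Build the File Fabric-side record, or None if the entry is not an
    importable user under the current settings."""
    if not is_user_entry(entry, settings) or not in_allowed_group(entry, settings):
        return None
    record = {}
    for key, attr in (("login", settings["login_field"]),
                      ("unique_id", settings["unique_attr"]),
                      ("name", settings["name_field"])):
        if attr not in entry:   # a missing mandatory attribute is a config error
            raise ValueError(f"{entry['dn']} has no {attr}; cannot map")
        record[key] = entry[attr]
    record["email"] = entry.get(settings["email_field"])
    return record


def import_users(entries, settings):
    return [r for r in (map_user(e, settings) for e in entries) if r]


def roles_for(entry):
    """Role names from the first RDN (cn) of each group DN, matching a
    Role Name Field of cn."""
    return [g.split(",", 1)[0].split("=", 1)[1] for g in entry.get("memberOf", [])]


if __name__ == "__main__":
    for user in import_users(SAMPLE_ENTRIES, SETTINGS):
        print(user)
```

Run as-is, only Ada is imported: the service account is a user object but sits outside the restricting group, and the computer object has the wrong object class. Clearing `restrict_to_groups` lets every user-class entry through, which is the case the page warns about when it says you must otherwise import only the users you want to have access.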

Auto-Config Provider (Optional)

This optional setting will allow you to define Private Providers for each user in your directory. This can be used for things like user home directories and the like.

Using LDAPS (Optional)

When you add an LDAP external authentication system to the File Fabric, you have the option of using LDAPS. If you use LDAPS (port 636) then the File Fabric will communicate with the authentication service using encrypted traffic. It will also, by default, try to ensure the identity of the authentication system.

In some cases, such as when AD is used, the authentication system will have a certificate signed by the domain and not a commercially registered Certificate Authority. In that situation you have to tell the File Fabric to bypass the Certificate Authority verification and accept an LDAP-based authentication system with any non-expired cert. You can do this by adding:

TLS_REQCERT    never

to /etc/openldap/ldap.conf

This is a global setting: it applies to every LDAP connection made from the File Fabric host, not only to this auth system.
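Because `TLS_REQCERT never` turns off server identity checks for every LDAP connection on the host, the bind credentials entered above would be handed to whatever answers on port 636. The usual alternative for a domain-signed certificate is to keep verification on and trust the domain CA with the OpenLDAP `TLS_CACERT` option. The following added example is not from this page or from the File Fabric: it contains a constructed weak and a constructed hardened `ldap.conf`, a small parser, and an audit function that flags the settings a reviewer would look for. The CA file path is a placeholder.

```python
# Added example (not part of the page or the File Fabric): audit the
# global OpenLDAP client config for the certificate-check settings.

# Constructed sample: the global client config as the page describes editing it.
WEAK_CONF = """\
BASE   dc=corp,dc=example
URI    ldaps://dc1.corp.example
TLS_REQCERT    never
"""

# Constructed sample: verification stays on, the domain CA is trusted explicitly.
HARDENED_CONF = """\
BASE   dc=corp,dc=example
URI    ldaps://dc1.corp.example
# export the domain CA certificate (Base64 .cer) and store it here (placeholder path)
TLS_CACERT     /etc/openldap/certs/corp-root-ca.pem
TLS_REQCERT    demand
"""


def parse_ldap_conf(text):
    """Return {OPTION: value}; the last occurrence of an option wins.
    Blank lines and lines starting with '#' are ignored, as ldap.conf does."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts


def audit_ldap_conf(text):
    """Findings about TLS peer verification, as 'SEVERITY: message' strings.
    TLS_REQCERT values and their meaning follow ldap.conf(5); the OpenLDAP
    default when the option is absent is 'demand'."""
    opts = parse_ldap_conf(text)
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    has_ca = "TLS_CACERT" in opts or "TLS_CACERTDIR" in opts
    findings = []
    if reqcert in ("never", "allow"):
        findings.append(
            f"HIGH: TLS_REQCERT {reqcert}: the AD server certificate is not "
            "verified, so LDAPS cannot detect a spoofed or intercepted server; "
            "the bind DN password is exposed to whoever answers on port 636")
    elif reqcert == "try":
        findings.append(
            "MEDIUM: TLS_REQCERT try: a bad certificate is rejected but a "
            "server presenting no certificate is accepted")
    elif not has_ca:
        findings.append(
            "INFO: TLS_REQCERT demand without TLS_CACERT/TLS_CACERTDIR: a "
            "domain-issued AD certificate will only verify if the domain CA "
            "is already in the system trust store")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_ldap_conf(conf) or ["OK"])
```

After changing the file, an `ldapsearch -x -H ldaps://dc1.corp.example -b "" -s base` from the File Fabric host is a quick way to confirm the connection still completes with verification enabled (placeholder hostname).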

Azure AD Domain Services (LDAP)

Azure AD Domain Services can be used as an LDAP provider. We recommend enabling and configuring Secure LDAP.

Other Settings:

  • User Object Class: user
  • Login Field: sAMAccountName
  • Unique User Attribute: sAMAccountName
  • User Name Field: cn
  • Group (Role) Id Field: cn
  • Group (Role) Object Class: group
  • Role Name Field: cn

Active Directory Auth - via AD Proxy

Active Directory Proxy

You will first need to download the SME Active Directory Proxy and install it on your Active Directory Server to enable the SME Cloud File Server to access Active Directory. The Proxy is downloaded as an executable and just needs to be copied across to the machine and run.

Note: The .NET Framework 3.5+ needs to be installed for the Proxy to run; otherwise you will be prompted to install it.

Setting up the Active Directory Proxy

Once the Active Directory Proxy has been downloaded and installed, you can enter the necessary information to set it up:

  • The Active Directory Server information, if the Proxy is not installed directly on an Active Directory Server
  • The Active Directory Admin username
  • The Active Directory Password
  • The Active Directory Domain
  • The IP of where the Proxy is running, or leave this blank if the machine is not multi-homed (it enables binding to a specific IP address)
  • Key Encryption phrase: The key encryption phrase must be the same phrase that is entered into the SME Cloud File Server, so you can either generate it from the AD settings within the SME File Server and paste it here, or vice versa. This phrase is used to encrypt data over HTTP using Triple DES and is unique.

Note that the Negotiate option is normally left unchecked, but if you are implementing in a domain where Kerberos or NTLM may be used then you should check this. A symptom of this is the error “the server cannot handle directory requests”. If you see this error, check this option. Please see here for more information.

Active Directory Settings in SME Cloud File Server

Once the Proxy has been installed the Active Directory setup can be completed on the SME Cloud File Server:

  • Enter the Active Directory Host IP (where the SME Proxy is running)
  • Enter the Port (by default the Proxy port is configured to be 4444)
  • Generate or enter the key phrase to encrypt traffic using Triple DES. This must be the same as the encryption phrase on the proxy so you must either paste the phrase here that is used on the Proxy or vice-versa.

Once this has been entered you can test the connection. Once this is successful you can choose to update the options.

Note: If you believe you have entered the information correctly but the test is unsuccessful after checking all data, please check for firewalls or something that could block the port you have used on the location where the Proxy is installed.

Note: Schema settings are optional

Using the new Active Directory Auth Provider

Importing Users and Roles from AD

After AD and the SME Cloud File Server have been successfully connected, navigate to the “Users” option from the web menu. There will now be a further option, “import users from Active Directory”. Clicking this link will show users that are available in Active Directory for import / mapping to the Cloud File Server.

Choosing users to import

Once the users from the Active Directory Server are visible, users can be selected for import (and roles separately if required) from the set by selecting the role drop-down. If multiple roles are required, use shift-select to select more than one role.

When complete click the “import selected users” box.

The SME user login ID will be {AD User UPN Logon }@orgname

Importing Roles Directly

If the Cloud File Server users have been set up directly, it is still possible to import roles separately from Active Directory. To do this, log in as the Cloud Administrator on the web, click on the Roles menu option in the right sidebar and click the link “choose what roles to import”. This will bring up the Active Directory Roles that can be imported and used with existing users.

Managing Users and Roles

User role mappings can be managed from the User option in the right sidebar after logging in as the Cloud Admin. This lists all users and the Role that is assigned to them. Clicking on the edit icon enables options to be changed for an individual user, one of which is the Role option.

Assigning Permissions to Roles

Once Users and Roles are set up then permissions can be set against a Shared folder by logging into the Web as Cloud Admin and selecting the 'Shared Team Folders' option from the right sidebar. Permissions can be set in one of three ways:

  • At a Folder level
  • At a Roles level
  • At a user level

The precedence is applied in the following order (lowest first):

  • Folder permissions
  • Role permissions
  • User permissions

Where a user is in multiple roles then least restrictive applies.
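The precedence and multi-role rules just stated, as an added example that is not part of this page or the product: folder permissions are the base, a role permission overrides the folder, an explicit per-user permission overrides both, and a user in several roles gets the least restrictive of them. The permission levels and their ordering (none < read < write), and the sample folder, roles and users, are assumptions for illustration; the page itself does not list the permission levels.

```python
# Added example (not the File Fabric's own code): effective permission on
# a Shared Team Folder under the precedence rules described above.

# Assumed ordering of permission levels for this example.
LEVEL = {"none": 0, "read": 1, "write": 2}

# Constructed sample: one shared folder with permissions set at each level.
FOLDER_PERM = "read"                                   # applies to everyone by default
ROLE_PERMS = {"Finance": "write", "Contractors": "none"}
USER_PERMS = {"bob": "none"}                           # explicit per-user setting
USER_ROLES = {"ada": ["Finance", "Contractors"], "bob": ["Finance"], "eve": []}


def least_restrictive(perms):
    """Highest level among the given permissions (the multi-role rule)."""
    return max(perms, key=LEVEL.__getitem__)


def effective_permission(user, folder_perm=FOLDER_PERM, role_perms=ROLE_PERMS,
                         user_perms=USER_PERMS, user_roles=USER_ROLES):
    """Resolve the permission a user gets on the folder.

    Precedence, lowest first: folder, role, user. A user-level setting
    wins outright; otherwise the user's roles that have a setting on this
    folder are combined least-restrictively; otherwise the folder setting.
    """
    if user in user_perms:
        return user_perms[user]
    granted = [role_perms[r] for r in user_roles.get(user, []) if r in role_perms]
    if granted:
        return least_restrictive(granted)
    return folder_perm


if __name__ == "__main__":
    for who in ("ada", "bob", "eve"):
        print(who, "->", effective_permission(who))
```

Note the consequence worth checking when reviewing role design: adding a user to a second, more permissive role silently widens their access, while a "none" role does not narrow it unless it is the only role they hold or a user-level setting is used.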

User Login

Once the users have been set up, they can log in to the SME Cloud File Server directly using their normal Active Directory credentials. On login their credentials are sent encrypted to the SME Proxy, and the SME Proxy communicates with AD; if the user is authorised, this is passed back to the SME Cloud File Server, which issues a token for access. This token is then used for SME File Server access for the user's session and is passed with each request.

Active Directory FAQ

There are a few caveats to consider when working with users from Active Directory:

  1. If you create a new user in Active Directory that you wish to make available to the SME Cloud File Server then you just need to re-run the import users and roles and select the user(s) that you wish to add.
  2. If you create a new user in Active Directory and you wish to check the “Change password on next logon” box, ensure the user has changed the password before you map them to the Cloud File Server, as they will be unable to do it from here.
  3. You can mix and match users from Active Directory with users created directly in the Cloud File Server.
  4. The Proxy Solution can be made Highly Available by running two Proxies and providing two URLs
  5. Multiple Active Directory Domains can be supported

Sharing Windows files

An often asked question once users can be managed directly from Active Directory is how to expose internal Windows files through the cloud file server. This can be done in two ways depending on whether you are using the SaaS or dedicated hosted service or whether you are using the Appliance directly onsite:

SaaS / Dedicated hosted customer: You need to share such files using an Internet-friendly protocol so that they can be connected to. This can be done with WebDAV, perhaps using Internet Information Server, or simply using an FTP server.

Onsite Appliance: If you are using the Appliance onsite or on the same subnet as the Windows file shares, then you can use the SME local system provider. This uses Samba to connect to Windows file shares, syncing metadata as normal and making such files available.

ADFS

If you are a company that has Active Directory Federation Services enabled and are interested in integrating with your Active Directory system using SAML assertions, then please see SAML 2.0 Integration.