LDAP
Preface
This document explains how to connect PowerFolder Server to an LDAP directory or Active Directory. This makes it possible to authenticate users at the server via LDAP. Note: PowerFolder-specific user data such as permissions, computers, storage quota and so on will still be stored in the built-in PowerFolder database.
Supported LDAP systems:
- Microsoft Active Directory
- Novell eDirectory
- Open LDAP
- Posix Account RFC2307
- Posix Account PFC2307BIS
- Samba
- Other LDAP Servers
This feature is currently BETA. Please contact us if you encounter problems or would like to suggest improvements.
Setup and settings
The connection can be configured as admin user at the Server admin console under Preferences / LDAP.
Important note: Before enabling the LDAP connection, change the admin user's username under Preferences / General to an existing LDAP user (e.g. administrator); otherwise admin logins are no longer possible once the LDAP connection is enabled.
Auto-register LDAP users on first login
Allows all LDAP users to authenticate and log in at PowerFolder Server without being registered manually first. If disabled, user accounts have to be created manually under "Accounts" before the user can access PowerFolder.
Server URL
Contains the hostname, port and SSL setting of the LDAP server. The format is:
ldap://hostname:port or ldaps://hostname:port
Examples:
- ldaps://server:636
- ldap://10.0.1.123:389
Search query username
The user to authenticate with while querying the LDAP server. Examples:
- staff@powerfolder.com
- user@mydomain.local
- unixusername
- cn=searchusername,cn=Users,dc=powerfolder,dc=com
Search query password
The password to authenticate with while querying the LDAP server.
Search context
The root entry of the subtree that is searched for user entries during authentication.
Examples:
- dc=powerfolder,dc=com
- dc=example,dc=com
Search match criteria
The attribute of the user entry in the LDAP directory to search in. During authentication, PowerFolder searches this attribute for the given username/email value. It is recommended to use the attributes "mail", "uid" or "samAccountName" (Windows) for the search. Other attributes are also possible here.
Examples:
- mail=$username
- samAccountName=$username
- uid=$username
Enable access for users of a specific group only (in this example "CloudUsers"):
- (&(samAccountName=$username)(memberOf=CN=CloudUsers,CN=Users,DC=mycompany,DC=com))
- (&(sAMAccountName=$username)(memberOf=CN=CloudUsers,OU=Groups,OU=companyde,DC=company,DC=local))
Make sure the PowerFolder admin user is a member of this group.
Test
Authentication process
When a user tries to log in to the web interface of PowerFolder Server or from a PowerFolder Client, the following steps are performed to authenticate the user:
- PowerFolder Server connects anonymously to the LDAP directory.
- It searches for the user entry (DN) within the search context, applying the search match criteria to the given username.
- It uses the retrieved distinguished name (DN) of the user entry together with the given password to log in at the LDAP server.
- If this login succeeds, the user is authenticated at PowerFolder. If it fails or any other problem occurs, the login is rejected.
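The following is an added example, not PowerFolder code, that walks through the settings above (Server URL format, search query user, search context, search match criteria with $username and the CloudUsers group restriction) and the four-step search-then-bind process against a small in-memory directory, so it runs without a real LDAP server. The directory entries, the search user and all passwords are constructed sample values; the search step here binds with the configured search query credentials (or anonymously when none are set), which is an assumption about how the two settings combine. Two safeguards are the example's own, not stated on the page: the substituted username is escaped per RFC 4515 so that it is matched literally rather than interpreted as filter syntax, and an empty password is refused before the bind, because many directories treat a DN with an empty password as an anonymous bind that "succeeds".

```python
"""Search-then-bind authentication against a constructed in-memory directory.
Added example (not PowerFolder code); mirrors this page's settings and steps."""
import re

# --- Server URL: ldap://hostname:port or ldaps://hostname:port ---------------
def parse_server_url(url):
    """Return (scheme, host, port, uses_tls) or raise on a malformed URL."""
    m = re.fullmatch(r'(ldaps?)://([^:/\s]+):(\d+)', url)
    if not m:
        raise ValueError('expected ldap://hostname:port or ldaps://hostname:port')
    scheme, host, port = m.group(1), m.group(2), int(m.group(3))
    return scheme, host, port, scheme == 'ldaps'

# --- Search match criteria: substitute $username safely -----------------------
def escape_filter_value(value):
    """RFC 4515 escaping so the username is matched literally, never parsed."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def build_filter(template, username):
    return template.replace('$username', escape_filter_value(username))

def _unescape(value):
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), value)

def _parse(filt):
    """Tiny filter parser: supports (attr=value) and (&(...)(...)) only."""
    if not (filt.startswith('(') and filt.endswith(')')):
        raise ValueError('filter must be parenthesised: %r' % filt)
    body = filt[1:-1]
    if body.startswith('&'):
        subs, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == '(':
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ')':
                depth -= 1
                if depth == 0:
                    subs.append(_parse(body[start:i + 1]))
        return ('and', subs)
    attr, sep, value = body.partition('=')
    if not sep:
        raise ValueError('unsupported filter: %r' % filt)
    return ('eq', attr.lower(), _unescape(value))

def _matches(node, attrs):
    if node[0] == 'and':
        return all(_matches(sub, attrs) for sub in node[1])
    _, attr, value = node
    # caseIgnore matching, as for mail, uid and sAMAccountName
    return any(v.lower() == value.lower() for v in attrs.get(attr, []))

# --- Minimal in-memory "server": subtree search and simple bind --------------
def search(directory, base_dn, filt):
    tree = _parse(filt)
    return [dn for dn, attrs in directory.items()
            if dn.lower().endswith(base_dn.lower()) and _matches(tree, attrs)]

def bind(directory, dn, password):
    """Simple bind; entries carry a constructed plaintext userPassword here."""
    if dn == '' and password == '':          # anonymous bind
        return True
    entry = directory.get(dn)
    return (entry is not None and password != ''
            and password in entry.get('userpassword', []))

# --- The four-step authentication process ------------------------------------
def authenticate(config, directory, username, password):
    """Return the user's DN on success, None on any failure."""
    if password == '':
        # RFC 4513 lets servers treat DN + empty password as an anonymous
        # bind that "succeeds"; a client must refuse it before binding.
        return None
    # 1. connect with the search query credentials (anonymous if unset)
    if not bind(directory, config['search_user'], config['search_password']):
        return None
    # 2. look up the user's DN in the search context via the match criteria
    matches = search(directory, config['search_context'],
                     build_filter(config['search_match'], username))
    if len(matches) != 1:                     # no entry, or ambiguous: reject
        return None
    # 3./4. bind as the found DN with the user's own password
    return matches[0] if bind(directory, matches[0], password) else None

# Constructed sample directory and settings (not real accounts or passwords).
DIRECTORY = {
    'cn=searchusername,cn=Users,dc=powerfolder,dc=com': {
        'samaccountname': ['searchusername'], 'userpassword': ['search-pw']},
    'cn=Alice,cn=Users,dc=powerfolder,dc=com': {
        'samaccountname': ['alice'], 'mail': ['alice@powerfolder.com'],
        'memberof': ['CN=CloudUsers,CN=Users,DC=powerfolder,DC=com'],
        'userpassword': ['alice-pw']},
    'cn=Bob,cn=Users,dc=powerfolder,dc=com': {           # not in CloudUsers
        'samaccountname': ['bob'], 'mail': ['bob@powerfolder.com'],
        'userpassword': ['bob-pw']},
}
CONFIG = {
    'server_url': 'ldaps://server:636',
    'search_user': 'cn=searchusername,cn=Users,dc=powerfolder,dc=com',
    'search_password': 'search-pw',
    'search_context': 'dc=powerfolder,dc=com',
    'search_match': '(&(sAMAccountName=$username)'
                    '(memberOf=CN=CloudUsers,CN=Users,DC=powerfolder,DC=com))',
}

if __name__ == '__main__':
    print(parse_server_url(CONFIG['server_url']))
    for user, pw in [('alice', 'alice-pw'), ('alice', 'wrong'),
                     ('bob', 'bob-pw'), ('*', 'alice-pw')]:
        print(user, '->', authenticate(CONFIG, DIRECTORY, user, pw))
```

Running it shows alice accepted only with her own password, bob rejected because he is not in CloudUsers, and a literal "*" typed as a username matching no entry at all, which is the point of the escaping step: the group restriction and the match attribute are enforced exactly as configured, whatever the user types into the login form.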
