Integrating Xlight FTP Server with LDAP servers
Xlight FTP Server can be integrated with LDAP servers to authenticate users, so that users can use the same user name and password for the FTP server, the e-mail server and other resources.
In this example, we use a Novell eDirectory LDAP server to demonstrate the procedure for integrating Xlight FTP Server with an LDAP server. The procedure is very similar for other LDAP servers. Note: after the 30-day evaluation period, this function is only supported by the Professional edition of Xlight FTP Server.
To use an LDAP server for external user authentication, go to [Virtual Server Configuration]->[General]->[Virtual Server] and select the option "Enable external user authentication". Click the "Setup..." button and select LDAP as the "Authentication Type" of the virtual server configuration, as shown in the figure below:
You have to set the IP address or domain name of the LDAP server. Because a Novell eDirectory server forces TLS connections by its default settings, the option "Use TLS/SSL connection" is selected. You don't need to select this option if your LDAP server doesn't force TLS/SSL, but without it the bind credentials are sent to the LDAP server unencrypted.
Most LDAP servers support anonymous bind by their default settings, so the option "Anonymous Bind" is selected. If your LDAP server doesn't support anonymous bind, you have to fill in the "Bind DN" and "Bind Password".
You should set the "Base DN to begin searching users", or click the "Fetch DN" button to retrieve the base DN. Otherwise Xlight FTP Server will start searching for users from the root DN and may not be able to find any users.
Xlight FTP Server searches the LDAP server for a user with object class "inetOrgPerson" whose attribute "uid" matches the user's login name. If some users have trouble authenticating, check whether the attribute "uid" is set for them in the LDAP server.
If you only want to check the username and password against the LDAP server, choose the option "Only check username and password". If you don't choose this option, the LDAP attribute homeDirectory (from the POSIX attributes) will also be used.
Set up the default user profile
If you don't want to use the LDAP attribute homeDirectory as the user's FTP home directory, or if you have many LDAP users and don't want to set homeDirectory for each of them, you can use the default user profile to set up the home directory for users. This link has a detailed description of setting up the default user profile.
Use Microsoft ADAM as the LDAP server
Microsoft ADAM can be used as the LDAP server, but its default settings are different from other LDAP servers. For example, in Microsoft ADAM the attribute "uid" is by default associated with the object class "user", while most other LDAP servers use the object class "inetOrgPerson" for the attribute "uid". So if you use Microsoft ADAM as the LDAP server, you need to select the option "Use Microsoft ADAM as LDAP server". You also need to add the user associated with the Bind DN to the "Reader Role" in ADAM, because the default ACL of ADAM does not allow anyone to search the LDAP directory.
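As an added example (not Xlight's own code), here is the user lookup described above: the RFC 4515 escaped search filter for a login name, with the object class switched between "inetOrgPerson" and "user" for Microsoft ADAM, and the same match evaluated over a constructed in-memory directory. The sample entries and their DNs are assumptions.

```python
# Added example, not Xlight's code: the uid lookup as a search filter and as
# the equivalent match over a small in-memory directory.

# RFC 4515, section 3: characters that must be hex-escaped inside an assertion
# value so the server matches them literally instead of reading filter syntax.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name (it comes from the FTP client) for use in a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def uid_object_class(adam: bool = False) -> str:
    """'uid' is carried by 'user' on Microsoft ADAM and 'inetOrgPerson' elsewhere."""
    return "user" if adam else "inetOrgPerson"


def build_user_filter(login: str, adam: bool = False) -> str:
    """Filter for 'the entry of this object class whose uid equals the login name'."""
    if not login:
        raise ValueError("empty login name")
    return f"(&(objectClass={uid_object_class(adam)})(uid={escape_filter_value(login)}))"


def find_user(directory, login: str, adam: bool = False):
    """Evaluate the same filter over a list of entries (attribute -> list of values).

    Returns the single matching entry, or None when nothing matches (the
    'uid not set' case from the page) or when the match is ambiguous."""
    wanted = uid_object_class(adam)
    hits = [e for e in directory
            if wanted in e.get("objectClass", []) and login in e.get("uid", [])]
    return hits[0] if len(hits) == 1 else None


# Constructed sample directory (assumed DNs, not real data).
SAMPLE_DIRECTORY = [
    {"dn": "cn=jdoe,ou=users,o=example", "objectClass": ["inetOrgPerson"],
     "uid": ["jdoe"], "homeDirectory": [r"\\fileserver\home\jdoe"]},
    {"dn": "cn=asmith,ou=users,o=example", "objectClass": ["inetOrgPerson"]},  # no uid set
    {"dn": "cn=bob,ou=adam,o=example", "objectClass": ["user"], "uid": ["bob"]},
]
```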
Impersonate user to access UNC path of his home directory
When the user's homeDirectory is a UNC path, the default behavior is to access it using the account running Xlight FTP Server. For example, if Xlight FTP Server is running as a service, this will normally be the "Local System Account". But if the option "Impersonate user to access UNC path of his home directory" is selected, the UNC path is accessed with the account of the logged-in user. As a result, the logged-in user must have the proper NTFS permissions to access the UNC path.
Set up public paths for the ftp server
You can set up public paths for the virtual server. After authentication, all users can see and download from the public paths, as shown in the figure below:
Create and allow an anonymous user to access the ftp server
When users are authenticated against the LDAP server, you may want to allow an anonymous user, who can use any password, to access the ftp server. Because users in the LDAP server must have a password, the anonymous user cannot be created in the LDAP server.
However, you can create a user with the username "anonymous" in the local ftp server and select the option "Bypass the external authentication" in his settings ([User settings]->[Account]->[Option for external authentication]), as shown in the picture below. This local ftp user bypasses the external authentication and is authenticated against the local ftp server. His settings also come from the local ftp server.
How to install the extended schema xlightFTPdUser in eDirectory
There is another option, "Use extended schema "xlightFTPdUser"". It provides many Xlight FTP Server related options through the extended schema xlightFTPdUser.
When this option is selected, the attribute homeDirectory from the POSIX attributes is no longer used. Instead, ftpHomeDirectory from the extended schema xlightFTPdUser is used to set the home directory for the user.
Note: When a user logs in for the first time and his home directory doesn't exist, it is created by Xlight FTP Server automatically.
If you want to use this option, the extended schema xlightFTPdUser must be installed in the LDAP server. We use a Novell eDirectory LDAP server to demonstrate the procedure for installing the extended schema xlightFTPdUser.
To install the schema xlightFTPdUser, open the Novell ConsoleOne program and select import LDIF file in the NDS Import/Export Wizard, as shown in the figure below:
Select the file eDirectory-xlightFTPdUser.ldif. This is the LDIF file for Novell eDirectory; it can be found under the ldap directory where Xlight FTP Server is installed. After importing the schema xlightFTPdUser, you should be able to see it in the Schema Manager window; xlightFTPdUser is the last object class, as shown in the figure below:
To use the schema xlightFTPdUser, select a user object and select the menu "Extensions of this object", as shown in the figure below:
Click the button "Add Extensions...". In the dialog box, select xlightFTPdUser and click the OK button, as shown in the figure below:
In the dialog box shown in the figure below, fill in "FTP properties" as its name and click the OK button. You can use another name here as well.
The schema xlightFTPdUser will now be in the current auxiliary class extensions, as shown in the figure below:
Select the properties of this user. Under the Other Edit tab, click the "Add..." button to add Xlight FTP Server related options to this user. These attributes all start with the letters "ftp". You only need to add the attributes you want to use. However, if you add the attribute ftpHomeDirectory, you must also add the attribute ftpHomePerm to control the permissions of ftpHomeDirectory. You can give and edit values for these options, as shown in the figure below:
You should now be able to use the schema xlightFTPdUser and set Xlight FTP Server related ftp options for this user.
Set up virtual paths for an ftp user
From Xlight FTP Server version 3.5, you can set up multiple virtual paths for a user through the attribute ftpVirtualPaths of the xlightFTPdUser schema. The string for "ftpVirtualPaths" is the "|" separated combination of virtual path, real path and permission, as shown in the figure below. Its format is "virtual path | real path | permission". An example virtual path string is "/files/ | d:\Downloads\ | RLS----", where "/files/" is the virtual path, "d:\Downloads\" is the real path mapped to "/files/", and the third field is the permission flags of "/files/". Refer to the description of "ftpHomePerm" for the meaning of each permission flag. Note: the virtual path must be a UNIX style path and the real path must be a Windows style path.
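As an added example (not Xlight's own code), here is a parser and validator for the "virtual path | real path | permission" format just described, including the UNIX/Windows path style rule and a check across all values of the multi-valued attribute. The permission flag letters are not interpreted, since their meaning is defined by "ftpHomePerm", not here; the ".." check is an added restriction beyond what the page requires.

```python
# Added example, not Xlight's code: parse and validate ftpVirtualPaths values.
import re
from dataclasses import dataclass

# Windows style real path: drive letter ("d:\...") or UNC ("\\server\share\...").
_WIN_PATH = re.compile(r"^(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+)")
# Permission field: flag letters for granted permissions, "-" for the rest.
_PERM = re.compile(r"^[A-Za-z-]+$")


@dataclass(frozen=True)
class VirtualPath:
    virtual: str  # UNIX style path the FTP client sees, e.g. "/files/"
    real: str     # Windows style path it maps to, e.g. "d:\Downloads\"
    perm: str     # permission flags, same letters as ftpHomePerm


def parse_virtual_path(value: str) -> VirtualPath:
    """Parse one "virtual path | real path | permission" value."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) != 3:
        raise ValueError(f"expected 3 '|' separated fields, got {len(parts)}: {value!r}")
    virtual, real, perm = parts
    # UNIX style, absolute; rejecting ".." segments is stricter than the page
    # requires but keeps a mapping from pointing outside its own subtree.
    if not virtual.startswith("/") or "\\" in virtual or ".." in virtual.split("/"):
        raise ValueError(f"virtual path must be an absolute UNIX style path: {virtual!r}")
    if not _WIN_PATH.match(real):
        raise ValueError(f"real path must be a Windows style path: {real!r}")
    if not _PERM.match(perm):
        raise ValueError(f"permission field must be letters and dashes: {perm!r}")
    return VirtualPath(virtual, real, perm)


def parse_virtual_paths(values):
    """Parse every value of the multi-valued attribute; a virtual path mapped
    twice is rejected because it is ambiguous which real path would win."""
    mappings = {}
    for value in values:
        vp = parse_virtual_path(value)
        if vp.virtual in mappings:
            raise ValueError(f"virtual path mapped twice: {vp.virtual!r}")
        mappings[vp.virtual] = vp
    return mappings


def is_valid_virtual_path(value: str) -> bool:
    """True if the value parses; handy for auditing directory contents."""
    try:
        parse_virtual_path(value)
        return True
    except ValueError:
        return False
```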