LDAP user database
You can use an external LDAP database to hold all of the authentication information and properties for your users.
You must configure the LDAP user database before users can authenticate using this user database. You can set a filter to determine which users in an LDAP user database should be added as WS_FTP Server users.
For a description of the LDAP feature in WS_FTP Server, see About LDAP.
To configure an LDAP user database:
- From the top menu, select . The Host Details page opens.
- Next to , click . The User Database Configuration page opens.
- Set the appropriate options, then click .
Connection Settings
This section specifies the information used to connect to an LDAP database server.
- . Select this option to connect via SSL on the specified port so that all communications between WS_FTP Server and the LDAP server are encrypted. The standard SSL port for LDAP is 636 (TCP).
- . Select this option if the LDAP server requests a client certificate to prove the client's identity. Your LDAP server administrator can tell you if a client certificate is needed. In many cases, you can use the default option . If you have a trusted SSL client certificate that you want to use, you can select the certificate from the list, provided it has been imported into the certificate store. For information on SSL certificates, see Using SSL.
- . Enter the hostname or IP address of the LDAP server.
- . Enter the port on which the primary host's LDAP server is running. The default is port 389, or if SSL is selected, 636.
- . Optionally, enter the hostname or IP address of a second LDAP server that will be queried if the connection to the primary host fails. The secondary host should contain a mirrored version of the primary's LDAP database.
- . Enter the port on which the secondary host's LDAP server is running. The default is port 389, or, if SSL is selected, 636.
Some LDAP servers allow you to connect anonymously (an anonymous bind). To do an anonymous bind, leave the and blank.
- . Enter the Distinguished Name (DN) used to authenticate to the LDAP database on the primary host. This user is used to run the query (specified below in the Directory Attributes section ) that selects users from the LDAP database. The DN is the information required to authenticate to the LDAP server, and depends on your LDAP server's configuration. The administrator of your LDAP server will know what is required, but typically you need to enter: your user name, called Common Name (CN), your Organizational Unit (OU), and your domain, called domain component (DC); for example:
cn=mjones, ou=georgia office, dc=domain1, dc=YourCompany, dc=com
The domain in this example is: domain1.YourCompany.com
If you specify a secondary host, the DN and password should be the same on both the primary and secondary hosts.
- . Enter the password for the DN.
LDAP servers use the syntax "username@hostname", which means you need to change the host separator (default is @) used for WS_FTP Server hosts. The host separator is defined on the System Details page.
To troubleshoot an LDAP connection error, see Troubleshooting an LDAP connection and query.
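The connection settings above boil down to a few decisions: which port to use when none is given (389, or 636 when SSL is selected), whether to verify the LDAP server's certificate and present a client certificate, whether the bind is anonymous (DN and password both blank) or authenticated, falling back to the secondary host when the primary fails, and how the host separator interacts with "username@hostname" logins. The following Python is an added example, not WS_FTP Server code; the LdapConnectionSettings fields, the open_connection callback and the simulated connector in the main block are assumptions made for illustration.

```python
"""Resolve LDAP connection settings: default ports for LDAP/LDAPS, a verifying
TLS context, anonymous vs. simple bind, primary/secondary failover, and the
host-separator check. Added example, not WS_FTP Server code; the settings
fields and the open_connection callback are assumptions."""
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple

LDAP_PORT, LDAPS_PORT = 389, 636


@dataclass
class LdapConnectionSettings:
    primary_host: str
    primary_port: Optional[int] = None         # None = default port for the transport
    secondary_host: Optional[str] = None       # mirror of the primary, queried on failure
    secondary_port: Optional[int] = None
    use_ssl: bool = False                      # LDAPS on 636 unless a port is given
    bind_dn: str = ""                          # both blank = anonymous bind
    bind_password: str = ""
    client_cert: Optional[Tuple[str, str]] = None  # (cert_path, key_path) if the server asks


def default_port(port, use_ssl):
    """Explicit port wins; otherwise 636 for SSL, 389 for plain LDAP."""
    return port if port else (LDAPS_PORT if use_ssl else LDAP_PORT)


def bind_mode(settings):
    """'anonymous' when DN and password are both blank, 'simple' when both are
    set. A DN with an empty password is rejected: RFC 4513 calls that an
    unauthenticated bind, and servers that allow it report success without
    checking any credential."""
    if not settings.bind_dn and not settings.bind_password:
        return "anonymous"
    if settings.bind_dn and settings.bind_password:
        return "simple"
    raise ValueError("bind DN and password must both be set or both be blank")


def tls_context(settings):
    """LDAPS client context that verifies the server certificate and host name
    against the system trust store; a client certificate is loaded only when
    one was selected."""
    if not settings.use_ssl:
        return None
    ctx = ssl.create_default_context()
    if settings.client_cert:
        ctx.load_cert_chain(*settings.client_cert)
    return ctx


def targets(settings):
    """(host, port) pairs in the order they are tried."""
    hosts = [(settings.primary_host, default_port(settings.primary_port, settings.use_ssl))]
    if settings.secondary_host:
        hosts.append((settings.secondary_host, default_port(settings.secondary_port, settings.use_ssl)))
    return hosts


def connect_with_failover(settings, open_connection):
    """Try the primary, then the secondary. open_connection(host, port, ctx, mode,
    dn, password) must return a connection or raise OSError. The same DN and
    password are sent to both hosts, which is why they must match."""
    ctx, mode, errors = tls_context(settings), bind_mode(settings), []
    for host, port in targets(settings):
        try:
            conn = open_connection(host, port, ctx, mode, settings.bind_dn, settings.bind_password)
            return host, port, conn
        except OSError as exc:
            errors.append(f"{host}:{port}: {exc}")
    raise ConnectionError("all LDAP hosts failed: " + "; ".join(errors))


def split_login(login, host_separator="@"):
    """Split 'user<sep>host' into (user, host). The separator must occur exactly
    once: with the default '@', an LDAP login of the form username@hostname makes
    the split ambiguous, which is why the separator has to be changed."""
    parts = login.split(host_separator)
    if len(parts) != 2 or not all(parts):
        raise ValueError(f"login {login!r} is ambiguous with separator {host_separator!r}")
    return parts[0], parts[1]


if __name__ == "__main__":
    settings = LdapConnectionSettings(
        primary_host="ldap1.example.com", secondary_host="ldap2.example.com", use_ssl=True,
        bind_dn="cn=mjones,ou=georgia office,dc=domain1,dc=YourCompany,dc=com",
        bind_password="example-password")

    def simulated_open(host, port, ctx, mode, dn, password):
        # Stand-in for a real LDAP client (constructed): primary is down, secondary answers.
        if host == "ldap1.example.com":
            raise ConnectionRefusedError("connection refused")
        return {"host": host, "port": port, "mode": mode, "tls": ctx is not None}

    print(connect_with_failover(settings, simulated_open))
    print(split_login("mjones@domain1.YourCompany.com!ftp.example.com", "!"))
```

The bind_mode check is the part worth keeping even if the rest is replaced by a real LDAP client library: a DN with a blank password must be treated as a configuration error rather than sent to the server, because a server that accepts unauthenticated binds would otherwise let the user import (and, later, user logins) succeed with no credential at all.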
Server Settings
This section contains options for working with the LDAP server.
Directory Attributes
This section provides the information used to form the query of the LDAP database. The query returns the set of users to be added to the user database for the WS_FTP Server host.
- . Enter the DN of the object to be searched in the LDAP database. For example, to search for users in the domain, domain1.YourCompany.com, you would enter the DN as: dc=domain1,dc=yourCompany,dc=com
- . Enter an LDAP query that returns a specific list of users that you want to add to the user database for the WS_FTP Server host. You should use as specific a query as possible to return the best fit of users.
: For more information about distinguished names and creating an LDAP query, see "LDAP Naming Model" in How Active Directory Searches Work on the Microsoft Web site. To troubleshoot an LDAP query, see Troubleshooting an LDAP connection and query.
- . The LDAP object name for the user name. The default object returns the user name, which is required to create a WS_FTP Server user. If your LDAP database uses a non-standard schema, you will need to enter the object that defines the login user name.
- . The LDAP object name for the user's full name. The default object returns the user's full name. This object is not required to create a WS_FTP Server user. If your LDAP database uses a non-standard schema, you will need to enter the object that defines the user's full name.
- . The LDAP object name for the user's e-mail address. This object is not required to create a WS_FTP Server user. If your LDAP database uses a non-standard schema, you will need to enter the object that defines the user's email address.
- . The button runs a script that simulates a connection to the LDAP server and tests the query by using the information you have provided on this page. The test results are displayed in a log window; these results can be copied and pasted into an email or other report. You can use this log to determine if there is a connection error or if the specified query returns the appropriate list of users.
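The Directory Attributes section describes a three-step selection: only entries under the base DN are considered, the LDAP filter picks the users to import, and the configured attributes supply the user name (required), full name and e-mail (optional). The following Python is an added example, not WS_FTP Server code: it parses a subset of RFC 4515 filters and runs the selection over a constructed set of directory entries, reporting entries that matched but lack a user name and showing how a too-broad filter pulls in accounts that should not become FTP users. The attribute names (sAMAccountName, displayName, mail) follow the Active Directory schema and are an assumption, not the product's defaults.

```python
"""Select WS_FTP users from an LDAP directory: base DN scope, RFC 4515 filter
evaluation, and mapping of the user name / full name / e-mail attributes.
Added example, not WS_FTP Server code; the directory entries are constructed."""
import re


def parse_filter(text):
    """Parse an RFC 4515 subset: (&..)(|..)(!..), (attr=value), presence
    (attr=*) and '*' wildcards. Escaped ')' inside values is not handled."""
    text = text.strip()
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            child, i = _parse(s, i)
            children.append(child)
        if i >= len(s) or s[i] != ")" or not children or (op == "!" and len(children) != 1):
            raise ValueError("malformed compound filter")
        return (op, children), i + 1
    close = s.find(")", i)
    eq = s.find("=", i, close if close != -1 else len(s))
    if close == -1 or eq == -1:
        raise ValueError("malformed simple filter")
    return ("=", s[i:eq].strip().lower(), s[eq + 1:close]), close + 1


def matches(node, attrs):
    """Evaluate a parsed filter against one entry. Keys are lower-cased attribute
    names, values are lists of strings; comparison is case-insensitive, as for
    LDAP DirectoryString syntax."""
    op = node[0]
    if op == "&":
        return all(matches(c, attrs) for c in node[1])
    if op == "|":
        return any(matches(c, attrs) for c in node[1])
    if op == "!":
        return not matches(node[1][0], attrs)
    _, attr, pattern = node
    values = attrs.get(attr, [])
    if pattern == "*":
        return bool(values)                      # presence test
    regex = ".*".join(re.escape(p) for p in pattern.split("*"))
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)


def in_scope(dn, base_dn):
    """True when dn lies below base_dn (subtree search). Components are compared
    case-insensitively; escaped commas inside values are not handled."""
    d = [p.strip().lower() for p in dn.split(",")]
    b = [p.strip().lower() for p in base_dn.split(",")]
    return len(d) > len(b) and d[-len(b):] == b


def select_users(entries, base_dn, filter_text, attr_map):
    """Return (users, skipped): users that would be created for the WS_FTP host,
    and DNs that matched the filter but lack the required user-name attribute."""
    node = parse_filter(filter_text)
    users, skipped = [], []
    for dn, attrs in entries:
        if not in_scope(dn, base_dn) or not matches(node, attrs):
            continue
        login = attrs.get(attr_map["username"], [])
        if not login:
            skipped.append(dn)                   # user name is mandatory
            continue
        users.append({
            "dn": dn,
            "username": login[0],
            "full_name": (attrs.get(attr_map["full_name"]) or [""])[0],  # optional
            "email": (attrs.get(attr_map["email"]) or [""])[0],          # optional
        })
    return users, skipped


# Constructed sample directory (not real data); attribute names are an assumption.
BASE_DN = "dc=domain1,dc=yourCompany,dc=com"
FTP_GROUP = "cn=ftp-users,ou=groups,dc=domain1,dc=YourCompany,dc=com"
ATTRIBUTE_MAP = {"username": "samaccountname", "full_name": "displayname", "email": "mail"}
SAMPLE_ENTRIES = [
    ("cn=mjones,ou=georgia office,dc=domain1,dc=YourCompany,dc=com",
     {"objectclass": ["top", "user"], "samaccountname": ["mjones"],
      "displayname": ["Mary Jones"], "mail": ["mjones@example.com"], "memberof": [FTP_GROUP]}),
    ("cn=svc-backup,ou=service accounts,dc=domain1,dc=YourCompany,dc=com",
     {"objectclass": ["top", "user"], "samaccountname": ["svc-backup"], "mail": ["backup@example.net"]}),
    ("cn=rlee,ou=georgia office,dc=domain1,dc=YourCompany,dc=com",
     {"objectclass": ["top", "user"], "samaccountname": ["rlee"], "displayname": ["Ron Lee"], "memberof": [FTP_GROUP]}),
    ("cn=printer1,ou=devices,dc=domain1,dc=YourCompany,dc=com",
     {"objectclass": ["top", "computer"], "samaccountname": ["printer1$"]}),
    ("cn=guest,ou=georgia office,dc=domain1,dc=YourCompany,dc=com",
     {"objectclass": ["top", "user"], "memberof": [FTP_GROUP]}),
    ("cn=ajones,ou=sales,dc=domain2,dc=YourCompany,dc=com",
     {"objectclass": ["top", "user"], "samaccountname": ["ajones"], "memberof": [FTP_GROUP]}),
]
FTP_USERS_FILTER = f"(&(objectClass=user)(memberOf={FTP_GROUP}))"

if __name__ == "__main__":
    users, skipped = select_users(SAMPLE_ENTRIES, BASE_DN, FTP_USERS_FILTER, ATTRIBUTE_MAP)
    print("would add:", [u["username"] for u in users])      # ['mjones', 'rlee']
    print("skipped (no user name):", skipped)
    broad, _ = select_users(SAMPLE_ENTRIES, BASE_DN, "(objectClass=user)", ATTRIBUTE_MAP)
    print("too-broad filter would add:", [u["username"] for u in broad])
```

Running the script shows why the page asks for as specific a query as possible: the group-based filter yields only mjones and rlee, while the bare (objectClass=user) filter also imports the svc-backup service account, and the ajones entry is never considered because it sits under dc=domain2 rather than the configured base DN. The skipped list is the kind of detail to look for in the test log window when an expected user does not appear.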