Integrating Xlight FTP Server with LDAP servers
Xlight FTP Server can authenticate users against an LDAP server, so that users log in to the FTP server with the same username and password they already use for other LDAP-backed services such as e-mail.
In this example we use the Novell eDirectory LDAP server to demonstrate the procedure of integrating Xlight FTP Server with an LDAP server. The procedure is very similar for other LDAP servers. Note: after the 30-day evaluation period, this function is only supported by the Professional edition of Xlight FTP Server.
To use an LDAP server for external user authentication, go to [Virtual Server Configuration]->[General]->[Virtual Server] and select the option "Enable external user authentication". Click the "Setup..." button and select LDAP as the "Authentication Type" of the virtual server, as shown in the figure below:
Set the IP address or domain name of the LDAP server. Because Novell eDirectory requires TLS for LDAP connections by default, the option "Use TLS/SSL connection" is selected. You do not have to select this option if your LDAP server does not require TLS/SSL, but you should still do so whenever the server supports it: without TLS, a simple bind sends each user's password to the LDAP server in clear text, where anyone on the network path between the FTP server and the LDAP server can read it.
Most LDAP servers allow anonymous bind by default, so the option "Anonymous Bind" is selected. If your LDAP server does not allow anonymous bind, fill in the "Bind DN" and "Bind Password" of an account that is allowed to search the user tree. That account only needs to find user entries, so a dedicated read-only service account is preferable to an administrative one.
You should also set the "Base DN to begin searching users", or click the "Fetch DN" button to retrieve it. Otherwise Xlight FTP Server starts searching from the root DN and may not find any users.
Xlight FTP Server searches the LDAP server for an entry with object class "inetOrgPerson" whose "uid" attribute matches the user's login name. If some users have trouble authenticating, check that the "uid" attribute is set for them in the LDAP server.
If you only want the username and password checked against the LDAP server, choose the option "Only check username and password". If you do not choose it, the LDAP attribute "homeDirectory" (from the POSIX attributes) is also read and used as the user's FTP home directory.
Setup the default user profile
If you do not want to use the LDAP attribute "homeDirectory" as the user's FTP home directory, or if you have many LDAP users and do not want to set "homeDirectory" for each of them, you can use the default user profile to set the home directory for users. This link has a detailed description of how to set up the default user profile.
Users' ObjectClass is "user", "posixAccount" or "organizationalPerson"
Most LDAP servers attach the attribute "uid" to the object class "inetOrgPerson". In some LDAP servers, "uid" is instead associated with the object class "user", "posixAccount" or "organizationalPerson". For these LDAP servers you need to select this option; otherwise the search does not find the user and authentication fails.
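The lookup described in the two sections above (search for an entry of the configured object class whose uid equals the login name, then authenticate as that entry) is reproduced here as an added example; it is not Xlight FTP Server's own code. The documentation does not say how Xlight builds or escapes the search filter internally, so the escaping shown is the standard RFC 4515 rule, the directory is constructed sample data, and the small filter evaluator handles only the (&(a=v)(b=v)) shape used here. The unescaped variant is included to show why the login name must be escaped before it goes into the filter.

```python
"""LDAP user lookup as described above, with and without RFC 4515 escaping.

Added example, not Xlight FTP Server's own code. SAMPLE_DIRECTORY is
constructed test data; search() is a toy evaluator for (&(a=v)(b=v)) filters.
"""
import re

# Constructed sample directory: DN -> attributes. Not real data.
SAMPLE_DIRECTORY = {
    "cn=alice,ou=users,o=example": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["alice"],
        "homeDirectory": ["d:\\ftp\\alice"],
    },
    "cn=carol,ou=users,o=example": {
        "objectClass": ["inetOrgPerson"],
        "uid": ["carol"],
    },
    "cn=svc-backup,ou=services,o=example": {
        "objectClass": ["inetOrgPerson"],
        # No uid attribute: the case the documentation says fails to authenticate.
    },
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it is compared literally."""
    out = []
    for ch in value:
        if ch in "*()\\\x00":
            out.append("\\%02x" % ord(ch))
        elif ord(ch) > 0x7F:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def unescape_filter_value(raw: str) -> str:
    """Inverse of escape_filter_value (what the server does before comparing)."""
    buf = bytearray()
    i = 0
    while i < len(raw):
        m = re.match(r"\\([0-9a-fA-F]{2})", raw[i:])
        if m:
            buf.append(int(m.group(1), 16))
            i += 3
        else:
            buf.extend(raw[i].encode("utf-8"))
            i += 1
    return buf.decode("utf-8")


def build_user_filter(login: str, object_class: str = "inetOrgPerson") -> str:
    """Hardened form: the login name cannot change the filter's structure."""
    return f"(&(objectClass={object_class})(uid={escape_filter_value(login)}))"


def naive_user_filter(login: str, object_class: str = "inetOrgPerson") -> str:
    """Unsafe form, for comparison only: the login name is spliced in verbatim."""
    return f"(&(objectClass={object_class})(uid={login}))"


def search(directory: dict, filt: str) -> list[str]:
    """Evaluate a filter of the shape (&(attr=value)...) against the directory.

    A bare "*" value is the LDAP presence test (attribute exists); any other
    value is unescaped and compared literally. Returns the matching DNs.
    """
    m = re.fullmatch(r"\(&((?:\([^()]*\))+)\)", filt)
    if not m:
        raise ValueError(f"unsupported filter: {filt!r}")
    assertions = re.findall(r"\(([^=()]+)=([^()]*)\)", m.group(1))
    hits = []
    for dn, attrs in directory.items():
        ok = True
        for attr, raw in assertions:
            values = attrs.get(attr, [])
            ok = bool(values) if raw == "*" else unescape_filter_value(raw) in values
            if not ok:
                break
        if ok:
            hits.append(dn)
    return hits


def lookup_user_dn(directory: dict, login: str, object_class: str = "inetOrgPerson"):
    """Return the DN the FTP server would authenticate as, or None.

    Exactly one match is required: binding as "whichever entry came first"
    would let a duplicate uid hijack another account's login.
    """
    hits = search(directory, build_user_filter(login, object_class))
    return hits[0] if len(hits) == 1 else None
```

With the object-class option set to "posixAccount", lookup_user_dn(SAMPLE_DIRECTORY, "alice", "posixAccount") still finds alice, while "carol" (inetOrgPerson only) is not found, which is the failure the option above exists to avoid. A login name of "*" finds nobody through build_user_filter but matches every entry with a uid through naive_user_filter.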
Impersonate user to access the UNC path of his home directory
When the user's "homeDirectory" is a UNC path, the default behavior is to access it with the account under which Xlight FTP Server runs. For example, if Xlight FTP Server runs as a service, this is normally the "Local System Account". If the option "Impersonate user to access UNC path of his home directory" is selected, the UNC path is accessed with the account of the logged-in user instead. The logged-in user must then have the proper NTFS permissions on the UNC path, and the share itself must grant that user access.
Setup public paths for the FTP server
You can set up public paths for the virtual server. After authentication, all users can see and download from the public paths, as shown in the figure below:
Create and allow anonymous users to access the FTP server
When users are authenticated against the LDAP server, you may still want to allow an anonymous user, who can log in with any password, to access the FTP server. Because a user in the LDAP server must have a password, such an anonymous user cannot be created in the LDAP server.
However, you can create a user named "anonymous" in the local FTP server and select the option "Bypass the external authentication" in that user's settings ([User settings]->[Account]->[Option for external authentication]), as shown in the picture below. This local FTP user bypasses external authentication and is authenticated against the local FTP server, and its settings also come from the local FTP server. Because any local user with this option set is accepted without consulting the LDAP server, restrict the anonymous account's home directory and permissions accordingly.
How to install extended schema xlightFTPdUser in the eDirectory
There is another option, "Use extended schema "xlightFTPdUser"". It provides many Xlight FTP Server-related options through the extended schema xlightFTPdUser.
When this option is selected, the attribute "homeDirectory" from the POSIX attributes is no longer used. Instead, the attribute ftpHomeDirectory from the extended schema xlightFTPdUser sets the home directory for the user.
Note: when a user logs in for the first time and his home directory does not exist, Xlight FTP Server creates it automatically.
If you want to use this option, the extended schema xlightFTPdUser must be installed in the LDAP server. We use the Novell eDirectory LDAP server to demonstrate the procedure for installing the extended schema xlightFTPdUser.
To install the schema xlightFTPdUser, open the Novell ConsoleOne program and select "Import LDIF file" in the NDS Import/Export Wizard, as shown in the figure below:
Select the file "eDirectory-xlightFTPdUser.ldif". This is the LDIF file for Novell eDirectory; it can be found in the "ldap" directory under the folder where Xlight FTP Server is installed. After importing the schema, you should see xlightFTPdUser in the Schema Manager window as the last object class, as shown in the figure below:
To use the schema xlightFTPdUser for a user, select the user object and choose the menu "Extensions of this object", as shown in the figure below:
Click the button "Add Extensions...". In the dialog box, select xlightFTPdUser and click OK, as shown in the figure below:
In the dialog box shown in the figure below, fill in "FTP properties" as the name and click OK. You can use another name here as well.
The schema xlightFTPdUser now appears among the current auxiliary class extensions, as shown in the figure below:
Select the properties of this user. Under the Other Edit tab, click the "Add..." button to add Xlight FTP Server-related options to this user. These attributes all start with the letters "ftp". You only need to add the attributes you want to use. However, if you add the attribute ftpHomeDirectory, you must also add the attribute ftpHomePerm to control the permissions on ftpHomeDirectory. You can set and edit values for these options, as shown in the figure below:
You can now use the schema xlightFTPdUser and set Xlight FTP Server-related FTP options for this user.
Setup virtual paths for an FTP user
From Xlight FTP Server version 3.5, you can set up multiple virtual paths for a user through the attribute ftpVirtualPaths of the xlightFTPdUser schema. The value of "ftpVirtualPaths" is a "|"-separated combination of virtual path, real path and permission, as shown in the figure below; its format is "virtual path | real path | permission". An example is "/files/ | d:\Downloads\ | RLS----", where "/files/" is the virtual path, "d:\Downloads\" is the real path mapped to "/files/", and "RLS----" is the permission flag string for "/files/". Refer to the description of "ftpHomePerm" for the meaning of each permission flag. Note: the virtual path must be a UNIX-style path and the real path must be a Windows-style path.
The variable %username% can be used in the real path; it is replaced with the actual user name after the user logs in. If the real path does not exist when the user logs in, Xlight FTP Server creates it automatically.
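The ftpVirtualPaths format and the %username% substitution described above, as an added example that is not Xlight FTP Server's own code. The three-field layout, the UNIX-style/Windows-style rule and the placeholder come from the documentation; the seven-flag length is taken from the "RLS----" example, and the safe-username check is an assumption made here (the uid comes from the directory, so it is worth refusing names that could escape the intended folder before splicing them into a path), not a rule the product is documented to enforce.

```python
"""Parse and check ftpVirtualPaths values of the form "virtual | real | perm".

Added example, not Xlight FTP Server's own code. PERM_LEN and the
safe-username pattern are assumptions made here.
"""
import re
from dataclasses import dataclass

PERM_LEN = 7  # length of the documentation's example flag string "RLS----"
# Assumed safe-username pattern: nothing that can act as a path separator.
_SAFE_USERNAME = re.compile(r"[A-Za-z0-9._-]+")
# Windows drive path (d:\...) or UNC path (\\server\share...).
_WINDOWS_PATH = re.compile(r"(?:[A-Za-z]:\\|\\\\[^\\]+\\[^\\]+).*")


@dataclass(frozen=True)
class VirtualPath:
    virtual: str   # what the FTP client sees, e.g. /files/
    real: str      # Windows path it maps to; may contain %username%
    perm: str      # flag string with the same meaning as ftpHomePerm


def parse_virtual_path(value: str) -> VirtualPath:
    """Split one ftpVirtualPaths value into its fields and validate each one."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) != 3:
        raise ValueError(f"expected 'virtual | real | perm', got {value!r}")
    virtual, real, perm = parts
    if not virtual.startswith("/") or "\\" in virtual:
        raise ValueError(f"virtual path must be UNIX style: {virtual!r}")
    if not _WINDOWS_PATH.fullmatch(real):
        raise ValueError(f"real path must be a Windows drive or UNC path: {real!r}")
    if len(perm) != PERM_LEN:
        raise ValueError(f"permission string must have {PERM_LEN} flags: {perm!r}")
    return VirtualPath(virtual, real, perm)


def is_safe_username(username: str) -> bool:
    """True if the name can be spliced into a path without leaving the directory.

    The name is the LDAP uid, controlled by whoever can edit the directory,
    so separators and ".." are rejected rather than trusted.
    """
    return bool(_SAFE_USERNAME.fullmatch(username)) and ".." not in username


def resolve_real_path(vp: VirtualPath, username: str) -> str:
    """Substitute %username% into the real path, as happens at login."""
    if not is_safe_username(username):
        raise ValueError(f"username not safe for use in a path: {username!r}")
    return vp.real.replace("%username%", username)
```

For a per-user share such as "/home/ | \\fileserver\ftp\%username%\ | RLS----", resolve_real_path() yields \\fileserver\ftp\alice\ for the login "alice" and refuses a name like "..\..\admin".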