Using LDAP User Authentication in Cornerstone - South River ...
Version 10

Using LDAP Authentication

This document is intended for System Administrators tasked with configuring or maintaining Cornerstone MFT when used in conjunction with a back end LDAP server for Cornerstone User Authentication.

Cornerstone MFT Server® QuickStart Guide
© 2013 South River Technologies, Inc. All Rights Reserved
May, 2013
Overview

The following instructions will help you to set up Cornerstone MFT for user authentication with Lightweight Directory Access Protocol (LDAP). Some screens in this instruction contain options that do not pertain to LDAP Authentication. If you need additional information regarding these steps, please see the Cornerstone MFT User Guide. For the purpose of this quick start guide, we will guide you through these options without configuring additional settings. A listing of Frequently Asked Questions (FAQ) is also available at our Knowledgebase Support Center.

Using LDAP Authentication. Revised: May, 2013. © 2013 South River Technologies, Inc.
System Requirements

Supported Operating Systems
- Windows Server 2012, all editions, 32-bit and 64-bit
- Windows Server 2008 R2, all editions, 32-bit and 64-bit
- Windows Server 2008, all editions, 32-bit and 64-bit
- Windows Server 2003, all editions, 32-bit and 64-bit

Minimum Hardware Requirements
- 2 GHz Pentium® class processor
- 4GB of RAM is required; 8GB of RAM is recommended
- Minimum 100MB of free disk space for the application
- Minimum SVGA (800x600) resolution display is required to run the Administration console program

Minimum Software Requirements
- Microsoft .NET Framework v2.0 is required
- Microsoft SQL Server 2005 or later is required
- Microsoft SQL Server Management Studio Express is recommended

Limitations

Cornerstone MFT, DMZedge, and Titan FTP Server are all multi-threaded, dynamic server solutions for the Microsoft Windows operating system. While designed to handle an unlimited number of user connections and servers, like all software, they are limited by the resources of the computer; most notably, those limitations imposed by the Windows Sockets (WINSOCK) Library.
Configuring the Cornerstone MFT Administrator

The following steps can be used to configure a new server to leverage LDAP as the user authentication engine.

1. Run the Cornerstone Administration Utility and start the New Server Wizard.

2. Walk through the Server Wizard, selecting the desired options, until you reach the page asking for the User Authentication choice. Use the down arrow to select Standard LDAP User Authentication and then click the Authentication Server Setup button. This will launch the LDAP User Authentication sub-wizard.

3. Type your LDAP Domain Name. Use the drop-down arrow to choose your LDAP Server Name. Type your port number (the default port is 389). Select Use SSL for Connection* if you would like to use a secure connection. Select additional options using the check boxes. We recommend that you select both Get home directory from users profile and Hide disabled user accounts. To use the access rights of individual users to authenticate against UNC shares or the NT File System, select Impersonate user after logon. When you are finished, click Next.
*NOTE: LDAP over SSL requires that the Cornerstone Server and the LDAP server are members of the same domain. The default port for LDAP over SSL is 636. With the Simple bind method (step 4), the administrative credentials and every user password that Cornerstone verifies are sent to the LDAP server unencrypted unless Use SSL for Connection is selected, so select it on any network segment you do not fully trust.

4. Type the Administrative Username and password. This account must have full administrative access to the LDAP server; for most LDAP servers, you will want to use the Domain Administrator account. The username must be entered in the form username@domain. Because Cornerstone stores these credentials in order to bind to the directory, treat them as a high-value secret: use a dedicated account with a strong password rather than a shared interactive login, and restrict administrative access to the Cornerstone host accordingly. Choose your Authentication Bind Method using the drop-down arrow. For most LDAP servers you can choose Simple. When you are finished, click Next.

5. Set the Group Cache Life and User Cache Life* using the up/down arrows. Click Next.

*Cornerstone MFT will cache user and group information to increase performance and decrease the load on your back-end authentication server. The number of seconds that Cornerstone caches this information is controlled by the User Cache Life and Group Cache Life values. The Group Cache Life value is used by Cornerstone MFT to determine how long to wait before refreshing the group information and also the list of members of that group. Once the cache life has expired, Cornerstone will flag the cached group information as "stale" and the next time Cornerstone needs that group information it will reload the group properties (and the list of members of the group) from the remote database. This means that if you modify the membership of the group by adding new users, or deleting users from the group, those changes will not appear in Cornerstone until the Group Cache Life value has expired and Cornerstone can reload that information. Note that this applies to removals as well as additions: a user removed from a group keeps that group's access in Cornerstone until the cached entry expires. Therefore, if you have a dynamic system where the users/groups change frequently, set the Group Cache Life value to a short value, such as 300 seconds (5 minutes). The same applies to the User Cache Life setting. If you make a change to a user account in the back-end authentication server, these changes will not appear in Cornerstone until the User Cache Life value has expired on that user account. The exception to the rule is the user's password. Cornerstone MFT never caches user passwords, so any changes to the user's password in the Active Directory user database will take effect immediately.

Warning: Avoid setting the Cache Life values too small. If you set the values too small, the performance could degrade because Cornerstone will be spending too much time flushing and reloading the user/group information from the authentication server. If you add and delete users frequently, 300 seconds for the Group Cache Life is a reasonable starting point.

6. Type your Groups Base DN, Group Category Filter, Group Class Filter, Users Base DN, User Category Filter and User Class Filter.* To use paged search, be sure that the check box is checked. Click the Advanced** button for additional configuration options. When you are finished, click Next.

*Cornerstone MFT needs to be configured with the proper search strings in order to locate user and group information in LDAP. For most LDAP installations, the default values can be used and will return the proper user and group information from LDAP. However, there are some instances where these values may need to be adjusted to allow Cornerstone MFT to find the user information in LDAP.

Group/User Base DN—These values specify the LDAP search string(s) necessary to search the various trees/paths in LDAP. By default, Cornerstone MFT will search under the Users and BuiltIn paths of LDAP. Since these paths are sub-paths under the Domain that you specified in step 3, the full Distinguished Name (DN) for the search path needs to include the parent domain, with one DC= component per label of the domain name. If the domain name that you specified was "SRT", the DN for the Users path would be "CN=Users,DC=SRT"; if it was "XYZ.COM", the DN would be "CN=Users,DC=XYZ,DC=COM". Since Cornerstone MFT will search multiple paths, each path is separated with a semicolon. The complete entry to search both Users and BuiltIn in the "SRT" domain is "CN=Users,DC=SRT;CN=BuiltIn,DC=SRT".
Group/User Category—These values are used to filter out certain categories of users and groups. In general you will want to include all users and groups, so this value should remain as an asterisk.

Group/User Class Filter—These values are used to filter out certain classes of users and groups. Multiple classes should be separated by semicolons.

**If you wish to configure Advanced User and Group Attributes, type your information and then click OK. You will then click Next to test your settings.

7. Click Test* to test the configuration and ensure that you are able to communicate with the User Authentication Server.

*If this process fails, the most common reason is that either the LDAP Domain Name is not specified correctly, or the LDAP Server Name is not accessible. Click the Back button to return to previous pages and adjust the values. If Cornerstone MFT can successfully communicate with the LDAP Authentication database the message that displays is Success. Click OK. (If an error is displayed, Cornerstone was not able to connect to the server.)

8. After Cornerstone MFT successfully connects to the database, Cornerstone will attempt to generate a list of groups. Click Yes to test the generation of a list of groups.
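The following is an added worked example for this guide, not code from Cornerstone MFT or South River Technologies. It derives the Base DN string of step 6 from the domain name entered in step 3 (one DC= component per label, paths joined with semicolons), parses that string back into individual DNs, and composes the Active Directory search filter that corresponds to the Category and Class fields together with the Hide disabled user accounts option from step 3. The filter layout (objectCategory, an OR-ed objectClass list, and the bitwise userAccountControl test for disabled accounts) is standard AD LDAP syntax; that Cornerstone builds its own query in exactly this form is an assumption. It is useful for preparing the exact strings before clicking Test in step 7.

```python
"""Build the search strings the LDAP User Authentication sub-wizard asks for.

Added example; not Cornerstone MFT code. The DN and filter escaping follows
RFC 4514 and RFC 4515; the AD filter shape is an assumption about the product.
"""
from typing import List, Sequence

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
_RDN_SPECIAL = ',+"\\<>;='


def escape_rdn_value(value: str) -> str:
    """Escape one attribute value for use inside a DN (RFC 4514)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        needs_escape = (
            ch in _RDN_SPECIAL
            or (ch == '#' and i == 0)
            or (ch == ' ' and i in (0, last))
        )
        out.append('\\' + ch if needs_escape else ch)
    return ''.join(out)


def domain_to_dn(domain: str) -> str:
    """'XYZ.COM' -> 'DC=XYZ,DC=COM'; a single label 'SRT' -> 'DC=SRT'."""
    labels = [lbl for lbl in domain.strip().strip('.').split('.') if lbl]
    if not labels:
        raise ValueError('empty domain name')
    return ','.join('DC=' + escape_rdn_value(lbl) for lbl in labels)


def search_base(domain: str,
                containers: Sequence[str] = ('CN=Users', 'CN=BuiltIn')) -> str:
    """Semicolon-separated Base DN field (step 6), one DN per container.

    Each container is the leading part of a DN, e.g. 'CN=Users' or
    'OU=Staff,OU=Accounts'; the domain DN is appended to each.
    """
    suffix = domain_to_dn(domain)
    return ';'.join(f'{c},{suffix}' for c in containers)


def split_search_base(field: str) -> List[str]:
    """Parse the Base DN field back into DNs; an escaped ';' is not a separator."""
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in field:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == '\\':
            current.append(ch)
            escaped = True
        elif ch == ';':
            parts.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append(''.join(current).strip())
    return [p for p in parts if p]


# RFC 4515 escapes for literal values placed inside a search filter.
_FILTER_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\0': r'\00'}


def escape_filter_value(value: str) -> str:
    """Escape a literal value for use inside an LDAP search filter (RFC 4515)."""
    return ''.join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def search_filter(category: str = '*', classes: str = 'user',
                  hide_disabled: bool = False) -> str:
    """Compose an AD-style filter from the wizard's Category and Class fields.

    '*' in the Category field means no category restriction. Several classes
    are separated by semicolons (step 6) and are OR-ed. hide_disabled mirrors
    'Hide disabled user accounts' (step 3) using the standard AD bitwise-AND
    match on the ACCOUNTDISABLE bit (0x2) of userAccountControl. Field values
    are treated literally, so a stray '(' or '*' cannot reshape the query.
    """
    terms: List[str] = []
    if category and category != '*':
        terms.append(f'(objectCategory={escape_filter_value(category)})')
    names = [c.strip() for c in classes.split(';') if c.strip()]
    if len(names) == 1:
        terms.append(f'(objectClass={escape_filter_value(names[0])})')
    elif names:
        terms.append('(|' + ''.join(
            f'(objectClass={escape_filter_value(n)})' for n in names) + ')')
    if hide_disabled:
        terms.append('(!(userAccountControl:1.2.840.113556.1.4.803:=2))')
    if not terms:
        return '(objectClass=*)'
    return terms[0] if len(terms) == 1 else '(&' + ''.join(terms) + ')'


if __name__ == '__main__':
    print(search_base('XYZ.COM'))                       # Users;BuiltIn under XYZ.COM
    print(search_filter('*', 'user;person', hide_disabled=True))
```

The escaping functions matter when an OU name contains a comma or a parenthesis: a Base DN such as "OU=Sales, EMEA" must be written "OU=Sales\, EMEA" or the directory will reject the search, and a literal value in a filter must not be allowed to inject extra clauses.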
9. Click Yes to test the generation of a list of Users. Click Finish.

10. You are now returned to the Cornerstone MFT New Server Wizard. Click Next.

11. Step through the remaining pages in the Server Wizard, selecting the options you desire. On the final page of the Wizard you will see a list of options selected for your server. Click Finish to create the server.
12. Once the server is created, the server starts and appears in the main Cornerstone MFT Administrator window. A green icon appears to indicate that the server is running.
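The following is an added model of the cache-life behaviour described under step 5, written for this guide; it is not Cornerstone MFT code, and since the product's internal cache is not published its structure here is an assumption. It reproduces only the documented semantics: group records are served from cache until the Group Cache Life (in seconds) has elapsed, are then treated as stale and reloaded on next use, and passwords are never cached. A hypothetical in-memory directory stands in for the LDAP server, with constructed accounts, and the clock is injectable so that expiry can be exercised without waiting. The scenario shows why the guide recommends a short Group Cache Life on a dynamic system: a user removed from a group keeps that group's access until the cached entry expires, while a password change takes effect at once.

```python
"""Model of User/Group Cache Life semantics from step 5 (added example).

Not Cornerstone code: FakeDirectory and CachedAuth are hypothetical stand-ins
built only to illustrate the documented behaviour.
"""
import time
from typing import Callable, Dict, List, Tuple


class FakeDirectory:
    """Stand-in for the back-end LDAP server holding constructed test data."""

    def __init__(self) -> None:
        self.groups: Dict[str, List[str]] = {'Uploaders': ['alice']}
        self.passwords: Dict[str, str] = {'alice': 'Spring2013!'}
        self.lookups = 0  # round trips to the back end

    def load_group(self, name: str) -> List[str]:
        """Group properties and member list, fetched from the directory."""
        self.lookups += 1
        return list(self.groups.get(name, []))

    def bind(self, user: str, password: str) -> bool:
        """Password check: always a live round trip, never cached."""
        self.lookups += 1
        return self.passwords.get(user) == password


class CachedAuth:
    """Group cache with a cache life in seconds; stale entries are reloaded."""

    def __init__(self, directory: FakeDirectory, group_cache_life: int,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.directory = directory
        self.cache_life = group_cache_life
        self.clock = clock
        self._groups: Dict[str, Tuple[float, List[str]]] = {}

    def members(self, group: str) -> List[str]:
        entry = self._groups.get(group)
        if entry is None or self.clock() - entry[0] >= self.cache_life:
            # Missing or stale: reload properties and member list from LDAP.
            members = self.directory.load_group(group)
            self._groups[group] = (self.clock(), members)
            return list(members)
        return list(entry[1])

    def authenticate(self, user: str, password: str, group: str) -> bool:
        """Logon succeeds if the bind succeeds and the user is in the group."""
        if not self.directory.bind(user, password):
            return False
        return user in self.members(group)


def revocation_delay(group_cache_life: int = 300) -> Dict[str, object]:
    """Remove a user from a group and rotate the password, then observe when
    each change becomes visible to Cornerstone-style logons."""
    now = [1000.0]
    directory = FakeDirectory()
    auth = CachedAuth(directory, group_cache_life, clock=lambda: now[0])

    before = auth.authenticate('alice', 'Spring2013!', 'Uploaders')
    directory.groups['Uploaders'].remove('alice')   # administrator revokes membership
    directory.passwords['alice'] = 'NewPass!'       # and rotates the password
    now[0] += 10                                    # ten seconds later

    old_password = auth.authenticate('alice', 'Spring2013!', 'Uploaders')
    within_cache_life = auth.authenticate('alice', 'NewPass!', 'Uploaders')
    now[0] += group_cache_life                      # cache entry is now stale
    after_expiry = auth.authenticate('alice', 'NewPass!', 'Uploaders')

    return {'before': before, 'old_password': old_password,
            'within_cache_life': within_cache_life, 'after_expiry': after_expiry,
            'backend_lookups': directory.lookups}


if __name__ == '__main__':
    print(revocation_delay(300))
    print(revocation_delay(0))   # no caching: every logon reloads the group
```

With a 300-second cache life the old password is rejected immediately but the revoked user still passes the group check for the rest of the cache life; with a cache life of 0 the revocation is immediate at the cost of a group reload on every logon, which is the performance penalty the Warning under step 5 describes.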
About South River Technologies

South River Technologies is an innovator in secure file management software. The Company's software allows users to access, manage, and share files over the Internet in order to automate and streamline business processes and enhance productivity. SRT's products enhance customers' existing applications by instantly enabling secure access and Internet file sharing within those applications. More than 80,000 customers in 125 countries use SRT's software to make remote file access and collaboration more efficient for their customers, partners, and distributed workforce. For more information, please visit www.southrivertech.com.

South River Technologies, Cornerstone MFT, Titan FTP Server, WebDrive, and DMZedge Server are registered trademarks of South River Technologies, Inc. in the U.S. and other countries. Any information in this document about compatible products or services should not be construed in any way to suggest SRT endorsement of that product or service.

© 2013, South River Technologies, Inc. All Rights Reserved.

Contact Information

South River Technologies, Inc.
127 Lubrano Drive
Suite 202
Annapolis, Maryland 21401
USA
Telephone: 410-266-0667
Fax: 410-266-1191
Corporate Web site: www.southrivertech.com
Online Support: http://www.srthelpdesk.com