Connecting to an LDAP Server
You can create an LDAP-authenticated Site and connect to an LDAP server. To enable LDAP SSL, you need to have a certificate that includes server authentication on the LDAP server you are connecting to. If you install Certificate Services on the domain on which you install EFT, you can request the certificate on the LDAP server. For more information, refer to the Microsoft Support article "How to enable LDAP over SSL with a third-party certification authority."
When you create a Site that uses LDAP authentication, you will need to provide the following information:
-
IP address/Domain Name of the LDAP server
-
Port of the LDAP server. The default is port 389; port 636 for SSL connections.
-
Base DN base distinguished name that specifies the necessary domain components of the LDAP server. Some LDAP systems, such as Sun ONE Server and Microsoft’s Active Directory server, require the organizational unit ("ou") that houses the users on that LDAP server to be included in the BaseDN to allow users to authenticate successfully. The organizational unit is the parent object that contains the user objects. EFT allows you to browse a list of LDAP base DNs from the LDAP server on the domain specified or the default domain. Click List DNs to select from the list or type it in the Base DN box.
-
With Organizational Unit:
-
Without Organizational Unit:
-
User Filter that EFT uses to query the LDAP server for a list of users. The default setting is:
-
Attribute that denotes user names in the LDAP database. This allows you to specify the attribute from the queried list of users that denotes user names. Commonly used attributes are cn or uid.
-
User Information defines how the client is authenticated. When you configure an LDAP Site, you are asked to choose one of the following binding methods:
-
Simple requires a username and password. Note that the username must follow the syntax for the LDAP server that includes the Common Name and the Domain Components of your LDAP server’s distinguished name. For example, the username might be the following:
-
Advanced Options - You can specify SSL encryption and the frequency with which the user list is refreshed.
For example, if the classObject that holds user accounts is person, the hierarchical parent node/container could be the organizational unit people. If the organizational unit is required by your LDAP server, prepend it to the distinguished name. For example:
ou=people,dc=forest,dc=tree,dc=branch
dc=forest,dc=tree,dc=branch
objectClass=person
This finds the LDAP entries that are part of the objectClass person; that is, it retrieves the users on the LDAP server that belong to the person ObjectClass.
cn=Manager,dc=forest,dc=tree,dc=branch
When you use LDAP as the authentication method, EFT pulls the user account list and the authentication from the LDAP Server. Group lists, Group membership, VFS Groups, and VFS User permissions are handled by EFT. These permissions must be configured and maintained in the administration interface or through the COM API.