
Integrating Xlight FTP Server with Active Directory

Xlight FTP Server can be integrated with Active Directory to authenticate users, so that users log in to the FTP server with the same user name and password they use for other domain resources such as the e-mail server. Note: after the 30-day evaluation period, this function is only supported by the Professional edition of Xlight FTP Server.

To use Active Directory for external user authentication, go to [Virtual Server Configuration]->[General]->[Virtual Server] and select the option "Enable external user authentication". Click the "Setup..." button and choose Active Directory as the "Authentication Type" of the virtual server configuration, as shown in the figure below:


When you open the Active Directory setup dialog, if your server has already joined the Active Directory domain, Xlight FTP Server will automatically detect your Logon Domain and Base DN. If this information is not shown, you have to set the Logon Domain and Base DN manually.


If you only want to check the username and password against Active Directory, select the option "Only check username and password". When this option is selected, the AD attribute homeDirectory will not be used either.

Set up the user's home directory in Active Directory

You can use Microsoft's Active Directory Users and Computers console to set a user's home directory, as shown in the figure below. The AD attribute homeDirectory will be used as the FTP user's home directory.

Note: when a user logs in for the first time and his home directory does not exist, Xlight FTP Server will create it automatically.


Use NTFS permission for user's home directory

When the option "Use NTFS permission for user's home directory" is selected, Xlight FTP Server impersonates the AD account of the logged-on FTP user, so access to his home directory is restricted by his NTFS permissions. If this option is not selected, the SYSTEM account or the currently logged-in user account running Xlight FTP Server is used to access the home directories of all users, so every home directory is accessed with that single account's permissions.

When the option "Use NTFS permission for user's home directory" is selected but a user cannot access his home directory, there are two things about NTFS permissions that you need to check:

1. If user authentication against Active Directory succeeded but the FTP log contains an entry such as "450 Can't change directory to /.", this is very likely an NTFS permission problem. Check whether the account has permission to access this directory. If the home directory is a UNC path located on another remote machine, you should be able to log in at the desktop console of that machine with the same user account by pressing "Ctrl+Alt+Del". After logging in with this account at the desktop console, check whether it has enough permissions to access the configured home directory.

2. You should not set a normal user's home directory on the domain controller. Microsoft's domain security policy does not allow normal users to access resources on the domain controller. Although such a user can be successfully authenticated with AD, he will not be able to access his home directory on the domain controller. Only an account with administrator privileges can access a home directory located on the domain controller.

Compatibility with the IIS FTP Active Directory user isolation mode

Xlight FTP Server provides a way to be compatible with the Active Directory user isolation mode introduced by IIS FTP Server 6.0. Select the option "Compatible with IIS FTP active directory user isolation mode". When this option is selected, Xlight FTP Server reads the IIS FTP AD attributes msIIS-FTPRoot and msIIS-FTPDir and uses them as the user's home directory. If these IIS FTP attributes are not set or do not exist in Active Directory, the AD attribute homeDirectory is automatically used as this user's home directory.

Set up public paths for the FTP server

You can set up public paths for the virtual server. After authentication, all users can see and download from the public paths, as shown in the figure below:


Because a user's home directory from AD implicitly uses "/" as his user virtual path, you should not use "/" for the public virtual path. Otherwise, since "/" is duplicated, when an AD user logs in he can only see the content of the public virtual path, not his home directory. In the figure above, "/public" is used as the public virtual path.

Use NTFS permission for FTP Server's public path

When the option "Use NTFS permission for public path" is selected, Xlight FTP Server impersonates the logged-on AD account, and the NTFS permissions of each AD user are then checked against the public path. NTFS based permissions give more flexibility in controlling the public path's permissions and override the public path's local FTP permission. However, the impersonation of the AD account may fail in some rare situations. If the impersonation fails, the local FTP permission of the public path is used instead. So if you use NTFS permissions for public path access, you still need to set a proper (least-privilege) local FTP permission on it for the case that impersonation of the AD account fails.

Use NTFS permission for user's group path

When the option "Use NTFS permission for group path" is selected, Xlight FTP Server impersonates the logged-on AD account, and the NTFS permissions of each AD user are then checked against the group path. When a user logs on to Active Directory and the account has a primary group in AD, that group becomes the user's FTP group. The group path is set in the local Xlight FTP Server after creating an FTP group.

Create an anonymous user and allow it to access the FTP server

When users are authenticated against Active Directory, you may still want to allow an anonymous user, who can log in with any password, to access the FTP server. Because users in Active Directory must have a password, an anonymous user cannot be created in Active Directory.

However, you can create a user with the username "anonymous" on the local FTP server and select the option "Bypass the external authentication" in his settings ([User settings]->[Account]->[Option for external authentication]), as shown in the picture below. This local FTP user bypasses the external authentication and is authenticated against the local FTP server; his settings also come from the local FTP server.



How to install the extended schema xlightFTPdUser in Active Directory

There is another option, "Use extended schema "xlightFTPdUser"". It provides many Xlight FTP Server related options through the extended schema xlightFTPdUser. The options provided by the extended schema xlightFTPdUser are documented on a separate page.

Please note: the following steps are optional. If you do not want to use the options of the xlightFTPdUser schema, you can skip the steps below.

When this option is selected, the attribute homeDirectory of the user object from AD will not be used as the FTP home directory. Instead, ftpHomeDirectory from the extended schema xlightFTPdUser will be used as this user's FTP home directory.

Before using this option, the extended schema xlightFTPdUser must be installed in Active Directory. The procedure is shown below.

To install the schema xlightFTPdUser, first open the file AD-xlightFTPdUser.ldif and replace every DC=X with your domain, as shown in the figure below. AD-xlightFTPdUser.ldif can be found in the ldap directory under the location where Xlight FTP Server is installed.


Save the file AD-xlightFTPdUser.ldif. You can use the tool ldifde.exe to import the schema xlightFTPdUser into Active Directory, as shown in the figure below. You have to log on as a domain administrator to perform the operations below.


If the above operation succeeded, you can use MMC to check whether the schema xlightFTPdUser was imported successfully, as shown in the figure below:


In the MMC Snap-in, select Active Directory Schema, click the "Add" button and then the "Close" button, as shown in the figure below:


If you can see the auxiliary object class xlightFTPdUser in the window below, the schema xlightFTPdUser has been imported successfully.
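The same three steps (replace DC=X, import with ldifde.exe, confirm the auxiliary class is present) can be done from a PowerShell prompt instead of by hand. This is an added example, not a script shipped with Xlight FTP Server; it assumes the RSAT ActiveDirectory module is installed, that it runs under an account that is a member of Schema Admins (required for schema changes), and that $XlightDir is the install directory (assumed path below).

```powershell
# Added example, not from the Xlight documentation: rewrite the DC=X placeholder in
# AD-xlightFTPdUser.ldif for this forest, import it with ldifde.exe, then confirm the
# auxiliary class xlightFTPdUser exists in the schema (the check the MMC snap-in shows).
# Assumptions: RSAT ActiveDirectory module present, run by a member of Schema Admins,
# $XlightDir is the (assumed) Xlight install directory.
param(
    [string]$XlightDir = 'C:\Program Files\Xlight FTP Server',   # assumed install path
    [string]$DomainDns = (Get-ADDomain).DNSRoot                  # e.g. corp.example.com
)

# corp.example.com -> DC=corp,DC=example,DC=com
$domainDn = ($DomainDns.Split('.') | ForEach-Object { "DC=$_" }) -join ','

$src = Join-Path $XlightDir 'ldap\AD-xlightFTPdUser.ldif'
$dst = Join-Path $env:TEMP 'AD-xlightFTPdUser.domain.ldif'

# Replace every DC=X; write to a new file so the shipped LDIF stays untouched.
(Get-Content -Path $src -Raw) -replace 'DC=X', $domainDn | Set-Content -Path $dst

# Refuse to touch the schema while any placeholder survives.
if (Select-String -Path $dst -Pattern 'DC=X' -SimpleMatch -Quiet) {
    throw "Placeholder DC=X still present in $dst; aborting schema import."
}

# Schema changes are only accepted by the schema master, so target it explicitly.
$schemaMaster = (Get-ADForest).SchemaMaster

# ldifde: -i import, -f input file, -s server, -k continue past 'object already
# exists' on a re-run, -j directory for ldif.log / ldif.err.
& ldifde.exe -i -f $dst -s $schemaMaster -k -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.err"
}

# Verify: look the class up in the schema naming context and check its category.
$schemaNc = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
$class = Get-ADObject -Server $schemaMaster -SearchBase $schemaNc `
    -Filter { objectClass -eq 'classSchema' -and lDAPDisplayName -eq 'xlightFTPdUser' } `
    -Properties lDAPDisplayName, objectClassCategory

if (-not $class) { throw 'xlightFTPdUser not found in the schema after import.' }
if ($class.objectClassCategory -ne 3) {   # 3 = auxiliary class
    throw "xlightFTPdUser exists but is not an auxiliary class (category $($class.objectClassCategory))."
}
"Auxiliary class {0} imported on {1}" -f $class.lDAPDisplayName, $schemaMaster
```

If the import reports an error, ldif.err in the -j directory names the offending LDIF entry, which is the first place to look before re-running.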


You can use ADSI Edit to modify Xlight FTP Server options for users in Active Directory. ADSI Edit can be found in the Windows Support Tools on the product CD or downloaded from the Microsoft web site. From the MMC Snap-in window, add ADSI Edit as shown in the figure below:


Connect to Active Directory with ADSI Edit. Select CN=Users; the users are listed in the right-hand panel. Select the user for whom you want to set Xlight FTP Server related options, as shown in the figure below:


Right-click the user and click the menu item "Properties". In the dialog box, select and edit the Xlight FTP Server related options as shown in the figure below. These attributes all start with the letters "ftp". You only need to add the attributes you want to use. When you add the attribute ftpHomeDirectory and the option "Use NTFS permission for user's home directory" is not selected, you also need to add the attribute ftpHomePerm to control the permission of ftpHomeDirectory.


You should now be able to use the schema xlightFTPdUser and set Xlight FTP Server related FTP options for this user.