Quick Start for LDAP
LDAP, or Lightweight Directory Access Protocol, is used to query directory services for information, such as authentication credentials. GoAnywhere MFT can be configured to use LDAP as a login method, allowing administrators to more easily manage users while maintaining high security standards. Additionally, users can be created automatically during login and synchronized based on the configuration.
An Introduction to Basic LDAP Hierarchy
A basic understanding of LDAP hierarchy helps when configuring the LDAP login method within GoAnywhere MFT. The following image illustrates the various LDAP components and their relationships to one another.
The fundamental components that make up the LDAP tree (hierarchy) are:
- Domain Component (DC) - The Domain Component is the root of the tree and is broken down from the full DNS domain name.
- Organizational Unit (OU) – Organizational Units act as containers that hold other objects, such as groups or users.
- Common Name (CN) – The Common Name identifies an individual entry within an Organizational Unit, such as the name of a user or a particular group.
- Distinguished Name (DN) - The DN of an LDAP entry is much like the path to a file on a file system. It identifies the entry's position in the tree (hierarchy).
The following image represents a typical LDAP tree that will be referenced for creating Groups and LDAP Login Methods in GoAnywhere MFT in this tutorial.
Example LDAP Browser
An Introduction to GoAnywhere LDAP Managed Groups
In GoAnywhere, a Group is used to control the permissions and features granted to users who belong to the group. For example, a Development Group could be limited to creating Project Workflows or administering Secure Forms. A Support Group could be limited to reviewing the system or project logs.
A GoAnywhere LDAP Managed Group only allows users to be a member of that group if the user belongs to an LDAP group that has been defined in an LDAP Server Login Method.
Once the LDAP Server Login Method has been created, you will then create LDAP Managed Groups that provide the users permissions to the application.
Configuring an LDAP Server Login Method in GoAnywhere MFT
In this example, we will configure one LDAP Server Login Method for two separate GoAnywhere user groups, Support and Development.
Follow the instructions below to configure an LDAP Server Login Method in GoAnywhere MFT:
Log in as an Admin User with the Security Officer role. If your user account is assigned to a custom Admin User Role, your ability to view, modify, or execute actions on this page is based on the permissions specified for that role.
From the main menu bar, select Users, and then click the Login Methods link.
To add a new LDAP server, in the Login Methods page, click the Add Login Method link in the page toolbar.
In the Select Login Method Type page, select LDAP Managed. Choose your LDAP Server Type and the User Type that will be managed by this LDAP Login Method.
The Server tab contains the fields used to establish a connection to the LDAP server. Define the following fields:
- Name - A unique name for the LDAP Login Method.
- Primary Host - The host name or IP address of the LDAP server.
- Port - The port number for the LDAP server.
- User - An LDAP trusted user ID for performing searches within the LDAP server.
- Password - The password for the trusted user ID. To update an existing password, click the Change Password link and specify a new password.
- Base DN - The Base DN within the LDAP server restricts where GoAnywhere will find users and groups in the directory tree. This determines where GoAnywhere will start looking for user accounts. The farther down or more granular you set the Base DN, the more restrictive the search becomes. In this example, the Base DN is set at the root of the tree, so that GoAnywhere MFT can traverse down the tree.
- Object Class Attribute - The name of the attribute that holds the class value for an LDAP entry. The object class determines the type of object, such as a user, organizational unit, or domain.
- Distinguished Name Attribute - The name of the attribute that stores the unique identifier for a
Add LDAP Server
Web Users or Admin Users Tab
The Web Users or Admin Users tab controls how users in the LDAP server are integrated with the Users in GoAnywhere.
LDAP Login Method page, Web Users or Admin Users tab
The Advanced tab allows you to set log levels and server timeout settings. You can view these logs in the Logs > Audit Logs > Server Logs page in GoAnywhere MFT.
LDAP Login Method page, Advanced Tab
The User tab allows you to configure the LDAP schema settings for finding users. GoAnywhere populates these fields using default attributes based on the type of LDAP server selected.
Define the following fields:
- Object Class - The object class name for a user. You can view the default objectClass and other attribute values in the LDAP entry. In this example, the default objectClass of user objects is inetOrgPerson.
- User Name - The attribute for a user name.
Example LDAP User configuration
Example LDAP entry
The Group tab allows you to configure LDAP settings for finding groups. GoAnywhere populates these fields using default attributes based on the type of LDAP server selected.
Define the following fields:
- Object Class - The object class name for a group.
- Name - The attribute for the group name.
Example LDAP configuration - Group tab
Example LDAP group entry.
The Membership tab allows you to specify if membership is defined by the Group or User. If ‘Group defines membership’ is selected, membership will be defined by the Membership attribute specified on the Group tab. If ‘User defines membership’ is selected, membership will be defined by the Membership attribute specified on the User tab.
Example LDAP configuration - Membership tab
When ‘Include Nested Groups’ is enabled and a Group's members include both users and groups (nested Groups), GoAnywhere will also include the users who belong to the nested groups. When this setting is not enabled, users that belong to the nested groups will not be included.
For example, the ‘support’ group membership contains individual users as well as the Level 1 Support and Level 2 Support groups. When ‘Include Nested Groups’ is enabled, the users that belong to the Level 1 and Level 2 Support groups will also be included. If ‘Include Nested Groups’ is not enabled, users that belong to the Level 1 and Level 2 Support groups will not be included.
Example LDAP browser
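As an added example (not code from GoAnywhere MFT or this tutorial), the following Python models how an LDAP Managed Group's membership is resolved under the settings described above: the Base DN bounds which entries can be found at all, the Membership tab chooses whether the group's member attribute or the user's memberOf attribute is read, and ‘Include Nested Groups’ decides whether the Level 1 and Level 2 Support users are pulled in. The directory entries and the attribute names member and memberOf are constructed assumptions, not values taken from the page.

```python
# Added example, not GoAnywhere MFT's own code. The directory below is a
# constructed stand-in for the tutorial's tree (support -> Level 1/Level 2
# Support); 'member'/'memberOf' are assumed attribute names.
U = "ou=users,dc=example,dc=com"
G = "ou=groups,dc=example,dc=com"
DIRECTORY = {
    f"cn=alice,{U}": {"objectClass": ["inetOrgPerson"], "uid": "alice",
                      "memberOf": [f"cn=support,{G}"]},
    f"cn=bob,{U}": {"objectClass": ["inetOrgPerson"], "uid": "bob",
                    "memberOf": [f"cn=Level 1 Support,{G}"]},
    f"cn=carol,{U}": {"objectClass": ["inetOrgPerson"], "uid": "carol",
                      "memberOf": [f"cn=Level 2 Support,{G}"]},
    f"cn=support,{G}": {"objectClass": ["groupOfNames"],
                        "member": [f"cn=alice,{U}", f"cn=Level 1 Support,{G}",
                                   f"cn=Level 2 Support,{G}"]},
    f"cn=Level 1 Support,{G}": {"objectClass": ["groupOfNames"], "member": [f"cn=bob,{U}"],
                                "memberOf": [f"cn=support,{G}"]},
    f"cn=Level 2 Support,{G}": {"objectClass": ["groupOfNames"], "member": [f"cn=carol,{U}"],
                                "memberOf": [f"cn=support,{G}"]},
}

def in_scope(dn, base_dn):
    """True when dn is at or below base_dn: entries outside the Base DN are never found."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)

def direct_members(group_dn, membership):
    """'group': read the group's member attribute (Group defines membership).
    'user': collect entries whose memberOf names the group (User defines membership)."""
    if membership == "group":
        return list(DIRECTORY.get(group_dn, {}).get("member", []))
    return [dn for dn, e in DIRECTORY.items() if group_dn in e.get("memberOf", [])]

def resolve_members(group_dn, base_dn, include_nested, membership="group", _seen=None):
    """Return the set of user names a sync of this group would place in the GoAnywhere group."""
    _seen = set() if _seen is None else _seen
    users = set()
    if group_dn in _seen or not in_scope(group_dn, base_dn):
        return users                     # cycle guard, or the group lies outside the Base DN
    _seen.add(group_dn)
    for dn in direct_members(group_dn, membership):
        entry = DIRECTORY.get(dn)
        if entry is None or not in_scope(dn, base_dn):
            continue                     # unknown entry, or outside the Base DN (too narrow)
        if "inetOrgPerson" in entry["objectClass"]:
            users.add(entry["uid"])
        elif "groupOfNames" in entry["objectClass"] and include_nested:
            users |= resolve_members(dn, base_dn, include_nested, membership, _seen)
    return users
```

Running it with the Base DN set to ou=groups returns no users even though the group itself is found, which is the "Base DN is too narrow" symptom listed under the common errors below.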
Linking GoAnywhere User Groups to an LDAP Login Method
When you create a new Admin User Group or Web User Group in GoAnywhere, you will be prompted to select which type of group will be used to manage user membership. Choose the LDAP Managed Group, and then specify the following:
- Login Method – Select the LDAP Login Method you just configured.
- LDAP Group – GoAnywhere will use the LDAP configuration and return a list of LDAP Groups that could be found using the settings in the LDAP Group tab. Select the desired group from the available groups in the selected LDAP server.
For Web Users, give the group a name and description and specify the Services, Resources, Folder, and Form permissions for the group in the respective General, Folders and Forms tabs.
For Admin Users, give the group a name and a description, and specify the Roles, Members, and Domains that will be available to the administrators that belong to this group.
The group members will be synced with the LDAP Group chosen previously. Repeat this process for every group you’d like to create using this login method.
Example LDAP Managed Group
Example LDAP Managed Group
Testing an LDAP Login Method and Troubleshooting Common LDAP Errors
The Test Login Method page allows you to test user authentication against the Login Method. From the Login Methods page, click the action icon next to the desired LDAP login method and select ‘Test’.
You will be prompted to enter a User name and Password.
Test Login Method page
Once successfully authenticated, the Login Method test results will be displayed.
Example Login Method test results
Common LDAP Errors and Solutions
Here is a list of the most common LDAP setup errors and their solutions:
Users aren’t syncing or are unable to log in. Possible causes:
- “Enforce Group Membership” is enabled but the users are not part of the LDAP User Group specified.
- You have not created an LDAP User Group and have “Enforce Group Membership” checked.
- Your Base DN is too narrow or otherwise incorrect.
- The User has been incorrectly defined on the Server tab, resulting in:
  - The user not being able to query the server.
  - The domain or full DN not being specified in the User field.
A user gets disabled. Possible causes:
- You have enabled “Enforce Group Membership,” and the user is not a part of the Group you are trying to sync to GoAnywhere.
- The user is a part of multiple login methods.
- The user is disabled because of invalid login attempts.