Before integrating the portal with Active Directory over TLS, prepare the following:
- The LDAPS (TCP port 636) and Global Catalog TLS (TCP port 3269) ports must be open between the portal application servers and the domain controllers.
- Each domain controller must have a domain controller certificate with the Client Authentication and Server Authentication EKUs (Enhanced Key Usage).
- On the domain controller, open the Certificates MMC and export the domain controller certificate in .cer format.
- Import the certificate on each CTERA Portal application server:
  - Log in to each CTERA Portal application server using SSH.
  - Run the command:
    portal-cert.sh import -f <certificate>.cer <Alias_Name>
    where <certificate>.cer is the exported certificate file and Alias_Name is a name you can use to identify the certificate.
    Note: You only need to import the domain controller certificate, not the whole certificate chain. Because the portal trusts this specific certificate rather than its issuing CA, repeat the import when the domain controller certificate is renewed.
  - After importing the certificate on each CTERA Portal application server, restart the portal with the command:
    portal-manage.sh restart
- Follow the instructions for Active Directory in the To integrate a virtual portal with a directory service procedure, below, checking Use TLS.
- Once the TLS connection is working, remove access to the plaintext LDAP ports TCP 389 and TCP 3268 (Global Catalog) so that only the TLS ports are reachable.
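As an added example (not from the CTERA documentation or product), the following Python script performs the checks a practitioner wants before switching the portal to TLS and again after closing the plaintext ports: it confirms that TCP 636 and 3269 are reachable from the portal application server while 389 and 3268 are not, parses the exported .cer to confirm it carries the Server Authentication EKU, and fetches the certificate the domain controller presents on LDAPS to confirm it is byte-for-byte the file you imported (the portal trusts that exact certificate, not a chain). The DER walker is deliberately minimal and uses only the standard library; the host name, the file path and the embedded certificate-shaped test inputs are constructed assumptions, not real certificates.

```python
"""Pre-flight checks for the CTERA Portal -> Active Directory TLS setup.
Added example (Python standard library only); not part of the CTERA documentation
or product. Run on a portal application server; host name and file path are assumptions.
"""
import socket
import ssl
import sys

TLS_PORTS = (636, 3269)        # LDAPS and Global Catalog TLS: must be reachable
PLAINTEXT_PORTS = (389, 3268)  # LDAP and Global Catalog: must be blocked afterwards
OID_EKU, OID_SERVER_AUTH = "2.5.29.37", "1.3.6.1.5.5.7.3.1"

# Constructed, certificate-shaped DER test inputs (not real certificates): the first
# carries an EKU extension with Server and Client Authentication, the second has no extensions.
TEST_CERT_WITH_EKU = bytes.fromhex(
    "302d3026020101a321301f301d0603551d250416301406082b06010505070301"
    "06082b060105050703023000030100")
TEST_CERT_NO_EXT = bytes.fromhex("300a30030201013000030100")

def tcp_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def ports_ok(status):
    """status maps port -> open?; True when the TLS ports are open and the plaintext ones closed."""
    return all(status.get(p) for p in TLS_PORTS) and not any(status.get(p) for p in PLAINTEXT_PORTS)

def der_read(buf, pos=0):
    """Return (tag, value, next_pos) for the DER TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read(value, pos)
        yield tag, inner

def decode_oid(value):
    """Decode a DER OBJECT IDENTIFIER value into dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def extended_key_usages(cert_der):
    """Return the EKU OIDs of a DER X.509 certificate ([] when there is no EKU extension)."""
    _, cert, _ = der_read(cert_der)                  # Certificate ::= SEQUENCE
    tbs = next(v for _, v in der_children(cert))     # first element is tbsCertificate
    for tag, wrapped in der_children(tbs):
        if tag != 0xA3:                              # [3] EXPLICIT Extensions
            continue
        _, exts, _ = der_read(wrapped)               # Extensions ::= SEQUENCE OF Extension
        for _, ext in der_children(exts):
            fields = list(der_children(ext))         # extnID, optional critical, extnValue
            if decode_oid(fields[0][1]) == OID_EKU:
                _, oids, _ = der_read(fields[-1][1]) # OCTET STRING wraps SEQUENCE OF OID
                return [decode_oid(v) for _, v in der_children(oids)]
    return []

def has_server_auth(cert_der):
    """Server Authentication is the EKU the LDAPS listener needs."""
    return OID_SERVER_AUTH in extended_key_usages(cert_der)

def load_cer(path):
    """Read the exported .cer; the MMC writes DER by default, but accept Base64 as well."""
    with open(path, "rb") as f:
        data = f.read()
    return ssl.PEM_cert_to_DER_cert(data.decode("ascii")) if data.lstrip().startswith(b"-----BEGIN") else data

def presented_cert(host, port=636):
    """Fetch the certificate the DC presents on LDAPS (no validation: the point is to inspect it)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

if __name__ == "__main__":
    dc, cer_path = sys.argv[1], sys.argv[2]          # e.g. dc1.corp.example dc1.cer (assumed names)
    exported = load_cer(cer_path)
    status = {p: tcp_open(dc, p) for p in TLS_PORTS + PLAINTEXT_PORTS}
    print("ports:", status, "ok" if ports_ok(status) else "NOT ok")
    print("EKUs:", extended_key_usages(exported), "ok" if has_server_auth(exported) else "no Server Authentication")
    if status[636]:
        print("DC presents the exported certificate:", presented_cert(dc) == exported)
```

Run it as `python3 ad_tls_precheck.py dc1.corp.example dc1.cer` (file and host names assumed). Before the final step the plaintext ports are expected to be open and the script reports "NOT ok"; after the step it should report "ok". If the presented certificate differs from the exported file, the domain controller is serving a different certificate (for example a renewed one) and the import has to be repeated.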
To integrate a virtual portal with a directory service:
- Select Settings > Control Panel in the navigation pane.
  The Control Panel page is displayed.
- Select Directory Services under User Settings.
  The Directory Services page is displayed.
- Click Connection Settings to connect to a directory service.
  The Settings page is displayed.
- Slide Enable Directory Synchronization on to enable integration with a directory domain.
  The Settings page is redisplayed with additional fields.
- Specify the Directory Type, the type of directory with which to integrate the portal: Active Directory, LDAP Directory Server, or Apple Open Directory Server. After you select the directory type, the fields for that type are enabled; they are described below.
- Complete the fields for the selected directory type.
- Click Save.
Active Directory

Use TLS – Connect to the Active Directory domain using TLS.
Use Kerberos – Use the Kerberos protocol for authentication when communicating with the Active Directory domain. This is useful for achieving Single Sign-on (SSO) with Windows computers. If unchecked, NTLM is used.
Only one virtual portal, per system, can use Kerberos.
Domain – The name of Active Directory domain with which you want to synchronize users.
Username – The name to use for authenticating to Active Directory.
Password – The password for authenticating to Active Directory.
Organizational Unit (Optional) – The name of the organizational unit within the Active Directory domain.
Manually specify domain controller addresses – Slide on to enter the IP addresses of the Active Directory domain controllers yourself. If disabled, DNS is used to locate the domain controllers automatically.
- Primary – The address of the primary domain controller.
- Secondary – The address of the secondary domain controller.
LDAP Directory Server

LDAP URL – The URL to connect to the LDAP server. Both ldap:// and ldaps:// are supported; the default port is 389 for ldap and 636 for ldaps. With ldap://, the bind password and directory data cross the network unencrypted, so use ldaps:// unless the path to the directory server is protected by other means.
Base DN – Optional: The base DN of the LDAP server.
Login DN – The bind DN: the distinguished name of a user with read rights to the user entries, used for binding to the directory. For example, cn=Manager,dc=company,dc=com. A read-only account is sufficient.
Password – The password to use for binding to the LDAP server.
User Class – The LDAP object class for user objects in the LDAP directory.
Proxy Based SSO – To configure an access manager that supports proxy-based SSO, also known as reverse proxy-based SSO:
- User ID Header – The name of the HTTP header that your access manager adds to each incoming request to carry the authenticated user's identity. The portal trusts this header, so make sure clients can reach the portal only through the access manager; otherwise a client could supply the header itself.
Apple Open Directory Server

LDAP URL – The URL to connect to the Apple Open Directory server.
Base DN – Optional: The base DN of the Apple Open Directory server.
Login DN – The bind DN: the distinguished name of a user with read rights to the user entries, used for binding (authenticating) to the Apple Open Directory server.
Password – The password to use for binding to the Apple Open Directory server.
Proxy Based SSO – To configure an access manager that supports proxy-based SSO, also known as reverse proxy-based SSO:
- User ID Header – The name of the HTTP header that your access manager adds to each incoming request to carry the authenticated user's identity. The portal trusts this header, so make sure clients can reach the portal only through the access manager; otherwise a client could supply the header itself.
For Active Directory, also map each domain to its own range of portal UIDs/GIDs:
- In the Directory Services page click UID/GID Mapping.
  The Address Mapping page is displayed.
- For each domain in the tree/forest, do the following:
  - Select the domain from the Add Domain drop-down list.
  - Click Add.
  - In the UID/GID Start field enter the starting number of the range of portal user and group IDs (UID/GID) to assign to users and user groups from this domain.
  - In the UID/GID End field enter the ending number of that range.
  - Click the confirm icon in the row.
- Click Save.
Give every domain a range that does not overlap any other domain's range; otherwise users or groups from different domains would be assigned the same UID/GID.
Notes: To edit a domain address mapping, click the edit icon in the row. To remove a domain address mapping, click the remove icon in the row.
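Before typing ranges into the Address Mapping page, it helps to validate the whole plan at once. The following Python snippet is an added example, not CTERA code; the domain names, user counts and the floor of 1000 for local system IDs are assumptions. It flags a range whose end precedes its start, a range too small for the domain, a range that dips into the IDs local accounts typically use on a Linux host, and any overlap between domains (which would give principals from different domains the same portal UID/GID), and it proposes the next free start for an additional domain.

```python
"""Validate planned UID/GID ranges before entering them in UID/GID Mapping.

Added example, not CTERA code. Domain names, counts and LOCAL_ID_FLOOR are
assumptions; adjust them to the environment.
"""

# Assumed floor: keep portal IDs clear of the range Linux typically reserves for
# system and local accounts (0-999).
LOCAL_ID_FLOOR = 1000

# Constructed plan: domain -> (UID/GID Start, UID/GID End, users + groups expected)
PLANNED_RANGES = {
    "corp.example":      (100000, 199999, 4500),
    "emea.corp.example": (200000, 299999, 1200),
    "apac.corp.example": (250000, 349999, 800),   # deliberately overlaps emea
    "lab.corp.example":  (500, 1499, 100),        # deliberately below the floor
    "tiny.corp.example": (400000, 400099, 250),   # deliberately too small
}

def validate_ranges(ranges, floor=LOCAL_ID_FLOOR):
    """Return a list of problems found in the plan; an empty list means it is consistent."""
    problems = []
    for domain, (start, end, needed) in ranges.items():
        if start > end:
            problems.append(f"{domain}: start {start} is after end {end}")
            continue
        if start < floor:
            problems.append(f"{domain}: start {start} is below the local ID floor {floor}")
        capacity = end - start + 1                  # Start and End are inclusive
        if capacity < needed:
            problems.append(f"{domain}: range holds {capacity} IDs but {needed} are needed")
    # Overlap check: walk the ranges by start and remember the highest end seen so far,
    # so a wide range that swallows several later ones is caught too.
    prev_domain, prev_end = None, None
    for domain, (start, end, _) in sorted(ranges.items(), key=lambda kv: kv[1][0]):
        if prev_end is not None and start <= prev_end:
            problems.append(f"{domain} ({start}-{end}) overlaps {prev_domain} (ends at {prev_end})")
        if prev_end is None or end > prev_end:
            prev_domain, prev_end = domain, end
    return problems

def next_free_start(ranges, size, floor=LOCAL_ID_FLOOR):
    """Lowest start >= floor where a block of `size` IDs fits without touching any existing range."""
    candidate = floor
    for _, (start, end, _) in sorted(ranges.items(), key=lambda kv: kv[1][0]):
        if candidate + size - 1 < start:            # the block ends before this range begins
            break
        candidate = max(candidate, end + 1)         # otherwise skip past this range
    return candidate

if __name__ == "__main__":
    for problem in validate_ranges(PLANNED_RANGES) or ["plan is consistent"]:
        print(problem)
    print("next free start for a 100000-ID domain:", next_free_start(PLANNED_RANGES, 100000))
```

Ranges are treated as inclusive on both ends, matching the Start and End fields; two ranges that merely touch (one ending at 199999, the next starting at 200000) are accepted, anything closer is reported as an overlap.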
Then define which directory users and user groups may access the portal, and with which role:
- In the Directory Services page click Access Control.
  The Access Control page is displayed.
- Add each directory user and user group allowed to access the portal:
  - In the drop-down list, select one of the following:
    Domain Users – Search the users defined in the directory service.
    Domain Groups – Search the user groups defined in the directory service.
  - Select the user or user group from the drop-down list, or in the Quick search field enter a string that appears anywhere in the name of the user or user group you want to add.
  - Select the user or group and click Add.
    The user or user group is added to the list of users and user groups with access to the portal.
- In each user and user group's row, click in the Role column, then select the user role from the drop-down list:
  Disabled – The user account is disabled. The user cannot access the end user portal view.
  End User – The user can access the end user portal view.
  Read/Write Administrator – The user can access the end user portal view as an administrator with read-write permissions.
  Read Only Administrator – The user can access the end user portal view as an administrator with read-only permissions.
  Support – The user can access the end user portal view as an administrator and has read/write access to devices, user accounts, folders, and folder groups, and read-only access to all other settings in the portal.
  Compliance Officer – The user can access the end user portal view as an administrator with read-write permissions and manage compliance settings for cloud drive folders.
  Archive Operator – The user can access the end user portal view and manage archive settings for cloud drive folders.
- Click the confirm icon in the row.
Notes: To edit the access control for a user or group, click the edit icon in the row. To remove the access control for a user or group, click the remove icon in the row.
- To set a role for directory users or user groups that have no match in the access control list, click the Settings tab.
  - Select the user role from the If no match, assign this role drop-down list: Disabled, End User, Read/Write Administrator, Read Only Administrator, Support, Compliance Officer, Archive Operator. Choose Disabled unless you intend every directory account not listed above to receive the selected role.
  - Specify the way to fetch the users:
    Lazy – Users are created, and their data populated, only after the user signs in to the portal or a manual fetch is performed for the users.
    Eager – Users in the groups added to the access control list are created immediately, and home folders are created for them.
  - Click Save.
The users in the portal are automatically updated every night at midnight with the users in the directory. To immediately fetch the users, see Manually Fetching User Data.