LDAP Configuration
PowerFolder Server can use LDAP as an authentication provider, so that users are authenticated against a corporate directory.
Supported LDAP systems:
- Microsoft Active Directory
- Novell eDirectory
- OpenLDAP
- Posix Account RFC2307
- Posix Account RFC2307bis
- Samba
- Other LDAP servers
Explanation of LDAP Authentication
When a user logs on via the web interface or from the client, the following steps are performed to authenticate the user:
- PowerFolder Server connects to the directory server using the username configured in the LDAP settings.
- It searches for the distinguished name of the user within the search context, using the configured search match criteria.
- It uses the retrieved distinguished name of the user together with the given password to log in at the LDAP server.
- If the login succeeds, the user is authenticated at PowerFolder Server. If it fails, or if any other problem occurs, the login is rejected.
This makes it possible to authenticate users from a corporate directory at the server via LDAP.
User data that is specific to PowerFolder Server, such as permissions, computers and storage quota, is still stored in the PowerFolder Server database.
Email addresses retrieved from LDAP are now marked in the database using the corresponding LDAP search path (existing addresses are automatically updated to the new format). If an email address is removed from LDAP, it is also removed from the database.
The LDAP information is updated when
- A user logs in via LDAP (only this user is updated)
- LDAP information is synchronized (authentication settings)
- LDAP accounts are imported (authentication settings)
Connecting to an LDAP Directory
The connection can be configured using the web interface. Choose Preferences → Authentication → LDAP. Please note that you need to be logged in with the admin account to change LDAP settings.
You can find an explanation of all settings on the Server Configuration File page.
Testing the connection
To test the connection, you can simply hit the Test button on the Preferences → Authentication → LDAP page. It should return a popup saying "Successfully connected to ldap://ldap.domain.local:389" if everything is fine.
Adding more LDAP servers
An unlimited number of directory servers can be set up as authentication sources for users. If a user is not found in the first directory, the server tries the following LDAP sources in turn.
Connecting to LDAP using SSL
To connect to an LDAP directory server which uses an SSL certificate to protect the connection, just replace ldap:// with ldaps:// when specifying the hostname of the LDAP server. If your LDAP server uses a different port for secure communication, simply append the port to the hostname, separated by a colon.
Please note: If your LDAP directory server uses a self-signed certificate, or a certificate chain that is not trusted by common public certificate authorities, you need to import the certificate into the Java KeyStore and restart PowerFolder Server before testing the connection.
Migrating to a new Domain / Changing the Search Context
To change the Domain / Search Context of your AD/LDAP, simply apply the new values in the Server Configuration File or on the Preferences → Authentication → LDAP page.
When users log in, PowerFolder Server tries to find them in its database first by the LDAP Distinguished Name, then by the username and finally by the e-mail address. If the user's account was found by either the username or the e-mail address, the new Distinguished Name is stored in the database and used for the next login of that user.
Periodic synchronization of LDAP Accounts known to PowerFolder
The type and time interval of the LDAP structure synchronization can be chosen in the server settings:
- No accounts: No accounts will be imported.
- Only existing accounts: New accounts will NOT be imported. Attributes of existing accounts will be updated, but accounts that have been deleted in LDAP/Active Directory will not be deleted.
- All accounts: New accounts will be imported. Attributes of existing accounts will be updated, but accounts that have been deleted in LDAP/Active Directory will not be deleted.
New config parameters:
The type of LDAP synchronization (0 = no accounts, 1 = only existing accounts, 2 = all accounts):
ldap.<index>.sync.type
The time interval for LDAP synchronization in hours:
ldap.<index>.sync.time
Configurable LDAP Alias dereferencing
Alias dereferencing has been implemented as of PowerFolder version 10.5 and can only be configured via a command line option in PowerFolder-Server.sh:
-Djava.naming.ldap.derefAliases=<value>
Example:
RUN_CMD="$RUN_JAVA $JAVA_MEM $JAVA_TMP -Djava.naming.ldap.derefAliases=never -Duser.home=$SERVER_HOME -Dpf.install.dir=$SERVER_INSTALL -cp $CP -server de.dal33t.Start"
| Property Settings/Values | Description |
|---|---|
| always | Always dereference aliases. |
| never | Never dereference aliases. |
| finding | Dereference aliases only during name resolution (that is, while locating the target entry). |
| searching | Dereference aliases only once name resolution has completed (that is, after locating the target entry). |
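The bind-search-bind sequence from the authentication steps above, over an ldaps:// URL and with the same alias dereferencing property the table documents, written against JNDI as an added example (not PowerFolder's own code). The server URL, service account DN and password, search context and filter are assumed placeholders.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapAuthCheck {
    // Assumed placeholders; substitute your directory's settings. ldaps:// needs the server cert trusted by the Java KeyStore.
    static final String URL = "ldaps://ldap.domain.local:636";
    static final String SERVICE_DN = "cn=pf-service,ou=service,dc=domain,dc=local";
    static final String SERVICE_PASSWORD = "service-password";
    static final String SEARCH_CONTEXT = "ou=people,dc=domain,dc=local";
    // {0} is substituted and escaped by JNDI; never concatenate the username into the filter string.
    static final String SEARCH_FILTER = "(&(objectClass=person)(uid={0}))";
    // Simple bind as the given DN; throws NamingException if the server refuses the bind.
    static DirContext bind(String dn, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        env.put("java.naming.ldap.derefAliases", "never"); // same values as -Djava.naming.ldap.derefAliases
        return new InitialDirContext(env);
    }
    // True only if exactly one entry matches the filter and a bind as that entry succeeds.
    static boolean authenticate(String username, String password) {
        // An empty password turns the simple bind into an unauthenticated bind that many servers accept: reject it here.
        if (username == null || username.isEmpty() || password == null || password.isEmpty()) return false;
        DirContext service = null;
        try {
            service = bind(SERVICE_DN, SERVICE_PASSWORD);   // step 1: bind with the configured account
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> hits = service.search(SEARCH_CONTEXT, SEARCH_FILTER, new Object[] {username}, controls); // step 2
            if (!hits.hasMore()) return false;              // unknown user
            String userDn = hits.next().getNameInNamespace();
            if (hits.hasMore()) return false;               // ambiguous match: refuse rather than guess
            bind(userDn, password).close();                 // step 3: bind as the user with the given password
            return true;
        } catch (NamingException e) {
            return false;                                   // step 4: any failure or error rejects the login
        } finally {
            if (service != null) try { service.close(); } catch (NamingException ignored) { }
        }
    }
}
```

A server that returns more than one entry for the filter, or accepts the empty-password bind, is treated as a failed login rather than a match.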