Updated June 16th, 2016
With LDAP authentication enabled, users can log in to Serv-U with the credentials held by a remote LDAP server (such as Active Directory or OpenLDAP). LDAP Users can also take their home directory from their LDAP account, so it does not have to be specified manually in Serv-U.
Use LDAP users if the following conditions apply:
To enable LDAP authentication, select Enable LDAP authentication under Users > LDAP Authentication.
LDAP User home folders are normally taken from the LDAP attribute named in the "Home Directory" field of your LDAP Server configuration. The account the Serv-U service runs as must have full permission to the root folder under which all LDAP User home folders sit. (For example, if your LDAP User home folders look like \\usernas\homefolders\username and Serv-U is running as a Windows service under the servu account, then the Windows servu user needs full permissions on \\usernas\homefolders.) Because every LDAP User's file operations are performed by that service account, grant the permission on the home-folder root only, not on a wider share or the whole file server.
LDAP Login ID suffix
The LDAP Login ID suffix field is used to send fully qualified Login IDs to the LDAP server. (A typical value in an Active Directory environment might be @mydomain.com.) After changing this field, click Save to apply the change.
Use LDAP User Group home directory instead of account home directory
By default, Serv-U uses the LDAP account's home directory (that is, the value of the attribute configured as the "Home Directory" attribute in the LDAP Server configuration) when an LDAP User logs in. Enabling this option causes Serv-U to use the home directory specified in the Default LDAP User Group instead. If no home directory is specified at the group level, the LDAP account's home directory is still used. If no home directory is defined at the user, group, domain, or system level, and none is available from the LDAP server, the user is not allowed to sign on.
LDAP User Groups
LDAP User accounts are not visible or configurable on an individual basis in Serv-U, but LDAP Group membership can be used to apply common permissions and settings such as IP restrictions and bandwidth throttles.
All LDAP Users are members of a special Default LDAP Group. Click Configure Default LDAP Group under Users > LDAP Authentication or under Groups > LDAP Groups to configure this group just like a normal Serv-U group.
LDAP Users can also be members of individual LDAP Groups. Click Configure LDAP Groups on the LDAP Authentication screen to configure these groups just like normal Serv-U groups.
LDAP Group membership
For Serv-U to match users to the appropriate user groups, the entire hierarchy, including the Distinguished Name (DN), must be recreated in the user group hierarchy. For example, in the Active Directory domain myoffice.local the tree must start with local -> myoffice before any OUs or Security Groups are populated beneath it.
LDAP Users are also added to any LDAP Groups whose names appear in the Group Membership attributes defined on the LDAP Authentication page. For example, if the Group Membership field is configured as grp and an LDAP user record carries both grp=Green and grp=Red attributes, Serv-U associates that LDAP User with both the "Red" and "Green" LDAP Groups.
Membership in one or more LDAP Groups is required if the Require fully-qualified group membership for login option is selected on the LDAP Groups page. If this option is selected and an LDAP User cannot be matched to at least one LDAP Group, the user is not allowed to sign on. In this case the LDAP server may accept the user's credentials, yet Serv-U still rejects the login because the user is not a member of any LDAP Group; from the client's side this looks like a failed password, so check the Serv-U log to tell the two cases apart.
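The home-directory precedence described under "Use LDAP User Group home directory instead of account home directory" and the group-matching and "Require fully-qualified group membership" rules above are worked through below in a small model. This is an added illustration, not Serv-U's own code: it parses a constructed LDIF record for one user (the shape an LDAP search tool prints), derives the DN hierarchy Serv-U expects to be recreated, collects the Group Membership attribute values, and decides whether the login is allowed and which home directory applies. The attribute names (homeDirectory, grp), the DN, the configured group names and the fallback paths are assumptions made for the example.

```python
"""Model of the LDAP-to-Serv-U mapping rules described on this page.

Added illustration, not Serv-U code. Attribute names, the sample DN and the
configured group names are assumptions for the example.
"""

from typing import Dict, Iterable, List, Optional, Set, Tuple

# Constructed sample record, not real directory data.
SAMPLE_LDIF = r"""
dn: CN=jdoe,OU=Sales,OU=Staff,DC=myoffice,DC=local
sAMAccountName: jdoe
homeDirectory: \\usernas\homefolders\jdoe
grp: Green
grp: Red
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into attribute name (lowercased) -> list of values.

    Folded lines (leading space) are appended to the previous value. Base64
    values ("attr:: ...") are not decoded; this is enough for the sample."""
    record: Dict[str, List[str]] = {}
    last_attr: Optional[str] = None
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        if raw.startswith(" ") and last_attr:
            record[last_attr][-1] += raw[1:]
            continue
        attr, _, value = raw.partition(":")
        last_attr = attr.strip().lower()
        record.setdefault(last_attr, []).append(value.strip())
    return record


def dn_hierarchy(dn: str) -> List[str]:
    """Hierarchy that must exist in Serv-U's LDAP Group tree, root first.

    CN=jdoe,OU=Sales,OU=Staff,DC=myoffice,DC=local gives
    ['local', 'myoffice', 'Staff', 'Sales']: the leaf RDN (the user itself)
    is dropped and the remaining RDN values are listed from the root down.
    The split is naive; DNs with escaped commas are not handled."""
    rdn_values = [part.split("=", 1)[1].strip() for part in dn.split(",")]
    return list(reversed(rdn_values[1:]))


def resolve_groups(record: Dict[str, List[str]], membership_attr: str,
                   configured_groups: Iterable[str]) -> Set[str]:
    """LDAP Groups the user is associated with: every value of the Group
    Membership attribute plus every node on the DN hierarchy, restricted to
    the LDAP Groups actually configured in Serv-U."""
    candidates = set(record.get(membership_attr.lower(), []))
    candidates.update(dn_hierarchy(record["dn"][0]))
    return candidates & set(configured_groups)


def select_home_directory(record: Dict[str, List[str]], home_attr: str,
                          group_home: Optional[str] = None,
                          use_group_home: bool = False,
                          fallbacks: Iterable[Optional[str]] = ()) -> Optional[str]:
    """Home-directory precedence. With the "use group home" option on and a
    group home set, the group home wins; otherwise the account attribute is
    used, then the group, domain and system level values (fallbacks).
    None means no home directory anywhere, so the login must be refused."""
    account_home = next(iter(record.get(home_attr.lower(), [])), None)
    if use_group_home and group_home:
        return group_home
    for candidate in (account_home, group_home, *fallbacks):
        if candidate:
            return candidate
    return None


def evaluate_login(record: Dict[str, List[str]], membership_attr: str,
                   configured_groups: Iterable[str], require_group: bool,
                   home_attr: str, **home_opts) -> Tuple[bool, Set[str], Optional[str], str]:
    """Combine the rules after the LDAP server has accepted the credentials.
    Returns (allowed, matched groups, home directory, reason)."""
    groups = resolve_groups(record, membership_attr, configured_groups)
    if require_group and not groups:
        return False, groups, None, "credentials accepted but user is in no LDAP Group"
    home = select_home_directory(record, home_attr, **home_opts)
    if home is None:
        return False, groups, None, "no home directory at user, group, domain or system level"
    return True, groups, home, "ok"


if __name__ == "__main__":
    user = parse_ldif(SAMPLE_LDIF)
    print("hierarchy to recreate:", " -> ".join(dn_hierarchy(user["dn"][0])))
    print(evaluate_login(user, "grp", {"Red", "Green", "Sales"}, True, "homeDirectory"))
    print(evaluate_login(user, "grp", {"Blue"}, True, "homeDirectory"))
```

The second call in the usage block shows the case the text warns about: the directory accepted the user, but Serv-U refuses the login because none of the user's group names ("Green", "Red", and the OU path "local", "myoffice", "Staff", "Sales") is a configured LDAP Group.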
LDAP Server Configuration
Serv-U requires administrators to define one or more LDAP Servers before LDAP authentication will work. LDAP Servers are configured on the Domain Users > LDAP Authentication page in the Serv-U Management Console.
LDAP Server Configuration
The LDAP Server configuration dialog is displayed when you click Add, Edit, or Copy on the LDAP Servers list.
The LDAP Server Configuration dialog contains the following fields:
To test the connection to the LDAP server, log in as an LDAP user. If the login fails, the Serv-U log files give the reason, which distinguishes a connection or bind failure against the LDAP server from a user whose credentials were accepted but who could not be matched to any LDAP Group or home directory.
NOTE: Active Directory and OpenLDAP servers are configured in the same way. In the case of OpenLDAP, the account Serv-U connects with must have permission to connect to and query the OpenLDAP database.