If LDAP authentication is enabled, users can log in to Serv-U using login credentials as provided by a remote LDAP server, such as Active Directory or OpenLDAP. LDAP users can use a home directory from their LDAP account, eliminating the need to manually specify a home directory.
Before you begin the configuration of LDAP authentication, consider the following:
Active Directory and OpenLDAP users are configured in the same way. In the case of OpenLDAP, the user account must have permission to connect to the OpenLDAP database.
To decide between LDAP authentication and Windows user authentication, see Compare Windows and LDAP authentication.
The examples and illustrations in this topic show a Serv-U instance configured to use authentication through Active Directory.
To start configuring LDAP authentication, navigate to Users > LDAP Authentication in the Serv-U Management Console.
The LDAP Server configuration dialog is displayed when you click Add, Edit, or Copy on the LDAP Servers list.
Provide the following information to configure your LDAP server:
Tampa Office OpenLDAP).
If the Connection Account credentials are not supplied, then the credentials that are being authenticated are used.
solardomain, this value can be
This required field is used to tell Serv-U how to match incoming LoginIDs ("usernames") to specific LDAP Server entries.
$LoginID must be included somewhere in this field. The search filter is used to search in the Users tree of the LDAP server.
During authentication Serv-U will replace this variable with the LDAP User's LoginID (and LDAP Login ID suffix, if specified). The value of the search filter varies between different types of LDAP servers, and may even vary between different LDAP servers of the same type (depending on the specific schema your LDAP administrator has implemented).
For Active Directory LDAP servers, a value of (&(objectClass=user)(userPrincipalName=$LoginID)) is recommended. This value is provided by default in Serv-U.
Consult with your local LDAP administrator or use an LDAP client (for example, Softerra LDAP Browser or Apache Directory Studio) to find and test the right value for your LDAP server before deploying into production, and then modify the default search filter according to your specific setup.
For example, if your LDAP server configuration contains subfolders, modify the search filter by adding a wildcard value (*) to match the whole folder structure. The search filter must be configured so that it returns exactly one user.
To test your search filters against Active Directory, use the Ldp tool. The default location of the tool is
For more information about the location and usage of the Ldp tool, search for Ldp on the Microsoft Technet or on the Microsoft Support website.
The configuration of the following values in the Attribute Mapping grouping is optional.
userPrincipalName. This value will almost always match the value paired with $LoginID in your Search Filter. In other words, this is your login ID in Serv-U, and it is compared to the userPrincipalName in the search filter.
grp and an LDAP user record has both grp=Red attributes, Serv-U associates that LDAP User with both the "Red" and "Green" LDAP Groups. A typical value on Active Directory is
After configuring the LDAP server, specify the LDAP login ID suffix. The LDAP login ID suffix is necessary to send fully qualified login IDs to the LDAP server. The suffix you specify here is placed at the end of the user name when a user logs in.
A typical value in an Active Directory environment might be @mydomain.com. After changing this field, click Save to apply the change.
In order for Serv-U to match users up to the appropriate user groups, the entire hierarchy, including the Distinguished Name (DN) must be recreated in the user group hierarchy.
LDAP Users are also added to any LDAP Groups whose names appear in "Group Membership" attributes defined on the LDAP Authentication page. For example, if the Group Membership field is configured to be grp and an LDAP user record has both grp=Red attributes, Serv-U will associate that LDAP User with both the "Red" and "Green" LDAP Groups.
Membership in one or more LDAP groups is required if the Require fully-qualified group membership for login option is selected on the Groups > LDAP Groups page. If this option is selected, and LDAP Users cannot be matched up to at least one LDAP Group, they will not be allowed to sign on. In this case it is possible that Serv-U successfully authenticates to the LDAP server, and then rejects the user login because the user is not a member of any group.
For more information about group permissions and settings, see User groups.
LDAP user accounts are not visible or configurable on an individual basis in Serv-U, but LDAP group membership can be used to apply common permissions and settings such as IP restrictions and bandwidth throttles.
All LDAP users are members of a special default LDAP group.
To configure the default LDAP group in Serv-U:
LDAP Users can also be members of individual LDAP Groups.
To configure LDAP groups in Serv-U:
LDAP groups have the same configuration options as other Serv-U groups. For information about the configuration options available at the group level, see LDAP user groups.
When you configure LDAP groups, recreate the same structure as the group structure in Active Directory, and use the same names as the group names in Active Directory.
The following image illustrates the group structure in Active Directory. By hovering over a user or group in Active Directory, the group structure is displayed.
This information is highlighted in yellow.
The following image illustrates how the group structure of Active Directory is recreated in Serv-U.
Serv-U requires administrators to define one or more LDAP Servers before LDAP authentication will work. LDAP Servers are configured on the Users > LDAP Authentication page in the Serv-U Management Console.
You can define more than one LDAP Server if you want Serv-U to try a backup server in case the primary LDAP server is down, or if you want to try LDAP credentials against different LDAP servers with different sets of users.
Serv-U attempts authentication against the list of LDAP servers from top to bottom. During login, the first LDAP server that approves a set of credentials will be the server from which the associated LDAP user will draw its full name, email address and other attributes.
After attempting a login against the first LDAP server, Serv-U tries each LDAP server in the list until it either encounters a successful login, or it encounters an unsuccessful login paired with an authoritative response from the LDAP server that the attempted LoginID exists on that LDAP server.
In other words, Serv-U makes login attempts on LDAP servers that are lower on the list if the preceding LDAP servers are unresponsive, or if they report that they have no knowledge of the LDAP user.
Serv-U tries each available LDAP server, even if the login credentials fail. The error log provides detailed information of any possible connection failure. For information about the error messages, see LDAP error messages.
The error log contains information about the last LDAP server Serv-U contacted.
Use the Add, Edit, Delete, and Copy buttons to work with individual LDAP server entries. When there are multiple LDAP server entries in the list, selecting any entry will reveal move up, move down, move to top, and move to bottom ordering arrows on the right of the window.
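The server-list behaviour described above, together with the group-membership check from the LDAP Groups section (a login that authenticates but matches no LDAP group is rejected when membership is required), as an added Python simulation that is not Serv-U's own code. The stop rule follows the description above: move past servers that are unresponsive or do not know the LoginID, stop at the first success or at an authoritative failure. The servers, accounts and the exact, case-insensitive comparison of group names are this example's assumptions.

```python
from dataclasses import dataclass, field
# Outcomes a simulated LDAP server can report for one login attempt.
UNRESPONSIVE, UNKNOWN_USER, BAD_CREDENTIALS, OK = "unresponsive", "unknown", "bad_creds", "ok"

@dataclass
class FakeLdapServer:  # constructed stand-in for one entry in the LDAP Servers list
    name: str
    users: dict = field(default_factory=dict)   # login id -> (password, attributes)
    online: bool = True
    def authenticate(self, login_id, password):
        if not self.online:
            return UNRESPONSIVE, None
        if login_id not in self.users:
            return UNKNOWN_USER, None            # server has no knowledge of this LoginID
        pw, attrs = self.users[login_id]
        return (OK, attrs) if pw == password else (BAD_CREDENTIALS, None)  # authoritative

def try_servers(servers, login_id, password):
    """Top to bottom: move past unresponsive or unknown-user servers, stop at the
    first success or at an authoritative failure (user exists, credentials wrong)."""
    log = []
    for srv in servers:
        outcome, attrs = srv.authenticate(login_id, password)
        log.append((srv.name, outcome))
        if outcome in (OK, BAD_CREDENTIALS):
            return (srv if outcome == OK else None), attrs, log
    return None, None, log

def ldap_groups_for(attrs, membership_attr, defined_groups):
    """Serv-U LDAP groups whose names appear among the user's membership values.
    Exact, case-insensitive name comparison is an assumption of this example."""
    values = {v.lower() for k, vs in attrs.items() if k.lower() == membership_attr.lower() for v in vs}
    return [g for g in defined_groups if g.lower() in values]

def login(servers, login_id, password, membership_attr, defined_groups, require_membership):
    srv, attrs, log = try_servers(servers, login_id, password)
    if srv is None:
        return {"allowed": False, "reason": "authentication failed", "log": log}
    groups = ldap_groups_for(attrs, membership_attr, defined_groups)
    if require_membership and not groups:          # authenticated, but in no LDAP group
        return {"allowed": False, "reason": "no LDAP group membership", "log": log}
    return {"allowed": True, "server": srv.name, "groups": groups, "log": log}

# Constructed servers: a downed primary, a backup that knows alice, a third that knows only bob.
ALICE = {"grp": ["Red", "Green"]}
SERVERS = [
    FakeLdapServer("primary-ad", {"alice@mydomain.com": ("pw1", ALICE)}, online=False),
    FakeLdapServer("backup-ad", {"alice@mydomain.com": ("pw1", ALICE)}),
    FakeLdapServer("openldap", {"bob@mydomain.com": ("pw2", {"grp": ["Blue"]})}),
]
```

The returned log mirrors what you would look for in the Serv-U error log: which server was contacted last and why the attempt stopped there.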
To test the connection to the LDAP server, log in with an LDAP user. If the connection fails, the log files of Serv-U will provide detailed information about the reason for the failure.
The following images show what a successful HTTP login looks like for the user and for the Serv-U administrator. Note that LDAP and Windows authentication look identical in the log files.
The following image shows the login page for the user named LDAP.
The log entries for both a successful and a failed login are displayed under Domain > Domain Activity > Log.
The following image shows the log entries for a successful login and logout.
The following error messages relate to issues with accessing an account's home directory, and are not LDAP specific:
Additionally, when Serv-U returns unknown LDAP authentication errors, search for the LDAP error codes in the documentation of your LDAP server.
To enable LDAP authentication:
The home folders of LDAP users are pulled from the "Home Directory" LDAP attribute that is specified in your LDAP server configuration. The service account Serv-U runs as should have full permission to the root folder of all LDAP User folders. For example, if your LDAP user home folders are similar to \\usernas\homefolders\username and Serv-U is running as a service on Windows as servu, then the Windows servu user should have full permissions to
By default, Serv-U uses the LDAP account's home directory when an LDAP user logs in. This is the value of the Home Folder LDAP attribute that is specified in the LDAP server configuration, as highlighted in the following image.
For information about configuring the LDAP account's home directory, see Configure the LDAP server.
If you select the Use LDAP Group home directory instead of account home directory option under Users > LDAP Authentication in the Serv-U Management Console, Serv-U will use the home directory that you specify in the Default LDAP User Group instead of the LDAP account's home directory.
The home directory of the Default LDAP User Group is specified on the Group Properties window of the Default LDAP User Group, as highlighted in the following image.
For information about configuring the Default LDAP User Group, see Use LDAP user groups.
If no home directory is specified at the group level, then the LDAP account's home directory is still used. However, if no home directory is defined at the user, group, domain, or system level, and none is available from the LDAP server, the user will not be allowed to sign on.
If a domain home directory is defined on the Domain Details > Settings page, this directory would be used by Serv-U as the default directory for LDAP authentication, resulting in errors.
To avoid possible issues in this case, make sure that you select the Use LDAP Group home directory instead of the account home directory option under Users > LDAP Authentication, and configure the LDAP group home directory as described in Use LDAP user groups.