I finaly got iFolder to work with Active Directory! :)
All you need to do is answer yes on LDAP in the simias-server-setup and write in all the DN information for the admin and proxy user. I made the users in AD before I ran the setup. You can get the DN information from AD with adsiedit.msc on your domain controller. Right click the user or OU you want the information from and click properties. Scroll down to distinguishedName, double click it, and copy the value.
One question you will encounter in the simias-server-setup is the LDAP group support. Because it need to change the AD schema, I chose not to do it at the beginning. At a later point I found out that you get some benefits with the LDAP group support without extending AD schema. Make sure the proxy user is not a member of schema administrators if you don't want to extend the schema.
The benefits with LDAP group support is that you can put groups in the search context instead of just OUs. I find this very useful because it's much simpler to control who gets access to iFolder. However, to add more that one search context, I had to edit the Simias.conf file and add a new line:
<context dn="CN=ifolder-group,OU=Groups,OU=Company,DC=example,DC=com">
<context dn="CN=ifolder-group2,OU=Groups,OU=Company,DC=example,DC=com">
I used sAMAccountName insted of cn or email for the NamingAttribute. Works like a charm. Now the users can use their usual username to login to iFolder.
I did another change in the Simias.conf file. I change the "LdapSyncOnRestart" value to "yes". Default, the LDAP sync is every 24 hours. You can change this on the admin web as soon as you can log in. You can also force a sync here. I do not know how to force a sync from command line. I had problems logging in to the admin web before I changed this.
Remember to restart apache after doing changes in the Simias.conf file
Useful logs:
/simias/data/directory/Simias.log
I used this alot when I experimented with DN. You will see error messages here if you have wrong format in your search context. You also see the sync information. You need to turn the logging to debug to see more information. This can be done from the admin web.
/var/log/ifolder3/adminweb.log
Log for admin web. You'll find information about logins to the admin web.
Hi !
ReplyDeleteI succeed to install and setup ifolder with AD as well, but i met a problem, when renaming an AD user account, ifolder keeps the old username, have you met this problem before ?
Bye !
Hello Yang :)
ReplyDeleteI haven't tried to rename an AD account, but I would guess that iFolder doesn't handle this well. If you do another sync with AD (from iFolder admin web, if it has not synced yet), you should find the renamed user as a new user in the user list. Then you can give the renamed user access to the iFolders in the iFolders list.
Please note that I haven't done this before, but I think it will work :)
During the setup after you install the RPM's How long does the LDAP configuration take to finish? I gave it all the information for LDAP user and proxy information and it keeps throwing lots of characters up in the putty session with an occasional blurb about verifying an object.
ReplyDelete