Authenticating to Multiple AD servers
A single FileCloud installation can authenticate against multiple Active Directory servers.
Although the latest versions of the Windows Server operating system handle large numbers of objects more efficiently, there are many reasons why organizations implement multidomain forests.
An example of this is a university.
- In the Faculty of Science, there are different departments or schools, such as the school of physics and the department of botany
- For political or organizational reasons it might have been decided that each department or school should have its own domain that is a part of the overall university forest
- Active Directory gives organizations the ability to create domain namespaces that meet their needs
For more information on multidomain AD infrastructure, read AD Directory Services Getting Started on the Microsoft Web site.
Enable multiple AD server authentication
To enable multiple AD server authentication, configure settings in the following places:
- adconfig.php file
- Admin Dashboard
To enable multiple AD server authentication:
Open a browser and log in to the Admin Portal.
On the Admin Dashboard, from the left navigation panel, click Settings.
On the Manage Settings screen, click Authentication.
To enable the Active Directory Settings, under Authentication Settings, change the Authentication Type to ACTIVEDIRECTORY.
Select the Active Directory sub-tab, type in the required information, and then click Save.
Create a file called adconfig.php in one of the following locations, depending on your OS:
Windows location: c:\xampp\htdocs\config\adconfig.php
Linux location: /var/www/htdocs/config/adconfig.php
Add the information for the other AD servers using the following example. Do not repeat the details of the AD server that was already configured in the Admin Dashboard.
Additional users from these domains can now also log in to FileCloud.
When connecting to multiple AD servers, there might be issues adding the same user account name from different domains into FileCloud. FileCloud requires unique usernames and will disallow adding another username from another domain if the name already exists.
To handle this, add the following to cloudconfig.php. This allows duplicate usernames to be added from other domains as long as the email address is unique. These users must then log in to the system using their email addresses.
define("TONIDOCLOUD_ALLOW_DUPUSERNAMES", 1);
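The following is an added illustration (not FileCloud code) of the provisioning rule described above: by default a second AD account with an already-used username is rejected, and with TONIDOCLOUD_ALLOW_DUPUSERNAMES enabled it is accepted only when its email address is unique, after which a bare username is ambiguous and the email address must be used to log in. The domain names and accounts are constructed sample data modelled on the university example; FileCloud's real internal data structures are not assumed.

```python
"""Model of the username-uniqueness rule across multiple AD domains.

Added illustration, not FileCloud code. The accounts below are constructed
sample data. The store mimics the documented behaviour: unique usernames by
default; with allow_dup_usernames set, duplicates are accepted as long as
the email address is unique, and such users must log in by email.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AdAccount:
    domain: str     # AD domain the account was read from
    username: str   # account name as returned by that domain controller
    email: str


# Constructed sample data: the same username exists in two departmental
# domains, and one account reuses an email address that is already taken.
SAMPLE_ACCOUNTS = [
    AdAccount("physics.example.edu", "jsmith", "jsmith@physics.example.edu"),
    AdAccount("botany.example.edu", "jsmith", "jsmith@botany.example.edu"),
    AdAccount("botany.example.edu", "akhan", "akhan@botany.example.edu"),
    AdAccount("physics.example.edu", "akhan2", "akhan@botany.example.edu"),
]


class UserStore:
    def __init__(self, allow_dup_usernames: bool = False):
        self.allow_dup_usernames = allow_dup_usernames
        self.by_username = {}   # lower-cased username -> list of accounts
        self.by_email = {}      # lower-cased email -> account

    def add(self, acct: AdAccount) -> bool:
        """Return True if the account was provisioned, False if rejected."""
        email = acct.email.lower()
        if email in self.by_email:
            return False        # email must be unique in every mode
        name = acct.username.lower()
        if name in self.by_username and not self.allow_dup_usernames:
            return False        # default mode: username must be unique
        self.by_email[email] = acct
        self.by_username.setdefault(name, []).append(acct)
        return True

    def resolve_login(self, login: str):
        """Map the identifier typed at login to exactly one account, or None.

        An email address always selects one account. A bare username is
        only accepted while it is unambiguous, i.e. held by a single domain.
        """
        login = login.lower()
        if "@" in login:
            return self.by_email.get(login)
        candidates = self.by_username.get(login, [])
        return candidates[0] if len(candidates) == 1 else None


def provision(accounts, allow_dup_usernames: bool):
    """Provision a list of AD accounts; return the store and per-account outcome."""
    store = UserStore(allow_dup_usernames)
    results = [(a.domain, a.username, store.add(a)) for a in accounts]
    return store, results


if __name__ == "__main__":
    for flag in (False, True):
        _, outcome = provision(SAMPLE_ACCOUNTS, allow_dup_usernames=flag)
        print(f"allow_dup_usernames={flag}:", outcome)
```

With the flag off, the second `jsmith` is rejected even though its email is unique; with the flag on, both are provisioned and a login of `jsmith` no longer resolves, so each user has to log in with their email address. The duplicate-email account is rejected in both modes.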
Use encrypted AD account password in the configuration file
To encrypt an AD password using the adpasswordencryption tool:
- Open a command line.
- Enter the following:
Windows:
$ cd C:\xampp\htdocs\resources\tools\security\
$ C:\xampp\php\php adpasswordencryption.php
Linux:
$ cd /var/www/html/resources/tools/security/
$ php adpasswordencryption.php
- At the prompt, enter your password:
This tool encrypts an AD password string to be used in the adconfig.php configuration files of FileCloud Enter your password: [your-password-string]
- As instructed, copy the encrypted password string returned:
Carefully copy paste the following string to adconfig.php key TONIDOCLOUD_AD_ENC_ACCOUNTPASSWORD or TONIDOCLOUD_AD_ENC_ADMINACCOUNTPASSWORD: zk8aQV6+L1Q7kA7N6JGgj2MzNjRkNzMwMTU0OTY0MjAzMGVhNWI0NDM5NjIxMWI2N2UzMzRkZTcwNjE2YzgxOTk0YzVjNjI2ZGQ2NjgzMTZ1bTJBN0gwdmdabHYzQzlmQm9IZUN3PT0=
To paste the encrypted password into adconfig.php:
Navigate to the adconfig file:
Windows: xampp > htdocs > config
Linux: /var/www/htdocs/config
Rename the adconfig-sample.php file to adconfig.php.
To add an encrypted password for AD admin operations, add:
define("TONIDOCLOUD_AD_ENC_ACCOUNTPASSWORD", "encryptedpassword");
To add an encrypted password for the AD service account, add:
define("TONIDOCLOUD_AD_ENC_ADMINACCOUNTPASSWORD", "encryptedpassword");
FileCloud will decrypt the passwords when it makes the directory calls.
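A practical check after editing adconfig.php is to confirm that both encrypted-password constants are defined and that neither still holds the literal placeholder from the snippet above. The following is an added example, not part of FileCloud or its tools: it parses one-line `define("KEY", "value");` statements, reports each TONIDOCLOUD_AD_ENC_* key that is missing or left at the placeholder, and (as an assumption, since the documentation shows only a sample output string) treats a value that is not valid base64 as suspicious because the string returned by adpasswordencryption.php appears to be base64-encoded. The sample configuration is constructed inline.

```python
"""Sanity check for the encrypted-password constants in adconfig.php.

Added example, not FileCloud code. It only inspects the define() lines; it
does not know the encryption format and cannot decrypt anything.
"""
import base64
import binascii
import re

# Matches one-line PHP constant definitions with double-quoted arguments, e.g.
#   define("TONIDOCLOUD_AD_ENC_ACCOUNTPASSWORD", "zk8a...");
DEFINE_RE = re.compile(r'define\(\s*"([A-Z0-9_]+)"\s*,\s*"([^"]*)"\s*\)\s*;')

# Keys named in the documentation for AD passwords stored encrypted.
ENC_PASSWORD_KEYS = (
    "TONIDOCLOUD_AD_ENC_ACCOUNTPASSWORD",
    "TONIDOCLOUD_AD_ENC_ADMINACCOUNTPASSWORD",
)
PLACEHOLDER = "encryptedpassword"   # literal value from the documentation snippet


def parse_defines(php_source: str) -> dict:
    """Return {constant_name: string_value} for every matching define() line."""
    return dict(DEFINE_RE.findall(php_source))


def looks_base64(value: str) -> bool:
    """Assumption: the tool's output is base64, so the value must decode as such."""
    if not value or len(value) % 4 != 0:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def check_adconfig(php_source: str) -> list:
    """Return (key, problem) findings; an empty list means both keys look set."""
    defines = parse_defines(php_source)
    findings = []
    for key in ENC_PASSWORD_KEYS:
        if key not in defines:
            findings.append((key, "missing"))
        elif defines[key] == PLACEHOLDER:
            findings.append((key, "placeholder"))
        elif not looks_base64(defines[key]):
            findings.append((key, "not-base64"))
    return findings


# Constructed sample adconfig.php: one key still at the placeholder, the other
# set to a made-up base64 string (not a real encrypted credential).
SAMPLE_CIPHERTEXT = base64.b64encode(b"constructed-sample-ciphertext").decode()
SAMPLE_ADCONFIG = (
    "<?php\n"
    "// constructed sample; values are not real credentials\n"
    'define("TONIDOCLOUD_AD_ENC_ACCOUNTPASSWORD", "encryptedpassword");\n'
    f'define("TONIDOCLOUD_AD_ENC_ADMINACCOUNTPASSWORD", "{SAMPLE_CIPHERTEXT}");\n'
)


if __name__ == "__main__":
    for key, problem in check_adconfig(SAMPLE_ADCONFIG):
        print(f"{key}: {problem}")
```

Run it against the real file with `check_adconfig(open("/var/www/htdocs/config/adconfig.php").read())`; an empty result means both constants are present and no longer hold the placeholder, which is the state the documentation expects before FileCloud decrypts them at directory-call time.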