Authenticating to Multiple AD servers

A single FileCloud installation can authenticate against multiple Active Directory servers.

Although the latest versions of the Windows Server operating system handle large numbers of objects more efficiently, there are many reasons why organizations implement multidomain forests.

An example of this is a university.

  • In the Faculty of Science, there are different departments or schools, such as the school of physics and the department of botany.
  • For political or organizational reasons it might have been decided that each department or school should have its own domain that is a part of the overall university forest.
  • Active Directory gives organizations the ability to create domain namespaces that meet their needs.

The reasons for using multidomain AD structures can include but are not limited to:

  • Historical domain structure. Some organizations have retained the forest structure that was established when the organization first adopted Active Directory.
  • Organizational or political reasons. Some organizations are conglomerates, and they might be composed of separate companies that share a common administrative and management core.
  • Security reasons. Some organizations need to create authentication and authorization boundaries. You can also use domains to partition administrative privileges, so that one set of administrators can manage computers and users in their own domain but cannot manage computers and users in a separate domain. Although it is possible to accomplish a similar goal by delegating privileges, many organizations prefer to use separate domains for this.

For more information on using a multidomain AD infrastructure, read AD Directory Services Getting Started on the Microsoft Web site.

Enable multiple AD server authentication

To enable multiple AD server authentication, configure settings in the following places:

  • adconfig.php file
  • Admin Dashboard


To enable multiple AD server authentication:

  1. Open a browser and log in to the Admin Portal.

  2. On the Admin Dashboard, from the left navigation panel, click Settings.

  3. On the Manage Settings screen, click Authentication.

  4. To enable the Active Directory Settings, under Authentication Settings, change the Authentication Type to ACTIVEDIRECTORY.

  5. Select the Active Directory sub-tab, type in the required information, and then click Save.

  6. Create a file called adconfig.php in one of the following locations, depending on your OS:

    Windows location: c:\xampp\htdocs\config\adconfig.php
    Linux location: /var/www/htdocs/config/adconfig.php

  7. Add the details of the other AD servers using the following example. Warning: do not add the details of the AD server that is already configured in the Admin Dashboard.

    <?php
    /* Configuration values for ActiveDirectory Authentication */

    // Multi-AD Server Support: set to 1 to enable the additional AD servers defined below
    define("TONIDOCLOUD_MULTI_AD_ENABLE", 1);

    //=============== SITE 1 ==============================
    define("TONIDOCLOUD_AD_HOST_1", "ADSERVERHOST"); // < ActiveDirectory host
    define("TONIDOCLOUD_AD_PORT_1", 389); // < ActiveDirectory port
    define("TONIDOCLOUD_AD_ACCOUNTSUFFIX_1", "@mysite.internal"); // < User login name suffix
    //define("TONIDOCLOUD_AD_LOGONNAMEPREFIX_1", "SST"); // < Use this if a prefix is needed. Use only a prefix or a suffix, not both
    define("TONIDOCLOUD_AD_BASEDN_1", "DC=mysite,DC=internal"); // < User search DN
    define("TONIDOCLOUD_AD_MAILATTRIBUTE_1", "mail"); // < Mail attribute
    define("TONIDOCLOUD_AD_LIMIT_GROUP_1", ""); // < Set this to limit logins to members of a specific AD group
    define("TONIDOCLOUD_AD_USETLS_1", false); // < Set true to use TLS (default false); USETLS and USESSL cannot both be true
    define("TONIDOCLOUD_AD_USESSL_1", false); // < Set true to use SSL (default false); USETLS and USESSL cannot both be true

    define("TONIDOCLOUD_AD_ACCOUNTNAME_1", "Administrator"); // < Account name for admin operations
    define("TONIDOCLOUD_AD_ACCOUNTPASSWORD_1", "adminpassword"); // < Account password for admin operations

    define("TONIDOCLOUD_AD_USEADMINBINDING_1", "0"); // < Set to "1" to use the AD service account below for admin binding
    define("TONIDOCLOUD_AD_ADMINACCOUNTNAME_1", ""); // < AD service account username
    define("TONIDOCLOUD_AD_ADMINACCOUNTPASSWORD_1", ""); // < AD service account password

    //=============== SITE 2 ==============================
    define("TONIDOCLOUD_AD_HOST_2", "ADSERVERHOST2"); // < ActiveDirectory host
    define("TONIDOCLOUD_AD_PORT_2", 389); // < ActiveDirectory port
    define("TONIDOCLOUD_AD_ACCOUNTSUFFIX_2", "@mysite2.internal"); // < User login name suffix
    //define("TONIDOCLOUD_AD_LOGONNAMEPREFIX_2", "SSK"); // < Use this if a prefix is needed. Use only a prefix or a suffix, not both
    define("TONIDOCLOUD_AD_BASEDN_2", "DC=mysite2,DC=internal"); // < User search DN
    define("TONIDOCLOUD_AD_MAILATTRIBUTE_2", "mail"); // < Mail attribute
    define("TONIDOCLOUD_AD_LIMIT_GROUP_2", ""); // < Set this to limit logins to members of a specific AD group
    define("TONIDOCLOUD_AD_USETLS_2", false); // < Set true to use TLS (default false); USETLS and USESSL cannot both be true
    define("TONIDOCLOUD_AD_USESSL_2", false); // < Set true to use SSL (default false); USETLS and USESSL cannot both be true

    define("TONIDOCLOUD_AD_ACCOUNTNAME_2", "Administrator"); // < Account name for admin operations
    define("TONIDOCLOUD_AD_ACCOUNTPASSWORD_2", "adminpassword"); // < Account password for admin operations

    define("TONIDOCLOUD_AD_USEADMINBINDING_2", "0"); // < Set to "1" to use the AD service account below for admin binding
    define("TONIDOCLOUD_AD_ADMINACCOUNTNAME_2", ""); // < AD service account username
    define("TONIDOCLOUD_AD_ADMINACCOUNTPASSWORD_2", ""); // < AD service account password

    ?>

    Users from these additional domains can now also log in to FileCloud.

    When connecting to multiple AD servers, there can be problems adding the same user account name from different domains into FileCloud. FileCloud requires unique usernames and will refuse to add a username from another domain if that name already exists.
    To handle this, add the following to cloudconfig.php. This allows users with duplicate usernames to be added from other domains as long as their email addresses are unique; those users must then log in to the system using their email addresses.

    define("TONIDOCLOUD_ALLOW_DUPUSERNAMES", 1);
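Before FileCloud loads a multi-site adconfig.php, it is worth checking the per-site constants for the conflicts the sample file's comments call out (TLS and SSL both enabled, a login prefix and suffix both set, admin binding enabled with no service account name) and for a bind password that would travel over an unencrypted connection. The validator below is an added example and not FileCloud's own code; it assumes only the TONIDOCLOUD_AD_<KEY>_<N> naming scheme shown above, and the defines at the top are constructed sample values standing in for a require of the real adconfig.php.

```php
<?php
// Added example (not FileCloud code): sanity-check the per-site
// TONIDOCLOUD_AD_*_N constants of a multi-AD adconfig.php.

/* Constructed sample config for this example. In real use replace these
   defines with:  require __DIR__ . '/adconfig.php'; */
define("TONIDOCLOUD_MULTI_AD_ENABLE", 1);
define("TONIDOCLOUD_AD_HOST_1", "ad1.mysite.internal");
define("TONIDOCLOUD_AD_PORT_1", 389);
define("TONIDOCLOUD_AD_ACCOUNTSUFFIX_1", "@mysite.internal");
define("TONIDOCLOUD_AD_BASEDN_1", "DC=mysite,DC=internal");
define("TONIDOCLOUD_AD_USETLS_1", false);
define("TONIDOCLOUD_AD_USESSL_1", false);
define("TONIDOCLOUD_AD_ACCOUNTPASSWORD_1", "adminpassword");
define("TONIDOCLOUD_AD_USEADMINBINDING_1", "1");
define("TONIDOCLOUD_AD_ADMINACCOUNTNAME_1", "");      // left empty on purpose

define("TONIDOCLOUD_AD_HOST_2", "ad2.mysite2.internal");
define("TONIDOCLOUD_AD_PORT_2", 636);
define("TONIDOCLOUD_AD_ACCOUNTSUFFIX_2", "@mysite2.internal");
define("TONIDOCLOUD_AD_LOGONNAMEPREFIX_2", "SSK");     // prefix AND suffix: conflict
define("TONIDOCLOUD_AD_BASEDN_2", "DC=mysite2,DC=internal");
define("TONIDOCLOUD_AD_USETLS_2", true);
define("TONIDOCLOUD_AD_USESSL_2", true);               // both true: conflict

/** Read one per-site constant, or $default when the file does not define it. */
function ad_value(string $key, int $site, $default = null) {
    $name = "TONIDOCLOUD_AD_{$key}_{$site}";
    return defined($name) ? constant($name) : $default;
}

/** Return the problems found for one site; an empty array means clean. */
function check_ad_site(int $site): array {
    $problems = [];
    foreach (['HOST', 'BASEDN'] as $required) {
        if ((string) ad_value($required, $site, '') === '') {
            $problems[] = "site $site: TONIDOCLOUD_AD_{$required}_{$site} is empty";
        }
    }
    $port = (int) ad_value('PORT', $site, 0);
    if ($port < 1 || $port > 65535) {
        $problems[] = "site $site: port $port is not a valid TCP port";
    }
    $tls = (bool) ad_value('USETLS', $site, false);
    $ssl = (bool) ad_value('USESSL', $site, false);
    if ($tls && $ssl) {
        $problems[] = "site $site: USETLS and USESSL are both true; enable only one";
    }
    if (!$tls && !$ssl && (string) ad_value('ACCOUNTPASSWORD', $site, '') !== '') {
        $problems[] = "site $site: bind password set but neither TLS nor SSL is enabled; "
                    . "simple binds would cross the network in clear text";
    }
    $suffix = (string) ad_value('ACCOUNTSUFFIX', $site, '');
    $prefix = (string) ad_value('LOGONNAMEPREFIX', $site, '');
    if ($suffix !== '' && $prefix !== '') {
        $problems[] = "site $site: use only ACCOUNTSUFFIX or LOGONNAMEPREFIX, not both";
    }
    if ((string) ad_value('USEADMINBINDING', $site, '0') === '1'
        && (string) ad_value('ADMINACCOUNTNAME', $site, '') === '') {
        $problems[] = "site $site: USEADMINBINDING is 1 but ADMINACCOUNTNAME is empty";
    }
    return $problems;
}

/** Walk sites 1..N until a site has no HOST defined; collect every problem. */
function check_all_ad_sites(): array {
    $all = [];
    if (!defined('TONIDOCLOUD_MULTI_AD_ENABLE') || constant('TONIDOCLOUD_MULTI_AD_ENABLE') != 1) {
        $all[] = 'TONIDOCLOUD_MULTI_AD_ENABLE is not 1; the additional sites will be ignored';
    }
    $suffixes = [];   // suffix => first site that used it, to catch duplicates
    for ($site = 1; defined("TONIDOCLOUD_AD_HOST_$site"); $site++) {
        $all = array_merge($all, check_ad_site($site));
        $suffix = strtolower((string) ad_value('ACCOUNTSUFFIX', $site, ''));
        if ($suffix !== '' && isset($suffixes[$suffix])) {
            $all[] = "site $site: ACCOUNTSUFFIX $suffix duplicates site {$suffixes[$suffix]}";
        } elseif ($suffix !== '') {
            $suffixes[$suffix] = $site;
        }
    }
    return $all;
}

// Print one line per problem; exit non-zero so the check can gate a deployment.
$problems = check_all_ad_sites();
foreach ($problems as $problem) {
    fwrite(STDERR, $problem . PHP_EOL);
}
exit($problems === [] ? 0 : 1);
```

Run it with `php check-adconfig.php` from the config directory; with the constructed values above it reports the empty service account name and clear-text bind for site 1 and the TLS/SSL and prefix/suffix conflicts for site 2. The walk stops at the first site number without a HOST constant, so numbering gaps in adconfig.php also show up as silently ignored sites.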

Use encrypted AD account password in the configuration file

To encrypt an AD password using the adpasswordencryption tool:

  1. Open a command line.
  2. Enter the following:
    Windows:
    $ cd C:\xampp\htdocs\resources\tools\security\
    $ C:\xampp\php\php adpasswordencryption.php
    Linux:
    $ cd /var/www/html/resources/tools/security/
    $ php adpasswordencryption.php
  3. At the prompt, enter your password:
    This tool encrypts an AD password string to be used in the adconfig.php configuration files of FileCloud 
    
    Enter your password: [your-password-string] 
  4. As instructed, copy the encrypted password string returned:
    Carefully copy paste the following string to adconfig.php key TONIDOCLOUD_AD_ENC_ACCOUNTPASSWORD or TONIDOCLOUD_AD_ENC_ADMINACCOUNTPASSWORD: zk8aQV6+L1Q7kA7N6JGgj2MzNjRkNzMwMTU0OTY0MjAzMGVhNWI0NDM5NjIxMWI2N2UzMzRkZTcwNjE2YzgxOTk0YzVjNjI2ZGQ2NjgzMTZ1bTJBN0gwdmdabHYzQzlmQm9IZUN3PT0=


To paste the encrypted password into adconfig.php:

  1. Navigate to the adconfig file:
    Windows: xampp > htdocs > config
    Linux: /var/www/htdocs/config

  2. Rename adconfig-sample.php file to adconfig.php.

  3. To add an encrypted password for AD admin operations, add:
    define("TONIDOCLOUD_AD_ENC_ACCOUNTPASSWORD", "encryptedpassword");

    To add an encrypted password for the AD service account, add:
    define("TONIDOCLOUD_AD_ENC_ADMINACCOUNTPASSWORD", "encryptedpassword");

FileCloud will decrypt the passwords when it makes the directory calls.