Code42 Support

Configuring Your Code42 Environment To Use RADIUS And LDAP Concurrently

Applies to:
  • CrashPlan PROe
This tutorial explains how to configure your Code42 environment to support the use of RADIUS and LDAP together. Under this configuration, RADIUS is used for authentication, while LDAP handles other aspects of user management, such as user deactivation, role assignment, and organization assignment.

Considerations

  • Supported in server versions 3.6.1.4 and higher, and CrashPlan app versions 3.6.1 and higher.
  • You must use the same username convention in your LDAP and RADIUS servers. That is, each user's username must be the same in LDAP and RADIUS.
  • If you use LDAP or Active Directory (AD) for both authentication and user management and authorization in any organization, then you should not implement the solution in this tutorial.
LDAP user authorization
You cannot use LDAP for user authorization in your Code42 environment if you implement this solution, even in organizations that are not configured to use RADIUS.

Before you begin

  • The following systems should be configured and online before you begin the steps in this tutorial:
  • You should have at least one user or test user configured and added to both the LDAP and RADIUS servers.
    The configuration of RADIUS and LDAP servers is beyond the scope of this tutorial, but we do provide information on how RADIUS can fit into your Code42 environment, and how to configure your enterprise server to use LDAP.

Steps

Step 1: (Optional) create a test organization

It may be preferable to create a special test organization for this tutorial, rather than an organization that is used by actual users, in order to avoid interfering with your production environment:

  1. Sign in to the administration console.
  2. Go to Organizations Overview.
  3. Click the Add organization icon.
  4. Enter the name for your test organization, then click Add.

Step 2: Define your RADIUS and LDAP servers on the Master server

If you have not already added your RADIUS and LDAP servers, please do so now.

Step 3: Configure the test organization to use LDAP

  1. Configure your test organization to not inherit security settings from parent.
  2. Configure your test organization to use the specific LDAP server that will be used in conjunction with RADIUS.

Step 4: Confirm that the test user can sign in using LDAP

Confirm that the test user can sign in to the test organization using LDAP credentials alone:

  1. Sign in to the administration console using the test user's credentials.
  2. Confirm that the user is successfully signed in to the administration console.

Step 5: Add test user to RADIUS server

The test user must be configured in your RADIUS server. Because each RADIUS implementation is different, we are unable to provide specific instructions for your RADIUS server implementation:

  1. As mentioned above, the RADIUS username must be the same as the LDAP username.
  2. The RADIUS password must differ from the LDAP password, in order to successfully test the configuration as outlined below.

Step 6: Configure the Master server to skip LDAP authentication

Skipping LDAP authentication
The following CLI command tells your master server to skip LDAP authentication. LDAP will still be used for authorization, user organization assignment, user deactivation, and user role assignment.
  1. Sign in to the administration console in a web browser as a user with SYSADMIN privileges.
  2. Double-click the logo in the upper left corner of the administration console.
    The command-line interface appears in the administration console.
  3. Enter the following command in the CLI:
    • prop.set c42.authenticators.skipLdap true save
    • The server responds with:
      The system property has been set. Some system properties require a restart before they are recognized. c42.authenticators.skipLdap=true (saved)
      

The CLI command applies system-wide, and will cause LDAP authentication to be skipped for all organizations in your Code42 environment. If you need to revert to the standard system LDAP settings, run the following CLI command:

  • prop.set c42.authenticators.skipLdap false save
  • The server responds with:
    The system property has been set. Some system properties require a restart before they are recognized. c42.authenticators.skipLdap=false (saved)
    

Step 7: Test using LDAP credentials

Confirm that the system property set in the previous step is now in effect:

  1. Sign in to the master server as the test user, using the LDAP password.
  2. Confirm that the test user is unable to sign in.

If the test user is now unable to sign in using the LDAP password, you have confirmed that the master server is skipping the LDAP authentication step.

Step 8: Test using RADIUS credentials

  1. Sign in to the master server as the test user, using the RADIUS password.
  2. Confirm that the test user is able to sign in.

Step 9: (Optional) add all other users to RADIUS server

If necessary, add the rest of your RADIUS users to the RADIUS server.
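
Because LDAP authentication is skipped system-wide, it helps to check the identical-username requirement before adding the remaining users. The following is an added example, not Code42 code: it assumes an LDIF export with a `uid` attribute and a FreeRADIUS-style `users` file, both constructed here, and your directory attribute and RADIUS backend may differ.

```python
import re

# Constructed sample inputs (not from the original page).
LDIF_SAMPLE = """\
dn: uid=alice,ou=people,dc=example,dc=com
uid: alice

dn: uid=Bob,ou=people,dc=example,dc=com
uid: Bob

dn: uid=carol,ou=people,dc=example,dc=com
uid: carol

dn: uid=erin,ou=people,dc=example,dc=com
uid: erin
"""
RADIUS_USERS_SAMPLE = """\
alice   Crypt-Password := "constructed"
        Reply-Message = "constructed"
bob     Crypt-Password := "constructed"
carol@example.com  Crypt-Password := "constructed"
dave    Crypt-Password := "constructed"
DEFAULT Auth-Type := Reject
"""

def ldap_usernames(ldif, attr="uid"):
    """Values of `attr` in an LDIF export; base64 (`attr::`) values are skipped."""
    pattern = re.compile(rf"^{re.escape(attr)}:[ \t]*(\S+)[ \t]*$", re.I | re.M)
    return set(pattern.findall(ldif))

def radius_usernames(users_file):
    """Entry names in a users file: first token of each line starting in column 0."""
    names = {line.split()[0] for line in users_file.splitlines()
             if line and not line[0].isspace() and not line.startswith("#")}
    return names - {"DEFAULT"}

def compare(ldap, radius):
    """Exact matches pass; case or @realm differences are reported for review."""
    def fold(name):
        return name.split("@")[0].lower()
    exact = ldap & radius
    candidates = {}
    for name in radius - exact:
        candidates.setdefault(fold(name), []).append(name)
    near = {u: sorted(candidates[fold(u)]) for u in ldap - exact if fold(u) in candidates}
    paired = {r for names in near.values() for r in names}
    return {"match": sorted(exact), "near_miss": near,
            "missing_in_radius": sorted(ldap - exact - set(near)),
            "radius_only": sorted(radius - exact - paired)}

if __name__ == "__main__":
    print(compare(ldap_usernames(LDIF_SAMPLE), radius_usernames(RADIUS_USERS_SAMPLE)))
```

Users listed under `missing_in_radius` or `near_miss` should be corrected in RADIUS first, and `radius_only` entries are worth reviewing because they have no LDAP record to manage them.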

Step 10: (Optional) user management

You may now configure any organization to use LDAP for user management and RADIUS for authentication. If you want to apply the settings system-wide, make changes to the root organization.

  1. Configure the desired organizations to use LDAP.
  2. Configure the desired organizations to use RADIUS.
  3. Use your Code42 environment's advanced LDAP scripting capabilities to manage your users, including user deactivation and the assignment of user roles.