Integrating With LDAP For User Authentication

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

Code42 for EnterpriseSee product plans and features

CrashPlan for Small Business

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to version 3.

This tutorial explains how to enable basic user authentication via LDAP for CrashPlan PROe. Additional advanced LDAP configuration options are available at User Management With LDAP Integration.

Before you begin

This article assumes you are familiar with basic LDAP principles.

An LDAP user account with read and search permissions is required for your master server to bind to your corporate directory service.

The following roles include the privileges to configure LDAP settings:

SYSADMIN role
Server Administrator role

Considerations

LDAP integration can cause existing CrashPlan PROe users to be deactivated in the following situation:
1. A user account has been created in a given organization in your Code42 environment
2. LDAP integration is activated for that organization
3. A corresponding user account does not exist in the LDAP schema
Your enterprise servers do not store or cache the user password from LDAP in a local database.
CrashPlan PROe never writes any information to LDAP.
The enterprise server periodically synchronizes with the LDAP server(s) to run the Active, Org name, and Role scripts. The scripts determine if any changes need to be made based on the user's current attributes and group membership. A user that is removed from LDAP is automatically deactivated during synchronization. The default synchronization interval is once every 12 hours.

User creation with LDAP
LDAP integration helps to manage users, but it does not create them on its own. Create CrashPlan PROe users alongside LDAP integration in one of three ways:

Self-service: When users install the CrashPlan app and sign in as a new user, their accounts are automatically created. If their organizations are configured to use LDAP, then they must use their LDAP credentials, registration key, and enterprise server address to create their account.
Deploy custom installers: deploy preconfigured custom installers with software like Microsoft System Center Configuration Manager or JAMF Software's Casper Suite
Create users manually: administrators can create users manually or by uploading a CSV list.

Steps

Configure an LDAP server within CrashPlan PROe

On the master server:

Sign into the administration console
Go to Settings > Security > LDAP
Click Add to add a new LDAP server
Enter the following values:
- Server Name: Name for your LDAP server
- URL and search base: LDAP URL and Search Base for all queries
  - LDAP Example:
    ldap://demo.company.com:389/ou=users...company,dc=com
  - LDAPS Example:
    ldaps://demo.company.com:636/ou=user...company,dc=com
- Bind DN and password (if required to search): Enter a fully-qualified distinguished account for Bind DN.
  - Bind DN example:
    uid=admin,ou=admins,dc=company,dc=com
  - Bind DN example for Active Directory:
    DOMAIN\exampleuser
- Search Filter: The parameter specified before the ? is the attribute used to identify the user in CrashPlan PROe
  - Example LDAP filter to identify the user with UID:
    (&(objectclass=person)(uid=?))
  - Example LDAP filter to identify the user with E-mail:
    (&(objectclass=person)(email=?))
  - Example AD filter to identify the user with AD login name:
    (&(objectclass=person)(sAMAccountName=?))
- Attribute Mapping: Choose the LDAP attributes to use for the Code42 environment user account fields:
  - Email
  - First name
  - Last name
    TIP: Use the username search field at the bottom to search or scroll through the list of users returned to check your settings.

Click Save to save your settings.

You have now completed configuration of your LDAP server with CrashPlan PROe. Next, configure your enterprise server to utilize the configured LDAP server for user authentication.

Enable CrashPlan PROe to use LDAP authentication

Once your LDAP server is configured on your master server, you must enable your environment to use the LDAP server for authentication. You can enable LDAP authentication system-wide for all organizations inheriting settings from the top-level, or you can enable LDAP authentication only for specific organizations from the organization-level.

Disabling inheritance
If inheritance is disabled for an organization, that organization is not affected by changes to its parent organization.

To leverage LDAP authentication system-wide:

From the administration console, navigate to Settings > Organization > Security
Check the box next to LDAP server you configured previously
Click Save to save your changes

To leverage LDAP authentication for an individual organization:

From the administration console, navigate to Organizations
Click name of the organization where you'd like LDAP authentication enabled
This displays the organization's detail pane.
From the action menu, choose Edit…
Click the Security tab
If checked, uncheck Inherit security settings from parent
Check the box next to LDAP server you configured previously
Click Save to save your changes

Before you begin

Considerations

Steps

Configure an LDAP server within CrashPlan PROe

Enable CrashPlan PROe to use LDAP authentication

Related articles