Integrating with LDAP/AD
An administrator can integrate FileAgo with an LDAP/Active Directory server via Admin Panel -> LDAP Settings, after which FileAgo will:
- fetch users and groups from LDAP/AD and create them in FileAgo.
- sync changes or fetch new users/groups from LDAP/AD every 5 minutes.
- confirm the username/password credentials with LDAP/AD before allowing access to its users.
This page is only available in FileAgo Self-hosted servers.
Active Directory and LDAP are usually on-premise services, and for this reason, this feature is not supported in FileAgo Cloud.
Configuration
Click on Configure to input LDAP/AD settings.
LDAP Server
Host
Enter the hostname (FQDN) of your LDAP/AD server.
Port
Enter the port number. The default LDAP port is 389.
User DN
The Distinguished Name (DN) of a user who has permission to search the LDAP directory. For example:
uid=systemuser,cn=sysusers,dc=my-company,dc=com
Password
Password of the user.
Keep LDAP passwords?
If this option is enabled, FileAgo stores each user's last known working LDAP password, and the password supplied during authentication is matched against it if the LDAP server is not accessible or is down at that time.
User Accounts
Base user tree
The base DN of LDAP from where all users can be reached. E.g.: cn=users,dc=my-company,dc=com
Filter user by
From the base user tree, how do you want to filter users? You can either use a valid object class (e.g.: inetOrgPerson), or any custom filter, like:
(&(objectClass=inetOrgPerson)(memberOf=cn=fileagousers,ou=groups,dc=my-company,dc=com))
which matches only users who are members of the cn=fileagousers,ou=groups,dc=my-company,dc=com group.
Username attribute (case sensitive)
The attribute which uniquely identifies a user in LDAP. E.g.: uid, or sAMAccountName.
Display name attribute (case sensitive)
The attribute which stores the name of the user in LDAP. E.g.: sn, or displayName.
Email attribute (case sensitive)
The attribute which stores the email of the user in LDAP. E.g.: mail, or mailPrimaryAddress.
Default disk quota of a user (in bytes)
When a new user account has to be created during the sync process, what should be its disk quota? Set 0 for unlimited disk quota.
Exclude users list
Enter the DNs of users who should not be added to FileAgo, one per line. E.g.:
uid=john,cn=users,dc=my-company,dc=com
uid=james,cn=users,dc=my-company,dc=com
Groups
Sync groups from LDAP?
Choose Yes if you wish to also sync groups from the LDAP server.
Base group tree
The base DN of LDAP from where all groups can be reached. E.g.: cn=groups,dc=my-company,dc=com.
Filter group by
From the base group tree, how do you want to filter groups? You can either use a valid object class (e.g.: group), or any custom filter, like:
(&(objectClass=group)(cn=groups,dc=my-company,dc=com))
for the cn=groups,dc=my-company,dc=com path.
Group name attribute (case sensitive)
The attribute which stores the name of the group in LDAP. E.g.: cn, or name.
Default disk quota of a group (in bytes)
When a new group account has to be created during the sync process, what should be its disk quota? Set 0 for unlimited disk quota.
Exclude groups list
Enter the DNs of groups which should not be added to FileAgo, one per line. E.g.:
cn=demousers,cn=groups,dc=my-company,dc=com
cn=remoteusers,cn=groups,dc=my-company,dc=com
Group permissions
Configure the permissions that a user should have when first added to a group during LDAP sync.
LDAP Custom Attributes
It is possible to create custom attributes in LDAP to override certain default values which are configured above.
For example, the default disk quota for a user or group can be overridden individually by setting an integer value for the faDefaultQuota attribute in the DN. The complete list is given below.
NOTE: If these attributes exist in LDAP with invalid values, then the default values (configured above) will be used instead.
Attribute Name | Applies To | Type | Info |
---|---|---|---|
faDefaultQuota | User DN, Group DN | Integer | Enter a numeric value to set the disk quota. The value will be considered as bytes. |
faDefaultNodePermissions | Group DN | String | Use this attribute to set the permissions that should be granted for a user at the time of adding it to a group. For full permissions, set its value as read, write, delete, download. |
faDefaultSharePermissions | Group DN | String | Set the file sharing permissions for a user at the time of adding it to a group. For full permissions, set its value as public_create, public_delete, private_create, private_delete. |
faDefaultTagPermissions | Group DN | String | Set the permissions for tag creation/deletion for a user at the time of adding it to a group. For full permissions, set its value as create, delete. |
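Because an invalid custom attribute value is replaced by the configured default (see the NOTE above), a mistyped restrictive override on a group leaves that group with the default permissions instead. The following is an added example, not FileAgo code: a pre-sync audit that flags such values in directory entries you have exported. It assumes values are comma-separated, that the tokens listed in the table are the only valid ones, and that negative quotas are invalid; the function names and sample entries are constructed for illustration.

```python
# Token sets are the "full permissions" values from the table; treating them as
# the only valid tokens (comma-separated) is an assumption of this example.
VALID_TOKENS = {
    "faDefaultNodePermissions": {"read", "write", "delete", "download"},
    "faDefaultSharePermissions": {"public_create", "public_delete",
                                  "private_create", "private_delete"},
    "faDefaultTagPermissions": {"create", "delete"},
}


def check_entry(attrs, is_group):
    """Return (attribute, raw value, reason) for each value the table does not allow."""
    problems = []
    for name, raw in attrs.items():
        value = raw.strip()
        if name == "faDefaultQuota":
            # The table asks for an integer (bytes); rejecting negatives is an assumption.
            if not (value.isascii() and value.isdigit()):
                problems.append((name, raw, "not a non-negative integer"))
        elif name in VALID_TOKENS:
            if not is_group:
                problems.append((name, raw, "applies to group DNs only"))
                continue
            bad = [t.strip() for t in value.split(",")
                   if t.strip() not in VALID_TOKENS[name]]
            if bad:
                problems.append((name, raw, "unknown token(s): " + ", ".join(bad)))
    return problems


def audit(entries):
    """entries: (dn, attrs, is_group) tuples. Returns {dn: problems} for flagged DNs."""
    found = {dn: check_entry(attrs, is_group) for dn, attrs, is_group in entries}
    return {dn: probs for dn, probs in found.items() if probs}


# Constructed sample entries (not real directory data).
SAMPLE = [
    ("cn=finance,cn=groups,dc=my-company,dc=com",
     {"faDefaultQuota": "10737418240", "faDefaultNodePermissions": "read, download"}, True),
    ("cn=contractors,cn=groups,dc=my-company,dc=com",
     {"faDefaultNodePermissions": "read-only"}, True),  # typo: not a listed token
    ("uid=john,cn=users,dc=my-company,dc=com", {"faDefaultQuota": "5GB"}, False),
]

if __name__ == "__main__":
    for dn, problems in audit(SAMPLE).items():
        for name, raw, reason in problems:
            print(f"{dn}: {name}={raw!r} ({reason}); configured default applies")
```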