LDAP Server Advanced Domain Settings

Users can log into the Transfer Client and Gateway Administrator using just a user ID (for example joe) or using a domain name and user ID (acme\joe). By default, when a user logs in using just a user ID, FileXpress searches all available LDAP servers for a matching user and authenticates the first matching user it finds; it does not search additional LDAP servers if that fails. When no domain name is included, a UserID for a different domain could match and allow login if the passwords for both accounts are the same.

You can use Advanced domain settings on the New/Edit LDAP Server page to customize how FileXpress manages user authentication to your LDAP server(s). The examples below show how login is handled for some possible configurations.

Note: Advanced domain settings apply to password authentication only; X.509 certificate authentication always requires user mapping that specifies both a domain and username.

These examples use acme as a sample Active Directory domain. For these examples, this acme is a domain that requires a valid authentication domain name. It can accept both acme and acme.com as the authentication domain name.

Example 1

Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain= No, Default Authentication Domain = none.

  • Login as validUser: Authentication fails because there is no authentication domain name, and this is required by the acme domain.
  • Login as anyName\validUser or anyAlias\validUser: Authentication fail fails because anyName and anyAlias are not valid authentication domain names.
  • Login as acme\validUser or attachmate.com\validUser: Authentication succeeds because attachmate and attachmate.com are valid authentication domain names.

Example 2

Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain = No, Default Authentication Domain = acme.

  • Login as validUser: Authentication succeeds because FileXpress adds the value specified for Default Authentication Domain (acme) before authenticating the user.
  • Login as anyName\validUser or anyAlias\validUser: Authentication fails because anyName and anyAlias are not valid authentication domain names.
  • Login as acme\validUser or acme.com\validUser: Authentication succeeds because attachmate and attachmate.com are valid authentication domain names.

Example 3

Domain Name = anyName; Domain Mapping = anyAlias; Remove User Domain= Yes, Default Authentication Domain = none.

The following results are based on the sample acme domain, which requires a valid domain name for authentication:

  • Login as validUser: Authentication fails because there is no authentication domain name, and this is required by the acme domain.
  • Login as acme\validUser: Authentication fails. Although acme is the valid authentication domain name, it is removed before before FileXpress attempts authentication.
  • Login as anyAlias\validUser or anyName\validUser: Authentication fails because authentication is attempted with no authentication domain name.

If your Active Directory domain does not require an authentication domain, the login attempts above will succeed because each of them presents a valid user ID to the domain. In this case, using anyAlias\validUser improves performance because the Domain Mapping directs FileXpress to authentication to this specific LDAP server. Although anyAlias is not the actual domain authentication name, authentication succeeds because the domain name is removed before FileXpress attempts authentication.

Example 4

This example shows a configuration for handling a merger that brings users from the summit domain into the acme domain. It enables summit users to log in without modifying their familiar credentials.

Domain Name = acme; Domain Mapping = summit; Remove User Domain= Yes, Default Authentication Domain = acme.

  • Login as validUser: Authentication succeeds because FileXpress Gateway uses the value specified for Default Authentication Domain (acme).
  • Login as acme\validUser or summit\validUser: Authentication succeeds because the entered domain, acme or summit, is removed and default acme is used.
  • Login as anything\validUser: Authentication succeeds. A domain is provided by the user for which no mappings exist. In this case FileXpress Gateway tries all configured LDAP servers and applies the directory-specific domain rules for each one. Authentication to the acme domain will succeed because the entered domain anything is removed and replaced by acme.