Navigation:  Domain > Domain Settings >

Authentication Settings

Previous pageReturn to chapter overviewNext page

Wing FTP Server supports the several authenticating methods: XML files, ODBC database, MySQL database, Windows Authentication(NTLM or Active Directory), and LDAP.

 

 

Storage Way

    store-way

XML:                Store your user/group data in xml files.

ODBC:                Store your user/group data in the ODBC database.

MySQL:        Store your user/group data in MySQL database.

 

Note: The server will automatically create all of the database schemas for the first time. If you use MySQL, please create a MySQL database first, the default database name is "wftp_database".

 

 

 

ODBC setting  

    odbc

It is very easy to create an ODBC source, just enter the Data Source Name (DSN), Username, and Password.

When everything is fine, user/group data can be stored via most popular database which have an ODBC driver.

 

 

Mysql setting

    mysql

If your database system is MySQL, we suggest you use "MySQL" instead of "ODBC", because it can connect to MySQL database directly through C API, much faster than "ODBC".

 

You need to create a MySQL database "wftp_database" for the first time.

 

You need to fill the field "UnixSocket" if you are using Linux/Unix system. Otherwise, just keep it empty.

 

 

 

 

Windows Authentication

 

      windows-auth

     

 

Wing FTP Server can handle Windows NTLM or Windows Active Directory authentication, without the need to import users or sync user data manually.

 

If you enable "Windows Authentication", you need to specify a default home directory for the AD account.

And if you want each AD account to have its own home directory, please enable the checkbox "Create a folder under default home dir using the login name for each user".

 

If you want to have more control to the AD user like a local user of WingFTP, you can map the AD user to a local user. First, create a local user at "Domains -> Users -> Add User", then click the button "Add AD Users Mapping", input a new line in the format of "ADUser:LocalUser" (AD username and Local username is separated by a colon). Since the version 6.3.2, the wildcard "*" is supported for the Windows AD username, so you can write the mapping rule as: Tester*:LocalTester

 

    windows-auth-mapping

 

 

NOTE:

1) Domain Name

   It's a string that specifies the name of the domain or server whose account database contains the AD account. If this field is empty, the user name must be specified in user principal name(UPN) format, user@DNS_domain_name. Otherwise, you can log in just with the username.

 

2) Map the AD account to local

   For example:

   AD user name: Jack@domain.com

          password: ad_password

 

   Local user name: Jack_Local

          password: local_password

 

   After the mapping, you can log in the server with Jack@domain.com/ad_password or Jack_Local/local_password. If you log in with Jack@domain.com/ad_password, Jack@domain.com will have all the functions belong to the Jack_Local like virtual directories, group memberships, permissions, and other settings.

 

   Wing FTP server user authenticates sequence:

   1) User "BOB" login with password "BOB2010".

   2) Check the local user account to see if there is an account called "BOB".

       2-1) if it exists, further checks the local password. If password is correct, your login is successful. Otherwise, login has failed.

       2-2) if the account does not exist, do AD authentication.

            2-2-1) After completing the AD authentication, check if BOB has been mapped to a local user.

                  2-2-1-1) If "BOB" is mapped to a local user named "Local_BOB", then it will get all the attributes of "Local_BOB".

                  2-2-1-2) If there is no mapping for "BOB", take the AD authentication "Default Home Dir" as its home directory.

           2-2-2) If the AD authentication fails, the login fails too.

 

 

 

 

 

LDAP Authentication

 

ldap-auth

Wing FTP Server supports using an LDAP(or LDAPS) database for authenticating users, and we have tested it successfully with OpenLDAP and Microsoft's Active Directory.

 

When you enable the option "LDAP Authentication", you need to provide the following information:

 

Host:                the IP address or domain name of the LDAP server.

Port:                the port number of the LDAP server, the default value is 389 (if you use Microsoft's Active Directory, please use the port 3268).

Base DN:        the base domain name of search starting point. The DN string would usually be "dc=xxxx,dc=com".

 

User Filter:        the filter to find the object for authenticating users. The special characters '%s' in the filter string will be replaced with the real username.                

Wing FTP Server uses default filter "(&(objectClass=posixAccount)(uid=%s))" for OpenLDAP. Or if you use Microsoft's Active Directory, the filter string would ususlly be "(&(objectClass=user)(sAMAccountName=%s))".

 

LDAP version:        the version of LDAP server will be 3 in normal cases.

Use SSL/TLS connection: you can enable it if the LDAP server supports SSL/TLS connection.

 

Bind DN:                the LDAP distinguished name string for simple authentication, e.g. "cn=manager,dc=example,dc=com".

Bind Password:        the bind password is the LDAP user password normally.

 

 

Note1: The LDAP database (except Windows Active Directory) must have an attribute 'userPassword' (RFC 3112), and the attribute 'userPassword' must be accessible. The following password format is supported: plain text, {crypt},  {md5},  {sha},  {smd5}, {ssha}

Note2: The username in the LDAP database cannot contain some special characters: '%', '*', '?', ',', ''', '"'. For security purposes.

 

You need to specify a default home directory for the LDAP account. And if you want each LDAP account to have its own home directory, please enable check box "Create a folder under default home dir using the login name for each user":

 

ldap-auth2

 

If you want to have more control to LDAP user like a local user of WingFTP, you can map the LDAP user to a local user. First create a local user at "Domains -> Users -> Add User", then click the button "Add LDAP Users Mapping", input a new line in the format of "LDAPUser:LocalUser" (LDAP username and Local username is separated by colon). Since the version 6.3.2, the wildcard "*" is supported for the LDAP username, so you can write the mapping rule as: Tester*:LocalTester

ldap-mapping

Map the LDAP account to the local account

   For example:

   LDAP username: Jack

          password: ldap_password

 

   Local username: Jack_local

          password: local_password

 

   After the mapping, you can login the server with Jack/ldap_password or Jack_Local/local_password. Then LDAP user "Jack" will have all the functions belong to the "Jack_Local" like virtual directories, group memberships, permissions and other settings.

 

   WingFTP user authenticates sequence:

   1) User "JOE" login with password "JOE2010".

   2) Check the local user account to see if there is a account called "JOE".

       2-1) if it exists, further check the local password. If password is correct, your login is successful. Otherwise, login has failed.

       2-2) if the account does not exist, do LDAP authentication.

            2-2-1) After completing the LDAP authentication, check if "JOE" has been mapped to a local user.

                  2-2-1-1) If "JOE" is mapped to a local user named "Local_JOE", then it will get all the attributes of "Local_JOE".

                  2-2-1-2) If there is no mapping for "JOE", take the LDAP authentication "Default Home Dir" as its home directory.

           2-2-2) If the LDAP authentication fails, the login fails too.

 

 

You can also map LDAP group to local user by clicking the button "Map LDAP group to local user", input a new line in the format of "LDAPGroup:LocalUser"(LDAP group name and Local username is separated by colon), then all the LDAP users belong to this LDAP group can have local user's permissions.

ldap-group-mapping