4.0 Planning Users, Groups, and LDAP Synchronization

IMPORTANT:If you haven’t already, we recommend that you review Users and Groups in Filr in the Filr 4.1: Understanding How Filr Works to prepare for planning your Filr Users and Groups

Most Filr deployments use an existing LDAP source, such as eDirectory or Active Directory, to control user access to the system.

The following sections help you ensure that Filr includes the users and groups that will use its services.

LDAP Planning Tips and Considerations

  • LDAP and Filr: As you plan and deploy LDAP and Filr, be aware of the following:

    • Synchronization Is One-way: LDAP synchronization is only from the LDAP directory to your Filr site. If you change user information on the Filr site, the changes are not synchronized back to your LDAP directory.

    • Multi-Value Attributes Not Supported: If your LDAP directory contains multi-value attributes, Filr recognizes only the first attribute.

      For example, if your LDAP directory contains multiple email addresses for a given user, only the first email address is synchronized to Filr.

    • LDAP Must Be Online: LDAP-imported users always authenticate to Filr via the LDAP source. If the LDAP source is unavailable for any reason, the LDAP-imported users cannot log in to Filr.

    • Multiple Connections Are Supported, but you should never configure multiple LDAP connections to point to the same location on the same LDAP directory. If you need a failover solution, you should use a load balancer.

  • Filr Must Synchronize Both LDAP Users and Groups: Make sure that you synchronize both users and groups.

    If you don’t, the file system rights assigned to users based on group membership are not recognized in Filr.

Table 4-1 Worksheet 4—eDirectory LDAP Server

Heading, Label, or Topic:

Information and Instructions:

Tree Name:

  1. Record the name of the tree in which the eDirectory server is located.

Configuration Details:

  1. Note important details about how the directory is configured, such as whether it has replicas, whether it is split over multiple sites, and so on.

Server Information tab

  1. Using the information in Server Information tab in the Filr 4: Administrative UI Reference, record information for the following:

    • LDAP server URL:

    • User DN (LDAP proxy user):

    • Password (for LDAP proxy user):

    • Directory Type:

    • Guid attribute:

    • Filr account name attribute:

    • LDAP attribute mappings:

Users tab:

  1. Make as many copies of the Users tab section as needed to identify all of the non-nested organizational units (OUs) in your directory that contain users. (Nested OUs are covered by subtree searching.)

  2. Using the information in LDAP Search dialog (User Version) in the Filr 4: Administrative UI Reference, record the following information for each OU that contains user objects within its substructure.

    • Base DN

    • Filter (auto-generated should work in most cases)

    • Search subtree

    • Number of Users

      NOTE:A dark-gray background with white text indicates a formulaic field.

      Type the number of users if you want the worksheet to use it in estimating hardware resource needs.

    • Home-Directory Net Folder Configuration method

Groups tab:

For help, see Groups tab in the Filr 4: Administrative UI Reference.

IMPORTANT:It is critical that you import LDAP groups as well as users. See Filr Must Synchronize Both LDAP Users and Groups:.

  1. If your LDAP structure contains group objects in non-nested organizational units (OU), make as many copies of the Groups tab section as needed to identify them all.

  2. Using the information in LDAP Search Dialog (Group Version) in the Filr 4: Administrative UI Reference, record the following information for each OU that contains group objects within its substructure.

    • Base DN

    • Filter (auto-generated should work in most cases)

    • Search subtree

Table 4-2 Worksheet 4—Active Directory LDAP Server

Heading, Label, or Topic:

Information and Instructions:

Forest Name:

  1. Record the name of the forest in which the Active Directory server is located.

Configuration Details:

  1. Note any important details about how the directory is configured.

Server Information

  1. Identify and record the following information.

Server Information tab:

  1. Using the information in Server Information tab in the Filr 4: Administrative UI Reference, record information for the following:

    • LDAP server URL:

    • User DN (LDAP proxy user):

    • Password (for LDAP proxy user):

    • Directory Type:

    • Guid attribute:

    • Filr account name attribute:

    • LDAP attribute mappings:

Users tab:

For help, see Users tab in the Filr 4: Administrative UI Reference.

  1. If your LDAP structure contains user objects in non-nested organizational units (OU), make as many copies of the Users tab section as needed to identify them all.

  2. Using the information in LDAP Search dialog (User Version) in the Filr 4: Administrative UI Reference, record the following information for each OU that contains user objects within its substructure.

    • Base DN

    • Filter

      IMPORTANT:Ensure to set a filter so that only the licensed users are provisioned to the Filr server.

    • Search subtree

    • Number of Users

      NOTE:A dark-gray background with white text indicates a formulaic field.

      Type the number of users if you want the worksheet to use it in estimating hardware resource needs.

    • Home-Directory Net Folder Configuration method

Groups tab:

For help, see Groups tab in the Filr 4: Administrative UI Reference.

IMPORTANT:It is critical that you import LDAP groups as well as users. See Filr Must Synchronize Both LDAP Users and Groups:.

  1. If your LDAP structure contains group objects in non-nested organizational units (OU), make as many copies of the Groups tab section as needed to identify them all.

  2. Using the information in LDAP Search Dialog (Group Version) in the Filr 4: Administrative UI Reference, record the following information for each OU that contains group objects within its substructure.

    • Base DN

    • Filter

      IMPORTANT:Ensure to set a group filter so that only the licensed users are provisioned to the Filr server.

    • Search subtree

Table 4-3 Worksheet 4—Duplicate User and Group Accounts

Heading, Label, or Topic:

Information and Instructions:

Duplicate User or Group Accounts

Sometimes, organizations that utilize both eDirectory and Active Directory as identity stores, have accounts for the same individuals or groups of individuals in both directory services.

If you are importing users and groups from eDirectory and from Active Directory, be aware that Filr doesn’t allow duplicate accounts. For example, joe_user in both eDirectory and Active Directory will not be allowed, but joe_user and j_user will. If you have duplicate accounts that need to be imported, you will need to change the name in one of the directory services.

  1. Identify any users and/or groups that have the same name in both eDirectory and Active Directory.

  2. Copy as many rows as needed. For help, see Adding Rows in Worksheet Sections.

  3. Identify which directory service to change the name in and record the change in the applicable table cell.

Table 4-4 Worksheet 4—User Names with Unsupported Characters

Heading, Label, or Topic:

Information and Instructions:

User Names with unsupported Characters

For LDAP user names to be usable in Filr, they must contain only alpha-numeric characters:

  • Upper- and lower-case letters

  • Numerals 0 - 9

If they contain ASCII or special characters, such as / \ * ? " < > : | , then although they will synchronize as Filr user names, the associated users won’t be able to log in.

Filr uses synchronized user names to set paths to each user workspace in the file system. However, Linux and Windows file systems don’t support special characters, rendering Filr’s path statements unresolvable.

Do the following:

  1. Identify any user names that contain special characters.

  2. Record a revised name and context.

  3. Identify other services affected by the change.

  4. Notify users of pending name changes.

  5. Change the names in the directory service.

  6. Resolve any issues with other services.

Table 4-5 Worksheet 4—Non-LDAP Users

Heading, Label, or Topic:

Information and Instructions:

Non-LDAP Users

  1. Identify and record the non-LDAP users that you will need to create manually.

    For example, plan to include industry partners or others who are outside of your organization.

Table 4-6 Worksheet 4—Non-LDAP Groups

Heading, Label, or Topic:

Information and Instructions:

Non-LDAP Groups

  1. Identify and record the non-LDAP groups that you will need to create manually.

  2. You can create two types of non-LDAP groups:

    • Static groups consist of users and groups and you specifically assign. Group membership only changes as you add or remove users or groups.

    • Dynamic groups are populated by LDAP queries that you specify. As LDAP changes, group membership changes as well.

  3. For more information, see Static Membership for Group dialog and Edit Dynamic Membership dialog in the Filr 4: Administrative UI Reference.

Table 4-7 Worksheet 5—LDAP Synchronization

Heading, Label, or Topic:

Information and Instructions:

Nested Groups:

  1. Determine whether your LDAP identity stores include nested groups (groups inside other groups), then mark the appropriate option on the planning sheet.

  2. If you have groups that are contained in other groups, you must plan to synchronize LDAP at least two or more times until all of the nested groups and their users are synchronized.

  3. After this initial synchronization, standard settings will keep nested groups synchronized.

Frequency of LDAP Changes:

  1. Consult with the LDAP administrator to determine how often LDAP information changes so that it needs to be synchronized with Filr. This will inform the schedule plans you make in the next row.

LDAP Synchronization

  1. Your LDAP integration plan must include LDAP synchronization.

  2. The synchronization schedule you set here applies to all of your LDAP servers. For most organizations, daily synchronizations are sufficient, for others they aren’t.

  3. Filr must synchronize with its LDAP directory stores to know about changes to

    • User and group lists

    • Password changes

    • File and folder access rights

  4. For more information, see Synchronization Schedule tab in the Filr 4: Administrative UI Reference