This site hosts the documentation for CrashPlan PROe version 3.8.2010.
Looking for documentation on PROe version 3, released in April of 2012? Please visit our current documentation.

Setting Up LDAP Authentication

Overview

By default, CrashPlan PRO lets users create their own username (usually an email address) and password, which are stored internally in the PRO Server and are not synchronized with usernames or passwords anywhere else. Use the LDAP link on the Settings navigation menu to instruct CrashPlan PRO to authenticate against your LDAP server instead.

You can also migrate from your existing CrashPlan database to your LDAP server.

Before You Begin

This article assumes you are familiar with basic LDAP principles or have reviewed the information in the LDAP Integration In CrashPlan article.

Migration

Even if you have already begun backing up with CrashPlan PRO and have users in your CrashPlan PRO database you can switch to LDAP authentication. From the LDAP Settings page you can assign and test LDAP lookup expressions to verify that the existing users can be authenticated in the LDAP database.

Specifying LDAP Settings

  1. Choose Settings > Edit Server Settings.
    LDAP Settings
  2. On the navigation menu, choose LDAP.
  3. On the LDAP Settings page, check the Authenticate with LDAP check box.
  4. Enter your LDAP URL.
    If you don't know the URL, ask your LDAP administrator. It will look something like this:
    ldap://myaod.mydomain.com:389/dc=mydomain,dc=com

  5. Enter the interval after which CrashPlan PRO users not found in the LDAP server will be deactivated.
    Enter zero if you do not want to synchronize.
  6. Unless instructed by Support, verify that the Follow Referrals check box is cleared.
  7. (optional) Clear the Bind Anonymously check box to display the bind fields.
    Many servers allow anonymous directory searches, so you may not need a bind DN and password.
    • In the Bind DN field, enter the Distinguished Name (DN).
      If your bind DN has spaces in it (like between Admin and Group) replace the spaces with %20.

      uid=admin,ou=Admin Group,dc=example,dc=com 

    • In the Password field, enter the password.
      The password is stored encrypted in your CrashPlan PRO database so it won't be easily hacked.
  8. Click Save to save your settings.
    After you click Save, you see links for mapping attributes and testing the lookup expression.

If CrashPlan PRO is unable to connect, you see the raw error message to help you debug the problem. See Troubleshooting.

Migrating to an LDAP Server

From the LDAP Settings page you can assign and test LDAP lookup expressions to verify that the existing users can be authenticated in the LDAP database.

The process involves:

  • mapping LDAP attributes to the CrashPlan PRO fields
  • entering a lookup expression
  • testing the lookup expression

Before You Begin

These steps assume:

  • You have an LDAP server configured
  • You have entered LDAP connection information

Defining LDAP Attributes

After specifying the location of your LDAP server, you can use lookup expressions to verify users.

Attribute    Comment
uid          A short username like jsmith - almost always populated
givenName    First name - used during registration to populate the internal PRO Server db
sn           Last name (surname) - used during registration to populate the internal PRO Server db
mail         Email address
cn           Common name - most object classes use the cn attribute

Entering a User Lookup Expression

You'll use the Person Search String to test the lookup. The other fields are used during registration.

LDAP Lookup

  1. Under the LDAP Person Fields, in the Person Search String box, enter the expression for looking up a user.
    Examples:
    (mail=?) 
    (uid=?)
    (&(objectClass=inetOrgPerson)(mail=?))  

  2. Click Submit.

Testing Attributes

Directory Lookup

  1. Under Directory Lookup, in the Lookup Value box enter a uid or mail value that you know exists in your LDAP database.
  2. Enter a password if you know it.
  3. Click Test Lookup.
    If successful, the found values appear next to the Person fields below. A correct password displays “match” in green next to the password field.
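The following is an added example, not CrashPlan's own code: it shows what the Specifying LDAP Settings, User Lookup Expression and Test Lookup steps above amount to in code. It parses an LDAP URL of the form shown earlier (decoding the %20 convention used for the bind DN), fills the “?” placeholder of a Person Search String with the lookup value after escaping it per RFC 4515 so that the value can never change the shape of the filter, and evaluates the resulting filter against a small constructed in-memory directory. The directory entries, the DNs and the person field names (username, firstName, lastName, email) are assumptions for illustration; the attribute names come from the table above.

```python
"""Added example, not CrashPlan's own code: parse the LDAP URL from the LDAP
Settings page, fill a Person Search String safely, and evaluate the filter
against a constructed in-memory directory to mimic the Test Lookup step."""
import re
from urllib.parse import urlsplit, unquote

# Constructed entries standing in for LDAP search results (assumption).
DIRECTORY = [
    {"objectClass": ["inetOrgPerson"], "uid": "jsmith", "givenName": "Jane",
     "sn": "Smith", "mail": "jsmith@example.com", "cn": "Jane Smith"},
    {"objectClass": ["inetOrgPerson"], "uid": "bjones", "givenName": "Bob",
     "sn": "Jones", "mail": "bjones@example.com", "cn": "Bob Jones"},
    {"objectClass": ["groupOfNames"], "cn": "backup-admins",
     "member": ["uid=jsmith,ou=People,dc=mydomain,dc=com"]},
]
# Person fields (assumed names) filled from the attributes in the table above.
PERSON_FIELDS = {"username": "uid", "firstName": "givenName",
                 "lastName": "sn", "email": "mail"}

def parse_ldap_url(url):
    """Split ldap(s)://host[:port]/baseDN into parts; %20 in the DN is decoded."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        raise ValueError("URL must start with ldap:// or ldaps://")
    port = parts.port or (636 if parts.scheme == "ldaps" else 389)
    return {"scheme": parts.scheme, "host": parts.hostname, "port": port,
            "base_dn": unquote(parts.path.lstrip("/"))}

def escape_filter_value(value):
    """RFC 4515 escaping: '*', '(', ')', '\\' and NUL become \\XX sequences, so the
    lookup value is matched literally and cannot alter the filter structure."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)

def unescape_filter_value(value):
    """Reverse of escape_filter_value, used by the filter evaluator."""
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)

def fill_search_string(expression, lookup_value):
    """Replace the '?' placeholder of the Person Search String with an escaped value."""
    return expression.replace("?", escape_filter_value(lookup_value))

def _value_matcher(raw):
    """Predicate for an equality value; only an unescaped '*' acts as a wildcard."""
    pieces = [re.escape(unescape_filter_value(p)) for p in raw.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE).match

def _parse_filter(s, pos=0):
    """Recursive-descent parser for the filter shapes shown above:
    (attr=value) and (&(f1)(f2)...). Returns (node, position after filter)."""
    if s[pos] != "(":
        raise ValueError("filter must start with '('")
    pos += 1
    if s[pos] == "&":
        pos += 1
        children = []
        while s[pos] == "(":
            node, pos = _parse_filter(s, pos)
            children.append(node)
        if s[pos] != ")":
            raise ValueError("unterminated AND filter")
        return ("and", children), pos + 1
    end = s.index(")", pos)
    attr, value = s[pos:end].split("=", 1)
    return ("eq", attr.lower(), _value_matcher(value)), end + 1

def _matches(node, entry):
    """Evaluate a parsed filter node against one entry (attribute names are
    case-insensitive, as in LDAP)."""
    if node[0] == "and":
        return all(_matches(child, entry) for child in node[1])
    _, attr, match = node
    for key, values in entry.items():
        if key.lower() == attr:
            values = values if isinstance(values, list) else [values]
            return any(match(v) for v in values)
    return False

def search(filter_string, directory=DIRECTORY):
    """Return every entry matching a complete LDAP filter string."""
    node, end = _parse_filter(filter_string)
    if end != len(filter_string):
        raise ValueError("trailing characters after filter")
    return [e for e in directory if _matches(node, e)]

def lookup_person(expression, lookup_value, directory=DIRECTORY):
    """Mimic Test Lookup: the mapped person fields of the single match, else None."""
    hits = search(fill_search_string(expression, lookup_value), directory)
    if len(hits) != 1:
        return None
    return {field: hits[0].get(attr) for field, attr in PERSON_FIELDS.items()}
```

Calling `lookup_person("(&(objectClass=inetOrgPerson)(mail=?))", "jsmith@example.com")` returns the four mapped fields for Jane Smith, which is what a successful Test Lookup shows next to the Person fields. The contrast worth noting is `search("(uid=*)")`, which matches every person entry because the asterisk is a wildcard, against `search(fill_search_string("(uid=?)", "*"))`, which matches nothing because the escaped value is compared literally; that is why a lookup value should always be escaped before it is substituted into the expression.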

Considerations

  • Existing users who are not in the LDAP server become deactivated, which leaves them unable to back up and restore their files.
  • If you delete a user from your LDAP directory, PRO Server makes note of that (it checks every few hours) and blocks that user from backing up in the future.
  • New users not in the LDAP server still need to use the “New Account” account registration option.
  • When migrating to LDAP authentication, the old passwords remain in the CrashPlan PRO database but are not used unless you turn off LDAP. Any new users registered after LDAP is enabled will have a random password stored in the PRO Server database, and they will need to request a new password.

Troubleshooting

  • If you are unable to connect, try connecting to your LDAP server with a standard LDAP tool like ldapsearch (command-line), the free Apache Directory Studio, or another LDAP browser.
  • The standard LDAP ports are 389 for non-SSL and 636 for SSL, although some LDAP servers' defaults prepend an 8 or 10 (10389, 8389, 10636, 8636).
  • For SSL, make sure you use the “ldaps:” prefix (notice the “s” stuck in there). The URL will look something like this:
    ldaps://myaod.mydomain.com:636/dc=mydomain,dc=com

    or this for non-SSL:

    ldap://myaod.mydomain.com:389/dc=mydomain,dc=com

  • If you can connect via an LDAP tool but can't connect using PRO Server, email our support center.

Auto-assign Users to Organizations

PRO Server can assign a user to an organization when they register. Once they are registered you can use the admin console to move users to a different organization. Once assigned, PRO Server does not move users between organizations (even if their org changes in LDAP) without manual intervention.

  • You can make multiple custom installers with different organization codes. That's a good option if you have a handful of orgs and are pushing out the installation to one organization at a time. Here's the custom installer page.
  • If your directory has a person attribute that specifies the org name, you can do push installs and have the users registered into a CrashPlan org with the same name. At least one of our big customers is doing it that way. They use the “l” (location) person attribute for their org name.
  • If each user is listed in an LDAP groupOfNames object that correlates to your org mappings, you can use an attribute from that groupOfNames object for their org name. The downside is that if the user is in multiple groupOfNames objects, PRO Server will just use the first one it finds for the user's org.
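The following is an added example, not CrashPlan's own code, illustrating the two directory-driven options above: taking the org name from a person attribute such as “l”, or from the first groupOfNames object that lists the user as a member. It also adds the check an administrator would want before a push install: a list of users who appear in more than one groupOfNames object, since PRO Server would silently place them in whichever group it finds first. The entries, DNs and org names are constructed assumptions.

```python
"""Added example, not CrashPlan's own code: work out which organization a
registering user would land in, and flag ambiguous group memberships."""

# Constructed person entries keyed by DN; 'l' is the location attribute
# the article mentions. tlee deliberately has no 'l' attribute.
PEOPLE = {
    "uid=jsmith,ou=People,dc=mydomain,dc=com": {"uid": "jsmith", "l": "Finance"},
    "uid=bjones,ou=People,dc=mydomain,dc=com": {"uid": "bjones", "l": "Engineering"},
    "uid=tlee,ou=People,dc=mydomain,dc=com": {"uid": "tlee"},
}
# Constructed groupOfNames objects, in the order a server might return them.
GROUPS = [
    {"cn": "Finance", "member": ["uid=jsmith,ou=People,dc=mydomain,dc=com",
                                 "uid=tlee,ou=People,dc=mydomain,dc=com"]},
    {"cn": "Engineering", "member": ["uid=bjones,ou=People,dc=mydomain,dc=com",
                                     "uid=tlee,ou=People,dc=mydomain,dc=com"]},
]

def org_from_person_attribute(dn, attribute="l", people=PEOPLE):
    """Org name taken from a person attribute; None when the attribute is missing."""
    return people.get(dn, {}).get(attribute)

def org_from_groups(dn, org_attribute="cn", groups=GROUPS):
    """Org name taken from the first groupOfNames that lists dn as a member,
    mirroring the 'first one it finds' behaviour described above."""
    for group in groups:
        if dn in group.get("member", []):
            return group.get(org_attribute)
    return None

def ambiguous_memberships(groups=GROUPS, org_attribute="cn"):
    """Map member DN -> list of org names for members found in more than one
    group, so those users can be cleaned up in the directory before they register."""
    seen = {}
    for group in groups:
        for member in group.get("member", []):
            seen.setdefault(member, []).append(group[org_attribute])
    return {dn: orgs for dn, orgs in seen.items() if len(orgs) > 1}

def plan_registration(dn, people=PEOPLE, groups=GROUPS):
    """Prefer the person attribute, fall back to group membership, and report
    which source decided the org (assignment happens once, at registration)."""
    org = org_from_person_attribute(dn, people=people)
    if org:
        return {"org": org, "source": "attribute:l"}
    org = org_from_groups(dn, groups=groups)
    return {"org": org, "source": "groupOfNames" if org else None}

if __name__ == "__main__":
    for dn in PEOPLE:
        print(dn, "->", plan_registration(dn))
    print("ambiguous:", ambiguous_memberships())
```

Running the block shows tlee landing in Finance purely because that group is listed first, and `ambiguous_memberships()` reports exactly that DN with both org names; resolving such cases in the directory before the push install avoids a manual move in the admin console later.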

recipe/use_ldap_support.txt · Last modified: 2009/08/28 09:53 by mswanson