How Directory Services relate to FotoWeb
The intent of adding directory integration with FotoWeb is primarily to facilitate users and permissions management by allowing FotoWeb to import this information directly from an authentication provider.
There are two main purposes for the directory service integration with FotoWeb:
1. Manage users and groups in one place
2. To let the directory authenticate a user logging in to FotoWeb
With FotoWeb directory service integration, the administrator can import users from the authentication provider into the FotoWeb user database. The user information is then identical on both sides. If a user is disabled in the directory, he/she will no longer be able to log on to FotoWeb.
Authenticating a user through the directory gives each user the benefit of using the same password as for their local network. Additionally, the administrator can manage password expiry policies, extending these onto FotoWeb. When a user logs on to FotoWeb using the authentication provider, his/her credentials are passed through to the provider for validation.
Directory services are configured per site
Directory service integration is configured on a per-site basis, meaning you can allow one site to fully integrate with the local network while another site, e.g. one used for testing purposes, does not allow this type of access.
Initially, you have to enable directory service integration in the Site Settings under Services - Directory server by ticking the Enable Active Directory integration option shown in the screenshot above. This enables directory integration with FotoWeb.
Next, fill in the required information that FotoWeb needs in order to communicate with the directory.
Server/domain: Specifies a server name or a domain name to which FotoWeb should connect, e.g. server.domain.com or simply domain.com.
Port: The default port for communication with Active Directory is 389. This value is pre-entered once the Active Directory option page is enabled, and can be modified for installations that use a different port for security reasons.
The AD server must accept incoming traffic on this port using both TCP and UDP, so this port must be opened in the firewall for both protocols. No additional ports need to be opened in the FotoWeb server for AD support.
Username: Login name of a user with enough privileges to list the contents of the directory. Note that this is a domain user name, and not a local FotoWeb user account.
Password: Type in the password corresponding to the username that you supplied.
Test Connection: After filling in the credentials needed to connect to Active Directory, this button is enabled so you can attempt a connection to the directory. You will then receive a success message if the connection to the AD was successfully established.
Having verified that the connection is in order, you can import groups from the AD and then assign archive permissions using those groups.
Steps to set up AD integration in FotoWeb
To set up Active Directory integration in FotoWeb, follow these steps. Note that in the below scenario we create special groups for use with FotoWeb.
1. Create rights groups in Active Directory for the roles you want defined in FotoWeb, e.g. 'FotoWeb Archive Administrators', 'FotoWeb Users with Upload', 'FotoWeb Read Only Users' and add the groups/users you want into these groups.
2. Enable AD integration as described at the beginning of this topic. Then import the AD groups created in the step above.
3. Set up your archives with access lists based on these groups.
4. Log in using your AD username and password (or Single Sign-On). The account will be created in FotoWeb and all groups will be updated. Note that only the groups selected in step 2 will be synced; all intermediate groups will exist only in Active Directory.
Now, when modifying the access lists on an archive you will be able to choose the Active Directory groups you imported and assign access rights to them.
Then, when a new user logs in to FotoWeb, the account will be imported from the AD. For this reason, the first login can take a little longer than subsequent logins. The user will also be added to the correct FotoWeb group. On subsequent logins, the user's group memberships will be revalidated and updated accordingly in FotoWeb's groups.
Tip: FotoWeb Directory Services support importing users directly from a primary group, typically "Domain Users", although you may also create individual groups specifically for use with FotoWeb.
For the sake of illustration, picture the following group hierarchy in your Active Directory:
- All Company Employees
- Norway Branch
Scenario 1: Selecting All Company Employees for import
All users in the Development, Marketing and Sales groups will be allowed to log on and will be put in the All Company Employees group.
Scenario 2: Selecting All FotoWare Employees and the Marketing group
All users in the Development, Marketing and Sales groups will be allowed to log on and will be put in the All Company Employees group.
Users in the Marketing group will be put in BOTH the Marketing and the All Company Employees groups. Access lists can then be set up to give Marketing users upload and edit rights, while all others get read-only access, for example.
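To make the two scenarios concrete, here is an added model (illustration only, not FotoWeb's own code) of how a login maps a directory user onto the groups selected for import. It assumes a constructed nested group tree (the Norway Branch holding Development, Marketing and Sales, plus an unrelated Contractors group) and generalizes the scenarios above: intermediate groups stay in AD only, a user disabled in the directory is refused, and a later login revalidates memberships.

```python
# Added illustration, not FotoWeb's own code: models how a login maps a
# directory user onto the FotoWeb groups selected for import, including
# nested ("intermediate") AD groups and the disabled-account rule.
from typing import Dict, List, Set, Tuple

# Constructed sample directory: group -> direct members (users or groups).
AD_GROUPS: Dict[str, List[str]] = {
    "All Company Employees": ["Norway Branch"],
    "Norway Branch": ["Development", "Marketing", "Sales"],
    "Development": ["dev1"],
    "Marketing": ["mkt1"],
    "Sales": ["sales1"],
    "Contractors": ["ext1"],  # constructed: not under All Company Employees
}
DISABLED_USERS: Set[str] = {"sales1"}  # constructed: disabled in the directory


def effective_groups(user: str) -> Set[str]:
    """All AD groups the user belongs to, directly or through nesting."""
    found: Set[str] = set()
    frontier = [g for g, members in AD_GROUPS.items() if user in members]
    while frontier:
        g = frontier.pop()
        if g in found:
            continue  # protects against cycles and diamond-shaped nesting
        found.add(g)
        frontier.extend(p for p, members in AD_GROUPS.items() if g in members)
    return found


def login(user: str, selected_groups: Set[str]) -> Set[str]:
    """FotoWeb groups the user lands in at login; an empty set means no access.

    Only groups chosen for import become FotoWeb groups; intermediate groups
    such as Norway Branch exist in AD only. A user disabled in the directory
    is locked out even if a selected group contains them.
    """
    if user in DISABLED_USERS:
        return set()
    return effective_groups(user) & selected_groups


def resync(previous: Set[str], user: str,
           selected_groups: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Subsequent login: revalidate memberships and report (added, removed)."""
    current = login(user, selected_groups)
    return current - previous, previous - current
```

Scenario 1 corresponds to `login(user, {"All Company Employees"})`; Scenario 2 to `login(user, {"All Company Employees", "Marketing"})`.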
Fields that are synchronized
User data is updated live when a user logs in; there is no background process that syncs data at given intervals.
The following is a list of the data that is copied from the directory service to FotoWeb:
- Home page address (URL)
- Profession (title)
- LDAP object name (X500)
In addition, the user’s locked out property is synchronized. If a user is disabled in the network, it will also become locked out in FotoWeb.
For imported groups, the following data is copied:
- Users that belong to the group
- LDAP object name