The intent of adding directory integration with FotoWeb is primarily to facilitate user and permissions management by allowing FotoWeb to import this information directly from an authentication provider.
There are two main purposes for the directory service integration with FotoWeb:
- manage users and groups in one place
- let the directory authenticate a user logging in to FotoWeb
With FotoWeb directory service integration, the administrator can import users from the authentication provider into the FotoWeb user database, so that the user's details in FotoWeb match those held in the directory. If a user is disabled in the directory, they can no longer log on to FotoWeb.
Authenticating a user through the directory lets each user log on to FotoWeb with the same password they use for the local network. The password expiry policies the administrator manages in the directory therefore apply to FotoWeb logins as well. When users log on to FotoWeb through an authentication provider, their credentials are passed to the provider for validation rather than being checked by FotoWeb itself.
Directory services are configured per site
Directory service integration is configured per site. This means you can let one site integrate fully with the local network while another site, e.g., one used for testing, does not allow this type of access.
- From the Tools menu (cogwheel icon), go to Site Configuration > Security > Single Sign-on.
- On the General tab, turn on the Enable Single Sign-on toggle.
- From the Authentication provider drop-down list, select Windows Active Directory.
- Next, enter the information that FotoWeb needs to communicate with the directory:
  - Host: The server name or domain name that FotoWeb should connect to, e.g., server.domain.com or simply domain.com.
  - Port: The default port for communication with Active Directory is 389, the standard LDAP port. It is filled in automatically when the Active Directory provider is selected and only needs to be changed if your domain controllers listen on a different port.
  - The AD server must accept incoming traffic on this port over both TCP and UDP, so open the port in the firewall for both protocols. No additional ports need to be opened on the FotoWeb server for AD support.
  - Username: The logon name of a domain account with enough privileges to list the directory's contents. Note that this is a domain user name, not a local FotoWeb user account. An ordinary domain user normally has the read access required; use a dedicated account for this purpose rather than an administrative one.
  - Password: The password corresponding to the username you supplied.
  - Test Connection: Once the connection details and credentials are entered, this button becomes active so you can attempt a connection to the directory. A success message confirms that the connection to the AD server was established.
Steps to set up AD integration in FotoWeb
To set up Active Directory integration in FotoWeb, follow these steps. Note that in the following scenario we create dedicated groups in Active Directory for use with FotoWeb.
- Create rights groups in Active Directory for the roles you want defined in FotoWeb, e.g., FotoWeb Archive Administrators, FotoWeb Users with Upload, FotoWeb Read Only Users, and add the groups and users you want into these groups.
- Enable AD integration as described at the beginning of this topic. Then import the AD groups created in the step above.
- Set up your archives with access lists based on these groups.
- Log in using your AD username and password (or Single Sign-on). The account will be created in FotoWeb and its group memberships updated. Only the groups imported in step 2 are synchronized; any intermediate groups exist only in Active Directory.
Now, when modifying the access lists on an archive, you can choose the Active Directory groups you imported and assign access rights to them.
Then, when a new user logs in to FotoWeb, their account will be imported from the AD. For this reason, the first login can take a little longer than subsequent logons. The user will also be added to the correct FotoWeb group. On subsequent logins, the user's group memberships will be revalidated and updated accordingly in FotoWeb's groups.
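The following PowerShell script is an added example, not FotoWeb's own code, that prepares Active Directory for the steps above and pre-checks what the Test Connection button needs: it creates the three rights groups, a dedicated unprivileged service account for the Username and Password fields, checks name resolution and TCP 389 from the FotoWeb server, and finally binds to LDAP on that port as the service account and lists the rights groups. The domain corp.example.com, the OU paths, the account name svc-fotoweb-ldap and the existing Marketing group are assumptions; adjust them to your environment.

```powershell
# Added example (not FotoWeb's own code): prepare AD for the FotoWeb integration
# and pre-check what "Test Connection" needs. All names below are placeholders.
# Steps 1-2 use the RSAT ActiveDirectory module (which talks to AD Web Services on
# TCP 9389, not LDAP); step 4 deliberately uses plain LDAP on the FotoWeb port.
Import-Module ActiveDirectory

$domain   = 'corp.example.com'                       # assumed; value for the "Host" field
$baseDn   = 'DC=corp,DC=example,DC=com'
$ou       = "OU=FotoWeb,$baseDn"                     # assumed OU for FotoWeb objects
$ldapPort = 389                                      # FotoWeb's default AD port
$svcName  = 'svc-fotoweb-ldap'                       # assumed; value for the "Username" field

# 1. Rights groups named after the FotoWeb roles the access lists will use.
foreach ($name in 'FotoWeb Archive Administrators', 'FotoWeb Users with Upload', 'FotoWeb Read Only Users') {
    if (-not (Get-ADGroup -Filter "Name -eq '$name'")) {
        New-ADGroup -Name $name -GroupScope Global -GroupCategory Security -Path $ou
    }
}
# Nest an existing department group and the primary group into the rights groups.
Add-ADGroupMember -Identity 'FotoWeb Users with Upload' -Members 'Marketing'     # assumed existing group
Add-ADGroupMember -Identity 'FotoWeb Read Only Users'   -Members 'Domain Users'

# 2. A dedicated, ordinary domain user for the "Username"/"Password" fields.
#    Listing the directory needs no administrative rights, so the account is kept
#    out of every privileged group; it only has to be able to read.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$svcName'")) {
    $svcPassword = Read-Host -AsSecureString -Prompt "Password for $svcName"
    New-ADUser -Name $svcName -SamAccountName $svcName -Path $ou `
        -AccountPassword $svcPassword -Enabled $true -CannotChangePassword $true
}

# 3. Run from the FotoWeb server: the host name resolves and TCP 389 is reachable.
#    Test-NetConnection cannot probe UDP; open UDP 389 in the firewall as well.
Resolve-DnsName -Name $domain -Type A | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $domain -Port $ldapPort |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 4. Bind to LDAP on that port as the service account and list the rights groups,
#    which is roughly what "Test Connection" and the group import have to do.
#    Negotiate selects Kerberos/NTLM instead of a clear-text simple bind.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName "$domain\$svcName" -Message 'Service account password'
$id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($domain, $ldapPort)
$conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Credential = $cred.GetNetworkCredential()
$conn.Bind()   # throws LdapException if the host, port or credentials are wrong
$scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$search = [System.DirectoryServices.Protocols.SearchRequest]::new($baseDn, '(&(objectClass=group)(cn=FotoWeb*))', $scope, [string[]]@('cn'))
$conn.SendRequest($search).Entries | ForEach-Object { $_.DistinguishedName }
```

If step 4 fails while step 3 succeeds, the problem is with the credentials or directory permissions rather than the network path, which narrows down what to look at before pressing Test Connection in FotoWeb.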
Tip: FotoWeb Directory Services support importing users directly from a primary group, typically Domain Users, although you may also create individual groups specific for use with FotoWeb.
For the sake of illustration, picture the following group hierarchy in your Active Directory, where Norway Branch is an intermediate group holding the department groups:
- All Company Employees
  - Norway Branch
    - Development
    - Marketing
    - Sales
Scenario 1: Selecting All Company Employees for import
All users in the Development, Marketing, and Sales groups will be allowed to log on and will be placed in the All Company Employees group in FotoWeb. Norway Branch and the department groups are not created in FotoWeb.
Scenario 2: Selecting All Company Employees and the Marketing group
All users in the Development, Marketing, and Sales groups will be allowed to log on and will be placed in the All Company Employees group.
Users in the Marketing group will be placed in both the Marketing group and the All Company Employees group. Access lists can then be set up to give Marketing users upload and edit rights while all others get read-only access, for example.
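The script below is an added example, not FotoWeb's own code, that reproduces the two scenarios above: it builds the illustrative hierarchy in a lab OU and then flattens nested membership the way the login-time sync does, reporting which FotoWeb groups each user would land in for a given set of imported groups. The lab OU path is an assumption, as is the placement of the department groups under Norway Branch; it requires the RSAT ActiveDirectory module and rights to create groups in that OU.

```powershell
# Added example (not FotoWeb's own code): predict FotoWeb group placement from
# nested AD membership. The lab OU is a placeholder; adjust to your environment.
Import-Module ActiveDirectory

$labOu = 'OU=FotoWebLab,DC=corp,DC=example,DC=com'   # assumed lab OU

# Build the hierarchy from the illustration. Add-ADGroupMember errors if a member
# is already present, so repeated runs silence that error deliberately.
foreach ($g in 'All Company Employees', 'Norway Branch', 'Development', 'Marketing', 'Sales') {
    if (-not (Get-ADGroup -Filter "Name -eq '$g'")) {
        New-ADGroup -Name $g -GroupScope Global -GroupCategory Security -Path $labOu
    }
}
Add-ADGroupMember -Identity 'All Company Employees' -Members 'Norway Branch' -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity 'Norway Branch' -Members 'Development', 'Marketing', 'Sales' -ErrorAction SilentlyContinue

function Get-FotoWebGroupPlacement {
    # $ImportedGroups are the AD groups selected for import in FotoWeb. Each user is
    # mapped to every imported group they reach, directly or through intermediate
    # groups; the intermediate groups themselves never appear in the result.
    param([string[]]$ImportedGroups)
    $placement = @{}
    foreach ($group in $ImportedGroups) {
        # -Recursive walks the nesting and returns only leaf objects (users), so
        # Norway Branch is traversed but not reported.
        Get-ADGroupMember -Identity $group -Recursive |
            Where-Object objectClass -eq 'user' |
            ForEach-Object {
                if (-not $placement.ContainsKey($_.SamAccountName)) {
                    $placement[$_.SamAccountName] = [System.Collections.Generic.List[string]]::new()
                }
                $placement[$_.SamAccountName].Add($group)
            }
    }
    $placement.GetEnumerator() | Sort-Object Name | ForEach-Object {
        [pscustomobject]@{ User = $_.Key; FotoWebGroups = ($_.Value -join ', ') }
    }
}

# Scenario 1: only the top-level group is imported; everyone reachable through
# Norway Branch appears once, in All Company Employees.
Get-FotoWebGroupPlacement -ImportedGroups 'All Company Employees'

# Scenario 2: top-level group plus Marketing; Marketing users appear in both, so an
# access list can grant them upload/edit while everyone else stays read-only.
Get-FotoWebGroupPlacement -ImportedGroups 'All Company Employees', 'Marketing'
```

Run the function against the groups you actually intend to import before setting up access lists; the output is the membership FotoWeb will reflect after each user's next login, since group data is only refreshed at login time.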
Fields that are synchronized
User data is updated live when a user logs in; there is no background process that synchronizes data at given intervals.
The following data is copied from the directory service to FotoWeb.
For users:
- Home page address (URL)
- Profession (title)
- LDAP object name (X500)
In addition, the user's locked-out property is synchronized: a user who is disabled in the network also becomes locked out in FotoWeb.
For groups:
- Users that belong to the group
- LDAP object name