Where: Settings - Site - Directory Services
Active Directory is Microsoft's implementation of LDAP (Lightweight Directory Access Protocol), a protocol for locating organizations, individuals, and other resources such as files and devices in a network, whether on the public Internet or on a corporate intranet. FotoWeb supports Microsoft's Active Directory implementation.
The main purpose of directory integration is to simplify user and permission management by letting FotoWeb import this information directly from a domain.
There are two main purposes for the directory service integration with FotoWeb:
1. Manage users and groups in one place
2. Let the directory authenticate users logging in to FotoWeb
With directory service integration, the administrator can simply import users from the AD into the FotoWeb user database. The user information is then identical on both sides. If a user is disabled in the directory, he/she can no longer log on to FotoWeb.
Authenticating through the directory lets each user log on with the same password they use on the local network, and the password expiry policies the administrator manages in the directory extend to FotoWeb. When a user logs on to FotoWeb using directory services, his/her credentials are passed through to the directory service for validation. The user can log on either with the account shortname (e.g. user) or the full domain logon (e.g. user@company.com).
Directory service integration is configured on a per-site basis, meaning you can allow one site to fully integrate with the local network while another site, e.g. one used for testing, does not allow this type of access.
Initially, you have to enable directory service integration by placing a checkmark at the top left of the screen. This enables directory integration with FotoWeb.
Next, fill in the required information that FotoWeb needs in order to communicate with the directory.
Server/domain: The server name or domain name to which FotoWeb should connect, e.g. server.domain.com or simply domain.com.
TCP Port: The default port for communication with Active Directory is 389. This value is pre-entered once the Active Directory option page is enabled and can be modified for environments that use a different port for security reasons.
Username: Login name of a user with enough privileges to list the contents of the directory. Note that this is a domain user name, and not a local FotoWeb user account.
Password: Type in the password corresponding to the username that you supplied.
Test Connection: After you have filled out the necessary credentials for connecting to Active Directory, this button is enabled so you can attempt a connection to the directory. You will receive a success message if the connection to the AD was established.
To add AD groups to your FotoWeb configuration, go to the Groups tab in the FotoWeb configuration and click on the Import groups button. A search dialog appears where you must type in part of the name of the group to search for. When the group appears, select it and click on OK to add it to FotoWeb.
Tip: FotoWeb Directory Services supports importing users directly from a primary group, typically "Domain Users", although you may also create individual groups specifically for use with FotoWeb.
To set up Active Directory integration in FotoWeb, follow these steps. Note that in the below scenario we create special groups for use with FotoWeb.
1. Create rights groups in Active Directory for the roles you want defined in FotoWeb, e.g. 'FotoWeb Archive Administrators', 'FotoWeb Users with Upload', 'FotoWeb Read Only Users' and add the groups/users you want into these groups.
2. Set up the integration in FotoWeb and import the groups created in the step above.
3. Set up your archives and access lists using these groups.
4. Log in using your AD username and password (or Single-Sign-On). The account will be created in FotoWeb and all groups will be updated. Note that only the groups selected in step 2 will be synced; all intermediate groups exist only in Active Directory.
Now, when modifying the access lists on an archive you will be able to choose the Active Directory groups you imported and assign access rights to them.
Then, when a new user logs in to FotoWeb, his account is imported from the AD. For this reason, the first login can take a little longer than subsequent logons. The user is also added to the correct FotoWeb group(s). On subsequent logins, the user's group memberships are revalidated and updated accordingly in FotoWeb's groups.
For the sake of illustration, picture the following group hierarchy in your Active Directory:
- All Company Employees
  - Norway Branch
    - Development
    - Marketing
    - Sales
Scenario 1: Selecting All Company Employees for import
All users in the Development, Marketing and Sales groups will be allowed to log on and will be put in the All Company Employees group.
Scenario 2: Selecting All Company Employees and the Marketing group
All users in the Development, Marketing and Sales groups will be allowed to log on and will be put in the All Company Employees group.
Users in the Marketing group will be put in BOTH the Marketing and the All Company Employees groups. Access lists can then be set up to give Marketing users upload and edit rights, while all others get read-only access, for example.
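The following is an added example, not FotoWeb's own code, that models the login-time behaviour described above: nested AD groups are flattened, only the imported groups become FotoWeb groups (intermediate groups such as Norway Branch stay in AD), both login forms are accepted, and a disabled AD account becomes locked out. The directory contents, account names and the domain company.com are constructed for the illustration.

```python
# Constructed stand-in for the AD group hierarchy on this page. Each group lists
# its direct members (users or nested groups), as the AD 'member' attribute does.
GROUPS = {
    "All Company Employees": {"Norway Branch"},
    "Norway Branch": {"Development", "Marketing", "Sales"},
    "Development": {"dev1"},
    "Marketing": {"mkt1", "mkt2"},
    "Sales": {"sales1"},
}
ACCOUNTDISABLE = 0x0002   # userAccountControl bit set on a disabled AD account
NORMAL_ACCOUNT = 0x0200
# Constructed sAMAccountName -> userAccountControl flags.
ACCOUNTS = {
    "dev1": NORMAL_ACCOUNT,
    "mkt1": NORMAL_ACCOUNT,
    "mkt2": NORMAL_ACCOUNT | ACCOUNTDISABLE,   # disabled in the directory
    "sales1": NORMAL_ACCOUNT,
}
DOMAIN = "company.com"   # assumed domain for the user@company.com login form

def flatten_members(group, groups=GROUPS, seen=None):
    """Return every user reachable through nested groups below 'group'."""
    seen = set() if seen is None else seen
    if group in seen:            # guard against circular nesting
        return set()
    seen.add(group)
    users = set()
    for member in groups.get(group, ()):
        if member in groups:
            users |= flatten_members(member, groups, seen)
        else:
            users.add(member)
    return users

def normalize_login(login, domain=DOMAIN):
    """Accept the shortname ('user') or full logon ('user@company.com')."""
    name, _, dom = login.partition("@")
    if dom and dom.lower() != domain:
        raise ValueError(f"unknown domain: {dom}")
    return name.lower()

def sync_user(login, imported_groups):
    """Model the import at login: FotoWeb groups, lock-out state, log-on allowed."""
    name = normalize_login(login)
    if name not in ACCOUNTS:
        raise ValueError(f"unknown account: {name}")
    # Only imported groups become FotoWeb groups; 'Norway Branch' never does.
    groups = sorted(g for g in imported_groups if name in flatten_members(g))
    locked = bool(ACCOUNTS[name] & ACCOUNTDISABLE)
    return {"login": name, "groups": groups, "locked_out": locked,
            "allowed": bool(groups) and not locked}
```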
The following data is copied from the directory service to FotoWeb:
Users
- Login name
- Email address
- Given name
- Initial
- Surname
- Company name
- Street Address
- State name
- Zip Code
- Country name
- Description
- Home page address (URL)
- Profession (title)
- Telephone number
- LDAP object name (X500)
In addition, the user's locked-out property is synchronized: if a user is disabled in the network, that user also becomes locked out in FotoWeb.
Groups
- Group Name
- Group Description
- Users that belong to the group
- LDAP Object name