FTP and LDAP - Part 2: How to Set Up an Active Directory Lightweight Directory Services (AD LDS) Server

This blog is designed as a complement to my FTP and LDAP - Part 1: How to Use Managed Code (C#) to Create an FTP Authentication Provider that uses an LDAP Server blog post. In this second blog, I'll walk you through the steps to set up an Active Directory Lightweight Directory Services (AD LDS) server, which you can use with the custom FTP LDAP Authentication provider that I discussed in my last blog.

In This Blog

• Step 1: Installing AD LDS
  • Adding the AD LDS Role
  • Creating an AD LDS instance
• Step 2: Using ADSI Edit to add Users and Groups
  • Connecting to your AD LDS Server
  • Adding a User Object
  • Adding Users to Groups
• More Information

Step 1: Installing AD LDS

The following steps will walk you through installing Active Directory Lightweight Directory Services on a computer that is running Windows Server 2008.

Adding the AD LDS Role

1. Open the Windows Server 2008 Server Manager, click Roles in the navigation pane, and then click Add Roles.
   
2. Check the box for Active Directory Lightweight Directory Services, and then click Next.
   
3. Read the information on the Introduction to Active Directory Lightweight Directory Services page, and then click Next.
   
4. Verify the Confirmation Installation Settings, and then click Next.
   
5. The installation will start; this may take several minutes to complete.
   
6. When the installation has completed, click Close.
   

Creating an AD LDS instance

Note: Before completing these steps I created a local user account named "LdapAdmin" that I would specify the administrative account for managing my LDAP instance. This user account was only a member of the local "Users" group, and not a member of the local "Administrators" group.

1. Click Start, then click Administrative Tools, and then click Active Directory Lightweight Directory Services Setup Wizard.
   

2. When the Active Directory Lightweight Directory Services Setup Wizard appears, click Next.
   

3. Select A unique instance, and then click Next.
   

4. Enter a name for your instance, for example "MyTestInstance," and then click Next.
   

5. Verify the port numbers for LDAP connections, and then click Next.
   

6. Choose Yes, create an application directory partition, and then enter a unique partition name by using X.500 path syntax. For example: "CN=MyServer,DC=MyDomain,DC=local". When you have finished entering your partition name, click Next.
   

7. Verify the paths to the AD LDS files for this instance, and then click Next.
   

8. Choose an account for your service account. (Note: Because I was creating a standalone LDAP server, I chose to use the network service account.) Once you have chosen an account, click Next.
   

9. If you choose to use the network service account, the AD LDS wizard will prompt you about replication. Click Yes to continue.
   

10. Choose an account as your AD LDS administrator. (Note: In my situation I chose the LdapAdmin account that I had created earlier; I did this so that I wouldn't be storing the credentials for an administrative account.) Once you have chosen an account, click Next.
    

11. Choose one of the following LDIF files to import; these will be used to create user accounts.

    • MS-User.LDF
      
    • MS-InetOrgPerson.LDF
      

    Note: I tested my FTP LDAP authentication provider with both LDIF files.

12. Verify your installation options, and then click Next.
    

13. When prompted for your AD LDS credentials, enter the credentials for the account that you chose to administer your AD LDS instance.
    

14. The wizard will begin to install the requisite files and create your instance; this may take several minutes to complete.
    
    

15. When the wizard has completed, click Finish.
    

Step 2: Using ADSI Edit to add Users and Groups

Connecting to your AD LDS Server

1. Click Start, and then Administrative Tools, and then ADSI Edit.
2. Click Action, and then click Connect to...
   
3. When the Connection Settingsdialog box is displayed:

   • Enter the LDAP path for your AD LDS server in the Select or type a Distinguished Name or Naming Contexttext box. For example:

     • CN=MyServer,DC=MyDomain,DC=local

   • Enter the server name and port in the Select or type a domain or servertext box. For example:

     • MYSERVER:389

   • The preceding steps should create the following path in the Pathtext box:

     • LDAP://MYSERVER:389/CN=MyServer,DC=MyDomain,DC=local

      

   • Click the Advanced button; when the Advanceddialog box is displayed:

     • Check the Specify Credentials box.
     • Enter the user name and password for your AD LDS server.
     • Click OK.
4. Click OK.

Adding a User Object

1. Expand the tree until you have highlighted the correct LDAP path for your server. For example:
   • CN=MyServer,DC=MyDomain,DC=local.
2. Click Action, and then New, and then Object...
   
3. Highlight the appropriate user class, and then click Next.
   
4. Enter the common name for your user, and then click Next. For example: enter FtpUser for the common name.
   
5. Click Finish.
   
6. Right-click the user that you created, and then click Properties.
   
7. Select msDS-UserAccountDisabled in the list of attributes, and then click Edit.
   
8. Select False, and then click OK.
   
9. Select userPrincipalName in the list of attributes, and then click Edit.
   
10. Enter your user's common name for the value, and then click OK. For example: enter FtpUser for the common name.
    
11. Click OK to close the user properties dialog box.
12. Right-click the user that you created, and then click Reset Password...
    
13. Enter and confirm the password for your user.
    
14. Click OK.

Adding Users to Groups

1. Retrieve the Distinguished Name (DN) for a user:
   • Right-click the user that you created, and then click Properties.
     
   • Select distinguishedName in the list of attributes, and then click View.
     
   • Copy the value, and then click OK. For example: CN=FtpUser,CN=MyServer,DC=MyDomain,DC=local.
     
   • Click OK to close the user's properties dialog box.
2. Add the user to a group:
   • Expand the tree until you have highlighted a group in your server. For example, you could use the built-in CN-Users group.
     
   • Right-click the group, and then click Properties.
     
   • Select member in the list of attributes, and then click Edit.
     
   • When the editor dialog box is displayed, click Add DN...
     
   • When the Add Distinguished Name (DN) dialog box appears, paste the user DN syntax that you copied earlier. For example: CN=FtpUser,CN=MyServer,DC=MyDomain,DC=local.
     
   • Click OK to close the Add DN dialog box.
     
   • Click OK to close the group's properties dialog box.

More Information

For additional information about working with AD LDS instances, see the following URLs:

• Manage an AD LDS Instance Using ADSI Edit
  https://technet.microsoft.com/en-us/library/cc794959.aspx
• Managing Directory Security Principals in the .NET Framework 3.5
  https://msdn.microsoft.com/en-us/magazine/cc135979.aspx

Enabling the Custom FTP LDAP Authentication Provider for an FTP site

While this is technically outside the scope of setting up the LDAP server, I'm reposting the notes from my last blog about adding the FTP LDAP Authentication provider and adding authorization rules for FTP users or groups.

1. Add the custom authentication provider for an FTP site:
   • Open an FTP site in the Internet Information Services (IIS) Manager.
   • Double-click FTP Authentication in the main window.
   • Click Custom Providers... in the Actions pane.
   • Check FtpLdapAuthentication in the providers list.
   • Click OK.
2. Add an authorization rule for the authentication provider:
   • Double-click FTP Authorization Rules in the main window.
   • Click Add Allow Rule... in the Actions pane.
   • You can add either of the following authorization rules:
     • For a specific user:
       • Select Specified users for the access option.
       • Enter a user name that you created in your AD LDS partition.
     • For a role or group:
       • Select Specified roles or user groups for the access option.
       • Enter the role or group name that you created in your AD LDS partition.
     • Select Read and/or Write for the Permissions option.
   • Click OK.

Once these settings are configured and users connect to your FTP site, the FTP service will attempt to authenticate users from your LDAP server by using the custom FTP LDAP Authentication provider.

Comments

• Anonymous
  July 15, 2014
  Hi Rob, This tutorial has been great and I just had a couple questions of how to authenticate the users information from a remote client. For example, I've created my AD LDS instance on a windows 2012 server and now I'm trying to use python-ldap to connect to this AD LDS instance from another computer to check user credentials. Can you explain to me how to do this? Thanks a lot, Jeff

• Anonymous
  July 15, 2014
  Hi Jeff, I've never tried to access AD LDS from Python, so I'm a bit out-of-context on what it might take to get that working, but most of the problems that I have seen regarding issues when connecting to AD LDS have been related to security problems of one sort or other (e.g. authenticating to AD LDS, etc.) With that in mind, I found the following thread on Stack Overflow that might help: stackoverflow.com/.../authenticating-against-active-directory-using-python-ldap

• Anonymous
  July 15, 2014
  I've followed the steps that you posted in setting up the AD LDS and I've managed to connect to it using ADSI and ldp.exe, I was just wondering if there was a way that I can remotely access the AD LDS instance with all the user credentials and check them? It doesn't have to be python. Thanks a lot, Jeff

• Anonymous
  July 18, 2014
  Hello rob, How do you set a password for your application directory partition so I can increase the security of binds to it.