Authentication: Directory Service

Import your organization's directory service users and groups into Aspera® Faspex™.

Aspera Faspex supports the Lightweight Directory Access Protocol (LDAP) and can be configured to connect to a directory service. The following directory service databases are supported:

Follow the steps below to configure Aspera Faspex for LDAP.

  1. Enter directory service details

    Go to Server > Authentication > Directory Services.

    Server - Directory Service

    To configure your directory service to work with Aspera Faspex, check Enable Directory Service and enter your configuration details (example displayed below).

    Server - Directory Service Settings
    Option: Description

    Directory Service Name: Your name for this directory service.
    Enable Directory Service: Activate this directory service for Aspera Faspex.
    Directory Service Type: Select from one of the following options:
    • 389/Red Hat/Fedora Directory Server
    • Apple Open Directory
    • Microsoft Active Directory (AD)
    Use secure mode (TLS): By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by enabling TLS. The port number will automatically change to 636 when TLS is enabled.
    Note: Aspera highly recommends turning this setting on to secure your server.
    Server: The directory server's address.
    Port: The directory server's port number. By default, unsecured LDAP uses port 389, unsecured global catalog uses port 3268, and global catalog over SSL uses port 3269. If TLS is enabled, then the port number will automatically change to 636.
    Treebase: The search treebase (e.g. dc=myCompany,dc=com for myCompany.com).
    Username Attribute: The attribute for the type of logon name for users of this directory service. For example, for Microsoft Active Directory, the mail attribute specifies the DS user logon should be an email address, and samaccountname specifies it should be a pre-Windows 2000 logon name.
    Login Method:
    • Anonymous
    • Provide Credentials
    If Provide Credentials is selected, then you are required to input your directory service login and password below.
    Login: Directory service user name, which is typically a Distinguished Name (DN) (e.g. CN=Administrator,CN=Users,DC=myCompany,DC=com).
    Password: Directory service password.

    When finished, click Save and Test. If Aspera Faspex successfully connects to your directory server, it displays the following information:

    Connected: YES
    Authenticated: YES
    Success

    Note: If the same user (identified by the username attribute) is a member of more than one directory, the user is only imported once from the first sync. The duplicated user from the second directory is not imported, and a warning is logged in the sync history.
  2. Import Directory Service (DS) groups
    Important:

    When Aspera Faspex Server imports AD groups, it is bounded by the AD server parameter "MaxValRange." If you would like to import a larger AD group, then please change the "MaxValRange" parameter on your AD server.

    When importing a Directory Service group, all users listed under that group are added into Aspera Faspex. To import a group, start by going to Accounts and select the Directory Service Group tab. Any DS groups that you have previously imported are shown in the list.

    Add a Directory Service Group.

    From here, click the + New Group button and enter the directory service group attributes. Typing three characters or more brings up the group list with matching keywords.

    Enter the Directory Service Group's name.

    Important:

    You cannot import Directory Service groups that have the same name, regardless of whether or not they are on the same DS server. All DS groups must have unique names.

    To specify permissions for this DS group, click the Edit Additional Permissions link. The Edit Additional Permissions dialog appears:



    Permissions

    Option: Description

    Uploads allowed: Enable to allow the user to send file packages.
    Downloads allowed: Enable to allow the user to download packages that have been received. A user who does not have this marked will still receive packages, but will not be able to download the files.
    Forwarding allowed: Enable to allow the user to forward received file packages to other users. The package will be made accessible to the forwarded users within their Aspera Faspex accounts.
    Can create from remote: Enable to allow the user to send packages from remote file storage.
    Can send to external email: Allow or prevent the user from sending download links to external email addresses (addresses that do not belong to Aspera Faspex users).
    Can send to all Aspera Faspex users: Enable to allow the user to send packages to all Aspera Faspex users (as opposed to only being able to send to the user's workgroup members).
    Allowed IP addresses for login: Specify the IP address(es) that an Aspera Faspex user can log in from to view his or her account. A wildcard (*) can be used in this option (e.g., 192.168.10.*, which allows the user to log in from 192.168.10.1, 192.168.10.2, etc.). Separate multiple IP addresses with commas (,).
    Allowed IP addresses for download: Specify the IP address(es) that an Aspera Faspex user can log in from to download packages. A wildcard (*) can be used in this option (e.g., 192.168.10.*, which allows the user to log in from 192.168.10.1, 192.168.10.2, etc.). Separate multiple IP addresses with commas (,).
    Allowed IP addresses for upload: Specify the IP address(es) that an Aspera Faspex user can log in from to upload packages. A wildcard (*) can be used in this option (e.g., 192.168.10.*, which allows the user to log in from 192.168.10.1, 192.168.10.2, etc.). Separate multiple IP addresses with commas (,).

    Package Deletion

    Scroll down the Edit Additional Permissions dialog to Package Deletion for options available after downloading a package:

    Option: Description

    Override server delete after download: The Aspera Faspex Server's current default auto-deletion settings are displayed just below this checkbox. Checking the box expands the dialog to let you override the default settings with one of the following policies:
    • Do nothing (i.e., do not delete files after downloads)
    • Delete files after any recipient downloads all files
    • Delete files after all recipients download all files
    To update the default setting, see Package Storage.
    Allow user-specified delete after download: Follow the policy settings in the user's New Package screen. The user determines the file package's expiration rule when preparing it.

    Advanced Transfer Settings

    Aspera Faspex uses the transfer settings from the Aspera Central Server section by default. To override, scroll down the Edit Additional Permissions dialog to Advanced Transfer Settings. When Override default settings is checked, the dialog expands to allow you to set user-specific transfer settings, which will take precedence over the server-wide settings.

    Option: Description

    Initial Transfer Rate: Specify the initial upload and download transfer rate. When the option Lock minimum rate and policy is checked, the user will not be able to adjust transfer policy or minimum transfer rate.
    Maximum Allowed Rate: Specify the maximum upload and download transfer rate for this user.

    Click Done > Import when finished.

    When adding directory service groups, Aspera Faspex searches for groups recursively to import users. For example, if group A contains Group 1, importing Group A also imports Group 1's members. Once imported, the directory service group's members are added to your Aspera Faspex Server and the import page is updated with a link to view/edit the new group.



    Click the View link to go back to the Accounts screen. Your imported DS users appear in the accounts list, identified as DS in the type column.



    Under the Directory Service Groups tab, you can administer a group by marking the corresponding row and clicking on the Actions button. The Actions button contains the following functions:

    • Manually Sync with the directory server. (Note that Aspera Faspex auto-syncs with the directory server every hour.)
    • Deactivate and Activate disables or enables selected groups, respectively.
    • Remove deletes the group.
    Manage Groups.

    Important:
    • Directory service syncing is accomplished through an Aspera Faspex background service that must be kept running.
    • When removing a directory service group, users in that group are deactivated instead of removed.
    • When a user exists in multiple directory service groups, removing one of the groups doesn't affect the user. The user is deactivated only when all the user's directory service groups are removed.
    • An activated directory service group is shown as "Active" in the status column. If it shows otherwise, click View Operation History to read the Active Directory operation log and identify the problem.

    To view the members of the DS group, update its workgroup memberships, or edit the DS users' Aspera Faspex settings and permissions, click the corresponding hyperlink to go to the Edit Directory Service Group screen.



  3. Import individual DS users (in addition to, or rather than, DS groups)

    Start by going to Accounts > Users > +Add Account > Directory Service User.



    The Import User From Directory Service page opens:



    From the Directory Service dropdown box, first select the directory service that contains the users you want to import.

    Then, in the Search Term box, enter a search string or substring for the user you want. A list of DS user accounts containing that string is displayed.

    Select the name of the user to import. You can only import one user at a time.

    Then, click Edit Additional Permissions at the bottom of the page.

    In the page that appears, fill in the Account Details section, specifying whether this user is an admin, a manager, or a regular user. Then scroll down and fill in Permissions, Package Deletion, and other remaining sections, following the same procedure as described above for directory service groups (see Step 2 above).

    Important:

    Aspera Faspex syncs individual directory service users every hour. You cannot sync them manually.

    Once directory service users (or groups) are imported, the corresponding users can authenticate with and log in to Aspera Faspex Server. Directory service accounts are similar to Aspera Faspex user accounts, although options such as changing the login password are deactivated (since this information is configured on the directory server).
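The Allowed IP addresses fields in Step 2 take a comma-separated list in which * stands for an octet. The following is an added example, not Aspera code, for auditing such a list before saving it. It assumes * replaces exactly one whole octet, and the function names, the max_hosts threshold and the sample field are constructed for illustration.

```python
import ipaddress

def _normalise(entry):
    """Return the pattern with canonical octets, or None if it is malformed."""
    octets = entry.split(".")
    if len(octets) != 4:
        return None
    out = []
    for o in octets:
        if o == "*":
            out.append(o)
        elif o.isascii() and o.isdigit() and int(o) <= 255:
            out.append(str(int(o)))          # "010" and "10" compare equal
        else:
            return None
    return ".".join(out)

def parse_allowlist(field):
    """Split the comma-separated field into (valid patterns, rejected entries)."""
    valid, rejected = [], []
    for raw in field.split(","):
        entry = raw.strip()
        if entry:
            pattern = _normalise(entry)
            (valid if pattern else rejected).append(pattern or entry)
    return valid, rejected

def admitted_count(pattern):
    """IPv4 addresses one pattern admits: 256 per wildcard octet (assumed semantics)."""
    return 256 ** pattern.split(".").count("*")

def is_allowed(client_ip, patterns):
    """True if client_ip matches any pattern octet by octet; raises on a bad IP."""
    ip = str(ipaddress.IPv4Address(client_ip)).split(".")
    return any(all(p in ("*", o) for p, o in zip(pat.split("."), ip))
               for pat in patterns)

def audit(field, max_hosts=65536):
    """Report usable patterns, malformed entries, and patterns wider than max_hosts."""
    valid, rejected = parse_allowlist(field)
    return {"valid": valid, "rejected": rejected,
            "too_broad": [p for p in valid if admitted_count(p) > max_hosts]}

# Constructed sample: one narrow range, one very wide range,
# one entry with a stray trailing dot, one single host.
SAMPLE_FIELD = "192.168.10.*, 10.*.*.*, 192.168.10.*., 203.0.113.7"

if __name__ == "__main__":
    print(audit(SAMPLE_FIELD))
```

An entry that lands in rejected may be ignored or misread by the server, so correct it before relying on the restriction.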
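Step 2 states that group import is recursive and that a user is deactivated only when all of the user's directory service groups are removed. The following is an added example, not Aspera code, that previews both effects from an export of group membership. The directory contents and function names are constructed, and any member name that is not itself a key in the mapping is assumed to be a user.

```python
def effective_members(group, directory, _seen=None):
    """Users reachable from `group` through nested groups.

    `directory` maps a group name to its direct members (users or groups).
    Groups already visited are skipped, so a membership cycle terminates.
    """
    seen = set() if _seen is None else _seen
    if group in seen:
        return set()
    seen.add(group)
    users = set()
    for member in directory.get(group, []):
        if member in directory:                  # nested group: recurse
            users |= effective_members(member, directory, seen)
        else:                                    # leaf: a user account
            users.add(member)
    return users

def deactivated_on_removal(removed, imported, directory):
    """Users left without any imported group once `removed` is removed."""
    still_covered = set()
    for group in imported:
        if group != removed:
            still_covered |= effective_members(group, directory)
    return effective_members(removed, directory) - still_covered

# Constructed directory: Group A nests Group 1, which nests Group 2,
# which points back at Group A (a cycle). bob is also in Contractors.
DIRECTORY = {
    "Group A": ["alice", "Group 1"],
    "Group 1": ["bob", "Group 2"],
    "Group 2": ["carol", "Group A"],
    "Contractors": ["bob", "dave"],
}
IMPORTED = ["Group A", "Contractors"]

if __name__ == "__main__":
    print("Importing Group A grants access to:",
          sorted(effective_members("Group A", DIRECTORY)))
    print("Removing Group A deactivates:",
          sorted(deactivated_on_removal("Group A", IMPORTED, DIRECTORY)))
```

Reviewing the first set before import shows every account that receives the group's permissions, including those that arrive only through nesting.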