Authentication

Administrators may authenticate with MFT Server using a variety of authentication protocols. To view the current authentication method, go to Settings > MANAGER SERVICE > Authentication > Authentication > Service. The authentication Service options to choose from are listed below.

 

Local Authentication

Database Authentication

Database Query Authentication

LDAP Authentication

LDAP Query Authentication (and its associated filters - LDAP Filter Grammar)

NTLM Authentication

PAM Authentication

RADIUS Authentication

Custom Authentication

Multiple Authentication

 

See also:

 

Multi-Factor Authentication

Web Single Sign-on

 

Local Authentication

 

Local Authentication is the most basic form of authentication, authenticating against local administrative accounts created using MFT Server Manager.

 

 

Database Authentication

 

Database Authentication allows you to authenticate an administrator based on whether the user has credentials to connect to a database. The username and password provided at login time are used to connect to the supplied JDBC URL. If the user authenticates successfully against the JDBC URL, the user is considered a valid administrator of the MFT Server service.

 

 

JDBC URL - The JDBC URL used to connect to the database. Libraries for JDBC drivers must be placed in the libs/jdbc directory of your MFT Server installation, and the MFT Server Service must be restarted in order for the database to be accessible to MFT Server.

 

Create user if not found using role - This allows for administrative accounts to be created automatically upon successful authentication.  If selected, an administrator will be created automatically (if it does not exist already) using the specified Role.

 

Convert username before creation to - If enabled, the username supplied will be converted to the specified case prior to creation.

 

Database Query Authentication

 

Database Query Authentication allows you to authenticate an administrator based on the results of a database query. If one or more records are returned from the query then the administrator is successfully authenticated.

 

 

JDBC URL - The JDBC URL used to connect to the database.  Libraries for JDBC drivers must be placed in the libs/jdbc directory of your MFT Server installation, and the MFT Server Service must be restarted in order for the database to be accessible to MFT Server.

 

User - The username to connect with when authenticating with JDBC database.

 

Password - The password to connect with when authenticating with JDBC database.

 

SQL query - The query to perform to authenticate the user. There are two special variables that may be used in the database query, %username% and %password%, which refer to the username and password passed in during the authentication process. Note, SQL queries and stored procedures may be used; however, stored procedures which make use of output parameters may not be used. The variables %username% and %password% are treated as strings, so they must be enclosed in single quotes.

 

Password hash class - The Java class to use for hashing the password before it is passed to the SQL query. If no class is specified, the password will be passed to the SQL query in clear text.

 

Create user if not found using role - This allows for administrators to be created automatically upon successful authentication.  If selected, an administrator will be created automatically (if it does not exist already) using the specified Role.

 

Convert username before creation to - If enabled, the username supplied will be converted to the specified case before it is passed to the SQL query and Role.
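The following is an added example (not JSCAPE code and not the product's own implementation) that models, in Python with sqlite3, how the fields above combine: the SQL query field with %username% and %password% inside single quotes, a Password hash class that transforms the password before substitution, and the rule that one or more returned records means the administrator is authenticated. The administrator table, the query template and the SHA-256 hash class are constructed for the example; whether MFT Server itself escapes the substituted values is not stated on this page, so the quote-doubling below is an assumption made here.

```python
import hashlib
import sqlite3

# Constructed sample administrator table. The stored value is a SHA-256 hex digest, i.e. what a
# Password hash class producing SHA-256 would substitute for %password% in the query.
ADMINS = [
    ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    ("o'brien", hashlib.sha256(b"battery staple").hexdigest()),
]

# The query as it would be entered in the "SQL query" field: both variables are strings,
# so they sit inside single quotes.
QUERY_TEMPLATE = ("SELECT username FROM admins "
                  "WHERE username = '%username%' AND password_hash = '%password%'")


def sha256_hash_class(password: str) -> str:
    """Python stand-in for a Java Password hash class that returns a hex SHA-256 digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def _sql_string(value: str) -> str:
    # Doubling single quotes keeps a quote inside a value (o'brien) from ending the literal.
    # Assumption: the page does not say whether MFT Server escapes the substituted values,
    # so the escaping is done here before substitution.
    return value.replace("'", "''")


def build_query(template: str, username: str, password: str, hash_fn=None) -> str:
    """Substitute %username% and %password%; hash the password first when a class is set."""
    secret = hash_fn(password) if hash_fn else password
    return (template.replace("%username%", _sql_string(username))
                    .replace("%password%", _sql_string(secret)))


def query_authenticates(conn, template, username, password, hash_fn=None) -> bool:
    """One or more returned records means the administrator is authenticated."""
    rows = conn.execute(build_query(template, username, password, hash_fn)).fetchall()
    return len(rows) >= 1


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO admins VALUES (?, ?)", ADMINS)
    return conn


if __name__ == "__main__":
    db = make_db()
    # With the hash class the digest is compared; without it the clear-text password is.
    print(query_authenticates(db, QUERY_TEMPLATE, "alice", "correct horse", sha256_hash_class))  # True
    print(query_authenticates(db, QUERY_TEMPLATE, "alice", "correct horse"))                     # False
```

The last two calls show the practical consequence of the Password hash class setting: with no class configured, the clear-text password is what reaches the query, so a table that stores digests will never match. Storing digests and configuring a matching hash class keeps administrator passwords out of the query text and out of the database.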

 

LDAP Authentication

 

LDAP Authentication allows you to authenticate an administrator based on whether the user has the credentials to connect to the LDAP or Active Directory service.

 

 

Host - The hostname or IP address of the LDAP service.

 

Port - The port of the LDAP service.

 

Timeout - The connection timeout when connecting to LDAP service.

 

User DN - The user's distinguished name for authenticating with the LDAP service. The variable %username% may be used, which refers to the username passed in during the authentication process.

 

Use SSL connection - Connect to LDAP server using SSL connection.

 

Allow anonymous binding - Sets whether the user can bind anonymously to the LDAP directory.

 

Use failover server - If enabled and the primary LDAP server is inaccessible, authentication will be attempted against the failover server.

 

Create user if not found using role - This allows for administrative accounts to be created automatically upon successful authentication.  If selected, an account will be created automatically (if it does not exist already) using the specified Role.

 

Convert username before creation to - If enabled, the username supplied will be converted to the specified case before it is passed to the specified Role.

 

LDAP Query Authentication

 

LDAP Query Authentication allows you to authenticate an administrator based on the results of an LDAP query and is a two-step authentication process.

 

  1. The user is authenticated against the LDAP server using the User DN field and the password supplied by the user when authenticating against the MFT Server file transfer service.

  2. The query is performed using the credentials supplied in the Search user DN and Password fields. Note, these credentials may be different from the credentials used in Step 1. For example, they might differ where the User DN does not have the permissions needed to perform the query but the Search user DN does.

 

If one or more records are returned from the query then the user is successfully authenticated.

 

 

Host - The hostname or IP address of the LDAP service.

 

Port - The port of the LDAP service.

 

Timeout - The connection timeout when connecting to LDAP service.

 

User DN - The user's distinguished name for authenticating with the LDAP service.

 

Search user DN - The distinguished name of the user used for performing the LDAP search query.

 

Password - The password of the search user for performing the LDAP search query.

 

Base DN - The base distinguished name in which to perform the filter.

 

Filter - The filter to execute, using the LDAP filter syntax. There are two special variables that may be used in the LDAP query, %username% and %password%, which refer to the username and password supplied by the user during the authentication process.

 

Hash password class - The Java class to use for hashing the password before it is passed to the filter. If no class is specified, the password will be passed to the Filter in clear text.

 

Use SSL connection - Connect to LDAP server using SSL connection.

 

Use failover server - If enabled and the primary LDAP server is inaccessible, authentication will be attempted against the failover server.

 

Create user if not found using role - This allows for administrative users to be created automatically upon successful authentication.  If selected, an administrative account will be created automatically (if it does not exist already) using the specified Role.

 

Convert username before creation to - If enabled, the username supplied will be converted to the specified case before it is passed to the specified Role.

 

See also

 

Setting authentication preferences

 

LDAP Filter Grammar

 

When using LDAP Query Authentication you must define a filter that will be used to identify the record you are searching for. The syntax of LDAP filters is defined in RFC 2254. The table below provides a list of valid expressions and their meanings.

 

Symbol   Filter                     Example                        Example matches
=        Equality                   (sn=Smith)                     Surname of Smith only.
>        Greater than               (sn>Smith)                     Any surname that alphabetically follows Smith.
>=       Greater than or equal to   (sn>=Smith)                    Any surname that includes or alphabetically follows Smith.
<        Less than                  (sn<Smith)                     Any surname that alphabetically precedes Smith.
<=       Less than or equal to      (sn<=Smith)                    Any surname that includes or alphabetically precedes Smith.
=*       Presence                   (sn=*)                         All surnames (all entries with the sn attribute).
=*       Substring                  (sn=Smi*)                      Any matching substring of Smith.
&        And                        (& (sn=Smith) (cn=John) )      Surname of Smith and common name of John.
|        Or                         (| (sn=Smith) (sn=Jones) )     Surname of Smith or Jones.
!        Not                        (! (sn=Smith))                 Surname not equal to Smith.
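The following is an added example, not JSCAPE code and not the product's own filter engine. It serves both the Filter field of LDAP Query Authentication and the grammar table above: a small Python parser and evaluator for every expression form in the table, run against constructed directory entries, plus the %username% substitution that turns a Filter field template into the query of Step 2. Assumptions made here, not stated on the page: the value substituted for %username% is escaped as RFC 4515 specifies before it is placed in the filter, attribute values match case-insensitively, and the ordering operators compare plain strings.

```python
import re


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a substituted value: backslash, *, (, ) and NUL become \\xx."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def render_filter(template: str, username: str) -> str:
    """Substitute %username% as the Filter field does, with the value escaped first (assumption)."""
    return template.replace("%username%", escape_filter_value(username))


_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9-]*)(>=|<=|=|>|<)")


class FilterParser:
    """Recursive-descent parser for the expression forms in the LDAP Filter Grammar table."""

    def __init__(self, text: str):
        self.s, self.i = text, 0

    def parse(self):
        node = self._filter()
        self._ws()
        if self.i != len(self.s):
            raise ValueError("trailing input after filter")
        return node

    def _ws(self):
        while self.i < len(self.s) and self.s[self.i] == " ":
            self.i += 1

    def _expect(self, ch: str):
        self._ws()
        if self.i >= len(self.s) or self.s[self.i] != ch:
            raise ValueError("expected %r at offset %d" % (ch, self.i))
        self.i += 1

    def _filter(self):
        self._expect("(")
        self._ws()
        c = self.s[self.i] if self.i < len(self.s) else ""
        if c in ("&", "|"):                      # And / Or over one or more nested filters
            self.i += 1
            subs = []
            self._ws()
            while self.i < len(self.s) and self.s[self.i] == "(":
                subs.append(self._filter())
                self._ws()
            self._expect(")")
            return (c, subs)
        if c == "!":                             # Not over exactly one nested filter
            self.i += 1
            sub = self._filter()
            self._expect(")")
            return ("!", [sub])
        m = _ITEM.match(self.s, self.i)
        if not m:
            raise ValueError("bad attribute or operator at offset %d" % self.i)
        end = self.s.index(")", m.end())         # an escaped ')' is '\29', so this is the real close
        self.i = end + 1
        return ("cmp", m.group(1).lower(), m.group(2), self.s[m.end():end])


def _parts(raw: str):
    """Split a value at unescaped '*' and decode \\xx escapes into literal characters."""
    parts, i = [""], 0
    while i < len(raw):
        if raw[i] == "\\":
            parts[-1] += chr(int(raw[i + 1:i + 3], 16)); i += 3
        elif raw[i] == "*":
            parts.append(""); i += 1
        else:
            parts[-1] += raw[i]; i += 1
    return parts


def _substring(parts, value: str) -> bool:
    if not (value.startswith(parts[0]) and value.endswith(parts[-1])):
        return False
    pos = len(parts[0])
    for mid in parts[1:-1]:
        idx = value.find(mid, pos)
        if idx < 0:
            return False
        pos = idx + len(mid)
    return pos <= len(value) - len(parts[-1])


def matches(node, entry) -> bool:
    """Evaluate a parsed filter against one entry (attribute -> list of values, case-ignored)."""
    kind = node[0]
    if kind == "&":
        return all(matches(n, entry) for n in node[1])
    if kind == "|":
        return any(matches(n, entry) for n in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, op, raw = node
    values = [v.lower() for v in entry.get(attr, [])]
    parts = [p.lower() for p in _parts(raw)]
    if op == "=":
        if raw == "*":
            return bool(values)                                   # presence
        if len(parts) > 1:
            return any(_substring(parts, v) for v in values)      # substring
        return parts[0] in values                                 # equality
    target = parts[0]                            # ordering: plain string comparison (assumption)
    tests = {">": lambda v: v > target, ">=": lambda v: v >= target,
             "<": lambda v: v < target, "<=": lambda v: v <= target}
    return any(tests[op](v) for v in values)


# Constructed entries standing in for the subtree under the Base DN.
ENTRIES = [
    {"uid": ["jsmith"], "sn": ["Smith"], "cn": ["John"], "objectclass": ["person"]},
    {"uid": ["ajones"], "sn": ["Jones"], "cn": ["Alice"], "objectclass": ["person"]},
]


def search(filter_text: str, entries=ENTRIES):
    node = FilterParser(filter_text).parse()
    return [e for e in entries if matches(node, e)]


def query_authenticates(template: str, username: str, entries=ENTRIES) -> bool:
    """Step 2 of LDAP Query Authentication: one or more returned records means success."""
    return len(search(render_filter(template, username), entries)) >= 1
```

Running `search` over each example from the table reproduces the "Example matches" column against the two constructed entries, and `query_authenticates("(&(objectClass=person)(uid=%username%))", "jsmith")` is the Step 2 lookup. The escaping step is the check worth keeping in mind when writing the Filter field: once `*`, `(` and `)` in the supplied username are escaped, the substituted value can only ever match an attribute value literally, never widen the filter to more entries than the template author intended.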

 

NTLM Authentication

 

Using NTLM authentication you may authenticate against an existing Windows domain.

 

 

Host - The IP address of the Windows domain controller.

 

Windows domain - The name of the Windows domain to which users belong.

 

Create user if not found using role - This allows for accounts to be created automatically upon successful authentication.  If selected, an account will be created automatically (if it does not exist already) using the specified Role.

 

Convert username before creation to - If enabled, the username supplied will be converted to the specified case before it is passed to the specified Role.

 

PAM Authentication

 

Using PAM authentication you may authenticate against an existing UNIX PAM user repository. In order to use the PAM Authentication module, you must install native libraries that allow MFT Server to communicate with your PAM user repository.

 

  1. Download the JPam library for your operating system.

  2. Copy the native library to the Java Native Library Path. See the Native Library Installation Location table for details. Note, Step 1 in the JPam instructions should be ignored, as the jpam.jar file already exists in the libs directory of your MFT Server installation. Additionally, the JPam instructions state that you may optionally place the native library in the same directory as the jpam.jar file instead of the Java Native Library Path. This is incorrect. For JPam to work with MFT Server you must place the native library in the Java Native Library Path and not in the libs directory of MFT Server.

  3. Configure JPam for use by editing the net-sf-jpam file and copying it to the /etc/pam.d directory.

  4. Restart MFT Server Service.

  5. Using MFT Server Manager go to the Settings > MANAGER SERVICE > Authentication > Authentication tab and set the Service field to PAM authentication and enable other options. See the image below.

  6. Click Test Parameters button to test.

 

 

Enable debug to file system_output.log - Sends debugging information to the file system_output.log in the installation directory.

 

Create user if not found using role - This allows for accounts to be created automatically upon successful authentication.  If selected, an account will be created automatically (if it does not exist already) using the specified Role.

 

Convert username before creation to - If enabled, the username supplied will be converted to the specified case before it is passed to the specified Role.

 

RADIUS Authentication

 

Using RADIUS authentication you may authenticate against an existing RADIUS server.

 

 

Local address - The local UDP address for socket binding.

 

Server address - The address of the RADIUS server.

 

Server port - The port of the RADIUS server.

 

Timeout - The timeout in seconds for connecting to the RADIUS server.

 

Max retransmit attempts - The maximum number of retransmission attempts when there is no response from the RADIUS server.

 

Identifier - The identifier value of the RADIUS server.

 

Shared secret - The shared secret value of the RADIUS server.

 

Create account if not found using role - This allows for accounts to be created automatically upon successful authentication.  If selected, an account will be created automatically (if it does not exist already) using the specified Role.

 

Convert username before creation to - If enabled, the username supplied will be converted to the specified case before it is passed to the specified Role.

 

Custom Authentication

 

Using custom authentication you may define your own custom authentication class. To do so, perform the following.

 

  1. Create a class which implements the com.jscape.inet.mft.subsystems.administrator.authentication.AuthenticationService interface.

  2. Override the public String authenticate(AuthenticationCredentials creds) method, throwing a com.jscape.inet.mft.subsystems.administrator.authentication.OperationException exception if authentication fails or returning the username of the administrator if authentication passes.

  3. Create a JAR file that contains the compiled version of your com.jscape.inet.mft.subsystems.administrator.authentication.AuthenticationService implementation. To compile your authentication class you will need to include the ftpserver.jar library in your classpath. The ftpserver.jar library may be found in the libs directory of MFT Server.

  4. Place the JAR file created in Step 3, as well as any needed third-party JAR files, into the libs/ext directory of your MFT Server installation.

  5. Restart the MFT Server Service.

  6. Open MFT Server Manager, go to Settings > MANAGER SERVICE > Authentication > Authentication, change the Service to custom authentication and click Apply.

 

An example implementation com.jscape.inet.mft.subsystems.administrator.authentication.TestAuthenticationService is also found in the ftpserver.jar file for testing.

 

 

Example

 

The following example is taken directly from the TestAuthenticationService example provided in the ftpserver.jar library. There are two exception types that may be thrown as part of this example: UnsupportedCredentialsTypeException and InvalidCredentialsException. If UnsupportedCredentialsTypeException is thrown, MFT Server will pass the credentials up and attempt to validate them against the local credentials stored within MFT Server instead of using the logic provided in the custom authentication class. If InvalidCredentialsException is thrown, the credentials will not be passed up and the user will immediately be denied access.

 

package com.jscape.inet.mft.adapter;

import java.util.Scanner;

// The page names this package for AuthenticationService and OperationException; the credential
// and exception types used below are assumed to live in the same package (not stated on the page).
import com.jscape.inet.mft.subsystems.administrator.authentication.*;

public class TestAuthenticationService implements AuthenticationService {

    @Override
    public String authenticate(AuthenticationCredentials credentials)
            throws OperationException {
        if (credentials instanceof PasswordCredentials) {
            return authenticate((PasswordCredentials) credentials);
        } else if (credentials instanceof TokenCredentials) {
            return authenticate((TokenCredentials) credentials);
        }
        // Unknown credential type: MFT Server falls back to its locally stored credentials
        throw new UnsupportedCredentialsTypeException(credentials);
    }

    private String authenticate(PasswordCredentials credentials)
            throws OperationException {
        assertPasswordValid(credentials.username, credentials.password, credentials);
        return credentials.username;
    }

    private String authenticate(TokenCredentials credentials)
            throws OperationException {
        try {
            // The token is expected in the form "username:password"
            Scanner scanner = new Scanner(credentials.token).useDelimiter(":");
            String username = scanner.next();
            String password = scanner.skip(":").nextLine();
            assertPasswordValid(username, password, credentials);
            return username;
        } catch (InvalidCredentialsException e) {
            throw e;
        } catch (Exception e) {
            // Malformed token (for example no ':' separator): deny access immediately
            throw new InvalidCredentialsException(credentials);
        }
    }

    // Test-only rule: the password must equal the username. A real service replaces this check.
    private void assertPasswordValid(String username, String password, AuthenticationCredentials credentials)
            throws InvalidCredentialsException {
        if (!username.equals(password)) {
            throw new InvalidCredentialsException(credentials);
        }
    }
}

 

Multiple Authentication

 

Multiple Authentication allows you to authenticate Administrators using multiple authentication service types. If the 1st authentication type does not succeed, the next authentication type in the ordered list is used. This continues until a successful authentication occurs, or the list is exhausted and the authentication fails.

 

 

Note: Multiple authentication is NOT 2-factor authentication or multi-factor authentication.

 

When you choose Multiple Authentication, you need to define at least 2 types of authentication. You will not be able to save what you enter for Multiple Authentication if you only define 1 authentication service type. Click on the Add button (which was done in the image above) and select a service you wish to configure from the drop-down list (two have already been configured). You are allowed to configure up to 5 authentication service types. You can use the same type more than once, using different parameters. The configuration details of each service type are the same as those described above.

 

When authenticating, the Admin is first authenticated against the 1st service (the Order column will display 1st, 2nd, etc., as depicted in the image above). If authentication is successful, the Admin is granted access using the 1st service. If the authentication fails, a second authentication attempt is made using the 2nd service. If successful, the Admin is granted access. If the 2nd authentication service fails, what happens next depends on whether another service has been configured. If no other service has been configured, the Admin will be denied access. If a third authentication service is configured, that will be used next. The same pattern will continue, for each service configured. The system goes down the ordered list, but stops when it can authenticate the Admin. If none of the authentication services succeed, the Admin will not be granted access. The Move Up and Move Down buttons allow you to change the order of your 2 or more services.

 

Note: For purposes of IP disabling and raising of the Administrator Login event, this should only happen either after a successful login or after all authentication methods have been attempted.
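The following is an added example, not JSCAPE code and not the product's own implementation, that models the ordered-list behaviour described in the two paragraphs above: between 2 and 5 configured services, tried in order, stopping at the first one that accepts, with the Administrator Login event and the failed-login bookkeeping for IP disabling recorded once, after success or after the whole list has been tried. The three services, their account tables and the event strings are constructed stand-ins for configured service types.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# A configured service is modelled as a callable returning True when it accepts the credentials.
Service = Callable[[str, str], bool]

MIN_SERVICES, MAX_SERVICES = 2, 5   # limits stated for Multiple Authentication


@dataclass
class ChainResult:
    success: bool
    service_index: int                 # 1-based position of the accepting service, 0 if none
    attempts: int                      # how many services were tried
    events: List[str] = field(default_factory=list)


def authenticate_chain(services: List[Service], username: str, password: str) -> ChainResult:
    """Try the ordered services; stop at the first success; raise events only at the end."""
    if not MIN_SERVICES <= len(services) <= MAX_SERVICES:
        raise ValueError("Multiple Authentication needs between %d and %d services"
                         % (MIN_SERVICES, MAX_SERVICES))
    result = ChainResult(False, 0, 0)
    for index, service in enumerate(services, start=1):
        result.attempts = index
        if service(username, password):
            result.success, result.service_index = True, index
            break                      # the Admin is granted access using this service
    # The login event and the counter used for IP disabling are handled once, after a
    # success or after every configured service has been attempted, never per failing service.
    outcome = "succeeded" if result.success else "failed"
    result.events.append("Administrator Login %s for %s after %d attempt(s)"
                         % (outcome, username, result.attempts))
    if not result.success:
        result.events.append("failed-login counter incremented for IP disabling")
    return result


def static_service(accounts: Dict[str, str]) -> Service:
    """Constructed stand-in for one configured service: a fixed username -> password table."""
    return lambda u, p: accounts.get(u) == p


def make_services() -> List[Service]:
    # Constructed chain: 1st, 2nd and 3rd service, each with its own accounts
    return [static_service({"admin": "pw-local"}),
            static_service({"admin": "pw-ldap", "ops": "pw-ops"}),
            static_service({"audit": "pw-audit"})]


if __name__ == "__main__":
    chain = make_services()
    for user, pw in [("admin", "pw-local"), ("admin", "pw-ldap"), ("admin", "wrong")]:
        r = authenticate_chain(chain, user, pw)
        print(user, r.success, r.service_index, r.attempts, r.events)
```

One operational consequence worth noting: a wrong password is presented to every service in the list before the chain gives up, so each configured directory or RADIUS backend sees that failed attempt and applies its own lockout policy to it, independently of the IP disabling that MFT Server performs after the list is exhausted.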