Introduction

The RushFiles service supports full AD integration through LDAP, including replication of users via groups and/or organizational units between RushFiles and the AD. It now also supports Single Sign-On (SSO) and automatic placement of users in the same groups in RushFiles as in the AD.

NOTE: Automatic placement of users in groups must be enabled on the replicator service. This is normally done during installation; contact our Support for help with this.


There are two AD structures that RushFiles supports:

1) Multi-tenant ADs, where multiple companies (organizational units / OUs) are present on the same AD

2) Single-tenant ADs, where each company has its own AD. This can be in the same location but will most likely be spread across multiple locations or networks.

NOTE: If this is your first time using the AD integration on your own system, we will need to install the RfAdReplicator service, as it is not installed by default.
Please submit a new ticket to have this done.


Setting up the system for AD integration:

This is a two-step process:


1. Create a link to AD Servers in the reseller interface

2. For each company that should have AD, add that information to the company page.


About the Integration


The integration consists of four elements: the RushFiles API, the AD Replicator, the RushFiles system and your AD. These can be distributed across different servers depending on your installation.
The replicator is set up for a single reseller, so if you are a sub-reseller on the same setup you will need your own replicator, on a different server than the existing setup.

These elements are connected in two steps: the AD Setup and the configuration of the company.
Each AD Setup is a connection to a domain controller, which you then connect to one or more companies, specifying for each company which groups and/or organizational units you wish to have replicated to it.

1. How to create an AD Setup

The AD Setup is available via your reseller interface.

1. Log in to your reseller interface

2. Navigate to the "AD Configurations" tab

3. Select "Create Setup"

You will be presented with the setup page, where you must fill in the fields described below.


1. Name:

This is the name you wish to give the AD Setup you are about to create, for example "RushFiles AD".

2. Validation IP:

This is the IP address that the server hosting your domain master uses to contact the AD. Typically it is the public IP of the server that holds your AD.

3. Replicator IP:

This is the IP address that the server running the RfAdReplicator service uses to contact the AD (most likely the same as the Validation IP). Typically it is the public IP of the server that holds your AD.

4. Domain Path:
This is the general domain path for all companies using this AD configuration.
It must be written in LDAP distinguished-name form, e.g. DC=rushfiles,DC=com if the domain in your AD is rushfiles.com.

5. Domain:
This is the domain of your solution. Example: rushfiles.com would be our domain. Note: If you are a reseller on rushfiles.net and log in to the reseller panel there, the Domain should be set to rushfiles.net.

6. Admin User:
This is the logon name of an AD user with read rights to the AD. It is used to retrieve users and groups from the AD.

7. Password:
This is the password for the AD user specified in point 6.

4. Click Save at the bottom of the form. Important: If you get an error when saving, it is most likely because the given AD user could not be validated, meaning the settings are not correct.

2. How to setup an individual company with AD

You are now ready to set up a connection between a company and the AD Setup created in the previous step.

To do this, log in to the reseller configurator, go to the Companies tab and click on the company to set up.

Now locate the section "Active Directory Settings". Here you can select the AD Setup, whitelist domains, and set organizational units and groups for the company.


    1. Selecting the AD Setup

    The first thing to do is to select the AD Setup for this company.
    This is done by clicking the "Change" button, which presents a list of all your AD Setups. Select one of the AD configurations:

    2. Domain Path

    The domain path on the company is an addition to the domain path of the AD Setup and is used only when replicating this company.


    Users in OUs:

    This can be used to go into organizational units (OUs) in the AD and is written like this:

"OU=RushFiles,OU=Sales"

    The example above shows a parent OU called "RushFiles" with a child OU called "Sales". This retrieves only the users located in the OU "Sales" inside the OU "RushFiles".

Note: It is not mandatory to navigate into an OU, and it is only possible to navigate directly into one OU.


    Users in Groups:

There is also the option to take users only from specific groups. This is done by specifying the groups after any OUs.

    A group is added after the OU as "CN=Sales", for example:

OU=RushFiles,CN=Sales

    It is also possible to add multiple groups, separated by a , (comma), like this:

OU=RushFiles,CN=Sales,CN=Development,CN=Management

This domain path retrieves all users who are members of any of the specified groups (Sales, Development, Management) inside the OU "RushFiles" on the domain specified in the AD Setup.

NOTE: Leaving the domain path blank causes all AD users with a valid email address under the Domain Path specified in the AD Setup to be replicated!
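To make the OU/CN notation above concrete, here is an added example (written for this page, not RushFiles code) that turns a company domain path such as OU=RushFiles,CN=Sales,CN=Development into the LDAP search base and filter it corresponds to, on top of the AD Setup's Domain Path DC=rushfiles,DC=com. The translation is an assumption about the semantics the text describes (OU chain becomes the search base, CN entries become memberOf conditions, and only users with a mail attribute are selected); the RfAdReplicator's own query construction is not shown on this page. The nested flag and the LDAP_MATCHING_RULE_IN_CHAIN OID go beyond the page: they cover membership inherited through nested groups, which a plain memberOf filter does not.

```python
# Added example, not RushFiles code. It shows how a company "domain path" in
# the convention this page uses (OU=Parent,OU=Child,CN=Group,...) combines with
# the AD Setup's Domain Path (DC=rushfiles,DC=com) into an LDAP search base and
# search filter. ASSUMPTION: this translation (OU chain -> search base, CN
# entries -> memberOf filter, "(mail=*)" for the valid-email requirement) is
# an illustration of the semantics described above, not the RfAdReplicator's
# own query code, which this page does not show.
import re

COMPONENT_RE = re.compile(r"^(OU|CN)=(.+)$", re.IGNORECASE)

# Active Directory's "in chain" matching rule: memberOf with this rule also
# matches membership inherited through nested groups.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_dn_value(value):
    """Escape an RDN value per RFC 4514 so a name containing ',' or '+'
    cannot add extra RDN components to the DN we build."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value):
    """Escape a value placed inside a search filter per RFC 4515."""
    out = value.replace("\\", "\\5c")
    for ch, code in (("*", "2a"), ("(", "28"), (")", "29"), ("\x00", "00")):
        out = out.replace(ch, "\\" + code)
    return out


def parse_company_path(path):
    """Split the company path into (ou_chain, group_names).

    OUs are written parent first, as in "OU=RushFiles,OU=Sales", and groups
    (CN=...) come after the OUs. Because the notation separates components
    with commas, a group name itself cannot contain a comma. Anything that is
    not OU= or CN= is rejected rather than silently ignored."""
    ous, groups = [], []
    for raw in path.split(","):
        part = raw.strip()
        if not part:
            continue
        m = COMPONENT_RE.match(part)
        if not m:
            raise ValueError("unsupported component %r (only OU= and CN= are allowed)" % part)
        kind, value = m.group(1).upper(), m.group(2).strip()
        if kind == "OU":
            if groups:
                raise ValueError("OU components must come before CN components")
            ous.append(value)
        else:
            groups.append(value)
    return ous, groups


def build_search_base(base_dn, ous):
    """LDAP DNs list the most specific RDN first, so the parent-first OU chain
    is reversed: ["RushFiles", "Sales"] -> OU=Sales,OU=RushFiles,<base_dn>."""
    rdns = ["OU=" + escape_dn_value(ou) for ou in reversed(ous)]
    return ",".join(rdns + [base_dn])


def build_query(base_dn, company_path, nested=False):
    """Return (search_base, filter) selecting the users this company path names.
    An empty path selects every user with a mail attribute under base_dn."""
    ous, groups = parse_company_path(company_path)
    search_base = build_search_base(base_dn, ous)
    # Only user objects that carry a mail attribute are candidates for replication.
    terms = ["(objectClass=user)", "(mail=*)"]
    if groups:
        attr = "memberOf:%s:" % LDAP_MATCHING_RULE_IN_CHAIN if nested else "memberOf"
        member_terms = []
        for group in groups:
            # The groups are expected inside the selected OU, as the text describes.
            group_dn = "CN=" + escape_dn_value(group) + "," + search_base
            member_terms.append("(%s=%s)" % (attr, escape_filter_value(group_dn)))
        terms.append(member_terms[0] if len(member_terms) == 1
                     else "(|" + "".join(member_terms) + ")")
    return search_base, "(&" + "".join(terms) + ")"


if __name__ == "__main__":
    for path in ("", "OU=RushFiles,OU=Sales",
                 "OU=RushFiles,CN=Sales,CN=Development,CN=Management"):
        base, flt = build_query("DC=rushfiles,DC=com", path)
        print("path   :", repr(path))
        print("base   :", base)
        print("filter :", flt)
```

The escaping functions matter when a group or OU name contains characters that are special in a DN or filter; without them, a name like "Sales, EU" would be read as two components. The blank-path case returns a filter that matches every mail-bearing user below the AD Setup's Domain Path, which is the behaviour the NOTE above warns about.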


    3. Whitelist

    The Whitelist is the domain of the users' email addresses. It is required to ensure that the owner of the domain is the one adding the users.
    A company can have multiple whitelisted domains, and the same domain can be whitelisted across companies. Whitelist entries are separated by a , (comma).
    Example of a Whitelist:

RushFiles.com,RushFiles.net

    In this case both RushFiles.com and RushFiles.net are whitelisted for the company.


    4. Example

    Here is an example of the Active Directory Settings for a company:

    5. Save
    After changing the company, click the Save button at the top.


The replication

About the replication

The replication is a Windows service installed with the domain master. It is set to run once an hour, so it may take up to one hour for AD users to be replicated into the RushFiles system.

Requirements for the replication service

For the replication service to access the AD through LDAP, ports 389 and 636 must be open towards the server hosting the AD. Before creating an AD Setup, ensure that the domain master's server can reach the Validation IP on these two ports, and if the replication service is installed elsewhere, ensure that that server can reach the AD server on the same ports via the Replicator IP.
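A pre-flight check for the requirement above, added here as an example and not a RushFiles tool: run it on the domain master against the Validation IP and on the replicator host against the Replicator IP. Besides a plain TCP connect on 389 and 636 it completes a TLS handshake on 636 and verifies the server certificate, because a port that accepts connections but presents an untrusted certificate will still fail once LDAPS is used. The host name "ad.example.internal" is a placeholder; UDP 389 from the requirements table is not covered, since a UDP socket cannot distinguish open from filtered without a CLDAP probe.

```python
# Added example, not a RushFiles tool. Pre-flight check for the connectivity
# the replication service needs: TCP 389 (LDAP) and TCP 636 (LDAPS) towards
# the AD server, plus a TLS handshake with certificate verification on 636.
# ASSUMPTION: "ad.example.internal" is a placeholder for your own AD host;
# UDP 389 is deliberately not checked here.
import socket
import ssl

LDAP_PORT = 389
LDAPS_PORT = 636


def check_tcp_port(host, port, timeout=3.0):
    """Return (reachable, detail) for a plain TCP connect. A refused
    connection and a timeout are both reported as not reachable."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        return False, "timeout (filtered or host down)"
    except OSError as exc:
        return False, exc.strerror or str(exc)


def check_ldaps_tls(host, port=LDAPS_PORT, timeout=3.0, server_hostname=None):
    """Connect to the LDAPS port and verify the server certificate against the
    system trust store. server_hostname is the name the certificate must
    match; when connecting by IP address, pass the domain controller's DNS
    name here, otherwise hostname verification fails."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
                cert = tls.getpeercert()
                subject = dict(rdn[0] for rdn in cert.get("subject", ()))
                return True, "%s, certificate for %s, expires %s" % (
                    tls.version(), subject.get("commonName", "?"), cert.get("notAfter", "?"))
    except ssl.SSLCertVerificationError as exc:
        return False, "certificate not trusted: %s" % exc.verify_message
    except ssl.SSLError as exc:
        return False, "TLS handshake failed: %s" % exc
    except socket.timeout:
        return False, "timeout (filtered or host down)"
    except OSError as exc:
        return False, exc.strerror or str(exc)


def check_ldap_connectivity(host, timeout=3.0, server_hostname=None):
    """Run all checks against one AD host; returns {check name: (ok, detail)}."""
    return {
        "tcp/389": check_tcp_port(host, LDAP_PORT, timeout),
        "tcp/636": check_tcp_port(host, LDAPS_PORT, timeout),
        "ldaps-tls": check_ldaps_tls(host, LDAPS_PORT, timeout, server_hostname),
    }


def all_ok(results):
    """True only when every check in a results dict passed."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    results = check_ldap_connectivity("ad.example.internal")
    for name, (ok, detail) in results.items():
        print("%-10s %-4s %s" % (name, "OK" if ok else "FAIL", detail))
```

A "timeout" result usually points at a firewall between the two servers, while "Connection refused" means the host answered but nothing listens on that port; both need fixing before the AD Setup can be saved, because saving validates the Admin User through this path.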

Requirements for the AD users

The AD users to be integrated need a valid email address. By default this is taken from the AD field "mail", the user's name from the field "displayname", and the alias the RushFiles system uses for login from the field "userPrincipalName".
These fields can be changed in the configuration file UserSetup.cfg, located in the folder of the RfAdReplicator service (default C:\RushFiles\RfAdReplicator\).
The configuration is in JSON. The keys FullName, Email and LoginAlias must not be changed, and the quotation marks (") around the variable names must be kept. The values are not type-checked: if they are changed to wrong or non-existing attribute names, the user data will probably be retrieved incorrectly or not at all.

HINT: The service can be restarted manually, but first make sure it is not already running (check whether there is a new log file with a growing size and/or a timestamp within a few minutes of the current time).
After a restart it should take about 5-10 seconds before it starts replicating.
If AD integration is active on your system, the RfAdReplicator service should be monitored and started again if it stops.

Examples

One domain controller with multiple companies

If you have one domain controller for your companies (or for just some of them, or for a single one), create an AD Setup for that domain controller and connect the relevant companies to it.
On each company you can then specify the organizational unit and/or group(s) that should be replicated to that company.

Multiple domain controllers with multiple companies

If you have multiple domain controllers for your companies (or for just some of them, or for a single one), create an AD Setup for each domain controller and connect each company to the correct AD Setup. On each company you can then specify the organizational unit and/or group(s) that should be replicated to that company.


Requirements

Communication

Port   Protocol
389    TCP and UDP
636    TCP

Replication

Valid e-mail address on AD user

Users automatically added to the same groups in RushFiles

You can now have users added to the same groups in your RushFiles system as in the AD.

For example, if a user is added to a group called Sales in the AD and a group with that name exists in your RushFiles solution, the user is automatically added to that group and thereby gets access to any share the group has access to.

NOTE: If your AdReplicator service was installed prior to December 2015, you will most likely need an update. Simply create a new support ticket on our helpdesk titled "Need RfAdReplicator updated" and one of our supporters will schedule a time for this with you.