Introduction


The RushFiles service supports full AD integration through LDAP, including replication of users through groups and/or organization units between RushFiles and the AD. We now also support Single Sign-On (SSO) and automatically arranging users into the same groups in RushFiles as they belong to in the AD.

There are two AD structures that RushFiles supports:

✔    Multi-tenant ADs, where multiple companies (Organizational Units / OUs) are present on the same AD

✔    Single-tenant ADs, where each company has its own AD. These can be in the same location, but will most likely be spread over multiple locations or networks.




In this article:

1. About the integration

2. How to create an AD Setup

3. How to set up an individual company with AD

4. The replication service

    4.a Requirements for the replication service

    4.b Requirements for the AD users

    4.c Requirements for communication

    4.d AD and RushFiles Groups

5. One Domain controller with multiple companies

6. Multiple Domain controllers with multiple companies






1) About the integration




The integration consists of 4 elements:

✔    The RushFiles API

✔    The AD Replicator

✔    The RushFiles system

✔    Your AD



These can be distributed on different servers depending on your installation.


The AD Replicator is set up for a single reseller. This means that if you are a sub-reseller on the same installation, you need your own replicator, installed on a different server from the one used by the main installation.



These elements are connected in two steps:

✔    Creating the AD Setup.

✔    Configuring the company.



Each AD Setup is essentially a connection to a Domain Controller. You then connect it to one or more companies and specify, for each company, which groups and/or Organization Units should be replicated into that company.






2) How to create an AD Setup


You can configure the AD Setup in the reseller interface:

1. Log in to your reseller interface.

2. Navigate to the AD Configurations tab.



3. Select Create Setup.

4. Fill out the fields in the popup.





    1. Name:  The name you want to give the AD Setup.

    2. Validation IP:  The IP address through which the server hosting the domain master reaches the server holding your AD. Typically the public IP of the server that hosts your AD.

    3. Replicator IP:  The IP address through which the server running the RfAdReplicatorService reaches the AD. Typically the same as the Validation IP.

    4. Domain Path:  The general Domain Path for all companies using this AD configuration. Example for the domain "rushfiles.com": DC=rushfiles,DC=com

    5. Domain:  The domain of your RushFiles solution. If in doubt, you can see it in the URLs tab of the reseller interface.

    6. Admin User:  The logon name of an AD user with at least read access to the AD. This user is used to retrieve users and groups from the AD.

    7. Password:  The password of the AD user specified in point 6.

    8. Save:  Click Save when you are done!





Note: If you are accessing an LDAPS instance, the Validation IP and Replicator IP must be suffixed with the port ":636", like "ad.rushfiles.com:636". Additionally, the Admin User must be prefixed with the domain, like "rushfiles\administrator", where "rushfiles" is the domain.

If you get an error when saving, the configuration is most likely incorrect. Please double-check the settings in points 1-7.







3) How to set up an individual company with AD


You are now ready to set up a connection between a company and the AD Setup created in the previous section:


1. Go to the Companies tab in the reseller interface.

2. Click on the company you want to setup with AD.

3. Scroll down to the Active Directory Settings section.

4. Click on CHANGE under Current AD configuration.

5. Select one of your AD Setups.

6. Fill out the Domain Path field. This is a company-specific addition to the Domain Path, used only when replicating this company.

  6.a Users in OUs:

This can be used to navigate into Organization Units (OUs) in the AD. Navigating into an OU is not mandatory, and it is only possible to navigate directly into a single OU.


Example setting: a parent OU called "RushFiles", with a child OU called "Sales":


  6.b Users in Groups:

There is also the option to take only users from specific groups. This is done by specifying the groups after any OUs.


Example setting: an OU called "RushFiles" that contains a Group called "Sales":


Example setting: an OU called "RushFiles" that contains two Groups called "Sales", and "Development":


Important: Leaving the Domain Path blank causes all AD users with a valid email address under the Domain Path specified in the AD Setup to be replicated!
 


7. Whitelist

You need to whitelist the domain of the users' email addresses. This ensures that only the owner of the domain can add its users. A single company can have multiple whitelisted domains, and the same whitelisted domain can be used across companies. Whitelisted domains are separated by a single comma and are case sensitive.


8. Example of a correct AD setup of a company:



This will replicate all users that are:

- Under the Domain Path specified in the AD Setup "Rushfiles AD beta.rushfiles.com".

- AND part of the OU "Rushfiles".

- AND part of any of the groups "Sales" OR "Development" OR "Management".

- AND have "rushfiles.com" as the domain of the email address specified in the AD.


NOTE: The replicator retrieves all users from the AD that are part of the last OU specified in the company's AD configuration, even if you navigate into a CN afterwards. In the example above, all users from the OU "Rushfiles" would be retrieved.


Users in the AD that:

- are part of this last OU,

- are not part of the specified CN(s), and

- have a matching user in the RushFiles company

will be removed from the company, regardless of their AD-enabled status in RushFiles.

Therefore, it is advised that:

- the CN(s) contain all users that will be using RushFiles

- or that you do not navigate into a CN, if all users of the parent OU will be using RushFiles


Similarly, users found by the LDAP lookup that are disabled in the AD will be removed from RushFiles automatically.


9. Click the newly appeared Save button at the top of the page when you are done!
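As an added illustration (not RushFiles' own code), the following Python model applies the replication rules from steps 6-8 and the notes above to a few constructed AD records; the AdUser class, the helper names and the sample records are assumptions, not the replicator's real data model.

```python
from dataclasses import dataclass, field

@dataclass
class AdUser:
    dn: str                 # distinguished name of the user object
    mail: str               # value of the "mail" attribute
    enabled: bool           # False if the account is disabled in AD
    member_of: set = field(default_factory=set)  # CNs of the user's groups

def in_last_ou(dn: str, last_ou: str) -> bool:
    """True if the user object sits in the last OU of the company Domain Path."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return f"ou={last_ou.lower()}" in parts

def mail_domain_whitelisted(mail: str, whitelist: str) -> bool:
    """Whitelist entries are comma-separated and compared case-sensitively."""
    domain = mail.rsplit("@", 1)[1] if "@" in mail else ""
    return domain in [d.strip() for d in whitelist.split(",")]

def plan_replication(users, last_ou, groups, whitelist, existing):
    """Return (to_create, to_remove) for one run. groups: CNs from the Domain
    Path (an empty list means no CN, so the whole OU is taken)."""
    to_create, to_remove = [], []
    for u in users:
        if not in_last_ou(u.dn, last_ou):
            continue                                 # outside the OU: untouched
        in_group = not groups or bool(u.member_of & set(groups))
        if not u.enabled or not in_group:
            if u.mail in existing:                   # matching RushFiles user found
                to_remove.append(u.mail)
            continue
        if mail_domain_whitelisted(u.mail, whitelist) and u.mail not in existing:
            to_create.append(u.mail)
    return sorted(to_create), sorted(to_remove)

# Constructed sample data mirroring the article's example setup.
SAMPLE_USERS = [
    AdUser("CN=Ann,OU=Rushfiles,DC=rushfiles,DC=com", "ann@rushfiles.com", True, {"Sales"}),
    AdUser("CN=Bob,OU=Rushfiles,DC=rushfiles,DC=com", "bob@rushfiles.com", True, {"Finance"}),
    AdUser("CN=Cid,OU=Rushfiles,DC=rushfiles,DC=com", "cid@rushfiles.com", False, {"Sales"}),
    AdUser("CN=Dee,OU=Other,DC=rushfiles,DC=com", "dee@rushfiles.com", True, {"Sales"}),
    AdUser("CN=Eve,OU=Rushfiles,DC=rushfiles,DC=com", "eve@RushFiles.com", True, {"Development"}),
]
EXISTING_RF_USERS = {"bob@rushfiles.com", "cid@rushfiles.com", "dee@rushfiles.com"}
GROUPS = ["Sales", "Development", "Management"]

if __name__ == "__main__":
    print(plan_replication(SAMPLE_USERS, "Rushfiles", GROUPS, "rushfiles.com", EXISTING_RF_USERS))
```

Bob (wrong group) and Cid (disabled) are removed because they already exist in the company, Dee is untouched because she is outside the OU, and Eve is skipped because the whitelist comparison is case sensitive.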







4) The replication service


The AD replicator is a Windows service (RfAdReplicator service) installed with the domain master. It is set to run once every 30 minutes, so it may take up to 30 minutes for AD users to be replicated into the RushFiles system.






4.a) Requirements for the replication service


For the replication service to access the AD through LDAP, ports 389 and 636 need to be open on the server hosting the AD.

Therefore, before creating an AD Setup, ensure that the domain master server can reach the Validation IP on these two ports.

If the replication service is installed on a different server, ensure that that server can reach the AD server on the same ports via the Replicator IP.






4.b) Requirements for the AD users


The AD users to be integrated need a valid email address. By default, the email is taken from the AD field "mail", the user's name from the field "displayname", and the alias the RushFiles system uses for login from the field "userPrincipalName".


These fields are editable in the configuration file "UserSetup.cfg" located in the folder of the RfAdReplicator service (default is C:\RushFiles\RfAdReplicator\).


The configuration is in JSON. The key names FullName, Email and LoginAlias must not be changed, and the quotation marks ( " ) around each key name must be kept.

The values are not validated: if they are changed to wrong or non-existing attribute names, the corresponding fields will probably be retrieved incorrectly, or not at all.
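An added pre-flight check (not part of the replicator or of this article's original content) that parses a UserSetup.cfg-style mapping and applies it to a constructed AD entry; the assumed file layout is a JSON object whose keys are FullName, Email and LoginAlias and whose values are the AD attribute names to read.

```python
import json

# The three key names the article says must stay unchanged in UserSetup.cfg.
REQUIRED_KEYS = ("FullName", "Email", "LoginAlias")

# Assumed file layout: key = RushFiles field, value = AD attribute it is read
# from. The values below are the defaults the article names.
DEFAULT_CFG_TEXT = '{"FullName": "displayname", "Email": "mail", "LoginAlias": "userPrincipalName"}'

def load_user_setup(text: str) -> dict:
    """Parse the cfg and reject it if a key name was renamed or dropped."""
    cfg = json.loads(text)
    missing = [k for k in REQUIRED_KEYS if k not in cfg]
    if missing:
        raise ValueError(f"UserSetup.cfg is missing key(s): {missing}")
    return cfg

def map_ad_entry(entry: dict, cfg: dict) -> dict:
    """Pick the RushFiles fields out of one AD entry using the mapping.
    AD attribute names are case-insensitive, so lookups ignore case.
    A field whose attribute does not exist on the entry comes back as None
    (the "retrieved incorrectly or not at all" case)."""
    lowered = {k.lower(): v for k, v in entry.items()}
    return {f: lowered.get(cfg[f].lower()) for f in REQUIRED_KEYS}

def is_replicable(mapped: dict) -> bool:
    """The replicator needs a valid email; a missing or malformed one means no user."""
    mail = mapped.get("Email")
    return bool(mail) and "@" in mail

def check_config(cfg_text: str, sample_entry: dict) -> list:
    """Pre-flight check: returns the RushFiles fields the mapping fails to fill."""
    mapped = map_ad_entry(sample_entry, load_user_setup(cfg_text))
    return [f for f in REQUIRED_KEYS if mapped[f] is None]

# Constructed AD entry, shaped like one result of an LDAP user search.
SAMPLE_ENTRY = {
    "displayName": "Ann Example",
    "mail": "ann@rushfiles.com",
    "userPrincipalName": "ann@rushfiles.com",
    "sAMAccountName": "ann",
}
```

Running check_config against an exported AD entry before restarting the service shows which field a mistyped attribute name would leave empty.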



Note: The service can be restarted manually, but first ensure that it is not already running (check whether there is a new log file with a growing size and/or a timestamp within a few minutes of the current time).

After a restart it should take about 5-10 seconds for it to start replicating.

If AD Integration is active on your system, the RfAdReplicator service should be monitored and, if stopped, started again.
 







4.c) Requirements for communication



Port    Description
389     TCP (LDAP)
636     TCP (LDAPS)







4.d) AD and RushFiles Groups


You can replicate AD groups into the RushFiles system. To enable auto arranging of users into groups, you will first need to enable this setting in your Replication Service's configuration file.


✔    The default path to the config file is: C:\Rushfiles\RfAdReplicator\AdConfig.cfg

✔    Open it with Notepad, make sure that "AddUsersToGroups" is set to true, and save the file.


✔    Create Groups on the company with the same name as the Groups in the AD that will be replicated.


Example: 

If you have a group in the AD called "Sales", you just need to create a group called "Sales" for the company as well. All users that are part of "Sales" in the AD will be part of "Sales" in RushFiles.


✔    During the next run of the replicator, replicated users will be placed into their matching groups in RushFiles.

✔    The replicator has to do two runs in order to place newly replicated users into groups. The first run creates the users, while the second one places them into groups.



Note: Removing a user from a group in the AD will not remove the user from the same group in RushFiles. The user has to be removed manually.
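As an added walk-through (not the replicator's code), this Python model shows the two-run group placement described above and a check for memberships that the AD no longer grants but RushFiles still holds; the RushFilesCompany class, replicator_run and the sample data are constructed assumptions.

```python
class RushFilesCompany:
    """Minimal model of a company: its users and its pre-created groups."""

    def __init__(self, group_names):
        self.users = set()
        # Groups must already exist with the same names as in the AD.
        self.groups = {g: set() for g in group_names}

def replicator_run(company, ad_users, add_users_to_groups=True):
    """One replicator run. ad_users: {email: set of AD group names}.

    Users created in this run are placed into groups on the *next* run,
    which is the two-run behaviour the article describes. Memberships are
    never removed here, matching the article's note."""
    present_before = set(company.users)
    company.users.update(ad_users)
    if not add_users_to_groups:           # AddUsersToGroups=false in AdConfig.cfg
        return
    for mail, ad_groups in ad_users.items():
        if mail not in present_before:
            continue                      # created this run: grouped next run
        for g in ad_groups & set(company.groups):
            company.groups[g].add(mail)

def stale_memberships(company, ad_users):
    """Memberships RushFiles still has but the AD no longer grants; these
    need manual removal. Returns {group: set of emails}."""
    stale = {}
    for g, members in company.groups.items():
        still_in_ad = {m for m in members if g in ad_users.get(m, set())}
        if members - still_in_ad:
            stale[g] = members - still_in_ad
    return stale

# Constructed walk-through: two runs to group users, then Ann leaves Sales in AD.
def demo():
    company = RushFilesCompany(["Sales", "Development"])
    ad = {"ann@rushfiles.com": {"Sales"}, "bob@rushfiles.com": {"Sales", "Development"}}
    replicator_run(company, ad)                      # run 1: users created, no groups yet
    after_first = {g: set(m) for g, m in company.groups.items()}
    replicator_run(company, ad)                      # run 2: placed into groups
    ad["ann@rushfiles.com"] = set()                  # Ann removed from Sales in AD
    replicator_run(company, ad)                      # run 3: RushFiles keeps her in Sales
    return after_first, company.groups, stale_memberships(company, ad)
```

Running stale_memberships periodically against a fresh AD export is one way to catch group memberships that the replicator will never revoke on its own.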
 






5) One Domain Controller with multiple companies


If one Domain Controller serves your companies (all of them, some of them, or just one), create an AD Setup for that Domain Controller and connect the relevant companies to it.

On each company you can then specify a selected Organization Unit and/or Group(s) that should be replicated to the given company.



 


6) Multiple Domain Controllers with multiple companies


If your companies are served by multiple Domain Controllers (whether that is all of them, some of them, or just one), create an AD Setup for each Domain Controller and connect each company to the correct AD Setup. On each company you can then specify an Organization Unit and/or Group(s) that should be replicated to that company.