The RushFiles service supports full AD integration through LDAP, including replication of users through groups and/or organizational units between RushFiles and the AD. We now also support Single Sign-On (SSO) and automatically arranging users into the same groups in RushFiles as they are in in the AD.
There are two AD structures that RushFiles supports:
✔ Multi-tenant ADs, where multiple companies (Organizational Units / OUs) are present on the same AD
✔ Single-tenant ADs, where each company has its own AD. These may be in the same location but will most likely be in different locations or networks.
1) About the integration
The integration consists of 4 elements:
✔ The RushFiles API
✔ The AD Replicator
✔ The RushFiles system
✔ Your AD
These can be distributed on different servers depending on your installation.
The AD Replicator is set up for a single reseller. This means that if you are a sub-reseller on the same setup, you need your own replicator, running on a different server than the main setup.
These elements are connected with these two steps:
✔ Creating the AD Setup.
✔ The configuration of the company.
Each AD Setup is essentially a connection to a Domain Controller. You then connect it to one or more companies and specify, for each of these companies, which groups and/or Organizational Units you want replicated to that company.
2) How to create an AD Setup
You can configure the AD Setup in the reseller interface:
1. Login to your reseller interface.
2. Navigate to the AD Configurations tab.
3. Select Create Setup.
4. Fill out the fields in the popup.
1. Name: This is the name you want to give to the AD Setup.
2. Validation IP: This is the IP address that the server hosting the domain master uses to contact the server that holds your AD. Typically the public IP of the server that hosts your AD.
3. Replicator IP: This is the IP address that the server running the RfAdReplicatorService uses to contact the AD. Typically the same as the Validation IP.
4. Domain Path: This is the general Domain Path for all companies using this AD configuration. Example for domain "rushfiles.com": DC=rushfiles,DC=com
5. Domain: This is the domain of your RushFiles solution. You can see this in the URLs tab in the reseller interface if you are in doubt.
6. Admin User: This is the logon name of an AD user with at least read access to the AD. This user is used to retrieve users and groups from the AD.
7. Password: This is the password for the AD user specified above in point 6.
8. Save: Click on Save when you are done!
3) How to set up an individual company with AD
You are now ready to set up a connection between a company and the AD Setup created in the previous section:
1. Go to the companies tab in the reseller interface.
2. Click on the company you want to set up with AD.
3. Scroll down to the Active Directory Settings section.
4. Click on CHANGE under Current AD configuration.
5. Select one of your AD Setups.
6. Fill out the Domain Path field. This is an individual addition to the AD Setup's Domain Path, used only when replicating this company.
6.a Users in OUs:
This can be used to go into Organizational Units (OUs) in the AD. It is not mandatory to navigate into an OU, and it is only possible to navigate directly into a single OU.
Example setting: a parent OU called "RushFiles", with a child OU called "Sales":
6.b Users in Groups:
There is also the option to take only users from specific groups. This is done by specifying the groups after any OUs.
Example setting: an OU called "RushFiles" that contains a Group called "Sales":
Example setting: an OU called "RushFiles" that contains two Groups called "Sales", and "Development":
7. You need to whitelist the domain of the users' email addresses. This is needed to ensure that the owner of the domain is the one adding the users. It is possible to have multiple whitelisted domains on a single company, and it's also possible to have the same whitelist across companies. The whitelisted domains are separated by a single comma, and are case sensitive.
8. Example of a correct AD setup of a company:
This will replicate all users that are:
- Under the Domain Path specified in the AD Setup "Rushfiles AD beta.rushfiles.com".
- AND part of OU "Rushfiles".
- AND part of any of the groups "Sales" OR "Development" OR "Management".
- AND have "rushfiles.com" as the domain of their email address specified in the AD.
9. Click on the newly-appeared Save button at the top of the page when you are done!
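The selection rules in step 8 (Domain Path, OU addition, group membership, whitelisted email domain) combine as an AND of conditions, with OR across the listed groups. The following model of that filter is an added example and is not RushFiles code; the AD entries, OU and group names are constructed, and it assumes the OU addition selects the whole subtree under that OU (the article does not say whether the replicator also descends into child OUs) and that the whitelist is matched exactly and case-sensitively, as the article states.

```python
"""Model of the per-company replication filter (added example, not RushFiles code).

A user is selected when its DN lies under Domain Path + OU addition, it is a
member of at least one configured group, and its mail domain is whitelisted.
"""
from dataclasses import dataclass, field


@dataclass
class AdUser:
    dn: str
    mail: str
    member_of: list = field(default_factory=list)


def dn_components(dn):
    # Split an LDAP DN into (type, value) pairs. Assumption: no escaped commas
    # in the values, which holds for the constructed sample data below.
    parts = []
    for piece in dn.split(","):
        attr_type, _, value = piece.strip().partition("=")
        parts.append((attr_type, value))
    return parts


def is_under(dn, base_dn):
    # True when base_dn is a suffix of dn, compared component by component.
    # DN components are case-insensitive in LDAP, so compare lower-cased.
    d = [(t.lower(), v.lower()) for t, v in dn_components(dn)]
    b = [(t.lower(), v.lower()) for t, v in dn_components(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b


def group_name(group_dn):
    # The group's name is the value of the first (CN) component of its DN.
    return dn_components(group_dn)[0][1]


def parse_whitelist(text):
    # Domains are separated by a single comma; case is preserved because the
    # article states the whitelist is case sensitive.
    return [d.strip() for d in text.split(",") if d.strip()]


def select_users(users, domain_path, ou_addition, groups, whitelist):
    base = f"{ou_addition},{domain_path}" if ou_addition else domain_path
    allowed = parse_whitelist(whitelist)
    wanted = set(groups)
    selected = []
    for u in users:
        if not is_under(u.dn, base):
            continue  # outside the selected OU subtree
        if wanted and not wanted.intersection(group_name(g) for g in u.member_of):
            continue  # not in any of the selected groups (OR across groups)
        domain = u.mail.rsplit("@", 1)[-1] if "@" in u.mail else ""
        if domain not in allowed:
            continue  # email domain not whitelisted (exact, case-sensitive)
        selected.append(u)
    return selected


DOMAIN_PATH = "DC=rushfiles,DC=com"  # Domain Path format shown in the article

# Constructed sample entries; only the shape matters.
SAMPLE_USERS = [
    AdUser("CN=Alice,OU=Sales,OU=Rushfiles,DC=rushfiles,DC=com", "alice@rushfiles.com",
           ["CN=Sales,OU=Rushfiles,DC=rushfiles,DC=com"]),
    AdUser("CN=Bob,OU=Rushfiles,DC=rushfiles,DC=com", "bob@rushfiles.com",
           ["CN=Development,OU=Rushfiles,DC=rushfiles,DC=com"]),
    AdUser("CN=Carol,OU=Rushfiles,DC=rushfiles,DC=com", "carol@Rushfiles.com",   # wrong-case domain
           ["CN=Management,OU=Rushfiles,DC=rushfiles,DC=com"]),
    AdUser("CN=Dave,OU=Rushfiles,DC=rushfiles,DC=com", "dave@rushfiles.com",
           ["CN=Finance,OU=Rushfiles,DC=rushfiles,DC=com"]),                      # group not selected
    AdUser("CN=Eve,OU=Other,DC=rushfiles,DC=com", "eve@rushfiles.com",
           ["CN=Sales,OU=Rushfiles,DC=rushfiles,DC=com"]),                        # outside the OU
]


def replicated_names():
    """Names of the sample users the filter from step 8 would replicate."""
    selected = select_users(SAMPLE_USERS, DOMAIN_PATH, "OU=Rushfiles",
                            ["Sales", "Development", "Management"], "rushfiles.com")
    return [dn_components(u.dn)[0][1] for u in selected]


if __name__ == "__main__":
    print(replicated_names())
```

Carol is dropped only because her mail domain differs in case from the whitelist entry; that is the case-sensitivity rule from step 7 in action, and it is the first thing to check when a user unexpectedly fails to appear after a replication run.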
4) The replication service
The AD replicator is a Windows service (RfAdReplicator service) installed with the domain master and is set to run once every 30 minutes, so it may take up to 30 minutes for AD users to be replicated into the RushFiles system.
4.a) Requirements for the replication service
For the replication service to access the AD through LDAP, ports 389 and 636 need to be open on the server with the AD.
Therefore, before creating an AD Setup, ensure that the domain master server is able to reach the Validation IP on these two ports.
If the replication service is installed on a different server, ensure that that server is able to reach the AD server on the same ports via the Replicator IP.
4.b) Requirements for the AD users
The AD users to be integrated need to have a valid email address. By default, this email is taken from the field "mail" in the AD, the name of the user is taken from the field "displayname", and the alias the RushFiles system uses for login is taken from the field "userPrincipalName".
These fields are editable in the configuration file "UserSetup.cfg" located in the folder of the RfAdReplicator service (default is C:\RushFiles\RfAdReplicator\).
The configuration is in JSON. The keys FullName, Email and LoginAlias must not be changed, and it is important to keep the quotation marks ( " ) around each key name.
The values are not type safe: if they are changed to wrong or non-existing attribute names, the corresponding fields will probably be retrieved incorrectly or not at all.
4.c) Requirements for communication
Port 389: TCP and UDP
4.d) AD and RushFiles Groups
You can replicate AD groups into the RushFiles system. To enable automatic arranging of users into groups, you first need to enable this setting in your replication service's configuration file.
✔ The default path to the config file is: C:\Rushfiles\RfAdReplicator\AdConfig.cfg
✔ Open it with Notepad, make sure that "AddUsersToGroups" is set to true, and save the file.
✔ Create Groups on the company with the same name as the Groups in the AD that will be replicated.
If you have a group in the AD called "Sales", you just need to create a group called "Sales" for the company as well. All users that are part of "Sales" in the AD will be part of "Sales" in RushFiles.
✔ During the next run of the replicator, replicated users will be placed into their matching groups in RushFiles.
✔ The replicator has to do 2 runs in order to place newly replicated users into groups. The first run creates the users, while the second one places them into groups.
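Both configuration files described in sections 4.b and 4.d are plain JSON, and the article warns that a mistyped attribute name in UserSetup.cfg fails silently. The script below is an added example, not the RfAdReplicator service's own code: it checks that UserSetup.cfg keeps the three required keys and maps them to attribute names that actually exist on AD user objects, reads AddUsersToGroups from AdConfig.cfg, and previews which sample users would be created and which company groups they would land in. It assumes that UserSetup.cfg is a flat JSON object (the article shows only the default values), that AdConfig.cfg holds AddUsersToGroups as a JSON boolean, and that group matching is an exact name comparison; the config texts and AD entries are constructed.

```python
"""Preview of what UserSetup.cfg and AdConfig.cfg produce (added example, not
RfAdReplicator code). File contents and AD entries below are constructed."""
import json

# Attribute names that exist on AD user objects. Used to catch typos such as
# "displaname", which the replicator would otherwise look up and never find.
# Assumption: this list is ours, not the replicator's.
KNOWN_AD_ATTRIBUTES = {"mail", "displayname", "userprincipalname",
                       "samaccountname", "cn", "givenname", "sn"}

REQUIRED_KEYS = ("FullName", "Email", "LoginAlias")

USER_SETUP_CFG = ('{"FullName": "displayname", "Email": "mail", '
                  '"LoginAlias": "userPrincipalName"}')   # the article's defaults
AD_CONFIG_CFG = '{"AddUsersToGroups": true}'              # assumed file shape


def load_user_setup(text):
    """Return (mapping, problems). problems is empty for a valid file."""
    cfg = json.loads(text)
    problems = []
    for key in REQUIRED_KEYS:
        if key not in cfg:
            problems.append(f"missing key {key}")
        elif str(cfg[key]).lower() not in KNOWN_AD_ATTRIBUTES:
            # LDAP attribute names are case-insensitive, so compare lower-cased.
            problems.append(f"{key} maps to unknown attribute {cfg[key]!r}")
    return cfg, problems


def load_ad_config(text):
    """True only when AddUsersToGroups is the JSON boolean true."""
    return json.loads(text).get("AddUsersToGroups") is True


def get_attr(entry, name):
    # Look an attribute up ignoring case, as an LDAP server would.
    for key, value in entry.items():
        if key.lower() == name.lower():
            return value
    return None


def build_users(entries, mapping):
    """First replicator run: turn AD entries into RushFiles user records.
    Entries without a valid email cannot be replicated and are reported."""
    users, skipped = [], []
    for entry in entries:
        rec = {key: get_attr(entry, mapping[key]) for key in REQUIRED_KEYS}
        if not rec["Email"] or "@" not in rec["Email"]:
            skipped.append(rec["LoginAlias"] or rec["FullName"])
            continue
        # Group name is the CN (first component) of each memberOf DN.
        rec["groups"] = [dn.split(",")[0].split("=", 1)[1]
                         for dn in entry.get("memberOf", [])]
        users.append(rec)
    return users, skipped


def place_in_groups(users, company_groups, add_users_to_groups):
    """Second replicator run: users go into company groups whose name exactly
    matches an AD group name. Nothing happens while the setting is off."""
    if not add_users_to_groups:
        return {}
    placement = {g: [] for g in company_groups}
    for user in users:
        for g in user["groups"]:
            if g in placement:
                placement[g].append(user["LoginAlias"])
    return placement


SAMPLE_AD_ENTRIES = [   # constructed; attribute names as AD returns them
    {"displayName": "Alice Example", "mail": "alice@rushfiles.com",
     "userPrincipalName": "alice@rushfiles.com",
     "memberOf": ["CN=Sales,OU=Rushfiles,DC=rushfiles,DC=com"]},
    {"displayName": "Bob Example", "userPrincipalName": "bob@rushfiles.com",
     "memberOf": ["CN=Development,OU=Rushfiles,DC=rushfiles,DC=com"]},   # no mail
    {"displayName": "Carol Example", "mail": "carol@rushfiles.com",
     "userPrincipalName": "carol@rushfiles.com",
     "memberOf": ["CN=Development,OU=Rushfiles,DC=rushfiles,DC=com",
                  "CN=Finance,OU=Rushfiles,DC=rushfiles,DC=com"]},       # Finance not on company
]
COMPANY_GROUPS = ["Sales", "Development"]   # groups created on the company


def preview():
    mapping, problems = load_user_setup(USER_SETUP_CFG)
    if problems:
        return {"problems": problems}
    users, skipped = build_users(SAMPLE_AD_ENTRIES, mapping)
    groups = place_in_groups(users, COMPANY_GROUPS, load_ad_config(AD_CONFIG_CFG))
    return {"created": [u["LoginAlias"] for u in users],
            "skipped_no_email": skipped, "groups": groups}


if __name__ == "__main__":
    print(json.dumps(preview(), indent=2))
```

Bob is reported under skipped_no_email because his entry has no "mail" attribute, which is the most common reason a user never shows up in RushFiles; Carol's Finance membership is ignored because no company group of that name exists, matching the rule that groups must be created on the company with the same name first.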
5) One Domain Controller with multiple companies
If you have one Domain Controller for your companies (even if only for some of them, or just one), you need to create an AD Setup for that Domain Controller and connect the given companies to it.
On each company you can then specify an Organizational Unit and/or Group(s) that should be replicated to that company.
6) Multiple Domain Controllers with multiple companies
If you have multiple Domain Controllers for your companies (even if only for some of them, or just one), you need to create an AD Setup for each Domain Controller and connect the given companies to the correct AD Setup. You can then, on each company, specify an Organizational Unit and/or Group(s) that should be replicated to that company.