Detailed explanation of the perfect integration solution between Serv-U FTP and AD

I logged into the backend to check the solution that the company is currently using. The FTP server used is Server-u FTP, and the authentication method selected is Windows Authentication. The file server uses Windows' native NTFS permissions for allocation, while the mail server uses IBM's Domino.

Now that you know the current solution and related software, let's integrate them. I found that the latest version of Server-U FTP supports AD and LDAP authentication. I also found that domino also supports AD, but I heard that the configuration is very complicated. I will explain the integration of AD and Domino in the next article. This time we will only explain AD and Server-U FTP.

To integrate Server-U with AD, we have the following requirements:

1. Be very familiar with Server-U and be able to configure Server-U skillfully.

2. Must be very familiar with AD and be able to independently install, configure, and operate AD.

3. Be aware of NTFS permission configuration and be able to perform relevant configuration as required.

All of our following experiments were conducted on the server Windows Server 2003 Enterprise Edition, with an IP of 192.168.128.133, and the client was XP, with an IP of 192.168.128.134.

First of all, we need to install and configure AD. You can search on Baidu or Google for information about AD installation and configuration. I will not go into details here.

The above is the relevant display information of the correct AD configuration. After the configuration is completed, we need to establish the corresponding organizational unit. The name of the organizational unit must not be in Chinese. Please remember this. Otherwise, you will not be able to log in via FTP after integration with Server-U.

Here we create a new organizational unit, the screenshot is as follows:

Then, we create a new user "erxian1" and "ceshi1" under the two organizations "erxian" and "ceshi" respectively:

The relevant configurations in AD are completed. The following is mainly the configuration in Server-U.

After installing Server-U, you will be prompted to create a new domain (PS: this domain is different from the domain in AD), as shown below:

Fill in the form according to the prompts. After completion, you will be prompted to create a new user again, as shown below:

At this time we click "No", then go to the control panel and find "Configure Windows Authentication Settings" under the "User" option:

In the pop-up window, click "Enable Windows Authentication", as shown below:

Then fill in the AD domain name in the pop-up window, as shown below:

After saving, click "Configure OU Group" and fill in the name that is the same as the AD organizational unit structure in the pop-up window as shown below:

During the configuration process, we can create the corresponding access directory and the corresponding directory access permissions:

OK, after the above settings are completed. We start to set up the FTP related access directories. Our current FTP root directory is C:\testFTP, which contains several other directories. As shown below:

The NTFS permissions for the "testFTP" directory are:

Ordinary domain users have read and view permissions

The members of the directories "Test Department" and "Second Line Department" who belong to their respective organizational units can exercise all permissions for their respective directories. As shown below:

You may ask, why don’t we see separate user access permissions in this picture? That’s because the “second line” in the picture is a group, and this is a group in AD. The permissions in the above figure mean that all members of the Second Line Department group in AD can perform related operations on the directory "Second Line Department".

Why do we do this? It is mainly for the convenience of operation for us in the future. If a new person comes, we just need to create a new account and add him to the group. We don't need to configure his permissions in the future.

OK, the above configuration is finally completed. Let's log in to the client and perform relevant tests.

From the above screenshots, we can see that the "erxian1" user can now log in to FTP and create new folders under the "Second Line Department" directory. Then we switch to the "Test Department" directory to see if we can get in.

You can see that there is no permission to access. That means our goal has been achieved. FTP service is provided by Server-U, accounts are provided by AD, and permissions are set by NTFS.

PS: Actually, there is another question, that is, both Server-U and NTFS can set permissions, so what are the final permissions?

For this problem, after my test, the final permissions are superimposed...