4. User administration

Regular users can be added to the system in two ways:

  1. explicitly via the administration panel, by the administrator
  2. implicitly on authentication against an existing LDAP/AD directory, after configuration by the administrator.

There is an additional class of users, guest users. These are added directly by regular users when they give sync access (regardless of the read/write permissions granted) to external collaborators by providing their email addresses.

Guest users have access to only a subset of the functionality of the Sync Appliance, which minimizes their impact on the system while still allowing convenient ad-hoc collaboration.

4.1. Guest user restrictions

Guest users:

  1. cannot create new projects
  2. cannot invite other users
  3. have a very restrictive quota (can be as low as 1 MB)

4.2. Manual administration

The user admin panel allows direct addition of users by providing their username and password. It is also possible, on a per-user basis, to edit the account type (change from Normal to Guest and vice versa), change the quota, or modify the email used for notifications and (if requested by the user) password reset.

If left unspecified, the quota for each user will be the default one according to the account type.

4.3. LDAP/AD integration

The LDAP/AD integration tab lets the administrator enable authentication against an existing directory. The form uses an assistant that will try to infer the required parameters from those entered so far. Configuration involves these steps:

  1. Enter the LDAP server URL, either as a hostname (the appliance will try to connect to both the standard LDAP port, 389/TCP, and the standard LDAPS port, 636/TCP) or as a full LDAP URL of the form:

    ldaps://hostname:123

    where the port is optional (the standard one is used if it is omitted).

  2. If the server is reached over LDAPS, it will be necessary to either supply the CA certificate that the LDAP server’s certificate is signed with, or to disable certificate validation (not recommended in production).

  3. The appliance will try to perform an anonymous bind and to look for users using a base DN inferred from the LDAP server URL. If required, provide the DN and password used to perform the bind operation against the LDAP server.

  4. When the connection parameters have been specified correctly, the appliance will look for users under the provided or inferred base DN, and display how many have been found, as well as offer the possibility to enable LDAP authentication.
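The steps above can be rehearsed before touching the appliance. The following is an added example, not code from the appliance or its documentation: it expands the server field as step 1 describes and builds the TLS settings for step 2. The function names, the `example.com` hostname and the base DN heuristic are assumptions; the page does not state how the appliance infers the base DN.

```python
import ssl
from urllib.parse import urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # standard ports named in step 1

def candidate_endpoints(server):
    """Expand the server field into the (scheme, host, port) tuples to try."""
    server = server.strip()
    if "://" not in server:
        # Bare hostname: both standard ports are tried, as in step 1.
        return [("ldap", server, 389), ("ldaps", server, 636)]
    parts = urlsplit(server)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not an ldap:// or ldaps:// URL: {server!r}")
    return [(scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme])]

def guess_base_dn(host):
    """Assumed heuristic (not the appliance's): domain labels become dc= parts."""
    labels = host.rstrip(".").split(".")
    domain = labels[1:] if len(labels) > 2 else labels
    return ",".join(f"dc={label}" for label in domain)

def ldaps_context(ca_file=None, validate=True):
    """TLS settings for step 2: validate against the CA, or skip (lab only)."""
    ctx = ssl.create_default_context(cafile=ca_file)
    if not validate:
        ctx.check_hostname = False  # must be cleared before CERT_NONE is set
        ctx.verify_mode = ssl.CERT_NONE
    return ctx

def plan(server, validate=True):
    """List what would be attempted, flagging cleartext and unvalidated TLS."""
    rows = []
    for scheme, host, port in candidate_endpoints(server):
        if scheme == "ldap":
            risk = "no TLS: a simple bind sends the password in cleartext"
        elif not validate:
            risk = "TLS without validation: server identity is not checked"
        else:
            risk = "ok"
        rows.append({"url": f"{scheme}://{host}:{port}",
                     "base_dn": guess_base_dn(host), "risk": risk})
    return rows

if __name__ == "__main__":
    for row in plan("ldap.example.com"):  # constructed hostname
        print(row)
```

Comparing the guessed base DN with the directory's real naming context shows whether the base DN needs to be supplied explicitly in step 3.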

4.3.1. Implicit user creation

On successful authentication with the LDAP/AD credentials, an internal user will be created and its details imported from the external directory. This user will be listed in the users tab.

Note

The newly created user can only log in using the LDAP/AD credentials, and cannot reset the password to log in with internal authentication.

Warning

If external LDAP/AD authentication is disabled, the corresponding users will no longer be able to log into the web service using those credentials. Their linked devices will, however, keep syncing.