LDAP OVERVIEW & SETTINGS

Applies to: CrashPlan PROe

Overview
Leverage your organization's existing directory services environment by enabling LDAP integration in CrashPlan PROe.

Advantages
LDAP integration provides the following advantages in Active Directory, OpenDirectory, or LDAP environments:
Simplifies the rollout and ongoing administration of your organization's users and devices.
Simplifies the user experience because the users existing LDAP username and password are used to log into CrashPlan PROe.

With LDAP integration enabled:

The master server handles all communication with the LDAP server. Devices never communicate with the LDAP server directly,
which means your directory services environment can remain behind your firewall.
An LDAP-integrated master server is only allowed to perform search and retrieval operations. LDAP entries in your directory
services environment are never modified by CrashPlan PROe.

The following illustration shows the authentication path between devices, the master server, and directory services:

http://support.code42.com/Administrator/3/Administration_Console_Reference/LDAP_Overview_And_Settings (http://support.code42.com
Updated: Tue, 23 Jun 2015 13:27:23 GMT
Powered by

User Management
Password Changes
Once LDAP authentication is enabled, any password changes for LDAP-enabled users must be accomplished using the
LDAP server.

Enabling LDAP integration enhances user management by:

Adding flexibility
Simplifying onboarding and offboarding
Automating user management

A single Code42 environment can utilize a mix of authentication methods on a per organization basis:
Local accounts
LDAP
Single Sign-on (SSO) (http://support.code42.com/Administrator/3/Configuring/Security#Single_Sign-On)

This provides great flexibility for customizing each organization's environment and simplifies the processes of adding,
removing, or suspending user privileges.

http://support.code42.com/Administrator/3/Administration_Console_Reference/LDAP_Overview_And_Settings (http://support.code42.com
Updated: Tue, 23 Jun 2015 13:27:23 GMT
Powered by

Example
The parish that oversees two private high schools has deployed a single CrashPlan PROe environment for both schools.
The parish IT staff manage the CrashPlan PROe deployment. However, each school has its own, separate Active
Directory environment.
Admins have configured the CrashPlan PROe environment so that the faculty at the boys' school are placed into the
boys' school organization and authenticate against the boys' school's Active Directory server. The faculty at the girls'
school are placed into the girls' school organization and authenticate against the girls' school's Active Directory server.
The admins are thus able to manage a single CrashPlan PROe environment without sacrificing flexibility or functionality.

Synchronization
The master server synchronizes with the defined LDAP servers on a regular basis, according to the customizable
synchronization schedule (http://support.code42.com/Administrator/3/Configuring/LDAP#Overview_2). When the master
server synchronizes with an LDAP server, it compares the list of active users in its internal database with the entries in
the LDAP directory, and applies rules to determine which users should be deactivated, which org a user should be
placed in, and which roles to assign to users. CrashPlan PROe never changes any LDAP entries or attributes.
By default, synchronization automatically deactivates users who are not in the set of users returned by the search filter
(http://support.code42.com/Administrator/3/Configuring/LDAP#Add). In addition, you can configure your master server to
perform other user management operations based upon user LDAP information.

User Creation With LDAP

LDAP integration helps to manage users, but it does not create them on its own. Create CrashPlan PROe users alongside
LDAP integration in one of three ways:
Self-service: when users install the CrashPlan app and sign in for the first time, their accounts are automatically
created. If their organizations are configured to use LDAP, then they must use their LDAP credentials.
Deploy custom installers: deploy preconfigured custom installers (http://support.code42.com/Administrator/
3.6_And_4.0/Configuring/Customizing_The_CrashPlan_App) with software like Microsoft System Center Configuration
Manager (http://www.microsoft.com/en-us/server-cloud/products/system-center-2012-r2-configuration-manager/
default.aspx#fbid=YKXj4UloVvA) or JAMF Software's Casper Suite (http://www.jamfsoftware.com/products/caspersuite/)
Create users manually: administrators can create users manually or by uploading a CSV list
(http://support.code42.com/Administrator/3.6_And_4.0/Monitoring_And_Managing/Users#Add_A_New_User).

http://support.code42.com/Administrator/3/Administration_Console_Reference/LDAP_Overview_And_Settings (http://support.code42.com
Updated: Tue, 23 Jun 2015 13:27:23 GMT
Powered by

JavaScript To Automate User Management Functions

You can automate the following user management tasks with customizable JavaScript entries
(http://support.code42.com/Administrator/3/Monitoring_And_Managing/User_Management_With_LDAP_Integration):
User deactivation, using the Active script (http://support.code42.com/Administrator/3/Configuring/LDAP#Attribute_Mapping)
Organization assignment, using the Org name script (http://support.code42.com/Administrator/3/Configuring/
LDAP#Attribute_Mapping)
Role assignment, using the Role script (http://support.code42.com/Administrator/3/Configuring/LDAP#Attribute_Mapping)

LDAP Settings In The Administration Console

Item

Description

LDAP Servers

Add
(http://support.code42.com/
Administrator/3/
Add a new LDAP server.
Configuring/
LDAP#Add)

Registrants not
found

List of your configured LDAP servers. Click the name to edit.

Defines how the CrashPlan PROe handles cases where a user attempts to register a new
account, but is not found in the LDAP search. Options are to Deny Registration or to place
the user into an organization that does not use LDAP for authentication.

http://support.code42.com/Administrator/3/Administration_Console_Reference/LDAP_Overview_And_Settings (http://support.code42.com
Updated: Tue, 23 Jun 2015 13:27:23 GMT
Powered by

Item

Description

Every

Defines the LDAP synchronization schedule for the CrashPlan app. The CrashPlan app will
communicate with the defined LDAP servers according to this schedule. Users who no
longer match the search filter, or who are flagged as inactive by the Active Script
(http://support.code42.com/Administrator/3/Monitoring_And_Managing/
User_Management_With_LDAP_Integration), will be deactivated during synchronization. If
the Never checkbox is selected, the CrashPlan app will never synchronize and run the
Active, Org name, or Role name scripts automatically, although initial authentication will still
occur.

Last Sync

Displays how long ago the most recent LDAP sync ran.

History

View results of previous LDAP sync jobs.

Synchronize
now

Initiate LDAP synchronization immediately. Users and associated devices that no longer
match the search filter, or which are flagged by the Active Script, will be deactivated
immediately.

Simulate
Synchronize

Perform the LDAP synchronization search, but does not deactivate users. Run this job to
see who would be deactivated if the sync actually ran right now.

Add

Item

Description

Server Name

Label used to describe this LDAP server.

URL and
search base

The protocol, host, and port used to communicate with the LDAP server, plus the search
base within the LDAP structure where LDAP queries will begin.

Reachable/
Unreachable

Result of the connection test to verify that the LDAP server is accessible on the defined
protocol, host, and port. Possible values are Reachable or Unreachable.

Bind
Anonymously

Disabled by default. Enable this option to perform LDAP binds without authenticating.

http://support.code42.com/Administrator/3/Administration_Console_Reference/LDAP_Overview_And_Settings (http://support.code42.com
Updated: Tue, 23 Jun 2015 13:27:23 GMT
Powered by

Item

Description

Bind DN

Used when Bind Anonymously is disabled. Enter the full DN for the LDAP user that will bind
and perform LDAP queries.

Bind password

Password of the LDAP user (e) performing the bind.

Bindable/Bind
failed

Results of the test used to verify that the bind user is actually able to bind to LDAP server.
Possible values are Bindable or Bind failed.

Search filter

Defines which LDAP attribute CrashPlan PROe uses to search for users. This value is used
as the CrashPlan PROe username.

Matches

Count of LDAP users that match your LDAP search parameters.

Timeout
seconds

How long the authority server should wait for a response before the LDAP lookup times out.

Attribute Mapping
Attribute mapping defines how users' LDAP attributes relate to CrashPlan PROe users.

Item

Description

Search results

LDAP search results populate on the right of the window to show how the user's LDAP
information maps to the CrashPlan PROe account information.

Username

Attribute used to determine the CrashPlan PROe username. Value is taken from the
Search filter field (h).

http://support.code42.com/Administrator/3/Administration_Console_Reference/LDAP_Overview_And_Settings (http://support.code42.com
Updated: Tue, 23 Jun 2015 13:27:23 GMT
Powered by

Item

Description

Email

Select which LDAP attribute to set as the user's email address.

First name

Select which LDAP attribute to set as the user's first name.

Last name

Select which LDAP attribute to set as the user's last name.

Active script

Javascript that deactivates or activates users based on LDAP attributes. For

example, you may want users with an LDAP attribute of terminated=true
deactivated within CrashPlan PROe during the synchronization process.

The Active script must not be left blank. The default entry is function(entry)

{ return true; }
q

Org name script

(Optional) Javascript that defines the organization a user belongs to.

Role name
script

(Optional) Javascript that defines which roles a user is granted: e.g., grant the Org Admin
role to any user with the LDAP attribute employeeType=admin.

Distinguished
name

The full distinguished name of the user presented in the search results.

Username
search

Search for a specific username within the returned LDAP query results.

Search
pagination

Page through search results.

History
History shows the results of past synchronization instances, including which users were deactivated during the sync.

Related Topics
Configuring Device Backup Settings (http://support.code42.com/Administrator/3/Administration_Console_Reference/
Configuring_Device_Backup_Settings)
My Profile Overview & Settings (http://support.code42.com/Administrator/3/Administration_Console_Reference/
My_Profile_Overview_And_Settings)
Organizations Overview & Settings (http://support.code42.com/Administrator/3/Administration_Console_Reference/
Organizations_Overview_And_Settings)

http://support.code42.com/Administrator/3/Administration_Console_Reference/LDAP_Overview_And_Settings (http://support.code42.com
Updated: Tue, 23 Jun 2015 13:27:23 GMT
Powered by

 Security Overview & Settings (http://support.code42.com/Administrator/3/Administration_Console_Reference/

Security_Overview_And_Settings)
Top-Level Organization Overview & Settings (http://support.code42.com/Administrator/3/Administration_Console_Reference/TopLevel_Organization_Overview_And_Settings)

http://support.code42.com/Administrator/3/Administration_Console_Reference/LDAP_Overview_And_Settings (http://support.code42.com
Updated: Tue, 23 Jun 2015 13:27:23 GMT
Powered by