FileMaker Server can take advantage of certain external services to help centralize the management of information such as server location and user authentication credentials. If you or your organization maintains such services, you can configure FileMaker Server to use them. You can use external services to centralize two types of information:
Suppose that you work with a large organization, where the network is divided into several subnets, and there are a number of instances of FileMaker Server running on different machines throughout the network. For a user on one subnet to access a FileMaker server on another, the user must know the machine name or IP address of the server, and must add that information to her list of favorite servers.
Rather than ask users and administrators to keep track of multiple machines and machine names, its possible to use a directory server to maintain this information in a central location. The FileMaker Pro or FileMaker Advanced client and the SAT can both be configured to look for available servers via a directory server. As soon as the client or the SAT is configured to work through a directory server, any new FileMaker servers registered with the directory server automatically become visible to those clients.
FileMaker Server is capable of registering itself with directory servers that implement LDAP (Lightweight Directory Access Protocol). Such servers include Active Directory (Windows), Open Directory (Mac OS), and OpenLDAP (UNIX/Linux).
Configuring the interaction with a directory server has three steps:
Configure the directory server.
Configure an instance of FileMaker Server to register itself with the directory server.
Configure one or more copies of FileMaker Pro, FileMaker Advanced, or the SAT to search the directory server for available instances of FileMaker Server.
The registration process is relatively complex, and is best attempted by administrators with experience in managing the type of directory server in question. Well walk through the critical steps in this section, without pretending to give a full introduction to the complex world of LDAP.
LDAP is a very flexible and very complex protocol. There are probably a great many ways to configure an LDAP server in such a way as to enable registration of FileMaker Server instances. Well show you just one way, which involves creating a new organizational unit (OU) on the LDAP server and registering servers beneath it. We use Windows Active Directory to illustrate the process.
To register a FileMaker Server with an Active Directory server, begin by adding a new organizational unit to the server. Choose Start, Programs, Administrative Tools, Active Directory Users and Computers. In the new window, right-click on the name of the LDAP server machine and choose New, Organization Unit. This operation is shown in Figure 25.8. Give the new OU a name; we call ours fmp-ldap/.
You need to associate a user with the new OU. You may want to create a new user just for this purpose. In that case, right-click the Users directory and choose New, User. This operation is shown in Figure 25.9. Take note of the username and password; theyll be necessary later when accessing the directory server remotely.
You next need to delegate certain privileges over the new OU to the user you just created. Right-click on the OU name and choose Delegate Control. You then see the Delegation of Control Wizard. On the second screen, choose the new user you just created. On the following screen, labeled Tasks to Delegate, choose the Create a Custom Task to Delegate radio button. On the following screen, choose to delegate control of This Folder, Existing Objects in This Folder, and Creation of New Objects in This Folder. On the next screen, titled Permissions, choose Full Control in the Permissions area. On the screen that follows, click Finish to complete the act of delegation. That completes the configuration of the Active Directory server.
Note
It is probably possible to create a workable configuration by delegating less than Full Control to the user in question. If you create a user specifically for this purpose, though, and grant him minimal or no rights elsewhere on the server, there is probably little risk in giving that user full rights to the OU.
With the Active Directory configuration complete, you next need to register one or more FileMaker servers with the directory server. You use the SAT to do this. In the SAT, connect to the server you want to register and go to the Directory Service tab. Figure 25.10 shows the necessary configuration. Here are the important settings:
After youve filled these settings in, the SAT automatically tries to register the FileMaker server with the Active Directory server. This is the moment of truth!
One good way to check on the success of this operation is to look at the event log for the server you e trying to register. A registration failure generates only one or two eventsone of them an error. A common error is one of insufficient privileges. This error may mean that you didn supply the right logon credentials (bad username or password). It may also mean that you didn delegate sufficient privileges over the OU to the chosen user. Such an error is shown in Figure 25.11.
If registration did succeed, you should see quite a long list of events as each piece of information about the directory service is communicated to the server, culminating in an event with EventID 206, "Registration with directory service succeeded."
Successful registration also is visible on the Active Directory server, although it can take a while for the change to be visible there. Each registered server appears below the OU in which you registered it. The result is shown in Figure 25.12.
Tip
In the Mac OS version of the SAT, you can set up a preferred LDAP configuration. Choose FileMaker Server Admin, Preferences, and then choose LDAP Directory Service from the pop-up menu in the resulting dialog. You are given a screen where you can enter a default server address, port, search base, and login credentials.
After youve successfully registered your FileMaker server with the Active Directory server, you can then use the Active Directory server when looking for hosts from FileMaker Pro, FileMaker Pro Advanced, or the SAT.
In FileMaker Pro, for example, if you choose File, Open Remote, you can then choose Hosts Listed by LDAP from the View menu. You can then click the Specify button to specify a directory service to connect to. Fill in the service information in the Specify LDAP Directory Service dialog. Possible settings are shown in Figure 25.13.
The settings are very similar to those you used when registering a FileMaker server. For Search Base, fill in the same string you supplied in the Distinguished Name field in the SAT when registering the FileMaker server earlier.
If all has gone well, the Open Remote File dialog should now show a list of all FileMaker servers registered with the chosen directory server. From here, you may work directly with those servers, or click Add to Favorites to add them to your list of preferred servers. These choices are shown in Figure 25.14.
There are quite a few things that can go wrong in the complex process of configuring and connecting to an LDAP server. To learn about some of them, see "Trouble with LDAP" in the "Troubleshooting" section at the end of this chapter. |
You can configure FileMaker Server to work with external authentication services. If your organization maintains a directory of usernames and passwords, and youd like to be able to reuse these credentials, its possible to configure FileMaker Server to do so. The mechanics of configuring both FileMaker Pro and FileMaker Server to do this are covered in Chapter 12, "Implementing Security."
For a discussion of how to configure external authentication, see "External Authentication," p. 346. |