Working with External Services


FileMaker Server can take advantage of certain external services to help centralize the management of information such as server location and user authentication credentials. If you or your organization maintain such services, you can configure FileMaker Server to use them. You can use external services to centralize two types of information:

  • Information about the location of machines running FileMaker Server. You can use one or more directory servers to maintain information about the names and locations of FileMaker Servers throughout your organization, rather than having your users keep track of server names or addresses.

  • Information about user credentials. You can use the authentication services built into Windows and the Mac OS to map users' network credentials directly onto FileMaker accounts and privileges.

Registering with an LDAP Server

Suppose you work with a large organization, where the network is divided into several subnets, and there are a number of instances of FileMaker Server running on different machines throughout the network. For a user on one subnet to access a FileMaker Server on another, the user must know the machine name or IP address of the server, and must add that information to her list of favorite servers.

Rather than ask users and administrators to keep track of multiple machines and machine names, it's possible to use a directory server to maintain this information in a central location. The FileMaker Pro or FileMaker Developer client and the SAT can both be configured to look for available servers via a directory server. As soon as the client or the SAT is configured to work through a directory server, any new FileMaker Servers registered with the directory server automatically become visible to those clients.

FileMaker Server is capable of registering itself with directory servers that implement LDAP (Lightweight Directory Access Protocol). Such servers include Active Directory (Windows), Open Directory (Mac OS), and OpenLDAP (Unix/Linux).

Configuring the interaction with a directory server has three steps:

  1. Configure the directory server.

  2. Configure an instance of FileMaker Server to register itself with the directory server.

  3. Configure one or more copies of FileMaker Pro, FileMaker Developer, or the SAT to search the directory server for available instances of FileMaker Server.

The registration process is relatively complex, and is best attempted by administrators with experience in managing the type of directory server in question. We'll walk through the critical steps in this section, without pretending to give a full introduction to the complex world of LDAP.

LDAP is a very flexible and very complex protocol. There are probably a great many ways to configure an LDAP server in such a way as to enable registration of FileMaker Server instances. We'll show you just one way, which involves creating a new organizational unit on the LDAP server and registering servers beneath it. We use Windows Active Directory to illustrate the process.

Configuring an Active Directory Server

To register a FileMaker Server with an Active Directory server, begin by adding a new Organizational Unit (OU) to the server. Choose Start, Programs, Administrative Tools, Active Directory Users and Computers. In the new window, right-click on the name of the LDAP server machine and choose New, Organizational Unit. This operation is shown in Figure 25.8. Give the new OU a name; we call ours fmp-ldap.

Figure 25.8. To set up a FileMaker registry under Active Directory, begin by creating a new Organizational Unit.



You need to associate a user with the new OU. You may want to create a new user just for this purpose. In that case, right-click the Users directory and choose New, User. This operation is shown in Figure 25.9. Take note of the username and password; they'll be necessary later when accessing the directory server remotely.

Figure 25.9. You'll probably want to create a new user to whom you want to delegate rights over the new OU.

You next need to delegate certain privileges over the new OU to the user you just created. Right-click on the OU name and choose Delegate Control. You then see the Delegation of Control Wizard. On the second screen, choose the new user you just created. On the following screen, labeled Tasks to Delegate, choose the Create a Custom Task to Delegate radio button. On the following screen, choose to delegate control of This Folder, Existing Objects in This Folder, and Creation of New Objects in This Folder. On the next screen titled Permissions, choose Full Control in the Permissions area. On the screen that follows, click Finish to complete the act of delegation. That completes the configuration of the Active Directory Server.

NOTE

It is probably possible to create a workable configuration by delegating less than Full Control to the user in question. If you create a user specifically for this purpose, though, and grant him minimal or no rights elsewhere on the server, there is probably little risk in giving that user full rights to the OU.


Registering with an Active Directory Server

With the Active Directory configuration complete, you next need to register one or more servers with the directory server. You use the SAT to do this. In the SAT, connect to the server you want to register and go to the Directory Service tab. Figure 25.10 shows the necessary configuration. Here are the important settings:

  • Directory server name: The host name or IP address of the Active Directory server you just configured.

  • LDAP port: Use the default port of 389 unless your server has been configured differently.

  • Distinguished name: It's important to get this exactly right. In Figure 25.10 Active Directory is configured with an OU, so the distinguished name looks like ou=<your OU name> and then a series of dc= directives, which refer to the individual components of the machine name. If your machine name is adserver.mycompany.com and your OU is named fmp-ou, the distinguished name would be ou=fmp-ou,dc=adserver,dc=mycompany,dc=com.

  • Login settings: Choose to use Windows authentication. For the account name, it's important to use the form <account-name>@<server-name>.

Figure 25.10. You need to do a bit of work to fill in all the items necessary to register FileMaker Server with an LDAP server.
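
The distinguished-name rule in the list above, as an added Python example (not from the book or from FileMaker): it builds the ou=/dc= string from an OU name and a machine name, escaping the OU per RFC 4514, and reports where a typed value differs from it. The function names are hypothetical, and the comparison assumes case-insensitive matching.

```python
import re

REQUIRED_ESCAPES = '"+,;<>\\'  # RFC 4514: must be escaped inside a value
HOST_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.I)

def escape_value(value):
    """Escape one RDN value per RFC 4514 so it cannot change the DN's structure."""
    if not value or "\x00" in value:
        raise ValueError("empty RDN value or NUL byte")
    out = []
    for i, ch in enumerate(value):
        # A leading space or '#', and a trailing space, also need escaping.
        edge = (i == 0 and ch in " #") or (i == len(value) - 1 and ch == " ")
        out.append("\\" + ch if ch in REQUIRED_ESCAPES or edge else ch)
    return "".join(out)

def build_dn(ou_name, machine_name):
    """ou=<OU>, then one dc= per label of the machine name (the form in the text)."""
    labels = machine_name.rstrip(".").split(".")
    bad = [l for l in labels if not HOST_LABEL.match(l)]
    if bad:
        raise ValueError(f"invalid host name label(s): {bad}")
    return ",".join(["ou=" + escape_value(ou_name)] + ["dc=" + l.lower() for l in labels])

def split_dn(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        step = 2 if dn[i] == "\\" and i + 1 < len(dn) else 1
        if dn[i] == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += dn[i:i + step]  # an escape pair stays together
        i += step
    return parts + [buf]

def check_typed_dn(typed, ou_name, machine_name):
    """Compare a typed DN with the expected one; return a list of problems."""
    expected, got = split_dn(build_dn(ou_name, machine_name)), split_dn(typed)
    problems = []
    if len(got) != len(expected):
        problems.append(f"expected {len(expected)} components, found {len(got)}")
    for pos, (g, e) in enumerate(zip(got, expected), start=1):
        if g != g.strip():
            problems.append(f"component {pos} has stray whitespace: {g!r}")
        if g.strip().lower() != e.lower():
            problems.append(f"component {pos} is {g.strip()!r}, expected {e!r}")
    return problems
```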

After you've filled these settings in, the SAT automatically tries to register the FileMaker Server with the Active Directory Server. This is the moment of truth!

One good way to check on the success of this operation is to look at the event log for the server you're trying to register. A registration failure generates only one or two events, one of them an error. A common error is one of insufficient privileges. This error may mean that you didn't supply the right logon credentials (bad username or password). It may also mean that you didn't delegate sufficient privileges over the OU to the chosen user. Such an error is shown in Figure 25.11.

Figure 25.11. Configuring your delegated user with insufficient privileges over the Organizational Unit is a common source of problems.



If registration did succeed, you should see quite a long list of events as each piece of information about the directory service is communicated to the server, culminating in an event with EventID 206, "Registration with directory service succeeded."

Successful registration also is visible on the Active Directory server, though it can take a while for the change to be visible there. Each registered server appears below the OU in which you registered it. The result is shown in Figure 25.12.

Figure 25.12. After FileMaker Server is successfully registered with the Active Directory server, the FileMaker server appears under the OU in Active Directory.

TIP

In the Mac OS version of the SAT, you can set up a preferred LDAP configuration. Choose FileMaker Server Admin, Preferences, then choose LDAP Directory Service from the popup menu in the resulting dialog. You are given a screen where you can enter a default server address, port, search base, and login credentials.


Looking for Servers via LDAP

After you've successfully registered your FileMaker Server with the Active Directory server, you can then use the Active Directory server when looking for hosts from FileMaker Pro, FileMaker Developer, or the SAT.

In FileMaker Pro, for example, if you choose File, Open Remote, you can then choose Hosts Listed by LDAP from the View menu. You can then click the Specify button to specify a directory service to connect to. Fill in the service information in the Specify LDAP Directory Service dialog. Possible settings are shown in Figure 25.13.

Figure 25.13. Use settings similar to those already used to register the server to look for registered FileMaker Servers.



The settings are very similar to those you used when registering a FileMaker Server. For Search Base, fill in the same string you supplied in the Distinguished Name field in the SAT when registering the FileMaker Server earlier.

If all has gone well, the Open Remote File dialog should now show a list of all FileMaker Servers registered with the chosen directory server. From here, you may work directly with those servers, or click Add to Favorites to add them to your list of preferred servers. These choices are shown in Figure 25.14.

Figure 25.14. After you've successfully connected to an LDAP server, you should see a list of all FileMaker Servers registered with that directory service.




There are quite a few things that can go wrong in the complex process of configuring and connecting to an LDAP server. To learn about some of them, see "Trouble with LDAP" in the Troubleshooting section at the end of this chapter.


Using External Authentication Services

You can configure FileMaker Server to work with external authentication services. If your organization maintains a directory of usernames and passwords, and you'd like to be able to reuse these credentials, it's possible to configure FileMaker Server to do so. The mechanics of configuring both FileMaker Pro and FileMaker Server to do this are covered in Chapter 12, "Implementing Security."

For a discussion of how to configure external authentication, see "External Accounts," p. 318.




QUE CORPORATION - Using Filemaker pro X
Year: 2003
Pages: 494
