Microsoft Active Directory Authentication

Microsoft Active Directory is LDAP-compliant, so the LDAP authentication plugin that FileRun comes with can be used to authenticate users against an existing AD server.

You can easily activate and configure the plugin directly from FileRun's control panel, under Users » More » Authentication.


This is the user principal name (usually username@domain) of the service account.

If you leave the field empty, the bind will be made anonymously.

Most Microsoft Active Directory servers do no allow anonymous access, and even if it might seem that it allowed the connection, FileRun will not be able to proceed with finding the user's record.

This takes the username the user typed into the FileRun login form (without the domain) and uses it to construct the bind DN.

Some examples:

  • uid={USERNAME},DC=domain,DC=tld,DC=tld
  • {USERNAME}@domain.tld
{USERNAME} will be replaced with the username the user has typed.

This is your domain's base DN, where the user record search will start from.

Usually looks like this: DC=domain,DC=tld,DC=tld

Set this to (sAMAccountName={USERNAME})

If set to yes, FileRun will retrieve the list of groups the user is member of, when these groups are organized in a hierarchy. Enabling this will disable the use of Groups search filter.

This option is in use only when Use LDAP-MATCHING-RULE-IN-CHAIN to retrieve nested groups is set to no.

It is used to find a user's list of groups, based on the configured Groups member attribute.

This filter can be used with AD: (objectCategory=group)

A comma separated list of group names, if you don't wish to import all group names that are found.

Note that FileRun automatically creates a group named LDAP where all users that were authenticated via LDAP are members of.

Set this to memberof

If set to yes and the AD user records are configured with homeDirectory, FileRun will use this path for the user's home folders. Please note that this must be a fully qualified local path including the drive letter.

Set to yes allows users that are authenticated on the local domain using Windows Integrated Authentication to get automatically signed into FileRun, without having to type in any username or password.

This requires an IIS server configured with Windows Integrated Authentication and a browser that is configured with the trusted domain.

Set this to givenName

Set this to sn

Set this to mail

This field is optional.

Set this to company

This field is optional.