Active Directory Users & Roles

Posted by Community Admin on 03-Aug-2018 18:19

Posted by Community Admin on 25-Nov-2010 00:00

Hi Telerik,

I am trying Sitefinity 4.0 RC to connect to my enterprise Active Directory, but I cannot figure out the correct settings for the membership providers, role providers and the LDAP settings.

In a new installation I enabled the LdapRoles and LdapUsers providers (Administration -> Settings menu) and filled out the DefaultLdapConnection in the LDAP Connection section:
Server Name: the domain controller IP address
ConnectionDomain: the target domain
ConnectionUsername: domain\Administrator
ConnectionPassword: password
UserDns: ou=...,dc=...,dc=...
RolesDns:  ou=...,dc=...,dc=...

In the Administration -> Users menu a new tab 'LdapUsers' appears, but there are no users under it, and in the Administration -> Roles menu a new tab 'LdapRoles' appears, but there are no roles under it.

What am I missing?

Thanks.

Posted by Community Admin on 25-Nov-2010 00:00

Hi György,

Most probably the LDAP is not configured properly or it is not responding for some reason. Could you also check the HttpRequests and HttpResponse of the web services used to get your users when you click on the LDAP button.

Below is a sample configuration of the LDAP - App_Data\Sitefinity\Configuration\SecurityConfig.config

<LdapConnections>
    <connections>
        <!-- '&' inside an XML attribute must be escaped as '&amp;' or the config file will not parse -->
        <LdapConnection
             name="DefaultLdapConnection"
             serverName="host.com"
             connectionDomain="host"
             connectionUsername="HostUser"
             connectionPassword="password"
             maxReturnedUsers="200"
             usersDN="OU=UsersGroup,OU=MyUnit,DC=host,DC=com"
             userFilter="(&amp;(objectClass=user)(!(objectClass=computer)))"
             maxReturnedRoles="200"
             rolesDns="OU=UsersGroup,OU=BG,DC=host,DC=com"
             roleFilter="(objectClass=group)" />
    </connections>
    <ldapMapping>
        <typesMapping>
            <type name="RoleMapping">
                <propertiesMapping>
                    <mapping propertyName="Name" ldapField="sAMAccountName" />
                    <mapping propertyName="Id" ldapField="objectGUID" />
                    <mapping propertyName="LastModified" ldapField="whenChanged" />
                </propertiesMapping>
            </type>
            <type name="UserMapping">
                <propertiesMapping>
                    <mapping propertyName="Id" ldapField="objectGUID" />
                    <mapping propertyName="Comment" ldapField="info" />
                    <mapping propertyName="FirstName" ldapField="givenName" />
                    <mapping propertyName="UserName" ldapField="sAMAccountName" />
                    <mapping propertyName="Email" ldapField="mail" />
                    <mapping propertyName="LastName" ldapField="sn" />
                    <mapping propertyName="LastActivityDate" ldapField="whenChanged" />
                    <mapping propertyName="LastLoginDate" ldapField="lastLogon" />
                    <mapping propertyName="CreationDate" ldapField="whenCreated" />
                    <mapping propertyName="LastModified" ldapField="whenChanged" />
                    <mapping propertyName="memberOf" ldapField="memberOf" />
                    <mapping propertyName="IsApproved" ldapField="userAccountControl" />
                </propertiesMapping>
            </type>
        </typesMapping>
    </ldapMapping>
</LdapConnections>

All the best,
Ivan Dimitrov
the Telerik team
Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 26-Nov-2010 00:00

Hi Ivan,

Thanks for the reply. I can connect to our Active Directory, so I am happy. :)

Next question: We have two domains. Is it possible to connect to the two domains at the same time?
I can create two LDAP connections, but how can I bind these connections to each membership and role provider?

Thanks.

Posted by Community Admin on 26-Nov-2010 00:00

Hi György,

It is possible:

1. Create a new membership provider of type Telerik.Sitefinity.Security.Ldap.LdapMembershipProvider

2. Create two parameters - applicationName and connection. You can copy the applicationName from the default provider. The important part here is the connection parameter.

3. Go to LDAP settings and create a new LDAP connection with all parameters.
4. Go back to your provider parameters and set the connection.

Greetings,
Ivan Dimitrov
the Telerik team

Posted by Community Admin on 26-Nov-2010 00:00

Hi Ivan,

Thanks for the suggestion. I tried it, but I am not happy. :(
I created a new (second) membership and role provider and a new (second) LDAP connection. For the providers I created an applicationName and a connection parameter. In the connection parameter's value field I wrote the newly created LDAP connection's name.
When I get the users (Administration -> Users) from the first provider it works correctly, but from the second provider there are no users. When I get the roles (Administration -> Roles) from the first provider it works correctly, but from the second provider I get the same roles as from the first provider.
If I clear the default LDAP connection setting (Administration -> Settings, LDAP Connections section) I get no users and roles from any provider.
It seems to me that only the default provider is working correctly.

Here is my SecurityConfig.config snippet:

<roleProviders>
    <add connection="LdapConnection1" applicationName="LdapBackend/" enabled="True" name="LdapRoles1" />
    <add connection="LdapConnection2" applicationName="LdapBackend/" enabled="True" name="LdapRoles2" />
</roleProviders>
<membershipProviders>
    <add connection="LdapConnection1" applicationName="LdapBackend/" enabled="True" name="LdapUsers1" />
    <add connection="LdapConnection2" applicationName="LdapBackend/" enabled="True" name="LdapUsers2" />
</membershipProviders>
<LdapConnections defaultLdapConnection="LdapConnection1">
    <connections>
        <!-- '&' in userFilter is escaped as '&amp;' so the config stays well-formed XML -->
        <LdapConnection name="LdapConnection1"
            serverName="host.local" serverPort="389" connectionDomain="host"
            connectionUsername="UserName" connectionPassword="password"
            useSSL="False" authenticationType="Basic" connectWithLogonCredentials="False"
            resultCacheExpiration="0"
            maxReturnedUsers="10" usersDN="OU=ou1,DC=host,DC=local"
            userFilter="(&amp;(!(objectClass=computer))(objectClass=person))"
            maxReturnedRoles="10" rolesDns="OU=ou1,DC=host,DC=local"
            roleFilter="(objectClass=group)" />
        <LdapConnection name="LdapConnection2"
            serverName="host.local" serverPort="389" connectionDomain="host"
            connectionUsername="UserName" connectionPassword="password"
            useSSL="False" authenticationType="Basic" connectWithLogonCredentials="False"
            resultCacheExpiration="0"
            maxReturnedUsers="10" usersDN="OU=ou2,DC=host,DC=local"
            userFilter="(&amp;(!(objectClass=computer))(objectClass=person))"
            maxReturnedRoles="10" rolesDns="OU=ou2,DC=host,DC=local"
            roleFilter="(objectClass=group)" />
    </connections>
</LdapConnections>

Thanks.

Posted by Community Admin on 01-Dec-2010 00:00

Hello György,

Could you try to use a different applicationName for the second LDAP provider?

Kind regards,
Ivan Dimitrov
the Telerik team
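
A checker for the SecurityConfig.config fragments traded in this thread, added here as an example (it is not Sitefinity code and not from the original posts): it flags a provider whose connection attribute does not name a defined LdapConnection, two providers in one section that share an applicationName, a raw & in a filter that makes the file unparseable, and a Basic bind with useSSL="False", which sends the service account password in clear. The sample fragment, its hosts and the undefined LdapConnectionX are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# Constructed fragment shaped like the SecurityConfig.config snippets in this thread; names/hosts are placeholders.
SAMPLE_CONFIG = """<securityConfig>
  <roleProviders>
    <add connection="LdapConnection1" applicationName="LdapBackend/" enabled="True" name="LdapRoles1" />
    <add connection="LdapConnection2" applicationName="LdapBackend/" enabled="True" name="LdapRoles2" />
  </roleProviders>
  <membershipProviders>
    <add connection="LdapConnection1" applicationName="LdapBackend/" enabled="True" name="LdapUsers1" />
    <add connection="LdapConnectionX" applicationName="LdapBackend/" enabled="True" name="LdapUsers2" />
  </membershipProviders>
  <LdapConnections defaultLdapConnection="LdapConnection1">
    <connections>
      <LdapConnection name="LdapConnection1" serverName="host.local" serverPort="389" useSSL="False"
        authenticationType="Basic" userFilter="(&amp;(!(objectClass=computer))(objectClass=person))" />
      <LdapConnection name="LdapConnection2" serverName="host.local" serverPort="636" useSSL="True"
        authenticationType="Basic" userFilter="(&amp;(!(objectClass=computer))(objectClass=person))" />
    </connections>
  </LdapConnections>
</securityConfig>"""

def check_security_config(xml_text):
    """Return a list of findings for a SecurityConfig fragment (empty list = nothing flagged)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw '&' in userFilter/roleFilter is the usual cause; XML attributes need '&amp;'.
        return [f"not well-formed XML ({exc}); write '&' inside filters as '&amp;'"]
    findings = []
    conns = {c.get("name"): c for c in root.iter("LdapConnection")}
    ldap_conns = root.find("LdapConnections")
    default = ldap_conns.get("defaultLdapConnection") if ldap_conns is not None else None
    if default and default not in conns:
        findings.append(f"defaultLdapConnection '{default}' is not defined")
    for section in ("membershipProviders", "roleProviders"):
        node = root.find(section)
        seen_apps = {}  # applicationName -> provider name, to catch duplicates within a section
        for p in (node.findall("add") if node is not None else []):
            name, conn, app = p.get("name"), p.get("connection"), p.get("applicationName")
            if conn not in conns:
                findings.append(f"{section}/{name}: connection '{conn}' is not defined")
            if app in seen_apps:
                findings.append(f"{section}/{name}: applicationName '{app}' already used by {seen_apps[app]}")
            seen_apps.setdefault(app, name)
    for name, c in conns.items():
        # A simple (Basic) bind without TLS sends the service account password in clear text.
        if c.get("useSSL", "False").lower() == "false" and c.get("authenticationType") == "Basic":
            findings.append(f"LdapConnection {name}: useSSL is False with Basic bind, password travels in clear on port {c.get('serverPort', '389')}")
    return findings
```

Run it against the real App_Data\Sitefinity\Configuration\SecurityConfig.config before restarting the application; a non-empty result explains an empty 'LdapUsers' or 'LdapRoles' tab more quickly than watching the web service traffic.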

Posted by Community Admin on 03-Dec-2010 00:00

Hi Ivan,

I renamed the applicationName parameter on the second, newly created providers. The roles work properly (there are roles under the two LDAP roles tabs), but the users do not work (only one LDAP users connection works, the other still gets 'No records').

Here is my scenario:
- I created a new project with Sitefinity Project Manager (4.0.941.0)
- I went to the new project's Administration -> Settings menu
- I modified the default settings of the 'DefaultLdapConnection' in the 'LDAP connections' section to fit our infrastructure
- I enabled the built-in 'LdapUsers' provider in the 'Membership providers' section and set the connection parameter to 'DefaultLdapConnection'
- I enabled the built-in 'LdapRoles' provider in the 'Role providers' section and set the connection parameter to 'DefaultLdapConnection'

At this point everything worked perfectly: there are users in the Administration -> Users menu under the 'LdapUsers' tab and there are roles in the Administration -> Roles menu under the 'LdapRoles' tab.

Continuing:
- I created a new LDAP connection in the 'LDAP connections' section
- I created a new provider in the 'Membership providers' section, set the connection parameter to the newly created LDAP connection and set the applicationName parameter to something other than the first LDAP provider's
- I created a new provider in the 'Role providers' section, set the connection parameter to the newly created LDAP connection and set the applicationName parameter to something other than the first LDAP provider's

At this point there are two LDAP tabs in the Administration -> Roles menu and it works perfectly. In the Administration -> Users menu there are two LDAP tabs, but only the first ('LdapUsers') tab gets users. Under the newly created tab I get 'No records'. If I switch the connection strings between the built-in providers (LdapUsers, LdapRoles) and the newly created providers, the built-in providers still get users.

What am I missing?

Thanks.

Posted by Community Admin on 08-Dec-2010 00:00

Hi György,

Do you use a single LDAP with different queries? If this is the case then there should not be a problem to see your users properly.

There is a problem if you have two or more LDAPs but they are of different types, like Microsoft LDAP and OpenLDAP.

Kind regards,
Ivan Dimitrov
the Telerik team

Posted by Community Admin on 15-Dec-2010 00:00

I have followed similar steps (except just for a single AD provider), but do not see LdapUsers under Administration->Users or LdapRoles under Roles.

I have tried adding the ldapMappings shown above, but a couple of minutes after I save the file, the changes disappear. The correct values still show in the GUI, though.

snippet:

    <roleProviders>
        <add connection="DefaultLdapConnection" enabled="True" name="LdapRoles" />
    </roleProviders>
    <membershipProviders>
        <add connection="DefaultLdapConnection" enabled="True" name="LdapUsers" />
    </membershipProviders>
    <LdapConnections>
        <connections>
            <LdapConnection serverName="dc.domain.com" connectionDomain="domain.com" connectionUsername="username" connectionPassword="password" usersDN="OU=...." rolesDns="OU.." name="DefaultLdapConnection" />
        </connections>
    </LdapConnections>
</securityConfig>

Posted by Community Admin on 15-Dec-2010 00:00

Hi Matt,

If the values are in the GUI they should be in the configuration. The Settings use config files as storage. You will not see users if

1. The settings for LDAP are not correct.
2. The application is not restarted and your changes are not applied.

Best wishes,
Ivan Dimitrov
the Telerik team
