Active Directory/LDAP Backend Access - General Discussions - General Discussions - Progress Community

Active Directory/LDAP Backend Access

  • I must be missing something or just misunderstanding how AD integration works.  I have an Active Directory group defined.  I have LDAP integration all set up great.  In Sitefinity I can see LDAP users and LDAP groups.  I can even see my one test user is part of my LDAP group.  I have gone through the Roles/Group setup (Administration/Roles/LdapRoles/Permissions) and given my group access to ALL of the Backend global permissions.  BUT when that user attempts to log into the backend I get an error stating "You do not have a permission to access "/sitefinity/"."

    If I go edit the user directly (Administration/Users/Ldapusers) and click the checkbox for "This user can access site backend" then the user can log in. 

    So if I understand it correctly, I cannot have a group for Administrators in AD that will allow me to just add a user and they will have access.  I still need to go to each user individually and grant them access to log in to the /sitefinity backend?  The rest of it seems to work fine.  Once they are logged in I am seeing the menu items that I am expecting that were defined for the AD group in Sitefinity.  I'm just wondering if I am missing a checkbox somewhere that will allow everyone in that group to log in?


  • You can...it's in settings->security->administrative roles

    Just make your provider be your AD role provider, then the role name
  • Is there a way to grant an AD group (under roles) backend access, but still limit the pieces they can use? (i.e. Content menu is accessible, but eCommerce is not)

  • Hello John,

     You can assign blanket permissions to roles by visiting administration > permissions. Your AD roles should be represented. LdapUsers, or whichever roles you have established, needs to have backend access checked on them. To enable the role provider go to Security > Roles Providers, select the “LdapRoles” provider and check the “Enabled” check box and save your settings. You can then assign the new roles in the aforementioned permissions section to allow/deny them the ability to view, edit, change permissions on the individual modules.

    Greetings,
    Patrick Dunn
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  • Hi there. I am getting the exact same issue even with the enabled checkbox checked. 
    I can see the users and the role but even with my permissions for the role set I still have to go in to each unique LDAP user and click the "can access backend" checkbox. How do I apply that control to the role?
  • Hello Darcy,

     Once you have accepted the LDAP groups as roles, restart your APP pool, make sure that your groups are being pulled, then you can visit Administration > Permissions and set global permissions. You can go into the Roles Administration > Users > Roles and change each role to have "Access the backend".

    I hope this helps.

    Regards,
    Patrick Dunn
    the Telerik team
  • That's the weird thing. The roles all have access the back-end enabled already.
  • Hi Darcy,

     Thank you for contacting us.

    When your users log in through the backend /Sitefinity are they shown any errors? Do you see anything pop up in the ~/App_Data/Sitefinity/Logs? Also, are they selecting LDAP as their provider and not logging in with a similar account through the default or SQL membership providers?

    Greetings,
    Patrick Dunn
    the Telerik team
  • Is there any update on this?  I have Sitefinity 6 and I'm still having the issue.
  • Hi,

    We have addressed the matter in the support ticket you have open on the same issue. You can check our response there, and for your convenience please find below a quote of the response, too:

    'I am afraid that there is no setting in the backend of Sitefinity you could mark in order for your LDAP users to be able to log in to Sitefinity. You have the ability to map one LDAP role to a Sitefinity role: you could go to Administration -> Settings -> Advanced -> Security -> AdministrativeRoles and map these roles. Then the changes could be seen in your SecurityConfig.config file. For instance:
    <administrativeRoles>
        <role roleProvider="LdapRoles" roleName="RoleOne" />
        <role roleProvider="LdapRoles" roleName="RoleTwo" />
    </administrativeRoles>

    For non-administrators you need to get your LDAP users by code and assign them a role. For example BackendUsers:
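                // Requires: using System.Linq; using Telerik.Sitefinity.Security;
                // Load every user from the LDAP membership provider.
                var userManager = UserManager.GetManager("LdapUsers");
                var users = userManager.GetUsers().ToList();
                RoleManager roleManager = RoleManager.GetManager("AppRoles");
                // Bypass Sitefinity permission checks for this manager instance.
                roleManager.Provider.SuppressSecurityChecks = true;
                var role = roleManager.GetRole("BackendUsers");
                // Add each LDAP user to the BackendUsers role.
                foreach (var item in users)
                {
                    roleManager.AddUserToRole(item, role);
                    roleManager.SaveChanges();
                }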

    Please note that there are three providers: AppRoles, LdapRoles and Default provider. If you do not specify a provider it will get the default one.

    AppRoles contains the following roles:
        [0]: Role "Editors", Id=a4f170a2-dc31-43d0-b61f-1f594d5f9782
        [1]: Role "Everyone", Id=b7210e90-5a45-4073-9d0e-35c3d1849219
        [2]: Role "BackendUsers", Id=842c900e-1db1-46df-94df-3949c505ccf4
        [3]: Role "Authenticated", Id=146ce21d-8a5e-491c-875e-4702b0a7bf7d
        [4]: Role "Anonymous", Id=325b1c5b-98db-4c6a-811e-78170cc25843
        [5]: Role "Administrators", Id=e6529888-9fa0-490f-b8d4-80fbb675c2bd
        [6]: Role "Authors", Id=413b3b3e-a237-4125-a873-89cf2d201968
        [7]: Role "Owner", Id=ec5f81f5-f129-4f18-9b6b-aa144f5c7692
        [8]: Role "Users", Id=10cd1139-4154-458b-b140-b7f0ec1f7432
        [9]: Role "Designers", Id=ce349fe5-29c0-4bf3-98d7-f2511cd56e4c

    I have created a feature request for you. You could track its status and vote for its popularity in PITS on the following URL.
    '

    Regards,
    Stefani Tacheva
    Telerik
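An added example, not part of the thread and not Sitefinity code: since a role listed under administrativeRoles is treated as administrative, and membership of an LdapRoles role is decided in the directory rather than in Sitefinity, this script lists the mappings in a SecurityConfig.config-style document and reports any that are not on a reviewed list. The wrapping root element, the APPROVED set and the sample entries beyond the two quoted above are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the two <role> entries quoted in the thread, plus a
# constructed duplicate and a constructed incomplete entry, inside a
# placeholder root element.
SAMPLE_CONFIG = """
<securityConfig>
  <administrativeRoles>
    <role roleProvider="LdapRoles" roleName="RoleOne" />
    <role roleProvider="LdapRoles" roleName="RoleTwo" />
    <role roleProvider="LdapRoles" roleName="RoleOne" />
    <role roleProvider="LdapRoles" />
  </administrativeRoles>
</securityConfig>
"""

# Hypothetical allow-list of (roleProvider, roleName) pairs that were reviewed
# and approved for administrative access.
APPROVED = {("LdapRoles", "RoleOne")}


def audit_admin_roles(config_xml, approved):
    """Return (finding, provider, role) tuples for entries that need review.

    Matching is exact, so an entry that differs from the approved pair only in
    case is reported as unapproved rather than silently accepted.
    """
    root = ET.fromstring(config_xml)
    findings = []
    seen = set()
    # iter() also matches the root itself, so a bare fragment works too.
    for container in root.iter("administrativeRoles"):
        for role in container.findall("role"):
            provider = role.get("roleProvider", "")
            name = role.get("roleName", "")
            key = (provider, name)
            if not provider or not name:
                findings.append(("incomplete", provider, name))
            elif key in seen:
                findings.append(("duplicate", provider, name))
            elif key not in approved:
                findings.append(("unapproved", provider, name))
            seen.add(key)
    return findings


if __name__ == "__main__":
    for finding in audit_admin_roles(SAMPLE_CONFIG, APPROVED):
        print(finding)
```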