Active Directory/LDAP Backend Access

Posted by Community Admin on 03-Aug-2018 14:56

All Replies

Posted by Community Admin on 24-Oct-2012 00:00

I must be missing something or just misunderstanding how AD integration works.  I have an Active Directory group defined.  I have LDAP integration all set up great.  In Sitefinity I can see LDAP users and LDAP groups.  I can even see my one test user is part of my LDAP group.  I have gone through the Roles/Group setup (Administration/Roles/LdapRoles/Permissions) and given my group access to ALL of the Backend global permissions.  BUT when that user attempts to log into the backend I get an error stating "You do not have a permission to access "/sitefinity/"."

If I go edit the user directly (Administration/Users/Ldapusers) and click the checkbox for "This user can access site backend" then the user can log in. 

So if I understand it correctly, I cannot have a group for Administrators in AD that will allow me to just add a user and they will have access.  I still need to go to each user individually and grant them access to log in to the /sitefinity backend?  The rest of it seems to work fine.  Once they are logged in I am seeing the menu items that I am expecting that were defined for the AD group in Sitefinity.  I'm just wondering if I am missing a checkbox somewhere that will allow everyone in that group to log in?


Posted by Community Admin on 24-Oct-2012 00:00

You can...it's in settings->security->administrative roles

Just make your provider be your AD role provider, then the role name

Posted by Community Admin on 20-Feb-2013 00:00

Is there a way to grant an AD group (under roles) backend access, but still limit the pieces they can use? (i.e. Content menu is accessible, but eCommerce is not)

Posted by Community Admin on 25-Feb-2013 00:00

Hello John,

 You can assign blanket permissions to roles by visiting administration > permissions. Your AD roles should be represented. LdapUsers, or whichever roles you have established, needs to have backend access checked on them. To enable the role provider go to Security > Roles Providers, select the “LdapRoles” provider and check the “Enabled” check box and save your settings. You can then assign the new roles in the aforementioned permissions section to allow/deny them the ability to view, edit, change permissions on the individual modules.

Greetings,
Patrick Dunn
the Telerik team
Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

Posted by Community Admin on 03-Apr-2013 00:00

Hi there. I am getting the exact same issue even with the enabled checkbox checked. 
I can see the users and the role but even with my permissions for the role set I still have to go in to each unique LDAP user and click the "can access backend" checkbox. How do I apply that control to the role?

Posted by Community Admin on 05-Apr-2013 00:00

Hello Darcy,

 Once you have accepted the LDAP groups as roles, restart your APP pool, make sure that your groups are being pulled, then you can visit Administration > Permissions and set global permissions. You can go into the Roles Administration > Users > Roles and change each role to have "Access the backend".

I hope this helps.

Regards,
Patrick Dunn
the Telerik team

Posted by Community Admin on 25-Apr-2013 00:00

That's the weird thing. The roles all have access the back-end enabled already.

Posted by Community Admin on 29-Apr-2013 00:00

Hi Darcy,

 Thank you for contacting us.

When your users log in through the backend /Sitefinity are they shown any errors? Do you see anything pop up in the ~/App_Data/Sitefinity/Logs? Also, are they selecting LDAP as their provider and not logging in with a similar account through the default or SQL membership providers?

Greetings,
Patrick Dunn
the Telerik team

Posted by Community Admin on 11-Jun-2013 00:00

Is there any update on this?  I have Sitefinity 6 and I'm still having the issue.

Posted by Community Admin on 13-Jun-2013 00:00

Hi,

We have addressed the matter in the support ticket you have open on the same issue. You can check our response there, and for your convenience please find below a quote of the response, too:

'I am afraid that there is no setting in the backend of Sitefinity you could mark in order for your LDAP users to be able to log in to Sitefinity. You have the ability to map one LDAP role to a Sitefinity role; you could go to Administration -> Settings -> Advanced -> Security -> AdministrativeRoles and map these roles. Then the changes can be seen in your SecurityConfig.config file. For instance:

<administrativeRoles>
    <role roleProvider="LdapRoles" roleName="RoleOne" />
    <role roleProvider="LdapRoles" roleName="RoleTwo" />
</administrativeRoles>

For non-administrators you need to get your LDAP users by code and assign them a role. For example BackendUsers:
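            // Requires: using System.Linq; using Telerik.Sitefinity.Security;
            var userManager = UserManager.GetManager("LdapUsers");
            var users = userManager.GetUsers().ToList();
            RoleManager roleManager = RoleManager.GetManager("AppRoles");
            // Bypasses permission checks on this provider while the roles are assigned.
            roleManager.Provider.SuppressSecurityChecks = true;
            var role = roleManager.GetRole("BackendUsers");
            // Adds every LDAP user to the BackendUsers role.
            foreach (var item in users)
            {
                roleManager.AddUserToRole(item, role);
                roleManager.SaveChanges();
            }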

Please note that there are three providers: AppRoles, LdapRoles and Default provider. If you do not specify a provider it will get the default one.

AppRoles contains the following roles:
    [0]: Role "Editors", Id=a4f170a2-dc31-43d0-b61f-1f594d5f9782
    [1]: Role "Everyone", Id=b7210e90-5a45-4073-9d0e-35c3d1849219
    [2]: Role "BackendUsers", Id=842c900e-1db1-46df-94df-3949c505ccf4
    [3]: Role "Authenticated", Id=146ce21d-8a5e-491c-875e-4702b0a7bf7d
    [4]: Role "Anonymous", Id=325b1c5b-98db-4c6a-811e-78170cc25843
    [5]: Role "Administrators", Id=e6529888-9fa0-490f-b8d4-80fbb675c2bd
    [6]: Role "Authors", Id=413b3b3e-a237-4125-a873-89cf2d201968
    [7]: Role "Owner", Id=ec5f81f5-f129-4f18-9b6b-aa144f5c7692
    [8]: Role "Users", Id=10cd1139-4154-458b-b140-b7f0ec1f7432
    [9]: Role "Designers", Id=ce349fe5-29c0-4bf3-98d7-f2511cd56e4c

I have created a feature request for you. You could track its status and vote for its popularity in PITS on the following URL.
'

Regards,
Stefani Tacheva
Telerik

This thread is closed
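
The `<administrativeRoles>` mapping quoted in the last reply makes directory group membership the gate for full Sitefinity administration, so it is worth auditing. The following is an added example, not code from the thread or from Telerik: a Python check of that section against an approved list, plus the resulting set of effective administrators. The root element name, the approved list, the extra "Content Editors" entry and the group-membership export are constructed assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment quoted in the thread inside an assumed root
# element, plus one made-up entry ("Content Editors") for the audit to flag.
SAMPLE_CONFIG = """\
<securityConfig>
  <administrativeRoles>
    <role roleProvider="LdapRoles" roleName="RoleOne" />
    <role roleProvider="LdapRoles" roleName="RoleTwo" />
    <role roleProvider="LdapRoles" roleName="Content Editors" />
  </administrativeRoles>
</securityConfig>
"""

# Assumption: the (provider, role) pairs approved to act as administrators.
APPROVED = {("LdapRoles", "RoleOne"), ("LdapRoles", "RoleTwo")}

# Constructed directory export: members of each LDAP group (made-up names).
GROUP_MEMBERS = {
    "RoleOne": ["alice"],
    "RoleTwo": ["bob", "alice"],
    "Content Editors": ["carol"],
}


def admin_role_mappings(xml_text):
    """Return (roleProvider, roleName) for each <role> under <administrativeRoles>."""
    root = ET.fromstring(xml_text)
    return [(r.get("roleProvider", ""), r.get("roleName", ""))
            for section in root.iter("administrativeRoles")
            for r in section.findall("role")]


def audit(xml_text, approved=APPROVED):
    """Exact-match comparison of the config against the approved list."""
    found = admin_role_mappings(xml_text)
    return {
        "unapproved": [p for p in found if p not in approved],  # admin without sign-off
        "missing": sorted(approved - set(found)),               # stale approval entries
    }


def effective_admins(xml_text, group_members):
    """Map each user to the admin-mapped LDAP groups that make them an administrator."""
    admins = {}
    for provider, role in admin_role_mappings(xml_text):
        if provider != "LdapRoles":
            continue  # the membership export only covers the LDAP provider
        for user in group_members.get(role, []):
            admins.setdefault(user, []).append(role)
    return admins
```
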