3
votes

We have Sitecore 6.5 with AD Module 1.0.4.

Users who are in the AD group for DEPARTMENT\SitecoreUsers can log in to Sitecore, but users who are in the DEPARTMENT\Sitecore_Role1 group cannot log in even though the DEPARTMENT\Sitecore_Role1 group is a member of Sitecore_Users.

The LDAP.IncludeIndirectMembership is set to true and all the groups that have membership in DOMAIN\SitecoreUsers show up in the role manager. I have tried adding the Sitecore_Role1 role as a member of sitecore\Sitecore Client Users, but that still did not allow Sitecore_Role1 members to log in.

Do all of our AD users have to be added to both their Sitecore_Role group and the Sitecore_Users group? I thought that belonging to member groups should allow them to log in to Sitecore. Can someone please set me straight?

I have worked through the Sitecore AD Module Admin guide and think that I have set it up correctly, but here is what I think are the relevant settings for review.

The connection string being used is:

<add name="WUDOSISConnectionString" connectionString="LDAP://wudosis.wustl.edu:389/DC=department,DC=ourorg,DC=edu"/>

and our AD is set up like

- Department
    + Groups
        * Sitecore
            - Sitecore_Users
            - Sitecore_Role1 (Member of Sitecore_Users)
            - Sitecore_Role2 (Member of Sitecore_Users)

The items in system.web/membership/providers, roleManager, and profile all have a customFilter = (memberOf=CN=Sitecore_Users,OU=Sitecore,OU=Groups,DC=department,DC=ourorg,DC=edu)

1
Hi Daniel, setting this up can be quite frustrating. I normally use an AD browser to see if I get the right roles/user from the AD. Something like this: technet.microsoft.com/en-us/sysinternals/bb963907.aspx Can you see the roles, using the same credentials as your connection string and custom filters?
Jens Mikkelsen

Thanks, Jens. I got the AD Explorer and can see the users added directly to the group and the groups that are members, but not any members of the 'groups-in-group'. I am trying to figure out a better filter that will get all the users, but it is pretty confusing.
Daniel Govier

@JensMikkelsen, you set me on the right path of getting the right LDAP filter. The right one was (|(&amp;(objectCategory=group)(cn=Sitecore_Users))(memberof:1.2.840.113556.1.4.1941:=CN=Sitecore_Users,OU=Sitecore,OU=Groups,DC=department,DC=ourorg,DC=edu)) I would give you credit for an answer if I knew how.
Daniel Govier

I don't know how. I think you can just upvote my comment. As mine wasn't the answer, I think you should answer yourself with the correct connection and then mark it as an answer. :)
Jens Mikkelsen

1 Answer

1
votes

The correct syntax for getting the descendant members of an AD group is:

(memberof:1.2.840.113556.1.4.1941:=CN=Sitecore_Users,OU=Sitecore,OU=Groups,DC=department,DC=ourorg,DC=edu)

If you want to include the group itself in the result along with its members and members of member-groups, use:

(|(&amp;(objectCategory=group)(cn=Sitecore_Users))(memberof:1.2.840.113556.1.4.1941:=CN=Sitecore_Users,OU=Sitecore,OU=Groups,DC=department,DC=ourorg,DC=edu))

Note that the &amp; value replaces the normal ampersand because the line is included in the site's web.config and ampersands are not valid XML characters.

The comment that @JensMikkelsen made led me to change my thinking from how the Sitecore AD Module was working to how LDAP filters work. More research on Stack Overflow led to this Stack Overflow answer, which had a link to some LDAP documentation. An additional Google search led to more LDAP syntax documentation.

The key to the solution was to realize that memberOf did not work the way I thought. Rather than cascading down through the group membership, it only returns direct members. To get further down the membership chain, using LDAP_MATCHING_RULE_IN_CHAIN was necessary. That looks like this:

(memberof:1.2.840.113556.1.4.1941:=CN=Group1,OU=groupsOU,DC=x)

Using Jens's idea of using an Active Directory browser to work out the correct filter led me to the values above. I used both the Active Directory Browser, because it allowed me to change the user, and the Active Directory Administration Center, because it was easier to figure out how to enter the LDAP filter the same way I would use it as a customFilter value in the Sitecore AD Module.
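As an added example (not code from the answer or from the Sitecore AD Module), the script below builds the LDAP_MATCHING_RULE_IN_CHAIN filter from the answer, escapes it for use as a web.config attribute value (the &amp; point above), and replays the question's situation against a constructed in-memory directory: a plain memberOf lookup sees only direct members of Sitecore_Users, while the in-chain evaluation also reaches users who belong to Sitecore_Role1. The group and user DNs are constructed sample values.

```python
# Added example, not from the original answer: build the in-chain filter, escape it
# for web.config, and show why (memberOf=...) misses users of member groups.
from xml.sax.saxutils import escape

IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN OID

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value embedded in an LDAP filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def nested_members_filter(group_dn: str, include_group: bool = False) -> str:
    """Match direct and indirect members of group_dn (optionally the group too)."""
    chain = "(memberof:%s:=%s)" % (IN_CHAIN, escape_filter_value(group_dn))
    if not include_group:
        return chain
    cn = group_dn.split(",")[0].split("=", 1)[1]  # value of the first RDN
    return "(|(&(objectCategory=group)(cn=%s))%s)" % (escape_filter_value(cn), chain)

def web_config_value(ldap_filter: str) -> str:
    """Escape the filter for an XML attribute such as customFilter="..."."""
    return escape(ldap_filter, {'"': "&quot;"})

# Constructed directory (sample values): group DN -> member DNs (users or groups).
SITECORE_USERS = "CN=Sitecore_Users,OU=Sitecore,OU=Groups,DC=department,DC=ourorg,DC=edu"
SITECORE_ROLE1 = "CN=Sitecore_Role1,OU=Sitecore,OU=Groups,DC=department,DC=ourorg,DC=edu"
MEMBERS = {
    SITECORE_USERS: {"CN=alice,OU=Staff,DC=department,DC=ourorg,DC=edu", SITECORE_ROLE1},
    SITECORE_ROLE1: {"CN=bob,OU=Staff,DC=department,DC=ourorg,DC=edu"},
}

def direct_members(group_dn: str) -> set:
    """What a plain (memberOf=group_dn) filter returns: direct members only."""
    return set(MEMBERS.get(group_dn, ()))

def chain_members(group_dn: str, seen=None) -> set:
    """What the in-chain rule returns: members of member groups too (cycle-safe)."""
    seen = set() if seen is None else seen
    result = set()
    for dn in MEMBERS.get(group_dn, ()):
        if dn not in seen:
            seen.add(dn)
            result.add(dn)
            result |= chain_members(dn, seen)
    return result

if __name__ == "__main__":
    print("direct:", sorted(direct_members(SITECORE_USERS)))
    print("nested:", sorted(chain_members(SITECORE_USERS)))
    print(web_config_value(nested_members_filter(SITECORE_USERS, include_group=True)))
```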