+1-888-365-2779
Try Now
More in this section

Forums / General Discussions / Active Directory/LDAP Backend Access

Active Directory/LDAP Backend Access

10 posts, 1 answered
  1. John
    John avatar
    2 posts
    Registered:
    22 Oct 2012
    24 Oct 2012
    Link to this post
    I must be missing something or just missunderstanding how AD integration works.  I have an Active Directory group defined.  I have LDAP integration all set up great.  In Sitefinity I can see LDAP users and LDAP groups.  I can even see my one test user is part of my LDAP group.  I have gone through the Roles/Group setup (Administration/Roles/LdapRoles/Permissions) and given my group access to ALL of the Backend global permissions.  BUT when that user attempts to log into the backend I get an error stating "You do not have a permission to access "/sitefinity/"."

    If I go edit the user directly (Administration/Users/Ldapusers) and click the checkbox for "This user can access site backend" then the user can log in. 

    So if I understand it correctly, I cannot have a group for Administrators in AD that will allow me to just add a user and they will have access.  I still need to go to each user individually and grant them access to log in to the /sitefinity backend?  The rest of it seems to work fine.  Once they are logged in I am seeing the menu items that I am expecting that were defined for the AD group in Sitefinity.  I'm just wondering if I am missing a checkbox somewhere that will allow everyone in that group to log in?


  2. Steve
    Steve avatar
    3037 posts
    Registered:
    03 Dec 2008
    24 Oct 2012 in reply to John
    Link to this post
    You can...it's in settings->security->administrative roles

    Just make your provider be your AD role provider, then the role name
    Answered
  3. Mark
    Mark avatar
    20 posts
    Registered:
    15 Oct 2012
    20 Feb 2013
    Link to this post

    Is there a way to grant an AD group (under roles) backend access, but still limit the pieces they can use? (ie. Content menu is accessible, but eCommerce is not)

  4. Patrick Dunn
    Patrick Dunn avatar
    237 posts
    Registered:
    03 Nov 2014
    25 Feb 2013
    Link to this post
    Hello John,

     You can assign blanket permissions to roles by visiting administration > permissions. Your AD roles should be represented. LdapUsers, or whichever roles you have established, needs to have backend access checked on them. To enable the role provider go to Security > Roles Providers, select the “LdapRoles” provider and check the “Enabled” check box and save your settings. You can then assign the new roles in the aforementioned permissions section to allow/deny them the ability to view, edit, change permissions on the individual modules.

    Greetings,
    Patrick Dunn
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  5. Darcy
    Darcy avatar
    10 posts
    Registered:
    28 Feb 2012
    03 Apr 2013
    Link to this post
    Hi there. I am getting the exact same issue even with the enabled checkbox checked. 
    I can see the users and the role but even with my permissions for the role set I still have to go in to each unique LDAP user and click the "can access backend" checkbox. How do I apply that control to the role?
  6. Patrick Dunn
    Patrick Dunn avatar
    237 posts
    Registered:
    03 Nov 2014
    05 Apr 2013
    Link to this post
    Hello Darcy,

     Once you have accepted the LDAP groups as roles, restart your APP pool, make sure that your groups are being pulled, then you can visit Administration > Permissions and set global permissions. You can go into the Roles Administration > Users > Roles and change each role to have "Access the backend".

    I hope this helps.

    Regards,
    Patrick Dunn
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  7. Darcy
    Darcy avatar
    10 posts
    Registered:
    28 Feb 2012
    25 Apr 2013 in reply to Patrick Dunn
    Link to this post
    That's the weird thing. The roles all have access the back-end enabled already.
  8. Patrick Dunn
    Patrick Dunn avatar
    237 posts
    Registered:
    03 Nov 2014
    29 Apr 2013
    Link to this post
    Hi Darcy,

     Thank you for contacting us.

    When your users log in through the backend /Sitefinity are they shown any errors? Do you see anything pop up in the ~/App_Data/Sitefinity/Logs? Also, are they selecting LDAP as their provider and not logging in with a similar account through the default or SQL membership providers?

    Greetings,
    Patrick Dunn
    the Telerik team
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
  9. Andrew
    Andrew avatar
    15 posts
    Registered:
    28 Dec 2012
    11 Jun 2013
    Link to this post
    Is there any update on this?  I have sitefinity 6 and I'm still having the issue.
  10. Stefani Tacheva
    Stefani Tacheva avatar
    718 posts
    Registered:
    06 Dec 2016
    13 Jun 2013
    Link to this post
    Hi,

    We have addressed the matter in the support ticket you have open on the same issue. You can check our response there, and for your convenience please find below a quote of the response, too:

    'I am afraid that there is no setting in the backend of Sitefinity you could mark in order your LDAP users to be able to log in in Sitefinity. You have the ability to map one LDAP role to Sitefinity role you could go to Administration -> Settings -> Advanced -> Security -> AdministrativeRoles and map these roles. Then the changes could be seen in your SecurityConfig.config file. For instance:
    <administrativeRoles>
        <role roleProvider="LdapRoles" roleName="RoleOne" />
        <role roleProvider="LdapRoles" roleName="RoleTwo" />
    </administrativeRoles>

    For non-administrators you need to get your LDAP users by code and assign them a role. For example BackendUsers:
                     var userManager = UserManager.GetManager("LdapUsers");
                var users = userManager.GetUsers().ToList();
                RoleManager roleManager = RoleManager.GetManager("AppRoles");
                roleManager.Provider.SuppressSecurityChecks = true;
                var role = roleManager.GetRole("BackendUsers");
                foreach (var item in users)
                {
                    roleManager.AddUserToRole(item, role);
                    roleManager.SaveChanges();
                }

    Please note that there are three providers: AppRoles, LdapRoles and Default provider. If you do not specify a provider it will get the default one.

    AppRoles contains the following roles:
        [0]: Role "Editors", Id={a4f170a2-dc31-43d0-b61f-1f594d5f9782}
        [1]: Role "Everyone", Id={b7210e90-5a45-4073-9d0e-35c3d1849219}
        [2]: Role "BackendUsers", Id={842c900e-1db1-46df-94df-3949c505ccf4}
        [3]: Role "Authenticated", Id={146ce21d-8a5e-491c-875e-4702b0a7bf7d}
        [4]: Role "Anonymous", Id={325b1c5b-98db-4c6a-811e-78170cc25843}
        [5]: Role "Administrators", Id={e6529888-9fa0-490f-b8d4-80fbb675c2bd}
        [6]: Role "Authors", Id={413b3b3e-a237-4125-a873-89cf2d201968}
        [7]: Role "Owner", Id={ec5f81f5-f129-4f18-9b6b-aa144f5c7692}
        [8]: Role "Users", Id={10cd1139-4154-458b-b140-b7f0ec1f7432}
        [9]: Role "Designers", Id={ce349fe5-29c0-4bf3-98d7-f2511cd56e4c}

    I have created a feature request for you. You could track its status and vote for its popularity in PITS on the following URL.
    '

    Regards,
    Stefani Tacheva
    Telerik
    Do you want to have your say in the Sitefinity development roadmap? Do you want to know when a feature you requested is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items
10 posts, 1 answered