Telerik Active Directory Providers
The Telerik Active Directory Membership and Telerik Active Directory Role providers use LDAP to connect to Active Directory as a data source. This gives a Web application the ability to work with users defined in the domain.
The membership provider is based on System.Web.Security.ActiveDirectoryMembershipProvider and only overrides the username format, stripping the domain name from it.
The role provider works much like the WindowsTokenRoleProvider, but extends it with the methods needed for user administration. It is configurable, so any domain-specific query strings can easily be changed. See Role Providers.
Both providers can be extended in order to customize any needed functionality.
Telerik.Security.ActiveDirectory.TelerikADMembershipProvider is used as the membership provider, while Telerik.Security.ActiveDirectory.TelerikADRoleProvider is used as the role provider.
TelerikADRoleProvider
The Telerik Active Directory Role Provider inherits from System.Web.Security.RoleProvider and works with an Active Directory data source. Using the Telerik AD membership and Telerik AD role providers together is the easiest combination when working with an Active Directory data source in Sitefinity.
The most commonly used AD role provider is the WindowsTokenRoleProvider. However, it is limited, and its functionality is not sufficient for Sitefinity administration. TelerikADRoleProvider provides the same functionality plus the extra methods required for role management.
To have an Active Directory connection, you must first specify the connection string in the connectionStrings section of the web.config file:

Add AD Connection String

<add name="ActiveDirectory" connectionString="yourConnectionString" />

where yourConnectionString is a valid LDAP connection string (for example, LDAP://telerik.com).
Following is the configuration for the AD role provider, placed inside the system.web tag. Note that the ampersand in the LDAP filters must be written as &amp;amp; so that web.config remains well-formed XML:

AD Role Provider

<roleManager enabled="true" cacheRolesInCookie="true" defaultProvider="Sitefinity">
  <providers>
    <clear/>
    <add name="Sitefinity"
         applicationName="/"
         description="Telerik Role provider for Active Directory"
         authenticationType="Secure"
         userSearchFilter="(&amp;(sAMAccountType=805306368)(sAMAccountName={0}))"
         roleSearchFilter="(&amp;(objectClass=group)(sAMAccountName={0}))"
         userDefinitionFilter="sAMAccountType=805306368"
         groupDefinitionFilter="(objectClass=group)"
         connectionStringName="ActiveDirectory"
         type="Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security"
         connectionUsername="username"
         connectionPassword="password"
         groupMaps="group1, group2, group3"
         domainName="telerik.com"
         searchScope="subtree"
    />
  </providers>
</roleManager>
Following is a description of each attribute of the Sitefinity provider:

| Attribute | Description |
| applicationName | not used |
| description | description of the provider; inherited from the base provider class System.Configuration.Provider.ProviderBase |
| authenticationType | the System.DirectoryServices.AuthenticationTypes value used for authentication against Active Directory |
| userSearchFilter | the filter for querying AD for a user entry. Used to check that the searched AD object is a user whose ID equals the given ID. Must contain {0}, which is replaced with the actual username |
| groupSearchFilter | the filter for querying AD for a group entry. Used to check that the searched AD object is a group whose ID equals the given ID. Must contain {0}, which is replaced with the actual group name |
| userDefinitionFilter | the filter for querying AD for users. Used to check whether an AD object is a user |
| groupDefinitionFilter | the filter for querying AD for groups. Used to check whether an AD object is a group |
| connectionStringName | the name of the AD connection string to use |
| connectionUserName | the username used for AD authentication |
| connectionPassword | the password used for AD authentication |
| groupMaps | a comma-separated list of the roles the provider works with. Setting specific roles lets administrators choose which roles to manage. If this list is not set, all Windows groups available in the current domain are used as roles |
| domainName | specifies whether a domain name is present in the connection string or a serverless connection is established. The default value is an empty string, which means the provider internally uses a serverless connection |
| searchScope | the search scope used when querying the domain for all groups and for all users in a group. Possible values are: subTree (searches the entire subtree), oneLevel (searches only the first level below the object provided in the connection string) and base (searches only the object provided in the connection string) |
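The attributes above are easy to get subtly wrong (a filter without its {0} placeholder, a connectionStringName that matches no connectionStrings entry, a raw & in a filter that makes web.config unparsable). The following added example, which is not part of the Telerik documentation or product, parses a constructed web.config fragment that mirrors the documented provider section and reports such inconsistencies; the sample values (example.test, svc-sitefinity, the placeholder password) are made up for the example, and the checks are the example's own rather than anything the provider performs.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.config (not from the documentation): the documented
# roleManager section plus the connectionStrings entry it refers to.  "&" inside
# the LDAP filters is written as "&amp;" so that the file is well-formed XML.
SAMPLE_WEB_CONFIG = """<configuration>
  <connectionStrings>
    <add name="ActiveDirectory" connectionString="LDAP://example.test" />
  </connectionStrings>
  <system.web>
    <roleManager enabled="true" cacheRolesInCookie="true" defaultProvider="Sitefinity">
      <providers>
        <clear/>
        <add name="Sitefinity"
             applicationName="/"
             description="Telerik Role provider for Active Directory"
             authenticationType="Secure"
             userSearchFilter="(&amp;(sAMAccountType=805306368)(sAMAccountName={0}))"
             roleSearchFilter="(&amp;(objectClass=group)(sAMAccountName={0}))"
             userDefinitionFilter="sAMAccountType=805306368"
             groupDefinitionFilter="(objectClass=group)"
             connectionStringName="ActiveDirectory"
             type="Telerik.Security.ActiveDirectory.TelerikADRoleProvider, Telerik.Security"
             connectionUsername="svc-sitefinity"
             connectionPassword="placeholder-password"
             groupMaps="Sitefinity team, Editors, Contributors"
             domainName="example.test"
             searchScope="subtree" />
      </providers>
    </roleManager>
  </system.web>
</configuration>"""

VALID_SCOPES = {"subtree", "onelevel", "base"}


def parse_group_maps(value):
    """Split the comma-separated groupMaps attribute into role names.

    An empty or missing value returns [], which per the documentation means
    every Windows group in the domain is exposed as a role."""
    if not value:
        return []
    return [part.strip() for part in value.split(",") if part.strip()]


def validate_role_provider(xml_text):
    """Check the role provider section; returns a list of findings (empty = consistent)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # A raw "&" inside a filter attribute is the usual cause of this.
        return [f"not well-formed XML ({exc}); write '&' in LDAP filters as '&amp;'"]

    findings = []
    conn_names = {e.get("name") for cs in root.iter("connectionStrings")
                  for e in cs.findall("add")}
    role_manager = next(root.iter("roleManager"), None)
    if role_manager is None:
        return ["no <roleManager> element found"]

    providers = {p.get("name"): p.attrib
                 for p in role_manager.findall("./providers/add")}
    default = role_manager.get("defaultProvider")
    if default not in providers:
        findings.append(f"defaultProvider '{default}' is not a configured provider")

    for name, attrs in providers.items():
        conn = attrs.get("connectionStringName")
        if conn not in conn_names:
            findings.append(f"{name}: connectionStringName '{conn}' has no matching "
                            "<connectionStrings> entry")
        # Both per-entry filters are templates; without {0} the username or
        # group name would never be substituted in.
        for key in ("userSearchFilter", "roleSearchFilter"):
            if "{0}" not in attrs.get(key, ""):
                findings.append(f"{name}: {key} must contain the {{0}} placeholder")
        scope = attrs.get("searchScope", "")
        if scope.lower() not in VALID_SCOPES:
            findings.append(f"{name}: searchScope '{scope}' is not subtree, oneLevel or base")
        # A password in web.config is readable by anyone who can read the file.
        if attrs.get("connectionPassword"):
            findings.append(f"{name}: connectionPassword is stored in clear text; "
                            "consider encrypting this configuration section")
    return findings


if __name__ == "__main__":
    for finding in validate_role_provider(SAMPLE_WEB_CONFIG):
        print(finding)
    print(parse_group_maps("Sitefinity team, Editors, Contributors"))
```

Run against the sample, the only finding is the clear-text connectionPassword; ASP.NET's aspnet_regiis -pe can encrypt a configuration section so the credential does not sit in the file as plain text. Replacing &amp;amp; with a bare & in the sample reproduces the parse error a malformed web.config would cause.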
If connectionUserName and connectionPassword are not set, the IIS account is used. If impersonation is enabled (impersonate set to true in the identity tag, as the following example shows), the current user's credentials are used in the process. Otherwise, the default IIS account is used (ASPNET for IIS 5.1, Network Service for IIS 6.0).

Impersonation (ASP.NET)

<identity impersonate="true" />
The GetRolesForUser(string username) method retrieves the list of groups for the given username. It uses the userSearchFilter property as its search string.
Scenario
The Active Directory role provider only reports which user belongs to which Windows groups. The permissions for these roles are not managed by the role provider.
Let's assume an administrator is a user that belongs to an unrestricted role. For example, the Telerik domain has the following groups: Sitefinity team, WinForms team and Reporting team. If a user belongs to the "Sitefinity team" group and needs to be an administrator (have unrestricted rights), the following should be set in the web.config file:
web.config

<Telerik>
  ...
  <security>
    <roles>
      ...
      <add name="Sitefinity team" permission="Unrestricted"/>
    </roles>
  </security>
</Telerik>
Once a Sitefinity team member logs in, he or she can grant any permissions to the WinForms and Reporting teams.
This Sitefinity administrator can only grant permissions to the Windows groups of the site's domain. So, if there is a team that should only edit pages, the domain administrator should add these people to a Windows group, say "Editors". Likewise, if there is a team that should only add content to pages, the administrator should add these people to a Windows group such as "Contributors". Then, in the Sitefinity Admin part, the administrator gives both roles (which represent their respective Windows groups, "Editors" and "Contributors") the corresponding permissions: editing pages or adding content only.
TelerikADMembershipProvider
The Telerik Active Directory Membership Provider works with Active Directory as its data source. Using the Telerik AD membership and Telerik AD role providers together is the easiest combination when working with Active Directory in Sitefinity. TelerikADMembershipProvider can be used for both Windows and forms authentication.
Both TelerikADMembershipProvider and ActiveDirectoryMembershipProvider (the Active Directory membership provider supplied by the .NET Framework) operate on users in Active Directory. However, TelerikADMembershipProvider only changes the username format of ActiveDirectoryMembershipProvider: Sitefinity works with clean usernames (John rather than John@domain.com or domain\John), and the provider overrides the GetUser() method accordingly.
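The clean-username rule just described, and the substitution of that username into the userSearchFilter template that GetRolesForUser(string username) relies on in the role provider section above, are shown together in the following added example. It is not part of the Telerik documentation or the providers' code: the template string is the one from the documented role provider configuration, and the RFC 4515 escaping applied before the username replaces {0} is this example's own choice for a custom provider that builds its own filters, since the page does not describe how the Telerik provider performs the substitution. The usernames and the TELERIK domain prefix are constructed inputs.

```python
# The documented userSearchFilter template (from the role provider configuration).
USER_SEARCH_FILTER = "(&(sAMAccountType=805306368)(sAMAccountName={0}))"

# RFC 4515 section 3: characters that are special inside a filter assertion value.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def strip_domain(username):
    """Reduce 'domain\\user' or 'user@domain' to the bare username Sitefinity works with."""
    if "\\" in username:
        username = username.rsplit("\\", 1)[1]
    if "@" in username:
        username = username.split("@", 1)[0]
    return username


def escape_filter_value(value):
    """Escape a value so it is matched literally inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter(username, template=USER_SEARCH_FILTER):
    """Fill the {0} placeholder of a userSearchFilter template with a clean, escaped username.

    Escaping keeps the submitted name inside the single sAMAccountName assertion,
    so a name containing * or ( cannot widen or restructure the query."""
    if "{0}" not in template:
        raise ValueError("userSearchFilter must contain the {0} placeholder")
    clean = strip_domain(username)
    if not clean:
        raise ValueError("username is empty after removing the domain part")
    return template.replace("{0}", escape_filter_value(clean))


if __name__ == "__main__":
    # Constructed inputs: the three username shapes the documentation mentions,
    # plus one containing a filter metacharacter.
    for raw in ("John", "John@telerik.com", "TELERIK\\John", "j*"):
        print(f"{raw!r:20} -> {build_user_filter(raw)}")
```

The same escape_filter_value step applies to the group name substituted into the group search filter.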
To use an Active Directory connection, you have to specify the connection string in the connectionStrings section of the web.config file:

Add AD Connection String

<add name="ActiveDirectory" connectionString="yourConnectionString" />