topic Re: LDAP (Active Directory) Group Permissions in Nuxeo Forum

LDAP (Active Directory) Group Permissions

DerekLechner_ — Fri, 13 Jun 2014 16:11:29 GMT

Fast Track 5.9.3

Ok, I setup basic LDAP authentication with our Active Directory.

The only file I configured is the default-ldap-users-directory-config.xml

In the userManager section, I manually have the defaultAdministratorId set to my AD useraccount, which grants me Admin access.
/> I also have the defaultGroup set to members, which gives everyone else access, as members.

So far so good, but here is what I want.

I have 3 Groups created in my AD, I would like these mapped to corresponding groups within Nuxeo.

NuxeoAdmin - Administrators
NuxeoPower - PowerUsers
NuxeoUser - Members

If you are a member of the NuxeoAdmin group, when you log into Nuxeo you will be an Admin in Nuxeo.

If you are a member of the NuxeoPower group, when you log into Nuxeo you will be in the Power Users group in Nuxeo.

If you are a member of the NuxeoUser group, when you log into Nuxeo you will be a member in Nuxeo.

Is this the right way of thinking about this? To me this seems to be the easiest, and most straight-forward. I don't need any permissions to be updated, managed through Nuxeo, as we can can do everything through AD.

Thanks

Re: LDAP (Active Directory) Group Permissions

miCRoSCoPiC_eaR — Mon, 16 Jun 2014 16:13:03 GMT

Hi DerekLechner - I'm facing serious issues with integrating with AD. I've followed the example .xml file in Nuxeo docs and modified it to suit our environment. But all AD logins are failing. It appears that you've managed to get that part working. It'll be great if you can guide me here / share the XML file. Thank you.

Re: LDAP (Active Directory) Group Permissions

DerekLechner_ — Mon, 16 Jun 2014 16:57:40 GMT

I couldn't find a good way to copy/paste the XML into the forum, so I uploaded a very lightly modified copy of the config to a website. Let me know if you have questions. I have setup LDAP for other solutions (VMWare, SAN, etc) so I know it was working. It was best to enable debugging then monitor the log files within Linux/Nuxeo to see where it saw the problem. The only real change I had to make was changing the following

Re: LDAP (Active Directory) Group Permissions

DerekLechner_ — Wed, 18 Jun 2014 15:33:32 GMT

Here is my config file.....slightly modified

Re: LDAP (Active Directory) Group Permissions

miCRoSCoPiC_eaR — Wed, 18 Jun 2014 18:15:00 GMT

Thank you very much Derek. I was able to get it up and running right-away following your example. Our config files were pretty much the same - only mistake I was making was to pass the bind username in nuxeo@domain format, which is the norm for binding AD with most third-party apps. Changing it to the CN=nuxeo,DC=blah,DC=blah format it worked perfectly.

Re: LDAP (Active Directory) Group Permissions

DerekLechner_ — Wed, 16 Jul 2014 15:38:23 GMT

I guess there isn't a way to do this.

The defaultGroup is Members, so everyone with a domain account can log in and view whatever a member can.

Then if we need to elevate a specific user's permissions: Within Nuxeo, we search for the user, and add them to the appropriate Nuxeo group (Administrators, PowerUsers, ContentReview, etc).

This works for us, and takes the overhead off of our Network Admins and onto our Training Staff to administer permissions (which is either good or bad), but we are a smaller organization.