LDAP (Active Directory) Group Permissions

DerekLechner_
Champ on-the-rise

Fast Track 5.9.3

Ok, I setup basic LDAP authentication with our Active Directory.

The only file I configured is the default-ldap-users-directory-config.xml

In the userManager section, I manually have the defaultAdministratorId set to my AD useraccount, which grants me Admin access.
I also have the defaultGroup set to members, which gives everyone else access, as members.

So far so good, but here is what I want.

I have 3 Groups created in my AD, I would like these mapped to corresponding groups within Nuxeo.

  • NuxeoAdmin - Administrators
  • NuxeoPower - PowerUsers
  • NuxeoUser - Members

If you are a member of the NuxeoAdmin group, when you log into Nuxeo you will be an Admin in Nuxeo.

If you are a member of the NuxeoPower group, when you log into Nuxeo you will be in the Power Users group in Nuxeo.

If you are a member of the NuxeoUser group, when you log into Nuxeo you will be a member in Nuxeo.

Is this the right way of thinking about this? To me this seems to be the easiest and most straightforward. I don't need any permissions to be updated or managed through Nuxeo, as we can do everything through AD.

Thanks

5 REPLIES

miCRoSCoPiC_eaR
Champ in-the-making

Hi DerekLechner - I'm facing serious issues with integrating with AD. I've followed the example .xml file in Nuxeo docs and modified it to suit our environment. But all AD logins are failing. It appears that you've managed to get that part working. It'll be great if you can guide me here / share the XML file. Thank you.

DerekLechner_
Champ on-the-rise

I couldn't find a good way to copy/paste the XML into the forum, so I uploaded a very lightly modified copy of the config to a website. Let me know if you have questions. I have set up LDAP for other solutions (VMWare, SAN, etc.), so I know it was working. It was best to enable debugging, then monitor the log files within Linux/Nuxeo to see where it saw the problem. The only real change I had to make was changing the following

DerekLechner_
Champ on-the-rise

Thank you very much Derek. I was able to get it up and running right away following your example. Our config files were pretty much the same; the only mistake I was making was to pass the bind username in nuxeo@domain format, which is the norm for binding AD with most third-party apps. Changing it to the CN=nuxeo,DC=blah,DC=blah format, it worked perfectly.
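
The two practical points raised in this thread, the bind identity having to be a full DN rather than the user@domain form, and mapping the three AD groups from the original post (NuxeoAdmin, NuxeoPower, NuxeoUser) onto Nuxeo groups with the most privileged group winning and the defaultGroup as the fallback, can be checked outside Nuxeo before touching the XML. The script below is an added example, not code from this thread or from Nuxeo; it uses only the Python standard library. The Nuxeo group names (Administrators, PowerUsers, Members), the reliance on the AD memberOf attribute, and the directory entries at the bottom are assumptions constructed for the example.

```python
"""Pre-flight checks for an AD-backed Nuxeo login (added example, not Nuxeo code).

1. classify_bind_identity(): tells a DN (CN=...,DC=...) apart from a UPN
   (user@domain), the mistake described in the reply above.
2. nuxeo_group_for(): maps a user's AD memberOf DNs onto one Nuxeo group,
   highest privilege first, falling back to the defaultGroup.

Group and attribute names are assumptions chosen to match the thread.
"""
import re

# Ordered most-privileged first: the first AD group found wins.
# (AD group CN, Nuxeo group) - assumed names taken from the original post.
AD_TO_NUXEO_GROUP = [
    ("NuxeoAdmin", "Administrators"),
    ("NuxeoPower", "PowerUsers"),
    ("NuxeoUser", "Members"),
]
DEFAULT_GROUP = "Members"  # mirrors the userManager defaultGroup in the post


def parse_dn(dn):
    """Split an LDAP DN into [(type, value), ...] honouring RFC 4514 escapes.

    Handles '\\,' style escapes and '\\2C' hex escapes so a group named
    "Sales, East" does not split into two components. Attribute types are
    lower-cased (CN == cn); values are trimmed of surrounding whitespace.
    Raises ValueError for anything that is not a DN (e.g. a UPN).
    """
    rdns, buf, i = [], [], 0

    def flush():
        part = "".join(buf).strip()
        if "=" not in part:
            raise ValueError("not a DN component: %r" % part)
        typ, val = part.split("=", 1)
        rdns.append((typ.strip().lower(), val.strip()))
        buf.clear()

    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hex_pair = dn[i + 1:i + 3]
            if re.fullmatch(r"[0-9A-Fa-f]{2}", hex_pair):
                buf.append(chr(int(hex_pair, 16)))
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped literal such as ',' or '='
                i += 2
            continue
        if ch == ",":
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    return rdns


def classify_bind_identity(identity):
    """Return 'dn' for a distinguished name, 'upn' for user@domain, else 'other'."""
    try:
        parse_dn(identity)
        return "dn"
    except ValueError:
        pass
    if re.fullmatch(r"[^@\s,=]+@[^@\s,=]+", identity):
        return "upn"
    return "other"


def nuxeo_group_for(member_of):
    """Map a list of AD memberOf DNs to a single Nuxeo group.

    The group's own name is the first RDN (its CN); comparison is
    case-insensitive because AD treats CN values that way.
    """
    group_cns = set()
    for dn in member_of:
        typ, val = parse_dn(dn)[0]
        if typ == "cn":
            group_cns.add(val.lower())
    for ad_cn, nuxeo_group in AD_TO_NUXEO_GROUP:
        if ad_cn.lower() in group_cns:
            return nuxeo_group
    return DEFAULT_GROUP


# Constructed sample data: username -> memberOf values as AD would return them.
SAMPLE_USERS = {
    "dlechner": ["CN=NuxeoAdmin,OU=Groups,DC=corp,DC=example",
                 "CN=NuxeoUser,OU=Groups,DC=corp,DC=example"],
    "jdoe": ["CN=NuxeoPower,OU=Groups,DC=corp,DC=example"],
    "guest": [],  # no mapped group at all -> defaultGroup
    "tricky": ["CN=Sales\\, East,OU=Groups,DC=corp,DC=example",
               "cn=nuxeouser,ou=Groups,dc=corp,dc=example"],
}


def resolve_all(users=SAMPLE_USERS):
    """Resolve every sample user to the Nuxeo group they would land in."""
    return {user: nuxeo_group_for(groups) for user, groups in users.items()}


if __name__ == "__main__":
    for ident in ("nuxeo@domain", "CN=nuxeo,DC=blah,DC=blah"):
        print(ident, "->", classify_bind_identity(ident))
    for user, group in resolve_all().items():
        print(user, "->", group)
```

Running it shows nuxeo@domain classified as a UPN and the CN=...,DC=... form as a DN, and resolves dlechner to Administrators (NuxeoAdmin outranks NuxeoUser), jdoe to PowerUsers, and both guest and tricky to Members. The precedence list is the piece worth keeping explicit in any real mapping: a user in several groups must land in exactly one predictable place, and the fallback should be the least privileged group.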

DerekLechner_
Champ on-the-rise

I guess there isn't a way to do this.

The defaultGroup is Members, so everyone with a domain account can log in and view whatever a member can.

Then if we need to elevate a specific user's permissions: Within Nuxeo, we search for the user, and add them to the appropriate Nuxeo group (Administrators, PowerUsers, ContentReview, etc).

This works for us, and takes the overhead off of our Network Admins and onto our Training Staff to administer permissions (which is either good or bad), but we are a smaller organization.
