LDAP (Active Directory) Group Permissions

Fast Track 5.9.3

Ok, I setup basic LDAP authentication with our Active Directory.

The only file I configured is the default-ldap-users-directory-config.xml

In the userManager section, I manually have the defaultAdministratorId set to my AD useraccount, which grants me Admin access.
I also have the defaultGroup set to members, which gives everyone else access, as members.

So far so good, but here is what I want.

I have 3 Groups created in my AD, I would like these mapped to corresponding groups within Nuxeo.

  • NuxeoAdmin - Administrators
  • NuxeoPower - PowerUsers
  • NuxeoUser - Members

If you are a member of the NuxeoAdmin group, when you log into Nuxeo you will be an Admin in Nuxeo.

If you are a member of the NuxeoPower group, when you log into Nuxeo you will be in the Power Users group in Nuxeo.

If you are a member of the NuxeoUser group, when you log into Nuxeo you will be a member in Nuxeo.

Is this the right way of thinking about this? To me this seems to be the easiest, and most straight-forward. I don't need any permissions to be updated, managed through Nuxeo, as we can can do everything through AD.

Thanks

1 votes

2 answers

1924 views

ANSWER

Hi DerekLechner - I'm facing serious issues with integrating with AD. I've followed the example .xml file in Nuxeo docs and modified it to suit our environment. But all AD logins are failing. It appears that you've managed to get that part working. It'll be great if you can guide me here / share the XML file. Thank you.
06/16/2014

I couldn't find a good way to copy/paste the XML into the forum, so I uploaded a very lightly modified copy of the config to a website. Let me know if you have questions. I have setup LDAP for other solutions (VMWare, SAN, etc) so I know it was working. It was best to enable debugging then monitor the log files within Linux/Nuxeo to see where it saw the problem. The only real change I had to make was changing the following:

<searchScope>subtree</searchScope>

I used Softerra LDAP Browser 4.5 to create my LDAP connection with my AD to verify my username/password was all correct. This was a program I previously had installed on one of my Windows boxes for performing other LDAP troubleshooting.

Here is my config

I'm not performing any Create, so I removed that from the file. I also removed most of the comments to only get to what's needed.

06/16/2014



I guess there isn't a way to do this.

The defaultGroup is Members, so everyone with a domain account can log in and view whatever a member can.

Then if we need to elevate a specific user's permissions: Within Nuxeo, we search for the user, and add them to the appropriate Nuxeo group (Administrators, PowerUsers, ContentReview, etc).

This works for us, and takes the overhead off of our Network Admins and onto our Training Staff to administer permissions (which is either good or bad), but we are a smaller organization.

0 votes



0 votes



Thank you very much Derek. I was able to get it up and running right-away following your example. Our config files were pretty much the same - only mistake I was making was to pass the bind username in nuxeo@domain format, which is the norm for binding AD with most third-party apps. Changing it to the CN=nuxeo,DC=blah,DC=blah format it worked perfectly.

Moreover, for some reason it won't connect to my ADs over SSL. ldaps at port 636 simply won't work with Nuxeo, though it works with all other services. I use a CA signed cert. for my DCs - so trust issue isn't a factor here.

Anyway, many many thanks :)

06/18/2014