LDAP (Active Directory) Group Permissions
Fast Track 5.9.3
Ok, I set up basic LDAP authentication with our Active Directory.
The only file I configured is the default-ldap-users-directory-config.xml
In the userManager section, I manually have the defaultAdministratorId set to my AD user account, which grants me Admin access.
I also have the defaultGroup set to members, which gives everyone else access, as members.
So far so good, but here is what I want.
I have 3 Groups created in my AD, I would like these mapped to corresponding groups within Nuxeo.
- NuxeoAdmin - Administrators
- NuxeoPower - PowerUsers
- NuxeoUser - Members
If you are a member of the NuxeoAdmin group, when you log into Nuxeo you will be an Admin in Nuxeo.
If you are a member of the NuxeoPower group, when you log into Nuxeo you will be in the Power Users group in Nuxeo.
If you are a member of the NuxeoUser group, when you log into Nuxeo you will be a member in Nuxeo.
Is this the right way of thinking about this? To me this seems to be the easiest, and most straightforward. I don't need any permissions to be updated or managed through Nuxeo, as we can do everything through AD.
Thanks
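The mapping the post describes, as an added illustration that is not Nuxeo's own mechanism or code: given the `memberOf` values AD returns for a user, derive the Nuxeo groups they should land in. The group DNs, OU and domain names are constructed placeholders; the point is to match on the full group DN (normalised, since DN comparison is case-insensitive) rather than on a bare CN, so a same-named group created elsewhere in the directory is not mapped.

```python
import re

# Constructed placeholders: full DN of each AD group -> Nuxeo group from the post.
# Keys are full DNs on purpose; a "NuxeoAdmin" group created in another OU must
# not grant Administrators.
GROUP_MAP = {
    "CN=NuxeoAdmin,OU=Groups,DC=example,DC=local": "administrators",
    "CN=NuxeoPower,OU=Groups,DC=example,DC=local": "powerusers",
    "CN=NuxeoUser,OU=Groups,DC=example,DC=local": "members",
}
# Everyone with a domain account gets this group, as the post's defaultGroup does.
DEFAULT_GROUP = "members"


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: split on unescaped commas (a CN may
    contain an escaped comma such as 'Smith\\, John'), trim the whitespace
    around each RDN, and lowercase, because DN matching is case-insensitive."""
    rdns = re.split(r"(?<!\\),", dn)
    return ",".join(rdn.strip().lower() for rdn in rdns)


_NORMALIZED_MAP = {normalize_dn(dn): grp for dn, grp in GROUP_MAP.items()}


def nuxeo_groups_for(member_of):
    """Return the sorted Nuxeo groups for a user, given their AD memberOf values.

    A user in several mapped AD groups ends up in every corresponding Nuxeo
    group; unmapped AD groups are ignored; the default group is always present.
    """
    groups = {DEFAULT_GROUP}
    for dn in member_of:
        mapped = _NORMALIZED_MAP.get(normalize_dn(dn))
        if mapped is not None:
            groups.add(mapped)
    return sorted(groups)


if __name__ == "__main__":
    # Constructed sample memberOf values.
    print(nuxeo_groups_for(["CN=NuxeoAdmin,OU=Groups,DC=example,DC=local",
                            "CN=Domain Users,CN=Users,DC=example,DC=local"]))
    # Same CN in a different OU: not mapped, user stays a plain member.
    print(nuxeo_groups_for(["CN=NuxeoAdmin,OU=Sandbox,DC=example,DC=local"]))
```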
I guess there isn't a way to do this.
The defaultGroup is Members, so everyone with a domain account can log in and view whatever a member can.
Then if we need to elevate a specific user's permissions: Within Nuxeo, we search for the user, and add them to the appropriate Nuxeo group (Administrators, PowerUsers, ContentReview, etc).
This works for us, and takes the overhead off of our Network Admins and onto our Training Staff to administer permissions (which is either good or bad), but we are a smaller organization.
Moreover, for some reason it won't connect to my ADs over SSL. LDAPS on port 636 simply won't work with Nuxeo, though it works with all other services. I use a CA-signed cert for my DCs, so a trust issue isn't a factor here.
Anyway, many many thanks :)
I used Softerra LDAP Browser 4.5 to create my LDAP connection with my AD to verify my username/password was all correct. This was a program I previously had installed on one of my Windows boxes for performing other LDAP troubleshooting.
Here is my config
I'm not performing any Create, so I removed that from the file. I also removed most of the comments to only get to what's needed.