Recursive AD Synchronisation with Sitecore Active Directory Module

Sitecore's Active Directory connector provides functionality that allows users to perform Single Sign-on to the Sitecore client transparently using their Active Directory accounts.  It is easy for content authors to use: all they need to do is point their browser at the following URL on their Sitecore content management server:
/sitecore/admin/ldaplogin.aspx
However, users can only log in to Sitecore in this way if they have been synchronised using the Active Directory connector configuration.  All the gory details of setting up the Sitecore configuration can be found in the module's Administration Guide, but the two settings that I want to talk about in this post are the LDAP connection string and custom filters.  Together these settings control which groups (roles) and users are synchronised from AD into Sitecore.

LDAP Connection String

The LDAP connection string is configured in the Sitecore ConnectionString.config file.  It provides the details for connecting to Active Directory, including the server name and the location in the AD tree to connect to.
<connectionStrings>
  <add name="ManagersConnString"
       connectionString="LDAP://ADServer:389/OU=Corporate,DC=MyCompany,DC=local" />
</connectionStrings>
This setting is reasonably straightforward, but make sure that the OU you connect to is high enough in the AD structure to contain all the groups and users that you want to synchronise.

Custom Filters

If you simply provide an LDAP connection string, all the groups and users within the org unit that you specify will be synchronised into Sitecore.  Depending on the AD structure this could be hundreds (or more) of groups and users.  At the very least this makes using the Sitecore user and role manager tools extremely painful!

To synchronise only a subset of users and groups, a customFilter can be specified in the membership and role provider configurations.  This customFilter is written in LDAP query syntax.  The Admin Guide gives the following example of a customFilter that will synchronise only a single group and all of its users into Sitecore:
customFilter="(memberOf=CN=testgroup,OU=Groups,DC=devtest,DC=sitecore,DC=net)"
The customFilter used in the membership and role providers must be the same.

Supporting multiple roles and their users

In my experience, the need in an enterprise installation of Sitecore is to import a number of roles with all the users contained in one or more of them.  Even in the simplest of cases there is a content author role and a content approver role, and depending on the governance structures in place there can also be other roles required, such as legal review, which either have access to specific workflow states and actions, or to content in specific parts of a site.  To support this more advanced requirement, I follow this pattern:
  • Have an AD group for each of the Sitecore roles being mapped (the users for each role are managed by placing them in the appropriate group in AD)
  • Create a "Sitecore Groups" group in AD, and make each of the role groups a member of it
At this point, you will have a structure in AD that looks something like this, where you want all the groups under Sitecore Groups to be mapped into Sitecore as roles, and all the users in those groups to be mapped as Sitecore users.


  • Specify a custom filter for both the membership and role providers using LDAP_MATCHING_RULE_IN_CHAIN syntax
The LDAP_MATCHING_RULE_IN_CHAIN syntax is a magical operator that you can insert into your LDAP query.  I say magical because it is a great example of the hated magic number!  Here is an example of this syntax:
(memberOf:1.2.840.113556.1.4.1941:=CN=Sitecore Groups,OU=Corporate,DC=MyCompany,DC=local)
The :1.2.840.113556.1.4.1941: is the magic number (OID) for LDAP_MATCHING_RULE_IN_CHAIN, and it instructs the LDAP query to recurse through the tree of groups/users under the targeted group and match everything that it finds.

This will synchronize all the groups (in the case of the roles provider) and users (in the case of the membership provider) in the Sitecore Groups group and all sub-groups beneath it.  If you open the Sitecore user and role managers you should now see only these roles and users in the Sitecore mapped "ad" domain.
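The following is an added example, not code from the post or from the Sitecore module.  It simulates, against a small constructed directory (the group and user names are hypothetical), the difference between the plain memberOf customFilter from the Admin Guide and the LDAP_MATCHING_RULE_IN_CHAIN filter above, so you can see exactly which groups and users would be handed to the role and membership providers before you enable the synchronisation.  It also builds the filter string with RFC 4515 escaping, which matters if a group name contains parentheses or an asterisk.  The objectClass conjunction used for previewing is an assumption for this example only; the Sitecore customFilter itself should stay as the bare memberOf clause shown in the post, identical in both providers.

```python
"""Added example (not from the post or the Sitecore AD module): preview which
directory entries a plain memberOf filter and a LDAP_MATCHING_RULE_IN_CHAIN
filter would select, using a constructed in-memory directory so it runs offline.
"""
from collections import deque

# OID of LDAP_MATCHING_RULE_IN_CHAIN, exactly as it appears in the post's filter.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Constructed directory: DN -> (objectClass, list of memberOf DNs).
# These DNs are hypothetical and follow the post's OU=Corporate,DC=MyCompany layout.
SITECORE_GROUPS = "CN=Sitecore Groups,OU=Corporate,DC=MyCompany,DC=local"
AUTHORS = "CN=Content Authors,OU=Corporate,DC=MyCompany,DC=local"
APPROVERS = "CN=Content Approvers,OU=Corporate,DC=MyCompany,DC=local"
LEGAL = "CN=Legal Review,OU=Corporate,DC=MyCompany,DC=local"
ADMINS = "CN=Domain Admins,CN=Users,DC=MyCompany,DC=local"

DIRECTORY = {
    SITECORE_GROUPS: ("group", []),
    AUTHORS: ("group", [SITECORE_GROUPS]),
    APPROVERS: ("group", [SITECORE_GROUPS]),
    LEGAL: ("group", [APPROVERS]),           # nested two levels below Sitecore Groups
    "CN=alice,OU=Corporate,DC=MyCompany,DC=local": ("user", [AUTHORS]),
    "CN=bob,OU=Corporate,DC=MyCompany,DC=local": ("user", [LEGAL]),
    ADMINS: ("group", []),                   # unrelated group: must not be synchronised
    "CN=carol,OU=Corporate,DC=MyCompany,DC=local": ("user", [ADMINS]),
}


def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_chain_filter(group_dn, object_class=None):
    """Build the recursive customFilter; object_class is only for previewing."""
    flt = "(memberOf:%s:=%s)" % (MATCHING_RULE_IN_CHAIN, escape_filter_value(group_dn))
    if object_class:
        flt = "(&(objectClass=%s)%s)" % (object_class, flt)
    return flt


def direct_members(directory, group_dn):
    """What the Admin Guide's plain (memberOf=...) filter matches: direct members only."""
    return sorted(dn for dn, (_, member_of) in directory.items() if group_dn in member_of)


def chain_members(directory, group_dn, object_class=None):
    """What (memberOf:1.2.840.113556.1.4.1941:=...) matches: transitive members.

    Breadth-first walk over memberOf links; the seen-set makes it safe for
    circular group memberships, which AD allows.
    """
    seen = set()
    queue = deque([group_dn])
    while queue:
        current = queue.popleft()
        for dn, (_, member_of) in directory.items():
            if current in member_of and dn not in seen:
                seen.add(dn)
                queue.append(dn)
    return sorted(dn for dn in seen
                  if object_class is None or directory[dn][0] == object_class)


if __name__ == "__main__":
    print("customFilter for both providers:")
    print("  " + build_chain_filter(SITECORE_GROUPS))
    print("plain memberOf would map only:", direct_members(DIRECTORY, SITECORE_GROUPS))
    print("roles (role provider):        ", chain_members(DIRECTORY, SITECORE_GROUPS, "group"))
    print("users (membership provider):  ", chain_members(DIRECTORY, SITECORE_GROUPS, "user"))
```

Running the script shows that the plain filter maps only the two top-level role groups and no users at all, while the chained filter also picks up the nested Legal Review group and the users in every group beneath Sitecore Groups, and leaves Domain Admins and its member untouched.  Because the walk is transitive, any group someone later nests under Sitecore Groups will silently start synchronising its users, so it is worth re-running a preview like this whenever the group tree changes.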



