Sitecore 8.1 and Active Directory 1.3 Integration

Sitecore 8.1 AD 1.3 Module Integration

Integrating the Active Directory module with Sitecore allows you to import, authenticate and manage AD users, roles and profiles inside Sitecore.


Let's assume that we want to accomplish the following:

– We have a Sitecore instance already running and want to integrate our company's AD users, roles and profiles for authentication and for managing permissions on Sitecore items.

– To do that we first import the users, roles and profiles into the Sitecore User Manager and Role Manager, and then assign the appropriate permissions to the users.

– So the work splits into two parts:

o First, integrate AD

o Then assign the proper permissions to the AD users so they can access Sitecore items


AD Integration:

– First we need a Sitecore instance: set one up if starting from scratch, or use an existing one.

– Then install the "Active Directory Module 1.3" (for Sitecore 8.2). Sitecore publishes a compatibility matrix showing which AD module version works with which Sitecore version.

– After installing the matching AD module, configure, verify and test the AD integration.

– Note: back up your existing instance's source files, databases and configs in case a rollback is needed.


1- Set up a vanilla Sitecore installation with the Sitecore 8.2 installer (if starting from scratch): https://dev.sitecore.net/Downloads/Sitecore_Experience_Platform/82/Sitecore_Experience_Platform_82_Update2.aspx

(Use the Sitecore web application installer.)

2- Install the "AD 1.3 Module" package from https://dev.sitecore.net/Downloads/Active_Directory/1_3/Active_Directory_1_3.aspx (use Active Directory 1.3 rev.161017).

o After installation, verify that the following files were added to the Sitecore website folder:

  • App_Config\Include\ldap.config – LDAP configuration
  • bin\LightLDAP.dll – LDAP DLL
  • bin\LightLDAPClient.dll – LDAP DLL
  • sitecore\admin\LDAPLogin.aspx – single sign-on page
  • sitecore\admin\ProviderStatus.aspx – AD status page


3- Make the following configuration changes for AD to work with Sitecore:

  1. ConnectionStrings.config

Add an LDAP connection string under the <connectionStrings> section.

Note: 'mydomain.mywebsite.com' is the AD server name.

<add name="LDAP_CONN" connectionString="LDAP://mydomain.mywebsite.com:389/DC=mywebsite,DC=com" />

  2. Domains.config

Add a new domain under the <Domain> section.

Note: "usa" is the domain name.

<domain name="usa" ensureAnonymousUser="false" />

  3. Sitecore.config

Update the <switchingProviders> section. The switching provider section needs additional membership, role manager and profile entries that name the new AD provider and the domain it serves. The entries with providerName="ad" below are the additions (they were shown in bold in the original):

<switchingProviders>
  <membership>
    <provider providerName="sql" storeFullNames="true" wildcard="%" domains="*" />
    <provider providerName="ad" storeFullNames="false" wildcard="*" domains="usa" />
  </membership>
  <roleManager>
    <provider providerName="sql" storeFullNames="true" wildcard="%" domains="*" ignoredUserDomains="" allowedUserDomains="" />
    <provider providerName="ad" storeFullNames="false" wildcard="*" domains="usa" />
  </roleManager>
  <profile>
    <provider providerName="sql" storeFullNames="true" wildcard="%" domains="*" ignoredDomains="" />
  </profile>
</switchingProviders>

  4. Web.config

Update the <membership>, <roleManager> and <profile> sections as below.

These settings specify two things: which membership, role or profile provider is the new one, and that the provider is switched from SQL to the one being added.

<membership defaultProvider="sitecore" hashAlgorithmType="SHA1">
  <providers>
    <clear />
    <add name="sitecore" type="Sitecore.Security.SitecoreMembershipProvider, Sitecore.Kernel" realProviderName="switcher" providerWildcard="%" raiseEvents="true" />
    <add name="switcher" type="Sitecore.Security.SwitchingMembershipProvider, Sitecore.Kernel" applicationName="sitecore" mappings="switchingProviders/membership" />
    <add name="sql" type="System.Web.Security.SqlMembershipProvider" connectionStringName="core" applicationName="sitecore" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" maxInvalidPasswordAttempts="256" />
    <add name="ad" type="LightLDAP.SitecoreADMembershipProvider" connectionStringName="LDAP_CONN" applicationName="sitecore" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" connectionProtection="Secure" connectionUsername="LDAP-Server-UserName" connectionPassword="LDAP-Server-Password" attributeMapUsername="sAMAccountName" enableSearchMethods="true" enablePasswordReset="false" />
  </providers>
</membership>

<roleManager defaultProvider="sitecore" enabled="true">
  <providers>
    <clear />
    <add name="sitecore" type="Sitecore.Security.SitecoreRoleProvider, Sitecore.Kernel" realProviderName="switcher" raiseEvents="true" />
    <add name="switcher" type="Sitecore.Security.SwitchingRoleProvider, Sitecore.Kernel" applicationName="sitecore" mappings="switchingProviders/roleManager" />
    <add name="sql" type="System.Web.Security.SqlRoleProvider" connectionStringName="core" applicationName="sitecore" />
    <add name="ad" type="LightLDAP.SitecoreADRoleProvider" connectionStringName="LDAP_CONN" applicationName="sitecore" attributeMapUsername="sAMAccountName" cacheSize="2MB" username="LDAP-Server-UserName" password="LDAP-Server-Password" />
  </providers>
</roleManager>

<profile defaultProvider="switcher" enabled="true" inherits="Sitecore.Security.UserProfile, Sitecore.Kernel">
  <providers>
    <clear />
    <add name="sql" type="System.Web.Profile.SqlProfileProvider" connectionStringName="core" applicationName="sitecore" />
    <add name="switcher" type="Sitecore.Security.SwitchingProfileProvider, Sitecore.Kernel" applicationName="sitecore" mappings="switchingProviders/profile" />
  </providers>
  <properties>
    <clear />
    <add type="System.String" name="SC_UserData" />
  </properties>
</profile>

4- Verify the AD integration:

  1. Open http://sitename/sitecore/admin/ProviderStatus.aspx (e.g. http://testad/sitecore/admin/ProviderStatus.aspx).
  2. The page shows which provider is active for which domain.

See the snapshot of the Provider Status page (image not reproduced here).

5- Verify from the Sitecore admin:

  • Open the Sitecore User Manager and Role Manager to verify that the AD users and roles have been imported successfully.


6- Filtering the AD users to import only selected users:

  • In the "ad" provider entries of the membership, role manager or profile sections you can add an extra customFilter attribute.
  • The customFilter below pulls only the members of "Lead Developers" in the "Developers Group" OU of the AD organization:

<add name="ad" type="LightLDAP.SitecoreADMembershipProvider" connectionStringName="LDAP_CONN" applicationName="sitecore" minRequiredPasswordLength="1" minRequiredNonalphanumericCharacters="0" requiresQuestionAndAnswer="false" requiresUniqueEmail="false" connectionProtection="Secure" connectionUsername="LDAP-Server-UserName" connectionPassword="LDAP-Server-Password" attributeMapUsername="sAMAccountName" enableSearchMethods="true" enablePasswordReset="false" customFilter="(memberOf=CN=Lead Developers,OU=Developers Group,OU=USA,DC=mywebsite,DC=com)" />
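The four files from step 3 and the customFilter from step 6 have to agree with each other, and a typo in any of them only shows up as a failed bind or an empty user list. As an added consistency check (not code from the page or from Sitecore), the Python script below reads constructed fragments that mirror those entries and reports the mistakes that bite most often: an undefined connection string, a connectionProtection other than Secure, placeholder or whitespace-padded bind credentials, a domain handed to the "ad" provider that Domains.config never declares, and an unbalanced customFilter. The fragment contents and the "sitecore" default domain are assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Constructed fragments mirroring the page's ConnectionStrings.config, Domains.config,
# Sitecore.config and Web.config entries; placeholder credentials are left in on purpose.
CONNECTION_STRINGS = ('<connectionStrings><add name="LDAP_CONN" '
                      'connectionString="LDAP://mydomain.mywebsite.com:389/DC=mywebsite,DC=com" />'
                      '</connectionStrings>')
DOMAINS = '<domains><domain name="sitecore" /><domain name="usa" ensureAnonymousUser="false" /></domains>'
SWITCHING = ('<switchingProviders><membership><provider providerName="sql" domains="*" />'
             '<provider providerName="ad" domains="usa" /></membership></switchingProviders>')
MEMBERSHIP = ('<membership defaultProvider="sitecore"><providers><add name="ad" '
              'type="LightLDAP.SitecoreADMembershipProvider" connectionStringName="LDAP_CONN" '
              'connectionProtection="Secure" connectionUsername="LDAP-Server-UserName" '
              'connectionPassword=" LDAP-Server-Password" enablePasswordReset="false" '
              'customFilter="(memberOf=CN=Lead Developers,OU=Developers Group,OU=USA,DC=mywebsite,DC=com)" />'
              '</providers></membership>')

PLACEHOLDER = re.compile(r"LDAP-Server-(UserName|Password)", re.IGNORECASE)


def check_ad_wiring(conn_xml, domains_xml, switching_xml, membership_xml):
    """Return a list of findings; an empty list means the four fragments agree."""
    findings = []
    conn_names = {a.get("name") for a in ET.fromstring(conn_xml).iter("add")}
    domain_names = {d.get("name") for d in ET.fromstring(domains_xml).iter("domain")}
    ad = next((a for a in ET.fromstring(membership_xml).iter("add") if a.get("name") == "ad"), None)
    if ad is None:
        return ["no 'ad' membership provider is registered"]
    # The provider must point at a connection string that actually exists.
    if ad.get("connectionStringName") not in conn_names:
        findings.append("ad provider references undefined connection string %r" % ad.get("connectionStringName"))
    # Anything other than Secure lets the bind credentials cross the wire unprotected.
    if ad.get("connectionProtection") != "Secure":
        findings.append("connectionProtection is not 'Secure'")
    # Placeholder or whitespace-padded bind credentials fail the bind or bind as the wrong account.
    for attr in ("connectionUsername", "connectionPassword"):
        val = ad.get(attr, "")
        if PLACEHOLDER.search(val) or val != val.strip():
            findings.append("%s is still the placeholder or has stray whitespace" % attr)
    # Every domain the switcher hands to the 'ad' provider must be declared in Domains.config.
    for p in ET.fromstring(switching_xml).iter("provider"):
        if p.get("providerName") == "ad":
            for d in p.get("domains", "").split(","):
                if d != "*" and d not in domain_names:
                    findings.append("switcher maps 'ad' to domain %r that Domains.config lacks" % d)
    # A customFilter with unbalanced parentheses is not a valid LDAP filter.
    filt = ad.get("customFilter", "")
    if filt and (not filt.startswith("(") or filt.count("(") != filt.count(")")):
        findings.append("customFilter is not a well-formed LDAP filter: %r" % filt)
    return findings
```

Run it against the real files by reading each one into the corresponding argument; on the constructed input it reports the two placeholder credentials and nothing else.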


Assigning permissions to users:

– There are multiple ways to assign permissions on Sitecore items to these users; that is a topic of its own.

– Here is an example of adding permissions with a Sitecore PowerShell Extensions script.

– The script below adds every Lead Developer to the "sitecore\Author" role:

# Role exposed through the "ad" role provider (domain "usa" from Domains.config).
$roleIdentity = "usa\Lead Developers"

# Get-RoleMember returns the accounts that belong to the role; Get-User would
# only look up a single user by name and returns nothing for a role identity.
$users = Get-RoleMember -Identity $roleIdentity -ErrorAction SilentlyContinue

foreach ($user in $users) {
    # Skip null entries (for example when the role lookup failed silently).
    if ($user -ne $null) {
        # Add this AD user to the built-in Sitecore Author role.
        Add-RoleMember -Identity "sitecore\Author" -Members $user.Name
    }
}