Use AD groups?

This topic is also described in detail in our product documentation.

Prerequisites #

  • a configured LDAP provider (see the other FAQ)
  • a service account with read permissions on the target LDAP server
  • a test user who is a member of at least one group
  • the group search path in the LDAP structure

Objective #

  • during user login, a selected set of the user's groups is checked
  • the groups can then be used for permission management or to control access to BPM processes

Solution #

  • reconfigure the authentication provider for group lookup
  • import the group in the Admin web interface
  • (assign a grant definition to the imported group)
  • (assign the group to a BPM actor)

Example #

  • start the configuration tool as administrator
  • open the configuration, switch to Advanced, MyModule, Authentication Provider
  • click the edit button for the desired authentication provider
  • check the "read groups" checkbox
  • in the Group mapping section, edit the Base group path

    Example:
    Paths are written leaf first, i.e. in the reverse order of the tree shown in an LDAP browser:
    if the browser shows the base of the LDAP structure as DC=local, DC=GeniusBytes, the base path has to be written as
    DC=GeniusBytes,DC=local. If a user container exists, it can be specified in the base user path, e.g. CN=Users.
    The full user search path is the combination of base user path and base path (CN=Users,DC=GeniusBytes,DC=local).

    If a group container exists, it can be specified in the base group path, e.g. OU=Groups.
    The full group search path is the combination of base group path and base path (OU=Groups,DC=GeniusBytes,DC=local).
    The userDN is the distinguished name of the LDAP connect user (the account the server binds with), not its sAMAccountName and not its domain name; use the distinguished name, e.g.:
    cn=LDAPConnect,ou=Users,ou=MyBusiness,dc=GeniusBytesGmbH,dc=local
  • if you are unsure of the configuration, install an LDAP browser (e.g. Softerra LDAP Browser), connect with "current credentials" (Windows login), search for the LDAP connect user and copy its DN
  • then search for a "typical user" of the customer and copy the base path;
    the group path can be derived from the "memberOf" entries of that user
  • in this example the base group path is OU=Security Groups (base path: OU=MyBusiness,DC=GeniusBytesGmbH,DC=local)
  • you can change and test configuration changes in the tool without saving them: the tests use the parameters currently visible in the tool
  • the server uses the saved configuration that was present at service start, so a change to the settings requires a service restart to take effect
  • from the Tests menu, run the "Query groups" check (enter the group name)
  • from the Tests menu, run the "Query user groups" check (enter a user name);
    a result window pops up and lists all groups found for the entered user
  • in this example, the user "cddsadmin" is a member of the group "cddsadmins"
  • restart the Genius Server service once all tests have been successful
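
The path rules and the "derive the group path from memberOf" step above, worked through in a small script. This is an added example written for this page, not code from the Genius Server product or its configuration tool. It uses the base path and group container from the example above; the memberOf values for the test user are constructed. The filter-escaping helper goes beyond what the page says: a user or group name typed into a lookup should be escaped before it is placed in an LDAP search filter, otherwise a name such as `admin)(objectClass=*` widens the query.

```python
import re

# Naming from the FAQ example; the memberOf values are constructed for this example.
BASE_PATH = "OU=MyBusiness,DC=GeniusBytesGmbH,DC=local"
BASE_USER_PATH = "CN=Users"
BASE_GROUP_PATH = "OU=Security Groups"
SAMPLE_MEMBER_OF = [
    "CN=cddsadmins,OU=Security Groups,OU=MyBusiness,DC=GeniusBytesGmbH,DC=local",
    "CN=Print Operators,OU=Security Groups,OU=MyBusiness,DC=GeniusBytesGmbH,DC=local",
]


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first.

    Attribute names are lower-cased; values are compared case-insensitively
    by the callers, as Active Directory does. Only backslash-escaped commas
    are handled, which is enough for the DNs on this page.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.strip().partition("=")
        if not sep:
            raise ValueError(f"not an RDN: {part!r}")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def dn_from_tree_order(*components):
    """The FAQ's ordering rule: an LDAP browser shows DC=local above
    DC=GeniusBytesGmbH above OU=MyBusiness, but the DN names the leaf first."""
    return ",".join(reversed(components))


def full_search_path(container, base_path):
    """Full user/group search path = container (may be empty) + base path."""
    return f"{container},{base_path}" if container else base_path


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)


def user_filter(sam_account_name):
    """Filter a 'Query user groups' style lookup would use to find the user."""
    return f"(&(objectClass=user)(sAMAccountName={escape_filter_value(sam_account_name)}))"


def group_filter(group_name):
    """Filter a 'Query groups' style lookup would use to find a group by its common name."""
    return f"(&(objectClass=group)(cn={escape_filter_value(group_name)}))"


def derive_group_path(member_of, base_path):
    """Work out the base group path from a user's memberOf values.

    Returns the nearest container common to all groups, relative to base_path,
    as a DN fragment (e.g. 'OU=Security Groups'); '' if the groups share no
    container below the base path (leave the base group path empty and search
    from the base path); None if memberOf is empty or a group lies outside the
    base path, where no base group path under this base path can reach it.
    """
    base = [(a, v.lower()) for a, v in parse_dn(base_path)]
    common = None
    for dn in member_of:
        rdns = parse_dn(dn)
        if len(rdns) <= len(base) or [(a, v.lower()) for a, v in rdns[-len(base):]] != base:
            return None
        # containers between the group's own CN and the base path, in tree order
        containers = list(reversed(rdns[1:-len(base)]))
        if common is None:
            common = containers
            continue
        keep = 0
        for x, y in zip(common, containers):
            if x[0] != y[0] or x[1].lower() != y[1].lower():
                break
            keep += 1
        common = common[:keep]
    if common is None:
        return None
    return ",".join(f"{a.upper()}={v}" for a, v in reversed(common))


if __name__ == "__main__":
    print("user search path :", full_search_path(BASE_USER_PATH, BASE_PATH))
    print("group search path:", full_search_path(derive_group_path(SAMPLE_MEMBER_OF, BASE_PATH), BASE_PATH))
    print("user filter      :", user_filter("cddsadmin"))
```

Run stand-alone it prints the composed user and group search paths. When a user's groups are spread over several OUs, derive_group_path returns their nearest common container; an empty string means the base group path has to be left empty so the search starts at the base path itself, and None means a group sits outside the base path and this provider will never see it.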

Admin web interface #

  • open Admin, Authentication Management, Group
  • click New, search for the group name, select the group and press Select to import the desired Active Directory group;
    membership of this group is now checked at every user login
  • assign an existing grant to the group if a suitable grant already exists
  • to create a new grant, open Admin, Authentication Management, Grant
  • to create an administrative grant, for example:
    assign roles such as ROLE_EASY_ADMIN, ROLE_REPORTING_ADMIN and others;
    every admin role allows the members of the group mapped to this grant to see and use one subtree of the admin section
  • back in the Group section, select the imported group and assign the grant definition
  • to restrict privileges, repeat the process but add restriction definitions instead of grant definitions to the imported group
  • every user connecting to Genius MFP is always a member of "myDefaultGroup"; to remove unwanted permissions for all users, remove from myDefaultGrant all roles that are not required,
    or alternatively remove myDefaultGrant from myDefaultGroup altogether (every user inherits the permissions of myDefaultGroup, so keep its grant as small as possible)
  • open Admin, Authentication Management, Used Identity
  • search for the test user, select the test user and click Delete Cache
  • log in with the test user (if the configuration worked, the admin section should now be visible)
  • successfully imported groups can be added under BPM, Actor to grant access to BPM processes;
    access to BPM processes cannot be restricted using groups, but myDefaultGroup can be removed from myDefaultActor
    and LDAP groups used in myDefaultActor instead

Troubleshooting #

The user can log in to the web interface but no admin section is displayed

  • open the configuration tool and go to Authentication Provider
  • check whether the group can be found using the test "Search Groups"
  • check whether the user is a member of the group using the test "Search by Username"
  • if the groups have only just been imported, wait for the cache to be cleared: the cache is cleared after one hour of user inactivity in the environment (no print, no login at an MFP, no login on the web interface or any other connected client), or clear it for the test user under Authentication Management, Used Identity
  • has the service been restarted after the latest changes to the authentication provider? The changes you see in the configuration tool are not applied to the server until the service has been restarted
  • in a cluster environment with multiple nodes, all servers have to use the same configuration and all nodes have to be restarted to activate the latest configuration
