LDAP Membership Provider

Release 1.2 - ...

Smartsite iXperion 1.2 has built-in support for LDAP servers, such as Novell e-Directory. A specific Membership Provider can be configured using the web.config to enable the support for LDAP servers.

Using the LDAP membership provider, users in an LDAP domain can log on to Smartsite iXperion (publication engine) through forms authentication, where the credentials provided will be validated against the configured LDAP server.

The same applies to the cms manager; in that case, however, the standard basic authentication dialog is shown to the user to specify the credentials.

As is the case with Active Directory integration, the LDAP group membership is mapped to the Usergroups in Smartsite marked as Externally Managed. Also, the automated user management which comes with the Active Directory role and membership providers applies to the LDAP membership provider as well. This means that when an LDAP user logs on for the first time and the group membership checks are passed, the account information is copied to the AllUsers table.

Configuration

Connection string

The configuration/ConnectionStrings section in the web.config must contain the LDAP server address.

  <connectionStrings>
    <add name="LDAPConnection" connectionString="ip-address" />
  </connectionStrings>

Membership provider

Register the membership provider in configuration/system.web/membership and set it as defaultProvider:

<membership defaultProvider="ldap">
      (...)
      <providers>
        <clear />
        <add name="ldap" applicationName="Smartsite"
            type="Smartsite.Security.Authentication.LDAPMembershipProvider, Smartsite.Security"
            connectionStringName="LDAPConnection"
            connectionUsername="cn=adminusername,o=organization"
            connectionPassword="yourpassword"
            port="636" useSSL="true"
            bypassCertificateValidation="true"
        />
        (... do not remove the SqlMembershipProvider ...)
      </providers>
</membership>


connectionStringName

ConnectionString name which must refer to a connection string within the connectionStrings section of the web.config.

connectionUsername, connectionPassword

An account with sufficient rights to query the LDAP server. The specified connectionUsername will be expanded to a distinguishedName using the SearchBase from the Smartsite.LDAPConfiguration settings (pattern: "cn=connectionUsername,SearchBase"), unless you have already specified a distinguishedName (connectionUsername starts with "cn=").

searchUserQuery (optional)

Specifies the query which should be used to search for a user; {0} is replaced by the login name. Defaults to "(&(ObjectClass=Person)(cn={0}))".
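As an added illustration (not Smartsite's own code), the following shows the two rules described above: how connectionUsername is expanded to a distinguishedName against the SearchBase, and how the searchUserQuery template is filled in. The RFC 4515 escaping of the substituted login name is an assumption about what a safe caller should do; the page does not document whether the provider escapes {0} itself.

```python
# Added illustration, not the Smartsite provider's code.
# Default query taken from the page; escaping behaviour is an assumption.
DEFAULT_SEARCH_USER_QUERY = "(&(ObjectClass=Person)(cn={0}))"

# RFC 4515: these characters would change the meaning of a filter if a
# login name containing them were substituted for {0} unescaped.
_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\0": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def expand_connection_username(connection_username: str, search_base: str) -> str:
    """Documented rule: 'cn=<name>,<SearchBase>' unless a DN was already given."""
    if connection_username.lower().startswith("cn="):
        return connection_username
    return f"cn={connection_username},{search_base}"


def build_user_search_filter(login_name: str,
                             template: str = DEFAULT_SEARCH_USER_QUERY) -> str:
    """Fill the {0} placeholder of searchUserQuery with the escaped login name."""
    return template.replace("{0}", escape_filter_value(login_name))


if __name__ == "__main__":
    # Constructed sample values, modelled on the SearchBase example on the page.
    print(expand_connection_username("ldapreader", "ou=SMARTSITE_GROUPS,o=SENECA"))
    print(expand_connection_username("cn=adminusername,o=organization", "o=ignored"))
    # A name containing filter metacharacters stays a literal match:
    print(build_user_search_filter("Jan (Sales)*"))
```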

port (optional)

The port number to use. When useSSL has been set to true, port defaults to 636.

useSSL (optional)

Whether or not to use an SSL connection. Defaults to false.

bypassCertificateValidation (optional)

When using an SSL connection, the certificate validation can result in poor performance. Setting this property to true will cause the LDAP membership provider to bypass the certificate validation, resulting in much better performance. Note that with validation bypassed the identity of the LDAP server is no longer verified, so the connection is only as trustworthy as the network path to it. Defaults to false.

certificateLocation (optional)

With this parameter, you can (optionally) specify the location of the (SSL) client certificate which should be used.

groupMembershipAttribute (optional)

The attribute name with which group membership can be queried. Defaults to groupMembership.

Settings

The Smartsite LDAP membership provider has its own config section in the configuration/configSections for further configuration settings:

<configSections>
     (...)
    <section name="Smartsite.LDAPConfiguration" 
         type="Smartsite.Security.ActiveDirectoryConfigurationSection, Smartsite.Security" />
</configSections>

Then, add the configuration/Smartsite.LDAPConfiguration section. At this time, the section contains settings for controlling access to Smartsite:

<Smartsite.LDAPConfiguration>
    <settings>
      <add name="SmartsiteAccessGroup" value="groupname"/>
      <add name="ManagerAccessGroup" value="manager access groupname" />
      <add name="StoreFullyQualifiedLoginName" value="false"/>
      <add name="SearchBase" value="ou=...,o=..." />
      <add name="DatabaseId" value="database id" />
      <add name="ProtocolVersion" value="2" /><!-- 1.3 build 3 and later -->
    </settings>
    <membershipMappings>
      <add name="mm1" domain="yourdomain" providerName="ldap" />
    </membershipMappings> 
</Smartsite.LDAPConfiguration>

SmartsiteAccessGroup

Group that defines access to Smartsite. The LDAP group membership must at least include this group to get access to Smartsite.

ManagerAccessGroup

When LDAP user membership includes this group, the user will be created with the IsVisitor bit set to false and using a primary key number within the configured users range. Otherwise, the IsVisitor bit will be set to true and the primary key used will be in the configured visitors range.

VisitorGroup (deprecated)

When LDAP user membership includes this group, the user will be created with the IsVisitor bit set to true; otherwise it will be set to false. The same rules for the primary key apply, as explained above. This setting will be ignored when ManagerAccessGroup has been specified.

StoreFullyQualifiedLoginName

Specifies whether to store the fully qualified user name (user@domain) in the AllUsers table when updating Smartsite user accounts with the LDAP information for a user.

SearchBase

The LDAP membership provider needs a searchbase when executing queries against the LDAP server. This searchbase usually includes the name of the organizational unit and the name of the organization, e.g. "ou=SMARTSITE_GROUPS,o=SENECA". It must equal the distinguishedName of the group/unit which must act as searchbase. This also implies that users who need access to Smartsite must be a (direct or indirect) member of this same group/unit.

DatabaseId

When the cms manager has also been configured to use the LDAP server to validate users, you need to specify which database id (corresponding with a database configuration within the Smartsite.Data.config configuration file) should be used. (This is needed because the cms manager goes through COM interop, where Database.Current is not available.)

For example, if your Smartsite.Data.config contains the following database configuration:

<database id="DB_EmptySix">
   <connectionstring>Data Source=machinename;Initial Catalog=EmptySix;Persist Security Info=True;User ID=FalconAdmin;Password=xxxxx</connectionstring>
</database>

the DatabaseId should be set to DB_EmptySix.

Notice that the specified DatabaseId must refer to a database connection which has read/write access to (at least) all the tables used for managing user accounts.

ProtocolVersion (1.3 build 3 and later)

Specifies the LDAP protocol version to use. When this setting hasn't been specified, it defaults to the internal .NET default (which is 2 in case of connecting to Active Directory).

Forms authentication

The LDAP membership provider works in combination with Forms authentication only.

<authentication mode="Forms">
  <forms loginUrl="/Login" name="Smartsite" />
</authentication>

Registry configuration

When you want the cms manager to use the LDAP server for verifying users and credentials as well, you need to specify the LDAP LogonHandler within the registry. For troubleshooting purposes, you can also add LogLevel to this registry key and specify a (numeric) loglevel. In that case, the COM-Interop class will submit log messages to the Windows event log (if loglevel > 0). The higher the specified loglevel, the more log messages (providing more details of the authentication process) will be submitted.

LogonHandler registry configuration


Single Signon between CMS and Front-end

With the LDAP provider, single signon between CMS and front-end will not work, because there is no way the manager can do a hidden login request to the front-end.


Disable SSO


Within the <location path="cms"> section of your web.config you need to set the authentication mode to None.


<location path="cms">
   (...)
   <authentication mode="None" />
   <authorization>
     <allow users="*" />
   </authorization>
   (...)
</location>

Examples

Your (externally managed) Smartsite Group is 'SmartsiteAccess', and you have configured a 'ManagerAccessGroup' for LDAP users who should be given access to the cms manager.

JohnG is a member of 'SmartsiteAccess' and 'ManagerAccessGroup' in the LDAP Directory, so he will be mapped to a user (IsVisitor bit set to false) within the AllUsers table on first login.

SandraB is only a member of 'SmartsiteAccess' in the LDAP Directory, so she will be mapped to a visitor (IsVisitor bit set to true) within the AllUsers table on first login.
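The group rules from the Settings section and the two examples above, worked through as an added illustration (not Smartsite's own code): SmartsiteAccessGroup gates access, ManagerAccessGroup decides the IsVisitor bit, and the deprecated VisitorGroup is only consulted when no ManagerAccessGroup is configured. The primary key ranges and the behaviour when neither group setting is configured are assumptions, not taken from the page.

```python
# Added illustration of the documented group-membership rules, not the
# provider's code. Group names are compared as plain strings, as in the
# page's examples.
from dataclasses import dataclass
from typing import Optional


@dataclass
class LdapSettings:
    smartsite_access_group: str
    manager_access_group: Optional[str] = None
    visitor_group: Optional[str] = None  # deprecated setting


@dataclass
class AccountDecision:
    allowed: bool
    is_visitor: Optional[bool] = None


def decide_account(groups: set, settings: LdapSettings) -> AccountDecision:
    """Map a user's LDAP group membership to the AllUsers access decision."""
    # Membership must at least include SmartsiteAccessGroup, else no access.
    if settings.smartsite_access_group not in groups:
        return AccountDecision(allowed=False)
    if settings.manager_access_group is not None:
        # Managers get IsVisitor=false, everyone else IsVisitor=true.
        is_visitor = settings.manager_access_group not in groups
    elif settings.visitor_group is not None:
        # Deprecated VisitorGroup rule; ignored once ManagerAccessGroup is set.
        is_visitor = settings.visitor_group in groups
    else:
        is_visitor = False  # assumption: page does not cover this case
    return AccountDecision(allowed=True, is_visitor=is_visitor)


def next_primary_key(is_visitor: bool, used: set,
                     users_range=(1000, 9999),
                     visitors_range=(100000, 199999)) -> int:
    """First free key in the users or visitors range (ranges are assumed values)."""
    low, high = visitors_range if is_visitor else users_range
    for key in range(low, high + 1):
        if key not in used:
            return key
    raise RuntimeError("configured primary key range exhausted")


if __name__ == "__main__":
    cfg = LdapSettings("SmartsiteAccess", "ManagerAccessGroup")
    print("JohnG ", decide_account({"SmartsiteAccess", "ManagerAccessGroup"}, cfg))
    print("SandraB", decide_account({"SmartsiteAccess"}, cfg))
```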

Notes

Currently, the LDAP Membership Provider has been tested with Novell e-Directory only. However, since it uses the .NET LdapConnection object from the System.DirectoryServices.Protocols namespace, it should be possible to connect to other LDAP servers as well.
