Using LDAP for User Authentication
Product version: 4.50
Document version: 1.1
Document creation date: 03-06-05
Purpose
This technical note describes how to configure and set up EPiServer to use an LDAP server for user authentication. This is an advanced operation and good knowledge of your LDAP environment is required.
The contents of this document are protected by copyright. Contents of the document may be freely copied and distributed, either digitally or in printed format, to all EPiServer users.
Revision Information
Document version Comments
1.0 4.50 release version.
1.1 Updated "Requirements" chapter to indicate Windows 2000 or later.
Table of Contents
REQUIREMENTS 2
INITIAL SETUP TO USE ACTIVE DIRECTORY 2
INITIAL SETUP TO USE EDIRECTORY 3
IMPORT GROUPS FROM LDAP SERVER 3
USING LDAP ACCOUNTS FOR EDITORS AND ADMINISTRATORS 4
ADVANCED CONFIGURATION OPTIONS 4
Requirements
• EPiServer 4.0.0.20 or later running on Windows 2000 Server or later. EPiServer uses the native Windows LDAP APIs introduced in Windows 2000 and does not run on earlier versions of Windows.
• A Windows Active Directory (AD) server and an account with read/browse rights to the Active Directory.
  - or -
  A Novell eDirectory version 8.5 or later and an account with read/browse rights to the entire eDirectory.
Initial Setup to Use Active Directory
Open web.config, which is in the root folder of your EPiServer installation, and modify the following settings under configuration/appSettings. See Advanced Configuration Options for more information.

Key: Value
EPsLdapServer: The DNS name or IP address of the AD domain, for example company.com.
EPsLdapDomain: The domain of the account that you want to use to access information from your AD, for example MyDomain. If you are using simple authentication, this should be left blank.
EPsLdapUser: The username of the account that you want to use to access information from your AD, for instance MyUser (if you are using simple authentication this should be MyDomain\MyUser). This account should have read/browse access to the entire tree.
  Note: The role Account Operators should have sufficient access rights in the AD.
EPsLdapPassword: The password for the account that you want to use to access information from your AD.
EPsLdapRootContext: The root of the AD domain. Using the same example as before (company.com) it should be dc=company,dc=com.
EPnLdapAuthenticationType: 1158
EPfLdapAuthenticateWithBind: True
EPsLdapServerType: Set this parameter to AD if you use AuthenticationMode = Windows. This enables the check of LDAP group membership for Windows accounts.
  Note: This does not work in EPiServer 4.21 and previous versions.
Initial Setup to Use eDirectory
Open web.config, which is in the root folder of your EPiServer installation, and modify the following settings under configuration/appSettings. See Advanced Configuration Options for more information.

Key: Value
EPsLdapServer: The DNS name or IP address of the AD domain, for example company.com.
EPsLdapDomain: Empty
EPsLdapUser: An account that has read/browse rights to the eDirectory, for instance cn=ldapbrowser,o=company.
  Note: You must enter the account name as a fully qualified LDAP name. The more common "dotted notation" usually used with NDS/eDirectory will not work.
EPsLdapPassword: The password for the account that you want to use to access information from your eDirectory.
EPsLdapRootContext: Empty
EPnLdapAuthenticationType: 128
EPfLdapAuthenticateWithBind: False
Import Groups from LDAP Server
To be able to fully utilize the LDAP server for authentication, you need to import the groups / organizational units (OU) that you want to use for controlling access to EPiServer. If you skip this step, you will still be able to use accounts from the LDAP server, but they will only belong to the group "Everyone" from EPiServer's point of view.
Note: In AD, a group that is used in EPiServer and is defined as Primary Group for a user cannot be retrieved when EPiServer queries LDAP for group membership. Normally this means that you can import a primary group (such as Domain Users) to EPiServer, but an LDAP user that has this group as primary group will not act as a member of this group in EPiServer.
How to import groups:
1. Log on and go to Admin mode.
2. Select Administer groups under Access rights.
3. In the text area above the Import from LDAP server button, enter a search expression to retrieve a list of groups/OUs from the LDAP server. The search expression should usually be in the form prefix*, where prefix will match the beginning of a group name or OU. If the search expression is left blank, all groups will be returned. Note that this can take a long time and may fail if excessive amounts of data are returned.
4. Click Import from LDAP server to retrieve a group list.
5. Select the groups that you want to import and click Save. You can now use the imported groups to set access rights for pages in EPiServer.
Note: Previously selected groups should be selected as default when you make a new search.
Using LDAP Accounts for Editors and Administrators
If you want to use LDAP accounts for Editors and Administrators, you need to perform additional configuration changes in web.config.
In the following example we assume that the groups "EPiServerAdmins-Users-company-com" (actual LDAP name is CN=EPiServerAdmins,CN=Users,DC=company,DC=com) and "EPiServerEditors-Users-company-com" (actual LDAP name is CN=EPiServerEditors,CN=Users,DC=company,DC=com) have been imported. All LDAP accounts that belong to the EPiServerAdmins group should have access to Admin mode, and accounts belonging to EPiServerEditors should have access to Edit mode.
In web.config, locate the section <location path="admin"> and the contained tag that reads <allow roles="WebAdmins, Administrators" />. Change this tag to <allow roles="WebAdmins, Administrators, EPiServerAdmins-Users-company-com" />.
Note: To access the system settings, you must use a Windows account that has local Administrator privileges on the Web server.
In web.config, locate the section <location path="edit"> and the contained tag that reads <allow roles="WebAdmins, WebEditors, Administrators" />. Change this tag to <allow roles="WebAdmins, WebEditors, Administrators, EPiServerEditors-Users-company-com" />. This change is enough to give users access to Edit mode, but before they can edit pages you must also set the correct access rights on the pages that they should be allowed to edit.
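As an added illustration of the two web.config edits above (this is example code, not part of the technical note and not EPiServer's own code), the following Python reads the allow list under <location path="admin"> and <location path="edit"> and appends an imported LDAP group to it without duplicating an entry that is already there. Only the <allow roles=...> tags are quoted from the note; the surrounding <system.web>/<authorization> layout is the standard ASP.NET structure and is assumed here, and the sample config text is constructed for the example.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragment. The <allow roles=...> values are the ones the
# note quotes; the <location>/<system.web>/<authorization> nesting is the usual
# ASP.NET layout (assumed, not shown in the note).
SAMPLE_WEB_CONFIG = """<configuration>
  <location path="admin">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
  <location path="edit">
    <system.web>
      <authorization>
        <allow roles="WebAdmins, WebEditors, Administrators" />
        <deny users="*" />
      </authorization>
    </system.web>
  </location>
</configuration>
"""


def _split_roles(text):
    """ASP.NET accepts a comma-separated role list; strip stray whitespace."""
    return [r.strip() for r in (text or "").split(",") if r.strip()]


def _allow_element(root, path):
    """Return the <allow roles=...> element under <location path=...>, or None."""
    for loc in root.iter("location"):
        if loc.get("path") == path:
            allow = loc.find("./system.web/authorization/allow")
            if allow is not None and allow.get("roles") is not None:
                return allow
    return None


def allowed_roles(config_xml, path):
    """Roles currently granted access to the given location (e.g. 'admin')."""
    allow = _allow_element(ET.fromstring(config_xml), path)
    return _split_roles(allow.get("roles")) if allow is not None else []


def grant_role(config_xml, path, role):
    """Return new web.config text with `role` appended to the allow list of `path`.
    Idempotent: a role that is already listed is not added twice."""
    root = ET.fromstring(config_xml)
    allow = _allow_element(root, path)
    if allow is None:
        raise ValueError(f"no <allow roles=...> under <location path={path!r}>")
    roles = _split_roles(allow.get("roles"))
    if role not in roles:
        roles.append(role)
    allow.set("roles", ", ".join(roles))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    cfg = grant_role(SAMPLE_WEB_CONFIG, "admin", "EPiServerAdmins-Users-company-com")
    cfg = grant_role(cfg, "edit", "EPiServerEditors-Users-company-com")
    print("admin:", allowed_roles(cfg, "admin"))
    print("edit: ", allowed_roles(cfg, "edit"))
```

To apply this to a real installation, read web.config into a string, call grant_role for each imported group, and inspect allowed_roles on the result before writing the file back; keeping the admin list restricted to the groups that genuinely need Admin mode is the point of the exercise.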
Advanced Configuration Options
EPsLdapServer: Host name of the LDAP server or the name of the Active Directory domain. If you are using an AD domain, it is highly recommended to use the domain name to take advantage of failover functions, etc. For example "ldap.microsoft.com" or "192.168.12.23".
EPsLdapDomain: Should be set to the domain of the user if you are using simple authentication. If you are using Negotiate authentication, this should be left blank.
EPsLdapUser: A user that has read/browse rights to the entire tree where you want to authenticate.
EPsLdapPassword: Password for EPsLdapUser.
EPsLdapRootContext: If you want to limit the scope of group searches, set this parameter to the desired starting point. For Active Directory sites, you must set this parameter to the root (or somewhere below the root); otherwise searches will be performed against schema data. For the Active Directory domain company.com, the root context should be "dc=company,dc=com".
EPnLdapAuthenticationType: A numeric value that selects the authentication type. Possible values are:
  128 = Simple authentication, i.e. clear text.
  1158 = Negotiate authentication.
  Add 131072 to force communication over SSL.
EPfLdapAuthenticateWithBind: If your LDAP server does not support the ldap_compare command to check passwords, set this to True to use a second bind to provide the authentication service. ldap_compare is a much faster operation than performing a bind, so you should set this parameter to False if possible.
EPsLdapServerType: For AD, set this parameter to AD if you use AuthenticationMode = Windows. This enables the check of LDAP group membership for Windows accounts.
  Note: This does not work in EPiServer 4.21 and previous versions.
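Worked example, added here and not part of the technical note or of EPiServer: the Python below computes EPnLdapAuthenticationType from the values listed above (simple authentication over SSL is 128 + 131072 = 131200) and lints the appSettings from the two setup tables against the rules the note states: simple authentication without the SSL flag is clear text, AD needs a non-empty EPsLdapRootContext, eDirectory needs a fully qualified LDAP name in EPsLdapUser, and EPsLdapDomain is blank for Negotiate. The two sample configs are constructed from the setup tables with a placeholder password; the <add key="..." value="..."/> form of appSettings is the standard .NET one and is assumed.

```python
import xml.etree.ElementTree as ET

# Values quoted from the note's "Advanced Configuration Options".
SIMPLE = 128        # simple authentication: clear-text bind
NEGOTIATE = 1158    # Negotiate authentication
SSL_FLAG = 131072   # added to either base value to force communication over SSL


def authentication_type(mode, use_ssl):
    """Compute EPnLdapAuthenticationType from a mode name ('simple'/'negotiate') and an SSL switch."""
    base = {"simple": SIMPLE, "negotiate": NEGOTIATE}[mode]
    return base + SSL_FLAG if use_ssl else base


def split_authentication_type(value):
    """Inverse of authentication_type: (base value, SSL flag present?).
    SSL_FLAG is a power of two larger than both base values, so a bit test is exact."""
    return value & ~SSL_FLAG, bool(value & SSL_FLAG)


def read_app_settings(config_xml):
    """Collect <add key value/> entries under configuration/appSettings into a dict."""
    root = ET.fromstring(config_xml)
    return {a.get("key"): a.get("value") or ""
            for a in root.findall("./appSettings/add") if a.get("key")}


def lint_ldap_settings(config_xml, server_type):
    """Return a list of findings for the EPiServer LDAP keys; server_type is 'ad' or 'edirectory'."""
    if server_type not in ("ad", "edirectory"):
        raise ValueError("server_type must be 'ad' or 'edirectory'")
    s = read_app_settings(config_xml)
    raw = s.get("EPnLdapAuthenticationType", "")
    try:
        base, ssl = split_authentication_type(int(raw or 0))
    except ValueError:
        return [f"EPnLdapAuthenticationType is not numeric: {raw!r}"]
    findings = []
    if base not in (SIMPLE, NEGOTIATE):
        findings.append(f"EPnLdapAuthenticationType base value {base} is neither 128 nor 1158")
    if base == SIMPLE and not ssl:
        findings.append("simple authentication (128) without SSL sends EPsLdapPassword and "
                        "user passwords in clear text; use 131200 (128 + 131072)")
    if base == NEGOTIATE and s.get("EPsLdapDomain"):
        findings.append("EPsLdapDomain should be left blank with Negotiate authentication")
    if not s.get("EPsLdapPassword"):
        findings.append("EPsLdapPassword is empty")
    if server_type == "ad" and not s.get("EPsLdapRootContext"):
        findings.append("EPsLdapRootContext is empty: AD searches must start at or below "
                        "the domain root (dc=company,dc=com), not against schema data")
    if server_type == "edirectory" and "=" not in s.get("EPsLdapUser", ""):
        findings.append("EPsLdapUser must be a fully qualified LDAP name such as "
                        "cn=ldapbrowser,o=company; dotted NDS notation does not work")
    return findings


# Constructed sample appSettings built from the note's two setup tables
# (placeholder password; eDirectory host name is made up for the example).
AD_CONFIG = """<configuration>
  <appSettings>
    <add key="EPsLdapServer" value="company.com" />
    <add key="EPsLdapDomain" value="" />
    <add key="EPsLdapUser" value="MyUser" />
    <add key="EPsLdapPassword" value="PLACEHOLDER_PASSWORD" />
    <add key="EPsLdapRootContext" value="dc=company,dc=com" />
    <add key="EPnLdapAuthenticationType" value="1158" />
    <add key="EPfLdapAuthenticateWithBind" value="True" />
    <add key="EPsLdapServerType" value="AD" />
  </appSettings>
</configuration>"""

EDIR_CONFIG = """<configuration>
  <appSettings>
    <add key="EPsLdapServer" value="ldap.company.com" />
    <add key="EPsLdapDomain" value="" />
    <add key="EPsLdapUser" value="cn=ldapbrowser,o=company" />
    <add key="EPsLdapPassword" value="PLACEHOLDER_PASSWORD" />
    <add key="EPsLdapRootContext" value="" />
    <add key="EPnLdapAuthenticationType" value="128" />
    <add key="EPfLdapAuthenticateWithBind" value="False" />
  </appSettings>
</configuration>"""

if __name__ == "__main__":
    for name, cfg, kind in (("AD", AD_CONFIG, "ad"), ("eDirectory", EDIR_CONFIG, "edirectory")):
        print(name, lint_ldap_settings(cfg, kind) or ["no findings"])
```

The eDirectory table in this note uses the plain value 128, which the linter flags; changing it to 131200 keeps simple authentication but moves both the browse account's password and every user's login password off the wire in clear text.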