Please login to participate.
.
Home
Wiki Page

HowTo: Setup MS Active Directory integration with Cyn.in

.

Get to ZMI Screen for your site. 

Login with admin user (password: Whatever you changed it to, from the default of "secret") at http://<siteURL OR IP address>:8080/manage to get ZMI screen

msadldapsetup001

Open up your site (cynin link) and click portal_quickinstaller

msadldapsetup002

Install LDAP Support

Check the product shown and hit the Install button

 

msadldapsetup003

Go to /cynin/acl_users and add ACL plugin

For Microsoft Active Directory, this must be : Plone Active Directory plugin, for other services, Plone LDAP plugin would be first choice

msadldapsetup004

Fill in the details for the AD connection...

This is the crucial step, and must be done right, because without successful connection, the plugin will not install and all you'll get is an Error screen. If you do get an error screen, hit Back in your browser, and change what is needed to fix, and try again.

More details follow in further screenshots.

msadldapsetup005

Get details from your AD

For doing this with MSAD specifically, I recommend the SysInternals tool, AD Explorer. You need to use a tool only to determine the values of your DNs for the AD hookup. If you're well versed with your configuration, then just follow along and fill in appropriate values.

So install AD Explorer, open it up, connect to your Active Directory, and go to the DC, navigate to the place where you're storing User data. This is typically (at least in the out-of-box setup), going to be the one highlighted in the screenshot.

msadldapsetup006

Pick up the base DN and paste

The default AD setup has users and groups in the same DN, Users, so do a right-click on the Folder, and copy the value of Distinguished Name, and paste it into both, the Users Base DN and the Groups Base DN fields. Adjust as required for your own setup, if different.

msadldapsetup007

Pick up the DN of the Administrator user and paste

The Plone AD plugin will use this user to connect to your AD, so if you're not particular about it, the Administrator user will do (right click->properties on the Admnistrator user), else substitute any user's DN as appropriate, just make sure at least Read access to the Base DN that you're selecting is available.

Paste the DN into... you guessed it, the Manager DN field. :)

 

msadldapsetup008

Fill in the remaining fields

  • Fill in the password for the Admin user.
  • Fill in the hostname and port of the AD server in the LDAP Server:port field. The format of this must be either IPAddress:port (as shown), or hostname:port, as per your needs.
  • Check on Read Only unless you want users to be able to modify their AD profile through their Cyn.in profile.
  • Change the default user roles from Anonymous, Member to just Member
  • Fill in an ID and a Title. Whatever you want in this, it doesn't really matter, just as long as you remember it.

msadldapsetup009

... And hit Save

Now depending on validation of the info you filled in, you'll either get the screen shown below, with your newly added item showing in the list, or you'll get an error, if the connection to your AD failed. Diagnose and adjust accordingly, if so by hitting back in your browser and changing what's necessary. Passing this step is crucial for the integration to work.

msadldapsetup010

Turn on all the plugin's methods, hit Update

msadldapsetup011

Click the Properties plugin and move it higher in priority

Select the AD plugin

msadldapsetup012

and click the Up arrow to move it up.

msadldapsetup013

Fix the incorrect Group ID Attribute in Properties Tab

Change from groupid_attr = ObjectGUID to...

msadldapsetup014

... to groupid_attr = sAMAccountName and hit Save.

Yes, the case of the value is important, you have to type it exactly as shown.

msadldapsetup015

Open the Contents tab

...and then open up the nested acl_users object.

msadldapsetup016

Fix the User Object Classes

Change from pilotPerson, uidObject to...

msadldapsetup017

..... to organizationalPerson, as shown. Again, CaSe is important.

msadldapsetup018

Check the Groups tab

You should see all the groups in your AD showing up here, now. Verify that all looks ok, don't change anything.

msadldapsetup019

Verify User lookup

Click the Users tab, fill in a known value and choose the appropriate field, and hit Search.

msadldapsetup020

Verify the Search Results

msadldapsetup021

Click a result and ensure correct Group assignment

The user should have appropriate Groups checked as per "belongs to" relationship.

msadldapsetup022

Login should now be working with AD :)

msadldapsetup023

But you still have to do Schema mapping...

The fullname of the user, the email address is not being mapped to the user yet. You need to map this up properly so that things like notification emails, etc. work properly. Read on...

msadldapsetup024

Go to LDAP Schema tab...

Add displayName as FullName

msadldapsetup025

Add mail as email

msadldapsetup026

Refer to /cynin/portal_metadata and map other fields

Navigate out to /cynin and then to portal_metadata object. Here, you'll see the fields that Cyn.in currently stores against all users.

Note: Some fields are not wired up yet, use this screen for reference only.

The idea is that you can map things like phone numbers, job titles (designation), etc., by matching these fields against the ones stored and in use, in your AD. To add a new mapping, see the name here, compare it with your AD field's name and add a new mapping in LDAP schema screen, as shown for displayName and mail. The rest of the fields are left up to you as per your requirements and usage.

  • If you don't map a field, it won't get filled automatically, but your users will be able to use it normally from their Cyn.in edit profile
  • If you do map a field, and your AD connection is set to Read Only, then users will not be able to edit it
  • If you do map a field, and you AD connection is not set to Read Only, then changes users will make, will make it back to your AD, if the username/password combination you put in the Manager DN field has write permssions

msadldapsetup027

Clear Cache and revisit

If you, like me, wanted to login first to see if it works, then you get to visit the Caches tab to purge all caches, after you do the schema mapping.

Logins are cached as per the setting in the Caches tab, so that your AD is not looked up constantly. Tweak here only if necessary.

Once you map up the schema as per above, your People Directory will come pre-populated with the users from your AD, as shown. If you're setting up a complex Space structure, do note that you can

map groups from AD to local roles on the Sharing tab of a Space - and it should work fine.

msadldapsetup028

So set your Cyn.in's up, let's see if you can get it to work properly. :)

Let us know if you have any ideas, suggestions about this or if you get stuck in a problem with the AD integration, just post up a new discussion with the details.

Description
A stepwise walkthrough for setting up integrated authentication with MSAD for authentication, group assignment and user schema field synchronization.
Comments (14)
gump103 Nov 09, 2009 04:39 PM
Just wondering if its posible to configure cynin for SSO as well.
dhiraj Nov 10, 2009 07:08 AM
SSO. Hmm... as you can see with the Cynapse.com sites it's definitely possible. It does require quite a bit of varied expertise and know-how, though. SSO setup is a no-no for the easily intimidated. :)

Please start a new discussion topic for this and tell us what you want to accomplish, in as much detail as possible.

For Cynapse.com we currently have an SSO between Drupal 6.x, Redmine and Cyn.in.
mgarner Dec 15, 2009 09:21 PM
Using MSAD i can only get a hand full of users to show up and a portion of my groups.
mgarner Dec 15, 2009 10:34 PM
Problem Fixed. My OU's are stuctured different from the instructions. I had a sub OU that all my users are in. I was using this bind (CN=Users,DC=mydomain,DC=us)i switched to this one and it worked.OU=Standard Users,OU=Dept Groups,DC=mydomain,DC=us. Great tutorial BTW.
dhiraj Dec 30, 2009 07:17 AM
Thanks! :)

So you had pointed the Users and Group OUs to the top-level and it was not working fully?

Weird. The normal behavior mode is "SUBTREE" where any matches from any descending structure should be returned, for all queries.

Or was it some other top-level branch of the AD tree altogether?
andrebrown Feb 04, 2010 03:29 AM
I noticed that if I delete an LDAP user account from Cynin, it delete's the account in the LDAP directory. However, if I create an account in Cynin, it doesn't create an account in the LDAP directory. Why does this only work one way?
dhiraj Feb 04, 2010 07:44 AM
Hmmm.... that's easily explained: There is no LDAP user account *create* facility, yet. I do believe I'd seen a plone product that would allow user management - but since we're recommending read-only MSAD ATM, this hasn't been looked into.

The reason that delete works is because Cyn.in knows that it's an AD user and when you administratively ask to delete the user, the choice is either to say not-can-do, or to go ahead and delete it.

In the case of create user, Cyn.in will create a "normal" user, one that it can manage fully, in the internal source_users implementation.
tomasz May 26, 2010 10:06 AM
I use this guide to add openLDAP support (also our openldap acts as domain controler with samba). I succesfully added plone openldap plugin. But when i get to this step ""Fix the incorrect Group ID Attribute in Properties Tab from groupid_attr = ObjectGUID to sAMAccountName", view from guide is different one I have. So, what file i edit by hand to change this manually ?
tomasz May 26, 2010 10:23 AM
Im adding Cyn.in (v313) OpenLDAP plugin. Seems like this guide is for older version. Because picture for "Fix the incorrect Group ID Attribute in Properties Tab" step is completely diferent for v313. What is other way to change groupid_attr ?
amandahla May 31, 2010 06:06 PM
Does "User Object Classes" is right? The organizationalPerson doesnt work for me...Any help?
ymhing Jun 08, 2010 03:06 AM
For those that wanted to exclude other objects within the AD, i.e just User profile only, you can put the following at the "Additional user search filter" field : (&(objectCategory=person)(objectClass=user))
pac22 Jun 17, 2010 08:10 PM
Hi, i am running a Test Pilot in our University (UTN) in Campana, Argentina.
I have everything working properly with AD, I wanted to see if he could give access (login) only to a group of AD, such that only group members of GG_CynFRD group can log into Cyn.In

Thanks in advance, Cristian.
ybizeul Jul 29, 2010 08:40 AM
I just noticed a BIG issue, I'd like to know if people using accents have the same issue :
For a user having an accent in his CN, If I look at his properties and the list of groups he belongs to, that's ok.
But if I go the the group properties, I only see users NOT having accents in their name. The effect is that the effective privileges of the user when he logs in ignores this group belonging.

That is a very big issue if I'm not alone !
physikal Aug 27, 2010 05:53 PM
My AD structure is as follows:
domain.com
 > Location1.OU
    > Computers
    > Users
> Location2.OU
    > Computers
    > Users

And so on. So in order to grab all users, I have to enter the root dn. so dc=domain, dc=com. So it is grabbing ALL users. But my problem is it is grabbing all objects, computers, servers, etc. So when browsing the "People" section of cyn.in it is showing a bunch of computer names and server names. Any way around this?
Go to Top↑
 
Loading