DNNCommunity / DNN.ActiveDirectory

Active Directory authentication for DNN
MIT License

Roles Sync - AD and DNN Roles #63

Open TineHorvat opened 4 years ago

TineHorvat commented 4 years ago

Please summarize your question in one sentence

Can someone explain how exactly the sync of user roles should work? Are roles synced from AD when the user first logs in, or do they actually need to exist beforehand in DNN Roles? After login they are matched and if they are the same (for example AD Role "Marketing" and DNN role "Marketing") and if the user has it, it will be added to him as he logged in? Is the process somehow different?

Give a more extended description

I've tried to manually add the names of the roles as they are in the AD, but the user after login gets only the Registered and Subscribers roles. Should they be set as Auto assign or something? Am I missing something?

Steps to reproduce (if needed)

Using DNN 9.4.1 and DNN.AD module 7.0.0. Users can log in with their AD login data, but none of the roles are assigned to them.

Other comments or remarks

I'm a little lost right now as I don't know where to look for more info or examples. Also any help would be really appreciated ;)

Cheers

SCullman commented 4 years ago

Corresponding roles need to exist in DNN in advance.


A user in AD normally has a couple of AD roles, either direct or indirect. You usually don't want to pollute DNN with all those roles. During login DNN tests all of the DNN roles to see whether the user belongs to that role in AD or not. AD roles are never changed; it always synchronizes from AD to DNN.

sawest commented 4 years ago

@tinehorvat The role must exist in DNN first. It must match exactly. The user needs to be a member of that group on AD first. EVERY login will sync roles. If the user in AD is in a group called Finance then DNN will look for a role called Finance and add them to that role on login.

Of course this assumes you have sync turned on in the AD module settings.

pmgerholdt commented 3 years ago

Trying to use this provider for a DNN portal. It works fine for authentication, but strangely it is not consistent in adding users to a role. I have about 90 members out of 400 who are correctly added to the DNN role, and the other 300+ are not; and all of them are members of the same security group in AD that should map to this DNN role.

Any guidance or thoughts on why this isn't rock solid in this regard? I really want to use / trust this for use within DNN.

Edit: In fact, I can manually add a person to the DNN role who is also a member of the AD group, and when they log on, they get removed from the DNN role. So the sync action appears to be working, it's just not recognizing AD group membership correctly for some (most) folks, while it is getting it right for others.

valadas commented 3 years ago

Are you using the latest Dnn version? There was a fix relating to the users cache in 9.7.1. Not sure if that is your issue, but just wondering if it may have an effect here.
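
A small Python model of the sync behaviour described in the comments above, added here as an illustration; it is not part of the thread and not the DNN.ActiveDirectory provider's code. The function names, the nested-group map, the `protected` set for built-in roles and all sample data are assumptions made for the example.

```python
# Added model of the per-login role sync described in this thread.
# Not the provider's implementation; names and data are hypothetical.
from typing import Dict, Set, Tuple

def effective_groups(direct: Set[str], member_of: Dict[str, Set[str]]) -> Set[str]:
    """Direct AD groups plus every group reached through nesting (cycle-safe)."""
    seen: Set[str] = set()
    stack = list(direct)
    while stack:
        group = stack.pop()
        if group not in seen:
            seen.add(group)
            stack.extend(member_of.get(group, ()))
    return seen

def sync_on_login(dnn_roles: Set[str], current: Set[str], ad_groups: Set[str],
                  protected: Set[str]) -> Tuple[Set[str], Set[str]]:
    """Return (roles to add, roles to remove) for one login.

    Only roles that already exist in DNN are tested, names must match
    exactly, and the result is applied to DNN only (AD is never changed).
    """
    add: Set[str] = set()
    remove: Set[str] = set()
    for role in dnn_roles - protected:     # assumption: built-in roles are left alone
        in_ad = role in ad_groups          # exact name match
        if in_ad and role not in current:
            add.add(role)
        elif not in_ad and role in current:
            remove.add(role)               # a manually granted role is dropped again
    return add, remove

# Constructed sample data
DNN_ROLES = {"Registered Users", "Subscribers", "Finance", "Marketing", "Editors"}
PROTECTED = {"Registered Users", "Subscribers"}
# group -> groups it is a member of (includes a loop to show cycle handling)
NESTING = {"Finance-EU": {"Finance"}, "Finance": {"AllStaff"}, "AllStaff": {"Finance-EU"}}

def demo():
    groups = effective_groups({"Finance-EU", "Marketing Team"}, NESTING)
    current = {"Registered Users", "Subscribers", "Editors"}  # Editors was added by hand
    return groups, sync_on_login(DNN_ROLES, current, groups, PROTECTED)

if __name__ == "__main__":
    groups, (add, remove) = demo()
    print("effective AD groups:", sorted(groups))
    print("add:", sorted(add), "remove:", sorted(remove))
```

In the sample, "Marketing Team" does not grant the DNN role "Marketing" because the names differ, "AllStaff" grants nothing because no DNN role of that name exists, and the hand-assigned "Editors" role is removed because AD shows no matching membership.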