moov2 / Orchard.ActiveDirectoryAuthorization

Module for Orchard CMS that handles authorization for active directory users.

Active Directory Authorization and Content Item Permissions #9

Closed Tayvius closed 11 years ago

Tayvius commented 11 years ago

This isn't an issue as such...

I was wondering if there would be any plans to provide compatibility with the Content Item Permissions module that's available on the orchard gallery? I've opened a thread on the orchard codeplex discussions which details an error I'm currently running into (refer to below link).

I think your plugin combined with this feature would be fantastic (it's pretty great how it works now nonetheless :D ) as it would allow very high administrative control. Unless you have a suggestion.

https://orchard.codeplex.com/discussions/434422

Any help with this would be great, thanks.

DannyT commented 11 years ago

We'll have a look and let you know. Whilst we are abstracting a pretty major piece of functionality we ideally want to stay as interoperable as possible. Bear with us :)

Tayvius commented 11 years ago

Thank you for that.

Also, I don't know if this would help with compatibility, but would automatically adding a generated user to the particular AD role help with compatibility?

DannyT commented 11 years ago

So if you manually assign the user to the Orchard role this module works as expected? Sorry I don't have an AD environment set up at the moment to test this. I guess so and if that's the case then yes perhaps auto assigning users to matching Orchard roles is a good idea.

Tayvius commented 11 years ago

Nah, I tried manually assigning the user at my end after the first initial access, thinking that would work due to item permissions working via roles.

DannyT commented 11 years ago

Does it error or just not give the appropriate access?

Tayvius commented 11 years ago

It doesn't apply the access permission at all (the roles used for AD) and errors. I downloaded the error log module, which is what I posted up on the Orchard discussions section, and checked the time against when I had my work mate try to access the page, and both match.

Tayvius commented 11 years ago

Hi,

Sorry for double posting :s.

Just wondering if you might have anything on this issue yet? I tried contacting Sebastien Ros about the plugin and didn't get any reply back (he might not be actively managing the plugin anymore, which would be a shame).

This is the output I get when I get a single user under the "Intranet_Users" role to try and access the page.

[screenshot: Error]

[screenshot: Page Setting for Item Access Control: Page Permission]

peterkeating commented 11 years ago

Wondering if you can give the latest source code a try. I have managed to get it to work for my local version, but it would be really good if you could give it a test and let me know if it solves the issues you're having.

peterkeating commented 11 years ago

Realised I have prevented the active directory roles from being loaded onto the IUser that is set on the active context with the commit above. This means that only the roles that are set on the User that is stored in the database will be available to the logged in user that is stored on the context. Will fix this when I get a moment so both the user roles in orchard and the AD roles are set.

Tayvius commented 11 years ago

The permission seems to work now, however there seem to be two issues I can see:

  1. When the user logs in for the first time and is created, I have to manually apply that generated user to the predefined role e.g. MACANDREWS\Intranet_Users.
  2. When I have manually applied the user to the role which matches the AD group, the user is prompted for a login to the page which they should not be able to see (which I thought would happen). When the user gets the login prompt back it appends "INTRANETDEV\" before their username, when it should be either just their username (to hide the domain from them) or "MACANDREWS\".

[screenshot: Access Denied Login Prompt]

Seems to be nearly there though, which I'm really appreciative of :).

peterkeating commented 11 years ago

Your 1st point is something myself & @DannyT were talking about this morning, hopefully I will implement this feature tonight.

With regards to your 2nd point we think that windows authentication is responsible for putting the domain in front of the username so it maybe out of our control.

Tayvius commented 11 years ago

Yeah, just been doing some tests and the generated user does have to be applied manually to get it to work. On the other point, I'll keep looking at the IIS server to see if there are any stray settings and keep you posted.

For your brilliant help on this, is there anywhere I can make a donation, e.g. PayPal? (Get you and your team a drink :-) ).

peterkeating commented 11 years ago

No donation required, but thanks for the thought :)

Think I have got this working, remember it will only create the roles for the user when the user is created. So if the roles change then the orchard roles will need to be manually changed as well.

Tayvius commented 11 years ago

Has the update been submitted as the latest master build?

peterkeating commented 11 years ago

Yeps, here is the commit. Not working?

Tayvius commented 11 years ago

Yep that works a treat, thank you so much for your help :).

One last question: if I swapped the user in AD to another group, will this swap their role accordingly within Orchard (assuming the user already exists from a previous visit)?

peterkeating commented 11 years ago

Unfortunately it won't at the moment, I could possibly make it so each time it checks to see if there are any AD roles that match Orchard roles that aren't assigned to the user (they would then be assigned to that role). Think it could get messy though if we try to implement some sort of maintaining the assigned roles (updating, removing), hence why I didn't put that in to begin with.

Tayvius commented 11 years ago

Would it be easier to check if the AD/Role has changed, and if so delete the user and recreate them with the new info?

Instead of manipulating the orchard roles?

peterkeating commented 11 years ago

I would be cautious of doing that, because if an Administrator has assigned a role to the user in the Orchard admin area, that would then be lost.
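The two comments above (syncing AD groups into matching Orchard roles on every login, and not wiping roles an administrator assigned by hand) can be reconciled in one step. The following is an added illustration, not code from the Orchard.ActiveDirectoryAuthorization module; it assumes, as in this thread, that the Orchard roles mirroring AD groups are named `DOMAIN\Group`, and it uses plain collections rather than Orchard's role services so that it runs stand-alone.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;

// Hypothetical reconciliation helper (added example, not part of the module).
// It computes which roles to add or remove for a user at login without ever
// touching roles that do not mirror an AD group (e.g. "Administrator").
public static class AdRoleSync
{
    public sealed class Plan
    {
        public List<string> Add { get; } = new List<string>();
        public List<string> Remove { get; } = new List<string>();
    }

    // adGroups:     group names the directory reports for the user right now.
    // orchardRoles: every role defined in Orchard (mirrored and admin-created).
    // userRoles:    roles the user currently holds in Orchard.
    // removeStale:  also drop mirrored roles the user is no longer in within AD.
    public static Plan Reconcile(IEnumerable<string> adGroups, IEnumerable<string> orchardRoles,
                                 IEnumerable<string> userRoles, bool removeStale)
    {
        var cmp = StringComparer.OrdinalIgnoreCase;
        var defined = new HashSet<string>(orchardRoles, cmp);
        var held = new HashSet<string>(userRoles, cmp);
        // Assumption: only roles that exist in Orchard AND are named "DOMAIN\Group" are mirrored.
        var mirrored = new HashSet<string>(defined.Where(r => r.IndexOf('\\') >= 0), cmp);
        var wanted = new HashSet<string>(adGroups.Where(mirrored.Contains), cmp);

        var plan = new Plan();
        plan.Add.AddRange(wanted.Where(r => !held.Contains(r)));
        if (removeStale)
            plan.Remove.AddRange(held.Where(r => mirrored.Contains(r) && !wanted.Contains(r)));
        // Non-mirrored roles in 'held' are admin-assigned and are deliberately left alone.
        return plan;
    }

    public static void Main()
    {
        // Constructed sample: the user moved from Intranet_Users to Intranet_Editors in AD,
        // and an administrator had earlier given them "Editor" by hand in Orchard.
        var plan = Reconcile(
            adGroups: new[] { @"MACANDREWS\Intranet_Editors", @"MACANDREWS\Domain Users" },
            orchardRoles: new[] { "Administrator", "Editor", @"MACANDREWS\Intranet_Users", @"MACANDREWS\Intranet_Editors" },
            userRoles: new[] { "Editor", @"MACANDREWS\Intranet_Users" },
            removeStale: true);
        Console.WriteLine("Add: " + string.Join(", ", plan.Add));        // MACANDREWS\Intranet_Editors
        Console.WriteLine("Remove: " + string.Join(", ", plan.Remove));  // MACANDREWS\Intranet_Users
    }
}
```

`Domain Users` is ignored because no Orchard role mirrors it, and `Editor` survives because it is not a mirrored role, which is the behaviour the delete-and-recreate approach would lose.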

Tayvius commented 11 years ago

Yeah that's true.

As a summary the new updates seem to be working fine with no errors in my orchard installation. If you want any more testing for future features in a production environment let me know by email.

Thanks again for your support. :)

peterkeating commented 11 years ago

Thanks very much for your contribution :)