From this guide, you will learn how to use the LDAP module and how to switch between its different modes.
1. Using LDAP
After installing the module, you must configure it by selecting one of the following shortcuts in the start menu:
- A shortcut named LDAP in the Sitecore menu.
This shortcut is defined in the Core Database at:
Content Editor » Documents and Settings » Start menu » All users » Left » LDAP
- In the Sitecore menu under All Applications » Security » LDAP.
This shortcut is defined in the Core Database at:
Content Editor » Documents and Settings » Start menu » All users » Programs » Security » LDAP
- Or Sitecore » Administrative Tools » LDAP.
This shortcut is defined in the Core Database at:
Content Editor » Documents and Settings » Start menu » All users » Right » Administrative Tools » LDAP
Note that you can remove any of these shortcuts by deleting the corresponding Items in the Core database (at the paths shown above). We recommend that you use Sitecore security settings to exclude the shortcuts from the main menu for non-administrators.
The LDAP Configuration tool displays the options shown below. Choose whether you want to configure Sitecore Client Security or Sitecore Extranet security.
Depending on the synchronizing mode you have chosen, you may now add/delete Users and/or groups (from your LDAP directory) that should have access to Sitecore. See the figure below:
Important notes when adding/deleting Users and groups:
- If you have added Users and/or groups using the LDAP module, avoid deleting them manually in Sitecore. Delete them using the module.
- A directory User cannot log in to Sitecore in Live Validation or Mixed mode if there is no directory group in Sitecore to which that User is assigned.
- A User won’t be logged in if another User with the same name as your directory account name already exists in Sitecore.
For example, suppose I manually add a User named ‘User1’ in Sitecore. Using the LDAP module, I then add a group named Sitecore Editors, to which User1 belongs in my directory. Now User1 (who exists in my directory) tries to log in using his Active Directory password. The login will fail!
- If you have checked Add group members in either Replication or Mixed mode when adding a group, Users that have this group as their primary group will not be replicated into Sitecore. Note that when you remove a group, its members are not removed from Sitecore. Finally, be aware that in Replication mode, new Users are not automatically added to Sitecore if you have added them to a directory group which already exists in Sitecore.
- For Users added using the LDAP module, it is only possible to add/remove Roles that have been manually added in Sitecore, as the module automatically updates directory Users’ memberships from your directory (see below).
- IMPORTANT NOTE: No matter which synchronization mode you have chosen, a scheduled LDAP synchronization task runs every day at 3 a.m. (unless the frequency parameter is set to 1 hour or less in both web.config and the LdapScheduleTask schedule, you cannot be sure that the task will run between 3 and 4 a.m.).
The scheduled task does the following in the three modes:
- In Live Validation mode, it deletes the sitecore/users/temporary folder and deletes roles in Sitecore if you have deleted the corresponding group from your directory.
- In Replication mode, it updates or deletes the values of all added Users and also deletes roles as explained above.
- In Mixed mode, it does the same as in Replication mode, but does not update Users’ memberships, as this is done every time a User logs into Sitecore.
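The two settings that decide whether the daily synchronization actually fires are both intervals: the scheduling frequency in web.config, and the interval in the LdapScheduleTask schedule item. The fragment below is an added example of the web.config side and is not taken from the LDAP module or from Sitecore's shipped configuration; the interval values are illustrative, and the agent type, parameter names and LogActivity element follow the standard Sitecore scheduling section. It keeps both intervals at one hour or less so a 3 a.m. task cannot be stepped over, and turns on activity logging so that an administrator can confirm from the Sitecore log that the LDAP synchronization ran rather than assuming it did.

```xml
<!-- Added example (not from the LDAP module guide). The scheduling engine
     wakes up every "frequency"; the DatabaseAgent then evaluates the
     schedule items (including LdapScheduleTask) under the schedule root
     in the core database, at most once per its own "interval". -->
<scheduling>
  <!-- Engine tick: 15 minutes (illustrative). -->
  <frequency>00:15:00</frequency>

  <!-- Runs the schedule items stored in the core database once per hour.
       Anything longer than 01:00:00 here, or in the schedule item itself,
       risks skipping the 3-4 a.m. window entirely. -->
  <agent type="Sitecore.Tasks.DatabaseAgent" method="Run" interval="01:00:00">
    <param desc="database">core</param>
    <param desc="schedule root">/sitecore/system/tasks/schedules</param>

    <!-- Write a log line each time a schedule item is executed, so the
         nightly LDAP sync leaves an audit trail you can check. -->
    <LogActivity>true</LogActivity>
  </agent>
</scheduling>
```

The other half lives in the LdapScheduleTask schedule item under the schedule root named above. Its Schedule field (assumed here to follow the usual Sitecore layout of start date, end date, days-of-week bitmask and interval, separated by `|`) should likewise carry an interval of `01:00:00` or less; check your own item rather than relying on the layout assumed here. After a change, look for the task in the next morning's Sitecore log before trusting that directory Users and roles were synchronized.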