Specifically, I am referring to the Sitecore Active Directory module and its new feature called “Custom Filters”, which was added in the latest version, 1.0.3 rev.111005.
Some customers were asking for it, so here is what you can do now.
Imagine the following scenario.
1. You have a pretty massive AD, let’s say 50K objects in this OU:
<add name="usa" connectionString="LDAP://ADServer/OU=Many Users,DC=usa,DC=sitecore,DC=net" />
2. You want to have only a certain number of users to be able to access Sitecore. Plus you want to control such access on AD level by membership to a specific group, let’s say “Sitecore Devs”.
Since your users may belong to multiple OUs as shown below:
…what you had to do previously was pull in all 50K users through the AD Membership Provider, which was obviously not pretty.
What you can do now is set up a custom filter by querying memberOf, for example:
<add name="usa"
type="LightLDAP.SitecoreADMembershipProvider"
connectionStringName="usa"
applicationName="sitecore"
blablabla
customFilter="(memberOf=cn=Sitecore Devs,OU=Roles,OU=Many Users,DC=usa,DC=sitecore,DC=net)" />
As a result, only 3 users show up in my User Manager:
More on this can be found in Section 4.1 of this official Sitecore document.
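Building the filter string by hand gets error-prone once a group name contains parentheses, an asterisk or an ampersand. The following is an added example, not code from the Sitecore module or this post: it builds a memberOf filter for one or more groups in the fully parenthesized LDAP form, escapes values per RFC 4515, and XML-escapes the result for the config attribute. The function names and the second group DN are assumptions made for illustration.

```python
from __future__ import annotations

from xml.sax.saxutils import quoteattr

# RFC 4515: these characters must be written as \XX hex escapes inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as the value part of an LDAP filter assertion."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_filter(group_dns: list[str]) -> str:
    """Return a filter matching users who are direct members of any listed group."""
    if not group_dns:
        # An empty filter would stop restricting who is pulled in; refuse it.
        raise ValueError("at least one group DN is required")
    terms = [f"(memberOf={escape_filter_value(dn)})" for dn in group_dns]
    # A single group needs no OR wrapper; several are combined as (|(a)(b)...).
    return terms[0] if len(terms) == 1 else "(|" + "".join(terms) + ")"


def custom_filter_attribute(group_dns: list[str]) -> str:
    """Render the customFilter="..." attribute, XML-escaped for the config file."""
    return "customFilter=" + quoteattr(member_of_filter(group_dns))


if __name__ == "__main__":
    # Constructed sample DNs; the second group name is hypothetical.
    groups = [
        "CN=Sitecore Devs,OU=Roles,OU=Many Users,DC=usa,DC=sitecore,DC=net",
        "CN=Sitecore Editors (R&D),OU=Roles,OU=Many Users,DC=usa,DC=sitecore,DC=net",
    ]
    print(custom_filter_attribute(groups))
```

Characters that are special inside a DN itself (such as a comma in a group name) need DN escaping before the DN is passed in; this sketch only handles the filter and XML layers.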
Enjoy!
5 comments:
Hey, we are facing some issues regarding the performance when looking up the users in our AD, approx. 50k. Each user has a unique identification string which could be used to search for a dedicated user. Do you know if there are some additional tweaks to restrict the AD lookup to a dedicated AD field or to restrict it to non-wildcard "*string*" searches? Any information would be great.
Thanks in advance,
Torsten
Hi Torsten,
I bet you can.
The filters are described in section 4.1 of the AD guide, which references the official MSDN resource for that.
Hope it helps.
Alex
This is an older thread, I know, but Alex: What if you want to query users from two groups for example:
AD TREE
-OU=Sitecore
-group 1=Sitecore Dev
-group 2=Sitecore Editor
How would you grab the users from both groups and have them show?
Cha, I think the unfortunate answer to get multiple groups (which I tried to do a variety of different ways) is to create multiple providers specific to your group. It's not the answer I wanted either, as I was also trying to do what you are, but the client was fortunately flexible enough to put all my users into the same AD group and then let me assign the roles to them as correctly needed.
Cha, I actually stand corrected, what we were trying to achieve is in fact possible.
Refer to the following documentation for syntax as was described in the document. I managed to miss it on first pass but was corrected. http://msdn.microsoft.com/en-us/library/ms675768%28VS.85%29.aspx
The end result was my custom filter looked something like the following: customFilter="|(memberOf=CN=group1,OU=someOU,OU=someOU,DC=someDC,DC=com)(memberOf=CN=group2,OU=someOU,OU=someOU,DC=someDC,DC=com)"
I have up to 3 different AD groups now and it's working great!