5. Role mapping

Note

The objective of this chapter is to show how to:

  • transfer Active Directory groups into a DNN website
  • restrict the AD login to users from specified AD groups

5.1. Overview

The ‘AD-Pro Authentication’ plugin can push Active Directory groups to the DNN website; in other words, an AD user can have the same groups as the corresponding DNN user. This significantly simplifies user management. For example, access to a DNN page can be restricted to specified AD groups, so group membership in Active Directory decides whether a user can reach that DNN page.

Additionally, the ‘AD-Pro Authentication’ plugin can allow sign-in only for users from specified Active Directory group(s). For example, only users belonging to the AD group ‘Students’ are able to sign in to the DNN website.

Note

To work with the ‘Role mapping manager’, a valid connection to Active Directory must first be set up; see the Configuring connection to Active Directory chapter for more information.

5.2. Transferring AD groups to DNN

As already said, ‘AD-Pro Authentication’ can push an AD group to DNN. Importantly, this happens only during the sign-in process. When a group is transferred to DNN, the DNN role can have the same name as the AD group, or, using a special mapping, an AD group can be connected with any DNN role. It is even possible to connect one AD group with multiple DNN roles. Below are the configuration steps needed to transfer the AD group GroupTest1 to DNN.

  1. First sign in to the DNN website as a ‘DNN Host’ or ‘DNN Administrator’.
  2. Go to the page where the ‘AD-Pro Authentication’ module is placed.
  3. Set DNN into ‘Edit’ mode, then go to ‘Module Options’, see figure below.
_images/open-module-options_1.png
  4. Go to the ‘Role Manager’ tab, where Active Directory groups should be listed, see image below.
_images/role-manager_2.png

Warning

If the ‘Role Manager’ tab displays a message like “Can’t load Active Directory groups. The server is not operational”, DNN is unable to establish a connection with Active Directory and you need to adjust the connection settings, see image below.

_images/role-manager_3.png
  5. In the filter box enter the group name; this narrows the list of displayed groups, see image below.
_images/role-manager_4.png
  6. Select one or more corresponding DNN roles from the ‘DNN role mapping’ column, see image below.
_images/role-manager_5.png
  7. We want to map AD group ‘GroupTest1’ to DNN role ‘GroupTest1’, but that role does not exist in DNN yet. Click the Create it link to create ‘GroupTest1’ in DNN, see image below.
_images/role-manager_6.png
  8. Now we can set the mapping from AD group ‘GroupTest1’ to DNN role ‘GroupTest1’, see image below. Notice that the Create it link no longer appears.
_images/role-manager_7.png
  9. Click ‘Update role mapping’ to save the changes, see image below.
_images/role-manager_8.png

The task is complete. An AD user who belongs to group ‘GroupTest1’ will now receive the same role in DNN; remember that this happens at the user’s next login.

5.3. Allow logon for all Active Directory users

You can easily open the DNN website to all Active Directory users. Note that every AD user is a member of the group ‘Domain Users’, so setting this group as an authorization group opens DNN to all users.

To do that, go to the ‘AD-Pro Authentication -> Module options -> Role Manager’ tab and, in the ‘Domain Users’ row, enable the checkbox in the ‘Authorization’ column. Now all AD users can sign in to DNN. See the figure below for more details.

_images/role-manager_11.png

5.4. Restrict logons to a group of users

The ‘AD-Pro Authentication’ module allows you to limit which Active Directory users are able to sign in to DNN. This is done in the ‘Role Manager’ through the ‘Authorization Group’ column: only users who belong to at least one enabled group are allowed to sign in. The steps below use the AD group ‘Domain Users’, to which all AD users are assigned by default, and therefore allow every AD user to sign in; to restrict sign-in to a smaller set of users, enable a narrower group (for example ‘Students’) instead.

Important

At least one Active Directory group must be enabled in the ‘Authorization Group’ column. Otherwise all AD users are rejected at logon.

  1. First sign in to the DNN website as a ‘DNN Host’ or ‘DNN Administrator’.
  2. Go to the page where the ‘AD-Pro Authentication’ module is placed.
  3. Set DNN into ‘Edit’ mode, then go to ‘Module Options’, see figure below.
_images/open-module-options_1.png
  4. Go to the ‘Role Manager’ tab, where Active Directory groups should be listed, see image below.
_images/role-manager_2.png
  5. Find the ‘Domain Users’ group (to simplify, enter ‘domain users’ in the filter box), then tick the checkbox, see image below.
_images/role-manager_9.png
  6. Click the ‘Update role mapping’ button to save the changes, see image below.
_images/role-manager_10.png

The task is complete. All Active Directory users can now sign in to the DNN website through the ‘AD-Pro Authentication’ plugin.

5.5. Revoking user from a role

“AD-Pro Authentication” unassigns a DNN user from a DNN role only when all of the following hold:

  • the login process is happening,
  • the corresponding AD user does not belong to the AD group in question,
  • that AD group has a mapping in “AD-Pro Authentication -> Role Manager”.

Consider the following scenario, where we have:

  • Active Directory user “AD\Bob”,
  • Active Directory group “Role_1”,
  • DNN user “Bob”,
  • DNN role “Role_1”.

Now let’s say that:

  • DNN user “Bob” was manually assigned to the DNN role “Role_1”,
  • the corresponding AD user “AD\Bob” does not belong to AD group “Role_1”,
  • in “AD-Pro Authentication -> Role Manager” the following mapping is created: if an AD user belongs to AD group “Role_1”, add the corresponding DNN user to role “Role_1”.

Now user “AD\Bob” logs in to DNN using the “AD-Pro Authentication” module. During the login process DNN user “Bob” is removed from DNN role “Role_1”, because “Role_1” has a mapping in “Role Manager” and AD user “AD\Bob” does not belong to AD group “Role_1”. A DNN role that has no mapping in “Role Manager” is not touched by the login process, so roles assigned only in DNN stay as they are.

5.6. Toggle switch On/Off role sync

In some circumstances, usually when Active Directory has thousands of groups, the performance of the sign-in procedure can be too low. In that case it may be worth disabling AD role synchronization altogether.

To switch Active Directory role synchronization ON or OFF, click the green button in the ‘Role Manager’ tab, see figure below.

_images/role-manager_12.png

Remember that when AD role synchronization is turned off, the module allows all Active Directory users to sign in to DNN. In other words, the ‘Authorization’ attribute of each AD group is not checked, see here for reference. Turning synchronization off therefore also removes any logon restriction configured through the ‘Authorization Group’ column, and roles are no longer pushed to or revoked from DNN at sign-in; existing DNN role assignments are left as they are.
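The login-time rules from sections 5.4, 5.5 and 5.6 (authorization groups, role grants, role revocation and the sync switch) are combined below in a small Python model. This is an added illustration, not the plugin’s own code: the mapping table MAPPINGS, the hypothetical AD group ‘Staff’ and the functions is_authorized, reconcile_roles and login are constructed here. It assumes that AD group names are compared case-insensitively and that, when the same DNN role is mapped from two AD groups, membership in either group keeps the role.

```python
"""Model of the 'Role Manager' behaviour at sign-in (added illustration, not plugin code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class GroupMapping:
    """One row of the 'Role Manager' tab (constructed model)."""
    ad_group: str
    dnn_roles: frozenset          # 'DNN role mapping' column; empty = no role mapping
    authorization: bool = False   # 'Authorization' column checkbox


# Constructed example table. 'Staff' is a hypothetical AD group mapped to two
# DNN roles; the other rows mirror the examples used in this chapter.
MAPPINGS = [
    GroupMapping("Domain Users", frozenset(), authorization=True),
    GroupMapping("GroupTest1", frozenset({"GroupTest1"})),
    GroupMapping("Role_1", frozenset({"Role_1"})),
    GroupMapping("Staff", frozenset({"Editors", "Authors"})),
]


def _norm(name: str) -> str:
    # Assumption: AD group names are compared case-insensitively, as AD itself does.
    return name.casefold()


def is_authorized(user_ad_groups, mappings, role_sync_enabled=True) -> bool:
    """Decide whether the AD user may sign in at all."""
    if not role_sync_enabled:
        # Section 5.6: with role sync off the 'Authorization' flag is not checked.
        return True
    auth_groups = {_norm(m.ad_group) for m in mappings if m.authorization}
    if not auth_groups:
        # Section 5.4 'Important': no authorization group means everyone is rejected.
        return False
    return bool(auth_groups & {_norm(g) for g in user_ad_groups})


def reconcile_roles(current_dnn_roles, user_ad_groups, mappings, role_sync_enabled=True):
    """Return the DNN role set the user should hold after this login.

    Only DNN roles that appear in some mapping are touched; roles assigned
    manually in DNN that have no mapping are left alone (section 5.5).
    """
    roles = set(current_dnn_roles)
    if not role_sync_enabled:
        return roles
    member_of = {_norm(g) for g in user_ad_groups}
    granted, mapped = set(), set()
    for m in mappings:
        mapped |= m.dnn_roles
        if _norm(m.ad_group) in member_of:
            granted |= m.dnn_roles
    # Assumption: if one DNN role is mapped from two AD groups and the user is
    # in only one of them, membership wins over revocation.
    revoked = mapped - granted
    return (roles - revoked) | granted


def login(current_dnn_roles, user_ad_groups, mappings=MAPPINGS, role_sync_enabled=True):
    """Simulate one sign-in: returns (allowed, resulting DNN roles)."""
    if not is_authorized(user_ad_groups, mappings, role_sync_enabled):
        return False, set(current_dnn_roles)   # rejected: nothing changes
    return True, reconcile_roles(current_dnn_roles, user_ad_groups, mappings, role_sync_enabled)


if __name__ == "__main__":
    # Section 5.5 scenario: Bob holds 'Role_1' by hand, but AD\Bob is not in AD group 'Role_1'.
    allowed, roles = login({"Role_1", "Subscribers"}, ["Domain Users"])
    print(allowed, sorted(roles))   # True ['Subscribers']  (Role_1 revoked, Subscribers untouched)
```

Note how the two failure modes the chapter warns about show up: an empty set of authorization groups rejects everybody, while switching synchronization off lets everybody in and freezes whatever DNN roles the user already holds.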