7. Users and Groups¶
When using directory service authentication, user group memberships can be managed locally or via the directory service.
One of the primary values of using LDAP or Active Directory authentication is a streamlined user creation and permission management workflow. Users already exist in groups on the domain, and by telling the recorder what those groups (or new groups added specifically for recorder permissions) mean, you can manage users more easily than before.
7.1. Local Users with LDAP¶
Users that only exist on the recorder remain the same as always. Users can be created and administrated entirely on the recorder as on any system without an Active Directory integration.
Note
In the case that user names on the domain overlap with existing users on the recorder, the recorder user’s permissions take precedence over the domain user.
7.2. Domain Users with LDAP Group Mapping¶
With LDAP Group Mapping, users are automatically created on the recorder at first log in, with the user group membership and channel permissions based on the LDAP Group Mapping. So, with the default mapping, if there is a user LBertucci on the domain who is an NLResearcher, when they log in for the first time they will be added as a Researcher on the recorder, and get the resource groups that the Researcher group has access to.
With LDAP Group Mapping on, you cannot edit user group membership of LDAP users on the recorder. You can however edit their resource groups for resource permissions and you can grant additional recorder level permissions individually. Resources granted by user groups are just defaults, as explained in the NexLog DX-Series™ system user manual, so you can change them as you wish after a user has been created.
7.2.1. Enable LDAP Group Mapping¶
LDAP Group Mapping can be configured in the web configuration manager at .
Enable the Use LDAP User Group Settings checkbox.
In the LDAP Group Mapping section, enter the LDAP Group Name, from the directory service, that corresponds with the local recorder group name.
| Recorder Group | LDAP Group |
|---|---|
| Admin | NLAdmin |
| Agents | NLAgents |
| Archivers | NLArchivers |
| Group Evaluators | NLGroupEvaluators |
| Instant Recall | NLInstantRecall |
| Maintainers | NLMaintainers |
| Monitors | NLMonitors |
| Report Editor | NLReportEditor |
| Researchers | NLResearchers |
| SuperEvaluators | NLSuperEvaluators |
| Systems | NLSystems |
| User Managers | NLUserManagers |
- LDAP Groups Base DN
This field should contain the root path containing all mapped groups. It should be entered using LDAP syntax.
Example:
OU=Groups,OU=HQ,DC=contoso,DC=net
7.2.2. Export Recorder Groups to LDAP¶
This is an optional step, but a useful one. It lets you import into the directory the permission groups the NexLog recorder looks for when assigning permissions to domain users at log in. If you have multiple NexLog recorders in your domain and they share the same group associations, then this procedure only needs to be run once.
This will save implementation time by not having to create each LDAP group one at a time. This should be completed after the LDAP or Active Directory settings are fully configured and saved, including LDAP Groups Base DN.
Navigate to .
- Export Eventide LDAP Security Group Schema
Click this button to generate a groups.ldif file, which should be downloaded and verified for correctness. For Microsoft Windows Active Directory, load groups.ldif onto a domain controller, then open an elevated shell. The program ldifde should already be installed on the server. Run the following command to import the schema:
ldifde.exe -i -f groups.ldif
Running ldifde.exe -? will bring up a help menu with further options.
Once that is done, verify the groups were added to the Active Directory. Users can now be assigned to certain groups, as a test.
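The following Python script is an added illustration of the two mechanisms described in sections 7.2 and 7.2.2; it is not Eventide code and does not reproduce the recorder's actual implementation or the real output of the export button. It models how a domain user's group memberships (given as group DNs, in the style of Active Directory's memberOf attribute) resolve to recorder groups through the default mapping table and the LDAP Groups Base DN, applies the section 7.1 note that a same-named local recorder user takes precedence, and builds a plausible groups.ldif creating one global security group per mapped LDAP group. The assumptions that only groups directly under the Base DN count, that DN matching is case-insensitive, and the exact LDIF attribute layout are the example's own, not statements from the manual.

```python
"""Illustrative model of NexLog LDAP Group Mapping (added example, not Eventide code).

Assumptions not stated in the manual: group memberships arrive as a list of group
DNs (as in Active Directory's memberOf), only groups directly under the configured
LDAP Groups Base DN are mapped, DN comparison is case-insensitive (as LDAP DNs are),
and the LDIF layout below is a typical AD security-group layout, not the recorder's
real export format.
"""

# Default mapping from the manual's table: recorder group -> LDAP group name.
DEFAULT_GROUP_MAPPING = {
    "Admin": "NLAdmin",
    "Agents": "NLAgents",
    "Archivers": "NLArchivers",
    "Group Evaluators": "NLGroupEvaluators",
    "Instant Recall": "NLInstantRecall",
    "Maintainers": "NLMaintainers",
    "Monitors": "NLMonitors",
    "Report Editor": "NLReportEditor",
    "Researchers": "NLResearchers",
    "SuperEvaluators": "NLSuperEvaluators",
    "Systems": "NLSystems",
    "User Managers": "NLUserManagers",
}

# The manual's example LDAP Groups Base DN.
BASE_DN = "OU=Groups,OU=HQ,DC=contoso,DC=net"


def split_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs.

    Simplified parser: escaped commas inside values are not handled.
    """
    parts = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError(f"malformed RDN in DN: {dn!r}")
        parts.append((attr.lower(), value.lower()))
    return parts


def group_cn_under_base(group_dn, base_dn):
    """Return the (lower-cased) CN of group_dn if it sits directly under base_dn."""
    parts, base = split_dn(group_dn), split_dn(base_dn)
    if len(parts) != len(base) + 1 or parts[1:] != base or parts[0][0] != "cn":
        return None
    return parts[0][1]


def resolve_recorder_groups(member_of, mapping=DEFAULT_GROUP_MAPPING, base_dn=BASE_DN):
    """Map a domain user's group DNs to recorder groups via the LDAP Group Mapping."""
    ldap_to_recorder = {ldap.lower(): rec for rec, ldap in mapping.items()}
    recorder_groups = []
    for dn in member_of:
        cn = group_cn_under_base(dn, base_dn)
        if cn is None:
            continue  # group outside the Base DN: not considered (assumption)
        recorder_group = ldap_to_recorder.get(cn)
        if recorder_group and recorder_group not in recorder_groups:
            recorder_groups.append(recorder_group)
    return recorder_groups


def effective_groups(username, member_of, local_users):
    """Section 7.1 note: a same-named local recorder user's permissions win.

    local_users maps local recorder user names to their recorder groups.
    """
    if username in local_users:
        return list(local_users[username])
    return resolve_recorder_groups(member_of)


def groups_ldif(mapping=DEFAULT_GROUP_MAPPING, base_dn=BASE_DN):
    """Build LDIF that creates one global security group per mapped LDAP group."""
    entries = []
    for ldap_group in mapping.values():
        entries.append("\n".join([
            f"dn: CN={ldap_group},{base_dn}",
            "changetype: add",
            "objectClass: top",
            "objectClass: group",
            f"cn: {ldap_group}",
            f"sAMAccountName: {ldap_group}",
            "groupType: -2147483646",  # AD flag value for a global security group
        ]))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    # Constructed sample: the manual's LBertucci, a member of NLResearchers.
    member_of = [
        "CN=NLResearchers,OU=Groups,OU=HQ,DC=contoso,DC=net",
        "CN=Domain Users,CN=Users,DC=contoso,DC=net",
    ]
    print("LBertucci ->", effective_groups("LBertucci", member_of, {}))
    print(groups_ldif())
```

Running the script prints the recorder group resolved for the constructed LBertucci sample and the generated LDIF; a group outside the Base DN (such as Domain Users here) contributes nothing, which is a useful property to keep in mind when auditing which directory groups actually confer recorder permissions.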
7.3. Domain Users without LDAP Group Mapping¶
Without LDAP Group Mapping, you have to add each domain user individually, but then you can manage their group memberships at the recorder side as you would any other recorder user. This may be a better fit depending on how the recorder is being administered.
To add a domain user, enable the Active Directory User checkbox at creation time; this will disable the password fields because passwords are managed on the directory service only.
Fig. 7.1 Add New Active Directory User¶
7.4. Passwords¶
In all cases, passwords for domain users are managed via the directory service. You cannot change passwords via the NexLog DX-Series™ recorder and if a user account is marked “Must Change Password at Next Login”, the user cannot log in to MediaWorks DX™ nor the web configuration manager until the password has been changed in the directory service.