Having spent a couple of days debugging this aspect of DNN, I have a couple of observations about the current ADSI solution.

Issues:
One of my first wishes was to have the roles imported from AD. This is not done in the current solution.
A second observation is that users are added when they log in and this places the burden of user sync at that point. This leads to slow loading times when a user first logs in. This will only get worse given the fact that more advanced sync requests are made and implemented in separate solutions (I'm talking about 'the fix' for role and user sync that is mentioned all over these forums)

Proposal:
I'd move the synchronization into a separate screen (obvious candidate is the current 'Authentication' page under Admin) and let the sync happen on instigation of the admin, rather than each login. We can then make it as advanced as we like without wasting the user's time on logon. My direct wishes: downloading roles from AD, and some rule mechanism to have these automatically go into various role groups (for instance: if role name includes 'Admin' then put in Role Group 'Admin Roles'). Then sync all users including their personal data. Alternatively the UI implementation could be in the form of a Wizard. STEP 1: download the user roles and select which ones you like imported and select from dropdown into which role group, STEP 2: sync user base from AD. Another great feature would be more feedback about the sync process.

Drawbacks:
This obviously means that a user that logs on is potentially out of sync with DNN (this would be an issue in a large organization where changes to AD are frequent, not in the case I'm dealing with now which is a company of about 80 people with relatively few changes). One could imagine a couple of improvements to aleviate this such as a scheduled service that syncs on a given time. This would need to be automatic and could, for instance, only concern the users, not the roles.

Peter

---

Peter Donker

http://www.bring2mind.net Home of the Document Exchange, the professional document management solution for DNN

Well, I just spent 2 days stepping through the code and here is what is happening (as far as I can see):

1. During user authentication a list of DNN portal roles is retrieved
2. For each of these a query is made to AD to see if this role exists. This is done in Components/ADSI/Utilities.vb through

        Public Shared Function GetGroupEntriesByName(ByVal GroupName As String) As ArrayList
            Dim RootDomain As ADSI.Domain = GetRootDomain()
            Dim objSearch As New Authentication.ADSI.Search(RootDomain)

            objSearch.AddFilter(ADSI_CLASS, ADSI.CompareOperator.Is, Authentication.ObjectClass.group.ToString)
            objSearch.AddFilter(ADSI_ACCOUNTNAME, ADSI.CompareOperator.Is, GroupName)

            Dim groupEntries As ArrayList = objSearch.GetEntries

            If Not groupEntries Is Nothing Then
                Return groupEntries
            Else
                Return Nothing
            End If

        End Function

As you can see the search results are limited by providing the groupname we're looking for. If you remove this constraint, then all groups seem to pour out of AD to your program.

3. A check is made to see if user A belongs to the group B we were checking if the result of step 2 was positive.


So you see, you could easily create something that extracts all groups from AD to add them to DNN.

Peter

PS. Note that with synchronization I don't mean true 2-way traffic. I mean changing DNN to reflect changes in AD, not the other way round.

---

Peter Donker

http://www.bring2mind.net Home of the Document Exchange, the professional document management solution for DNN