Users access the assets that are stored in Elvis by making use of any of the client applications such as the Pro client, the Brand portal or the InDesign client.
Before they can do this, they need to be given access to these clients and the stored assets. This is done by adding the users or user groups to Elvis and subsequently defining for each user or user group which clients and client features they can use, which folders and assets they can access, which metadata fields they can see and edit, and which presets they can use for downloading images.
This article describes the first step in this process: setting up users and user groups in Elvis.
Locations where users and user groups can be managed
Users and user groups can be managed in 2 locations:
- In Elvis itself. This is typically done for very small setups such as a demo environment installed on a single laptop.
- In an external LDAP system such as Microsoft's Active Directory or Apple's Open Directory. This is common practice in production environments.
Default users
After installing Elvis Server, 2 default user accounts exist:
- admin. This account is available for system administrators to access Elvis, especially during the installation of Elvis.
- importmodule. This account is used by automated processes (such as the Hot folder import) for importing assets.
Note: Both accounts are 'super users' meaning that they have full permission to access all areas and perform all tasks.
IMPORTANT: For security reasons we advise changing the default password for these accounts. See the next section 'Managing users and user groups in Elvis'.
Managing users and user groups in Elvis
When no external LDAP system is available, managing users and user groups is done in Elvis itself. This is typically the case when a very small setup is used such as a demo environment installed on a single laptop.
Step 1. Do one of the following:
- For Elvis 6.16 or higher: access the Management Console > Server configuration > Files > internal-users.properties.txt.
- For Elvis 6.15 or lower: access the Admin pages > Change config > internal-users.properties.txt.
Note: When working on a single system on which Elvis Server is installed, you can also open this file directly from the Elvis Server/Config folder.
The 2 default users are already defined:
admin=changemenow,ROLE_SUPERUSER
importmodule=changemenow,ROLE_SUPERUSER
IMPORTANT: For security reasons we advise changing the default password for these accounts.
Step 2. Add each new user by using the following format:
- To add just a username and password:
<username>=<password>
- To add a username, password and one or more groups:
<username>=<password>,GROUP_<group name>,GROUP_<group name>
Note: Do not use invalid characters such as @, #, $, %, & in the user name or user group. Do not use spaces in the user name.
Example:
Here a user named 'rob.smart' with password 'secret' is defined. He will also be associated with the groups 'News desk' and 'Editors' (if these groups do not exist then these will be automatically created).
Step 3. Click Save changes.
Step 4. Restart Elvis Server.
Step 5. Verify in the Management Console > Users page that the users and user groups have been created.
Figure: Viewing users and user groups in the Management console of the Pro client. Here, 2 new groups are listed: 'Editors' and 'News desk' and one new user: 'rob.smart'.
Step 6. Define for the users or user groups which clients and client features they can use, which assets they can access, which metadata fields they can see and edit, which presets they can use for downloading images and which Search Presets should be available to them.
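A check to run over the file edited in Step 2 before saving it, added here as an example (it is not Elvis or WoodWing code): it flags accounts that still use the default password changemenow and names that break the character rules in the note under Step 2. The sample file content and the function name audit_internal_users are constructed for illustration, and treating lines that start with # as comments is an assumption.

```python
import re

# Constructed sample of internal-users.properties.txt (not from a real server).
SAMPLE = """\
# internal users (treating '#' lines as comments is an assumption)
admin=changemenow,ROLE_SUPERUSER
importmodule=Xk9-vr72-Lm,ROLE_SUPERUSER
rob.smart=secret,GROUP_News desk,GROUP_Editors
jane doe=pw-4711-zz,GROUP_Editors
kim=pw-8822-qq,GROUP_R&D
"""

DEFAULT_PASSWORD = "changemenow"        # default shown in the article
INVALID_CHARS = re.compile(r"[@#$%&]")  # characters the article's note forbids


def audit_internal_users(text):
    """Return (line_no, username, finding) tuples for entries that need attention."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        user, _, rest = line.partition("=")
        # Format from Step 2: <password>[,GROUP_<name>...]; a comma ends the password.
        password, *tokens = rest.split(",")
        if password == DEFAULT_PASSWORD:
            findings.append((no, user, "default password still set"))
        if " " in user:
            findings.append((no, user, "space in user name"))
        if INVALID_CHARS.search(user):
            findings.append((no, user, "invalid character in user name"))
        for tok in tokens:
            if tok.startswith("GROUP_") and INVALID_CHARS.search(tok[6:]):
                findings.append((no, user, "invalid character in group " + tok[6:]))
    return findings


if __name__ == "__main__":
    for no, user, finding in audit_internal_users(SAMPLE):
        print(f"line {no}: {user}: {finding}")
```

Because both default accounts carry ROLE_SUPERUSER, a "default password still set" finding on either of them means full access to the server with a publicly documented password.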
Connecting Elvis to LDAP
In a typical production environment, users and user groups are centrally managed in an LDAP-system such as Microsoft's Active Directory or Apple's Open Directory. Other systems, such as Elvis Server, can connect to LDAP for authenticating users.
About groups within groups
LDAP allows you to configure groups within groups. However, this is not supported in Elvis.
If you do have such a setup in LDAP, define various groups specifically for Elvis and divide your users across those groups. This way you keep a clear overview of all user and group rights for Elvis without compromising your current LDAP configuration.
Configuring LDAP in Elvis
Configuring LDAP in Elvis is done through a configuration file. It contains examples for setting up Microsoft's Active Directory and Apple's Open Directory.
Note: Knowledge about LDAP in general and your LDAP environment in particular is required to configure LDAP in Elvis. It can be quite a challenge to find the correct search settings depending on how Active Directory or LDAP is set up.
Step 1. Do one of the following:
- For Elvis 6.16 or higher: access the Management Console > Server configuration > Files > ldap-config.properties.txt.
- For Elvis 6.15 or lower: access the Admin pages > Change config > ldap-config.properties.txt.
Step 2. Choose the configuration example for the LDAP system that you use, uncomment its lines by removing the # characters and update the options.
Note: Consult your LDAP administrator for the correct parameters.
- ldapServerURL. The URL of the LDAP server.
- ldapManagerDn. Add the username for logging in to LDAP.
- ldapManagerPassword. Add the password for logging in to LDAP.
- ldapAdditionalGroupFilter and ldapAdditionalUserFilter. Limit the visible users and groups in the Manage Permissions tab of the Elvis Desktop client.
Examples:
- ldapGroupSearchBase and ldapUserSearchBase. These settings for finding groups and users define the top level, most basic location of the groups or users. Enter no more than one value for each setting (such as 'ou=' or 'cn=').
Examples: Correct:
Incorrect:
- Update the other settings as needed, for example those for finding groups (ldapGroupSearchBase, ldapGroupSearchFilter and ldapGroupRoleAttribute) and those for finding users (ldapUserSearchBase, ldapUserSearchFilter and ldapUserObjectClassRestrictions).
Step 3. Click Save changes.
Step 4. Restart the cluster.
Step 5. Verify in the Management Console > Users page that the users and user groups have been created.
Figure: Viewing users and user groups in the Management console. Here, 2 new groups are listed: 'Editors' and 'News desk' and one new user: 'rob.smart'.
Issue: No groups or users appear in the Desktop client and the following error is logged in Elvis:
[LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
Cause: Multiple values are defined in the configuration.
Solution: Make sure that for the settings ldapGroupSearchBase and ldapUserSearchBase only one value is defined (see step 2 above).
Step 6. Define for the users or user groups which clients and client features they can use, which assets they can access, which metadata fields they can see and edit, which presets they can use for downloading images and which Search Presets should be available to them.
Connecting Elvis to LDAPS
Connecting to LDAPS is similar to connecting to LDAP but also requires adding the secure LDAPS certificates to the trusted SSL certificates in the Elvis Java configuration.
LDAP configuration
It should be sufficient to configure the correct LDAP URL in the Elvis Server configuration.
Examples: ldapServerUrl=ldaps://your.domain.com:389/... or ldapServerUrl=ldaps://your.domain.com:636/... or ldapServerUrl=ldaps://your.domain.com:3269/...
Notes:
Adding trusted SSL certificates to the default trust store
To import the certificate into the default trust store, use the following command as an admin.
Note: The trusted SSL certificate needs to be applied for every node in the cluster. It is not distributed by Elvis Server.
- For Windows:
"C:\Program Files (x86)\Elvis Server\tools\windows\java\jre\bin\keytool" -import -alias <alias name of the certificate> -keystore "C:\Program Files (x86)\Elvis Server\tools\windows\java\jre\lib\security\cacerts" -file <path to certificate>
- For MacOS:
$ cd /Applications/Elvis\ Server.app/Contents/Server/tools/macosx/java/
$ sudo keytool -importcert -keystore ./jre/lib/security/cacerts -file <path to certificate>
- For Linux:
$ cd /srv/elvis-server/app/tools/linux/java/
$ sudo keytool -importcert -keystore ./jre/lib/security/cacerts -file <path to certificate>
For more information, see:
- Atlassian Support: Configuring an SSL connection to Active Directory
- Stack Overflow: How to check certificate name and alias in keystore files?