Users access the files that are stored in Assets Server by making use of any of the client applications such as Assets, the Brand portal or the Assets for InDesign.
Before they can do this, they need to be given access to these clients and the stored files. This is done by adding the users or user groups to Assets Server and subsequently defining for each user or user group which clients and client features they can use, which folders and files they can access, which metadata fields they can see and edit, and which presets they can use for downloading images.
This article describes the first step in this process: setting up users and user groups in Assets Server.
Locations where users and user groups can be managed
Users and user groups can be managed in 2 locations:
- In Assets Server itself. This is typically done for very small setups such as a demo environment installed on a single laptop.
- In an external LDAP system such as Microsoft's Active Directory or Apple's Open Directory. This is common practice in production environments.
Default users
After installing Assets Server, 2 default user accounts exist:
- admin. This account is available for system administrators to access Assets Server, especially during the installation of Assets Server.
- importmodule. This account is used by automated processes (such as the Hot folder import) for importing files.
Note: Both accounts are 'super users' meaning that they have full permission to access all areas and perform all tasks.
IMPORTANT: For security reasons we advise changing the default password of both accounts. See the next section 'Managing users and user groups in Assets Server'.
Managing users and user groups in Assets Server
When no external LDAP system is available, managing users and user groups is done in Assets Server itself. This is typically the case when a very small setup is used such as a demo environment installed on a single laptop.
Step 1. Access the Management Console > Server configuration > Files > internal-users.properties.txt.
Note: When working on a single system on which Assets Server is installed, you can also open this file directly from the Assets Server/Config folder.
The 2 default users are already defined:
admin=changemenow,ROLE_SUPERUSER
importmodule=changemenow,ROLE_SUPERUSER
IMPORTANT: For security reasons we advise changing the default password of both accounts.
Step 2. Add each new user by using the following format:
- To add just a username and password:
<username>=<password>
- To add a username, password and one or more groups:
<username>=<password>,GROUP_<group name>,GROUP_<group name>
Note: Do not use invalid characters such as @, #, $, %, & in the user name or user group. Do not use spaces in the user name.
Example:
Here a user named 'rob.smart' with password 'secret' is defined. He will also be associated with the groups 'News desk' and 'Editors' (if these groups do not exist, they will be created automatically).
Step 3. Click Save changes.
Step 4. Restart Assets Server.
Step 5. Verify in the Management Console > Users page that the user and user groups have been created.
Step 6. Define for the users or user groups which clients and client features they can use, which files they can access, which metadata fields they can see and edit, which presets they can use for downloading images and which Search Presets should be available to them.
Connecting Assets Server to LDAP
In a typical production environment, users and user groups are centrally managed in an LDAP system such as Microsoft's Active Directory or Apple's Open Directory. Other systems, such as Assets Server, can connect to LDAP for authenticating users.
About groups within groups
In LDAP, groups can be configured within groups. However, this is not supported in Assets Server.
If you do have such a setup in LDAP, define various groups specifically for Assets Server and divide your users throughout those groups. This way you keep a clear overview of all user and group rights for Assets Server without compromising your current LDAP configuration.
Configuring LDAP in Assets Server
Configuring LDAP in Assets Server is done through a configuration file. It contains examples for setting up Microsoft's Active Directory and Apple's Open Directory.
Note: Knowledge about LDAP in general and your LDAP environment in particular is required to configure LDAP in Assets Server. It can be quite a challenge to find the correct search settings depending on how Active Directory or LDAP is set up.
Step 1. Access the Management Console > Server configuration > Files > ldap-config.properties.txt.
Step 2. Choose the configuration example for the LDAP system that you use, activate its lines by removing the #-characters (uncommenting them) and update the options.
Note: Consult your LDAP administrator for the correct parameters.
- ldapServerURL. The URL of the LDAP server.
- ldapManagerDn. Add the username for logging in to LDAP.
- ldapManagerPassword. Add the password for logging in to LDAP.
- ldapAdditionalGroupFilter and ldapAdditionalUserFilter. Limit the users and groups that are visible in the Manage Permissions page.
Examples:
- ldapGroupSearchBase and ldapUserSearchBase. These settings for finding groups and users define the top level, most basic location of the groups or users. Enter no more than one value for each setting (such as 'ou=' or 'cn=').
Examples:
Correct:
Incorrect:
- Update the other settings as needed, for example those for finding groups (ldapGroupSearchBase, ldapGroupSearchFilter and ldapGroupRoleAttribute) and those for finding users (ldapUserSearchBase, ldapUserSearchFilter and ldapUserObjectClassRestrictions).
Step 3. Click Save changes.
Step 4. Restart the cluster.
Step 5. Verify in the Management Console > Users page that the user and user groups have been created.
Troubleshooting: No groups or users appear and 'LDAP error code 32 problem 2001' is logged
Issue: No groups or users appear and the following error is logged in Assets Server:
[LDAP: error code 32 - 0000208D: NameErr: DSID-03100238, problem 2001 (NO_OBJECT), data 0, best match of:
Cause: Multiple values are defined in the configuration.
Solution: Make sure that for the settings ldapGroupSearchBase and ldapUserSearchBase only one value is defined (see step 2 above).
Step 6. Define for the users or user groups which clients and client features they can use, which files they can access, which metadata fields they can see and edit, which presets they can use for downloading images and which Search Presets should be available to them.
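A small lint pass over the two configuration files edited in the procedures above (internal-users.properties.txt and ldap-config.properties.txt). This is an added example, not part of the WoodWing article or product: it flags user names with spaces or the characters the article disallows, accounts that still carry the shipped default password, groups missing the GROUP_ prefix, and search-base settings with more than one value, which the troubleshooting note names as the cause of the 'error code 32' failure. The sample file contents are constructed.

```python
# Added lint for the two Assets Server config files the article edits. Not part of
# the WoodWing article; the sample file contents at the bottom are constructed.
INVALID_NAME_CHARS = set("@#$%&")  # characters the article says not to use
DEFAULT_PASSWORD = "changemenow"   # shipped default the article says to change

def parse_properties(text):
    """Yield (key, value) for active lines; lines starting with '#' are comments."""
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            yield key.strip(), value.strip()

def check_internal_users(text):
    """Lint internal-users.properties.txt: <user>=<password>[,GROUP_<name>...]"""
    findings = []
    for user, rest in parse_properties(text):
        password, *groups = (p.strip() for p in rest.split(","))
        if " " in user or INVALID_NAME_CHARS & set(user):
            findings.append(f"{user}: space or invalid character in user name")
        if password == DEFAULT_PASSWORD:
            findings.append(f"{user}: still uses the default password")
        for group in groups:
            if not group.startswith(("GROUP_", "ROLE_")):
                findings.append(f"{user}: '{group}' lacks the GROUP_ prefix")
            elif INVALID_NAME_CHARS & set(group):
                findings.append(f"{user}: invalid character in group '{group}'")
    return findings

def check_ldap_search_bases(text):
    """Flag ldapGroupSearchBase/ldapUserSearchBase holding more than one value,
    the cause the article gives for 'LDAP error code 32 ... problem 2001'."""
    findings = []
    for key, value in parse_properties(text):
        if key in ("ldapGroupSearchBase", "ldapUserSearchBase"):
            # the article allows a single component here, such as ou=Groups
            components = [c for c in value.split(",") if c.strip()]
            if len(components) != 1:
                findings.append(f"{key}: {len(components)} values, expected 1")
    return findings

USERS_SAMPLE = """# constructed sample of internal-users.properties.txt
admin=changemenow,ROLE_SUPERUSER
rob.smart=secret,GROUP_News desk,GROUP_Editors
bad user=pw,Editors
"""
LDAP_SAMPLE = """# constructed sample of ldap-config.properties.txt
ldapGroupSearchBase=ou=Groups,ou=Sales
ldapUserSearchBase=ou=Users
"""
```

Run both checks against the real files before restarting the server (or cluster); an empty result for each means the file passes the rules the article gives.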
Connecting Assets Server to LDAPS
Connecting to LDAPS is similar to connecting to LDAP but also requires adding the secure LDAPS certificates to the trusted SSL certificates in the Assets Server Java configuration.
LDAP configuration
It should be sufficient to configure the correct LDAP URL in the Assets Server configuration.
Examples: ldapServerUrl=ldaps://your.domain.com:389/... or ldapServerUrl=ldaps://your.domain.com:636/... or ldapServerUrl=ldaps://your.domain.com:3269/...
Notes:
Adding trusted SSL certificates to the default trust store
To import the certificate into the default trust store, use the following command as an admin.
Note: The trusted SSL certificate needs to be applied for every node in the cluster. It is not distributed by Assets Server.
- For Windows:
"C:\Program Files (x86)\Elvis Server\tools\windows\java\jre\bin\keytool" -import -alias <alias name of the certificate> -keystore "C:\Program Files (x86)\Elvis Server\tools\windows\java\jre\lib\security\cacerts" -file <path to certificate>
- For macOS:
$ cd /Applications/Elvis\ Server.app/Contents/Server/tools/macosx/java/
$ sudo keytool -importcert -keystore ./jre/lib/security/cacerts -file <path to certificate>
- For Linux:
$ cd /srv/elvis-server/app/tools/linux/java/
$ sudo ./bin/keytool -importcert -keystore ./jre/lib/security/cacerts -file <path to certificate>
For more information, see:
- Atlassian Support: Configuring an SSL connection to Active Directory
- Stack Overflow: How to check certificate name and alias in keystore files?
4 comments
Hi, for Linux all of the above under 'Adding trusted SSL certificates to the default trust store' is wrong.
First, please correct the path to keytool; it is: /srv/elvis-server/app/tools/linux/java/bin
Then please correct the command:
keytool -import -trustcacerts -keystore /srv/elvis-server/app/tools/linux/java/jre/lib/security/cacerts -storepass changeit -file /path-to-certificate/certificate.pem -noprompt
Tested with WoodWing Assets 6.83, java 1.8.0_332
Hi Piotr,
Thanks for bringing this to our attention.
I had the developers take a look at this and we now changed the Linux example from:
$ sudo keytool
to:
$ sudo ./bin/keytool
Best regards,
Maarten van Kleinwee
Senior Technical Writer, WoodWing Software
Maarten van Kleinwee do you consider your keytool command "-importcert -keystore ./jre/lib/security/cacerts -file <path to certificate>" works?
Hi Piotr,
Apologies for the late reply. I checked this with Support and yes, that command should work. If it is not working for you, can you contact Support to troubleshoot this?
Best regards,
Maarten van Kleinwee
Senior Technical Writer, WoodWing Software