Difference between revisions of "Ldap-example3"
From OpenKM Documentation
(→OpenKM.xml) |
(→Configuration parameters) |
||
(11 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | Active directory connection which allows to connect any active directoy authenticated user member of ROLE_USER or ROLE_ADMIN. | |
− | |||
− | |||
− | |||
− | |||
− | + | == LDAP structure == | |
− | + | dc=com | |
− | + | dc=company | |
+ | ou=OPENKM | ||
+ | cn=ROLE_ADMIN | ||
+ | member=okmAdmin | ||
+ | member=user1 | ||
+ | cn=ROLE_USER | ||
+ | member=user3 | ||
+ | cn=ROLE_XXXX | ||
+ | member=user2 | ||
+ | cn=ROLE_YYYY | ||
+ | member=user4 | ||
+ | ... | ||
+ | ou=organization1 | ||
+ | sAMAccountName=okmAdmin | ||
+ | memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com | ||
+ | userPrincipalName=okmAdmin@mail.com | ||
+ | cn=OpenKM Administrator | ||
+ | sAMAccountName=user1 | ||
+ | memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com | ||
+ | userPrincipalName=user1@mail.com | ||
+ | cn=User Name 1 | ||
+ | sAMAccountName=user2 | ||
+ | memberOf=CN=ROLE_XXXX,OU=OPENKM,DC=company,DC=com | ||
+ | userPrincipalName=user2@mail.com | ||
+ | cn=User Name 3 | ||
+ | ou=organization2 | ||
+ | sAMAccountName=user3 | ||
+ | memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com | ||
+ | userPrincipalName=user3@mail.com | ||
+ | cn=User Name 3 | ||
+ | sAMAccountName=user4 | ||
+ | memberOf=CN=ROLE_YYYY,OU=OPENKM,DC=company,DC=com | ||
+ | userPrincipalName=user4@mail.com | ||
+ | cn=User Name 4 | ||
− | + | '''Valid groups:''' | |
− | + | * cn=ROLE_ADMIN,'''ou=OPENKM,dc=company,dc=com''' | |
− | + | * cn=ROLE_USER,'''ou=OPENKM,dc=company,dc=com''' | |
+ | * cn=ROLE_XXXX,'''ou=OPENKM,dc=company,dc=com''' | ||
+ | * cn=ROLE_YYYY,'''ou=OPENKM,dc=company,dc=com''' | ||
− | + | '''Valid users:''' | |
− | + | * cn=user1,'''ou=organization1,dc=company,dc=com''' | |
− | + | * cn=user2,'''ou=organization1,dc=company,dc=com''' | |
− | + | '''Invalid users:''' | |
− | + | * cn=user3,'''ou=organization2,dc=company,dc=com''' | |
− | + | * cn=user4,'''ou=organization2,dc=company,dc=com''' | |
− | + | {{Note|Any distinguished name include by default '''<nowiki>dc=company,dc=com</nowiki>''' except users which are not memberof ROLE_ADMIN or ROLE_USER}} | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | </ | ||
== OpenKM.xml == | == OpenKM.xml == | ||
+ | * Users defined in any active directory node members of ROLE_ADMIN or ROLE_USER will be able to login, because has defined DC=company,DC=com as base filter, '''<beans:constructor-arg index="0" value="DC=company,DC=com" />''' and '''<beans:constructor-arg index="1" value="(&(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)''' as user account filter. | ||
+ | * Groups readed by OpenKM can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''<beans:constructor-arg value="DC=company,DC=com"/>'''. | ||
+ | |||
<source lang="xml"> | <source lang="xml"> | ||
<?xml version="1.0" encoding="UTF-8"?> | <?xml version="1.0" encoding="UTF-8"?> | ||
Line 47: | Line 70: | ||
http://www.springframework.org/schema/task | http://www.springframework.org/schema/task | ||
http://www.springframework.org/schema/task/spring-task-3.1.xsd"> | http://www.springframework.org/schema/task/spring-task-3.1.xsd"> | ||
+ | |||
<security:authentication-manager alias="authenticationManager"> | <security:authentication-manager alias="authenticationManager"> | ||
<security:authentication-provider ref="ldapAuthProvider" /> | <security:authentication-provider ref="ldapAuthProvider" /> | ||
Line 55: | Line 79: | ||
<beans:property name="userDn" value="CN=connect,OU=OpenKM,DC=company,DC=com"/> | <beans:property name="userDn" value="CN=connect,OU=OpenKM,DC=company,DC=com"/> | ||
<beans:property name="password" value="****"/> | <beans:property name="password" value="****"/> | ||
+ | <beans:property name="baseEnvironmentProperties"> | ||
+ | <beans:map> | ||
+ | <beans:entry> | ||
+ | <beans:key> | ||
+ | <beans:value>java.naming.referral</beans:value> | ||
+ | </beans:key> | ||
+ | <beans:value>follow</beans:value> | ||
+ | </beans:entry> | ||
+ | </beans:map> | ||
+ | </beans:property> | ||
</beans:bean> | </beans:bean> | ||
Line 85: | Line 119: | ||
</beans:beans> | </beans:beans> | ||
+ | </source> | ||
+ | |||
+ | == Configuration parameters == | ||
+ | * Users members of ROLE_ADMIN or ROLE_USER can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''principal.ldap.user.search.base=DC=company,DC=com''' and user search filter as '''principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)'''. | ||
+ | * Groups can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''principal.ldap.role.search.base=DC=company,DC=com'''. | ||
+ | * All active directory groups will be listed, because has not applied any filter restriction '''principal.ldap.role.search.filter=(objectclass=group)''' | ||
+ | * Mail attribute used in this case was '''userPrincipalName''' ( the most usual ldap attribute to get mail is called '''mail''' ). '''principal.ldap.mail.attribute=userPrincipalName''' | ||
+ | |||
+ | <source lang="java"> | ||
+ | principal.adapter=com.openkm.principal.LdapPrincipalAdapter | ||
+ | system.login.lowercase=true | ||
+ | principal.ldap.referral= | ||
+ | |||
+ | principal.ldap.server=ldap://192.168.xxx.xxx:389 | ||
+ | principal.ldap.security.principal=CN=Administrator,OU=OpenKM,DC=company,DC=com | ||
+ | principal.ldap.security.credentials=xxxxxx | ||
+ | |||
+ | principal.ldap.mail.attribute=userPrincipalName | ||
+ | principal.ldap.mail.search.base=DC=company,DC=com | ||
+ | principal.ldap.mail.search.filter=(sAMAccountName={0}) | ||
+ | |||
+ | principal.ldap.role.attribute=cn | ||
+ | principal.ldap.role.search.base=OU=OpenKM,DC=company,DC=com | ||
+ | principal.ldap.role.search.filter=objectclass=group | ||
+ | |||
+ | principal.ldap.roles.by.user.attribute=memberOf | ||
+ | principal.ldap.roles.by.user.search.base=DC=company,DC=com | ||
+ | principal.ldap.roles.by.user.search.filter=(&(objectclass=user)(sAMAccountName={0})) | ||
+ | |||
+ | principal.ldap.user.attribute=sAMAccountName | ||
+ | principal.ldap.user.search.base=DC=company,DC=com | ||
+ | principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com))) | ||
+ | |||
+ | principal.ldap.username.attribute=cn | ||
+ | principal.ldap.username.search.base=DC=company,DC=com | ||
+ | principal.ldap.username.search.filter=(sAMAccountName={0}) | ||
+ | |||
+ | principal.ldap.users.by.role.attribute=member | ||
+ | principal.ldap.users.by.role.search.base=OU=OpenKM,DC=company,DC=com | ||
+ | principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})) | ||
</source> | </source> | ||
[[Category: Installation Guide]] | [[Category: Installation Guide]] |
Latest revision as of 11:55, 7 January 2014
Active directory connection which allows to connect any active directoy authenticated user member of ROLE_USER or ROLE_ADMIN.
LDAP structure
dc=com dc=company ou=OPENKM cn=ROLE_ADMIN member=okmAdmin member=user1 cn=ROLE_USER member=user3 cn=ROLE_XXXX member=user2 cn=ROLE_YYYY member=user4 ... ou=organization1 sAMAccountName=okmAdmin memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com userPrincipalName=okmAdmin@mail.com cn=OpenKM Administrator sAMAccountName=user1 memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com userPrincipalName=user1@mail.com cn=User Name 1 sAMAccountName=user2 memberOf=CN=ROLE_XXXX,OU=OPENKM,DC=company,DC=com userPrincipalName=user2@mail.com cn=User Name 3 ou=organization2 sAMAccountName=user3 memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com userPrincipalName=user3@mail.com cn=User Name 3 sAMAccountName=user4 memberOf=CN=ROLE_YYYY,OU=OPENKM,DC=company,DC=com userPrincipalName=user4@mail.com cn=User Name 4
Valid groups:
- cn=ROLE_ADMIN,ou=OPENKM,dc=company,dc=com
- cn=ROLE_USER,ou=OPENKM,dc=company,dc=com
- cn=ROLE_XXXX,ou=OPENKM,dc=company,dc=com
- cn=ROLE_YYYY,ou=OPENKM,dc=company,dc=com
Valid users:
- cn=user1,ou=organization1,dc=company,dc=com
- cn=user2,ou=organization1,dc=company,dc=com
Invalid users:
- cn=user3,ou=organization2,dc=company,dc=com
- cn=user4,ou=organization2,dc=company,dc=com
Any distinguished name include by default dc=company,dc=com except users which are not memberof ROLE_ADMIN or ROLE_USER |
OpenKM.xml
- Users defined in any active directory node members of ROLE_ADMIN or ROLE_USER will be able to login, because has defined DC=company,DC=com as base filter, <beans:constructor-arg index="0" value="DC=company,DC=com" /> and <beans:constructor-arg index="1" value="(&(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com) as user account filter.
- Groups readed by OpenKM can be defined in any active directory node, because has defined DC=company,DC=com as base filter, <beans:constructor-arg value="DC=company,DC=com"/>.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd">
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.xxx.xxx"/>
<beans:property name="userDn" value="CN=connect,OU=OpenKM,DC=company,DC=com"/>
<beans:property name="password" value="****"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="DC=company,DC=com"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="false" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="DC=company,DC=com" />
<beans:constructor-arg index="1" value="(&(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>
Configuration parameters
- Users members of ROLE_ADMIN or ROLE_USER can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.user.search.base=DC=company,DC=com and user search filter as principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com).
- Groups can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.role.search.base=DC=company,DC=com.
- All active directory groups will be listed, because has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group)
- Mail attribute used in this case was userPrincipalName ( the most usual ldap attribute to get mail is called mail ). principal.ldap.mail.attribute=userPrincipalName
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase=true
principal.ldap.referral=
principal.ldap.server=ldap://192.168.xxx.xxx:389
principal.ldap.security.principal=CN=Administrator,OU=OpenKM,DC=company,DC=com
principal.ldap.security.credentials=xxxxxx
principal.ldap.mail.attribute=userPrincipalName
principal.ldap.mail.search.base=DC=company,DC=com
principal.ldap.mail.search.filter=(sAMAccountName={0})
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=OU=OpenKM,DC=company,DC=com
principal.ldap.role.search.filter=objectclass=group
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.roles.by.user.search.base=DC=company,DC=com
principal.ldap.roles.by.user.search.filter=(&(objectclass=user)(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=DC=company,DC=com
principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))
principal.ldap.username.attribute=cn
principal.ldap.username.search.base=DC=company,DC=com
principal.ldap.username.search.filter=(sAMAccountName={0})
principal.ldap.users.by.role.attribute=member
principal.ldap.users.by.role.search.base=OU=OpenKM,DC=company,DC=com
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))