Difference between revisions of "Ldap-example3"

From OpenKM Documentation
Jump to: navigation, search
(LDAP structure)
(Configuration parameters)
 
(7 intermediate revisions by the same user not shown)
Line 18: Line 18:
 
             sAMAccountName=okmAdmin
 
             sAMAccountName=okmAdmin
 
                 memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
 
                 memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                 mail=user@mail.com
+
                 userPrincipalName=okmAdmin@mail.com
 
                 cn=OpenKM Administrator
 
                 cn=OpenKM Administrator
 
             sAMAccountName=user1
 
             sAMAccountName=user1
 
                 memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
 
                 memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                 mail=user@mail.com
+
                 userPrincipalName=user1@mail.com
 
                 cn=User Name 1
 
                 cn=User Name 1
 
             sAMAccountName=user2
 
             sAMAccountName=user2
 
                 memberOf=CN=ROLE_XXXX,OU=OPENKM,DC=company,DC=com
 
                 memberOf=CN=ROLE_XXXX,OU=OPENKM,DC=company,DC=com
                 mail=user2@mail.com
+
                 userPrincipalName=user2@mail.com
 
                 cn=User Name 3
 
                 cn=User Name 3
 
         ou=organization2
 
         ou=organization2
 
             sAMAccountName=user3
 
             sAMAccountName=user3
 
                 memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
 
                 memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
                 mail=user3@mail.com
+
                 userPrincipalName=user3@mail.com
 
                 cn=User Name 3
 
                 cn=User Name 3
 
             sAMAccountName=user4
 
             sAMAccountName=user4
 
                 memberOf=CN=ROLE_YYYY,OU=OPENKM,DC=company,DC=com
 
                 memberOf=CN=ROLE_YYYY,OU=OPENKM,DC=company,DC=com
                 mail=user4@mail.com
+
                 userPrincipalName=user4@mail.com
 
                 cn=User Name 4
 
                 cn=User Name 4
  
Line 55: Line 55:
  
 
== OpenKM.xml ==
 
== OpenKM.xml ==
 +
* Users defined in any active directory node members of ROLE_ADMIN or ROLE_USER will be able to login, because has defined DC=company,DC=com as base filter, '''<beans:constructor-arg index="0" value="DC=company,DC=com" />''' and '''<beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)''' as user account filter.
 +
* Groups readed by OpenKM can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''<beans:constructor-arg value="DC=company,DC=com"/>'''.
 +
 
<source lang="xml">
 
<source lang="xml">
 
<?xml version="1.0" encoding="UTF-8"?>
 
<?xml version="1.0" encoding="UTF-8"?>
Line 67: Line 70:
 
                                 http://www.springframework.org/schema/task
 
                                 http://www.springframework.org/schema/task
 
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
 
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
 +
 
<security:authentication-manager alias="authenticationManager">
 
<security:authentication-manager alias="authenticationManager">
 
     <security:authentication-provider ref="ldapAuthProvider" />
 
     <security:authentication-provider ref="ldapAuthProvider" />
Line 75: Line 79:
 
   <beans:property name="userDn" value="CN=connect,OU=OpenKM,DC=company,DC=com"/>
 
   <beans:property name="userDn" value="CN=connect,OU=OpenKM,DC=company,DC=com"/>
 
   <beans:property name="password" value="****"/>
 
   <beans:property name="password" value="****"/>
 +
  <beans:property name="baseEnvironmentProperties">
 +
    <beans:map>
 +
        <beans:entry>
 +
          <beans:key>
 +
            <beans:value>java.naming.referral</beans:value>
 +
          </beans:key>
 +
          <beans:value>follow</beans:value>
 +
        </beans:entry>
 +
      </beans:map>
 +
  </beans:property>
 
</beans:bean>
 
</beans:bean>
  
Line 108: Line 122:
  
 
== Configuration parameters ==
 
== Configuration parameters ==
 +
* Users members of ROLE_ADMIN or ROLE_USER can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''principal.ldap.user.search.base=DC=company,DC=com''' and user search filter as '''principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)'''.
 +
* Groups can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''principal.ldap.role.search.base=DC=company,DC=com'''.
 +
* All active directory groups will be listed, because has not applied any filter restriction '''principal.ldap.role.search.filter=(objectclass=group)'''
 +
* Mail attribute used in this case was '''userPrincipalName''' ( the most usual ldap attribute to get mail is called '''mail''' ). '''principal.ldap.mail.attribute=userPrincipalName'''
 +
 
<source lang="java">
 
<source lang="java">
 
  principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 
  principal.adapter=com.openkm.principal.LdapPrincipalAdapter
Line 127: Line 146:
 
  principal.ldap.roles.by.user.attribute=memberOf
 
  principal.ldap.roles.by.user.attribute=memberOf
 
  principal.ldap.roles.by.user.search.base=DC=company,DC=com
 
  principal.ldap.roles.by.user.search.base=DC=company,DC=com
  principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
+
  principal.ldap.roles.by.user.search.filter=(&(objectclass=user)(sAMAccountName={0}))
  
 
  principal.ldap.user.attribute=sAMAccountName
 
  principal.ldap.user.attribute=sAMAccountName

Latest revision as of 11:55, 7 January 2014

Active directory connection which allows to connect any active directoy authenticated user member of ROLE_USER or ROLE_ADMIN.

LDAP structure

dc=com
    dc=company
        ou=OPENKM
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
            cn=ROLE_USER
                member=user3
            cn=ROLE_XXXX
                member=user2
            cn=ROLE_YYYY
                member=user4
                ...
        ou=organization1
            sAMAccountName=okmAdmin
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                userPrincipalName=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                userPrincipalName=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=CN=ROLE_XXXX,OU=OPENKM,DC=company,DC=com
                userPrincipalName=user2@mail.com
                cn=User Name 3
        ou=organization2
            sAMAccountName=user3
                memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
                userPrincipalName=user3@mail.com
                cn=User Name 3
            sAMAccountName=user4
                memberOf=CN=ROLE_YYYY,OU=OPENKM,DC=company,DC=com
                userPrincipalName=user4@mail.com
                cn=User Name 4

Valid groups:

  • cn=ROLE_ADMIN,ou=OPENKM,dc=company,dc=com
  • cn=ROLE_USER,ou=OPENKM,dc=company,dc=com
  • cn=ROLE_XXXX,ou=OPENKM,dc=company,dc=com
  • cn=ROLE_YYYY,ou=OPENKM,dc=company,dc=com

Valid users:

  • cn=user1,ou=organization1,dc=company,dc=com
  • cn=user2,ou=organization1,dc=company,dc=com

Invalid users:

  • cn=user3,ou=organization2,dc=company,dc=com
  • cn=user4,ou=organization2,dc=company,dc=com

Nota clasica.png Any distinguished name include by default dc=company,dc=com except users which are not memberof ROLE_ADMIN or ROLE_USER

OpenKM.xml

  • Users defined in any active directory node members of ROLE_ADMIN or ROLE_USER will be able to login, because has defined DC=company,DC=com as base filter, <beans:constructor-arg index="0" value="DC=company,DC=com" /> and <beans:constructor-arg index="1" value="(&(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com) as user account filter.
  • Groups readed by OpenKM can be defined in any active directory node, because has defined DC=company,DC=com as base filter, <beans:constructor-arg value="DC=company,DC=com"/>.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.xxx.xxx"/>
  <beans:property name="userDn" value="CN=connect,OU=OpenKM,DC=company,DC=com"/>
  <beans:property name="password" value="****"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=company,DC=com"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=company,DC=com" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>

Configuration parameters

  • Users members of ROLE_ADMIN or ROLE_USER can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.user.search.base=DC=company,DC=com and user search filter as principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com).
  • Groups can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.role.search.base=DC=company,DC=com.
  • All active directory groups will be listed, because has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group)
  • Mail attribute used in this case was userPrincipalName ( the most usual ldap attribute to get mail is called mail ). principal.ldap.mail.attribute=userPrincipalName
 principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 system.login.lowercase=true
 principal.ldap.referral=

 principal.ldap.server=ldap://192.168.xxx.xxx:389
 principal.ldap.security.principal=CN=Administrator,OU=OpenKM,DC=company,DC=com
 principal.ldap.security.credentials=xxxxxx

 principal.ldap.mail.attribute=userPrincipalName
 principal.ldap.mail.search.base=DC=company,DC=com
 principal.ldap.mail.search.filter=(sAMAccountName={0})

 principal.ldap.role.attribute=cn
 principal.ldap.role.search.base=OU=OpenKM,DC=company,DC=com
 principal.ldap.role.search.filter=objectclass=group

 principal.ldap.roles.by.user.attribute=memberOf
 principal.ldap.roles.by.user.search.base=DC=company,DC=com
 principal.ldap.roles.by.user.search.filter=(&(objectclass=user)(sAMAccountName={0}))

 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))
 
 principal.ldap.username.attribute=cn
 principal.ldap.username.search.base=DC=company,DC=com
 principal.ldap.username.search.filter=(sAMAccountName={0})
 
 principal.ldap.users.by.role.attribute=member
 principal.ldap.users.by.role.search.base=OU=OpenKM,DC=company,DC=com
 principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
Retrieved from "https://www.openkm.com/wiki/index.php?title=Ldap-example3&oldid=11139"