LDAP and Active Directory uniqueMember user examples
Revision as of 20:37, 6 April 2012
LDAP example with uniqueMember
We use users and roles from LDAP. Our LDAP schema does not have the memberUid attribute for group membership; it uses uniqueMember instead, see:
http://tools.ietf.org/html/rfc4519#section-2.40
To use uniqueMember instead of memberUid, you need this patch: File:OpenKM-uniqueMember.rep.
1) The patch allows {1} in principal.ldap.roles.by.user.search.filter; it is replaced with the DN of the user object in LDAP, for example:
principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))';
2) If you set principal.ldap.users.by.role.attribute='uniqueMember', the patch replaces each value of the uniqueMember attribute (the DN of a user node in LDAP) with the value of the attribute named by principal.ldap.user.attribute in the node with that DN. It does this with an LDAP search over the subtree under that DN (the uniqueMember value), using the filter from the principal.ldap.user.filter property; the search returns the user attribute (named by principal.ldap.user.attribute).
LDAP Structure
dn: cn=admins@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: cn=users@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: users@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uniqueMember: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: jack@solnet.cz
displayName: Jack Davis

dn: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: joe@solnet.cz
displayName: Joe Davis
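The two lookups the patch description covers (roles by user with {1} expanded to the user DN, and users by role with each uniqueMember DN resolved to the user attribute) can be replayed offline against the entries above. The following is an added example, not OpenKM's code or the patch itself: it parses a constructed copy of the LDIF into an in-memory directory, evaluates the page's AND/equality filters with a small parser, and performs the two searches with a subset of the configuration parameters (search base o=solnet taken from the LDIF, a simplified user filter, and cn assumed as the role attribute). Values substituted for {0} and {1} are escaped per RFC 4515 before they enter a filter, so a login name such as "*" is matched literally instead of acting as a wildcard; that escaping is the check a deployer should confirm whenever user input reaches a filter template like the ones in this configuration.

```python
"""Replay the uniqueMember lookups described above on an in-memory directory.
Added example, not OpenKM code: {1} expands to the user DN for roles by user,
and uniqueMember DNs are resolved to the user attribute for users by role."""
import re

# Constructed copy of the 'LDAP Structure' entries (displayName omitted).
LDIF = """\
dn: cn=admins@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
cn: admins@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: cn=users@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
cn: users@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uniqueMember: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: jack@solnet.cz

dn: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: joe@solnet.cz
"""

# Page parameters without the principal.ldap. prefix; the search base follows
# the LDIF, the user filter is simplified and cn is assumed as role attribute.
BASE = "o=solnet"
CONFIG = {
    "user.search.filter": "(uid=*)",
    "user.attribute": "uid",
    "users.by.role.search.filter": "(&(objectClass=posixGroup)(cn={0}))",
    "users.by.role.attribute": "uniqueMember",
    "roles.by.user.search.filter": "(&(objectClass=posixGroup)(uniqueMember={1}))",
    "roles.by.user.attribute": "cn",
}

def parse_ldif(text):
    """Map each DN to {lowercased attribute: [values]}."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(": ")
            attrs.setdefault(name.lower(), []).append(value)
        directory[attrs["dn"][0]] = attrs
    return directory

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def parse_filter(text):
    """Parse an AND / equality / presence filter into nested tuples."""
    def node(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        if text[i + 1] == "&":
            kids, i = [], i + 2
            while text[i] == "(":
                kid, i = node(i)
                kids.append(kid)
            return ("&", kids), i + 1                      # skip closing ')'
        end = text.index(")", i)
        attr, _, raw = text[i + 1:end].partition("=")
        if raw == "*":                                      # presence: (attr=*)
            return ("present", attr.lower(), None), end + 1
        # An escaped value (e.g. \2a) is compared literally, never as a wildcard.
        value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), raw, flags=re.I)
        return ("=", attr.lower(), value), end + 1
    return node(0)[0]

def matches(entry, node):
    if node[0] == "&":
        return all(matches(entry, k) for k in node[1])
    values = entry.get(node[1], [])
    if node[0] == "present":
        return bool(values)
    return any(v.lower() == node[2].lower() for v in values)

def search(directory, base, filt):
    """Subtree search: (dn, attrs) of entries at or below base matching filt."""
    tree, base = parse_filter(filt), base.lower()
    return [(dn, e) for dn, e in directory.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(e, tree)]

def values(hits, attr):
    return sorted(v for _, e in hits for v in e.get(attr.lower(), []))

def roles_by_user(directory, login):
    """Find the user's DN, then expand {0} (login) and {1} (DN) in the role filter."""
    user_filter = "(&%s(%s=%s))" % (CONFIG["user.search.filter"],
                                    CONFIG["user.attribute"], escape_filter_value(login))
    hits = search(directory, BASE, user_filter)
    if not hits:
        return []
    filt = (CONFIG["roles.by.user.search.filter"]
            .replace("{0}", escape_filter_value(login))
            .replace("{1}", escape_filter_value(hits[0][0])))
    return values(search(directory, BASE, filt), CONFIG["roles.by.user.attribute"])

def users_by_role(directory, role):
    """Members of a role; uniqueMember DNs are resolved to the user attribute."""
    filt = CONFIG["users.by.role.search.filter"].replace("{0}", escape_filter_value(role))
    members = values(search(directory, BASE, filt), CONFIG["users.by.role.attribute"])
    if CONFIG["users.by.role.attribute"].lower() != "uniquemember":
        return members
    # Patch behaviour: search the subtree under each member DN with the user filter.
    return sorted(v for dn in members
                  for v in values(search(directory, dn, CONFIG["user.search.filter"]),
                                  CONFIG["user.attribute"]))

DIRECTORY = parse_ldif(LDIF)
```

With this directory, roles_by_user(DIRECTORY, "jack@solnet.cz") yields both groups and users_by_role(DIRECTORY, "users@solnet.cz") yields the two uid values rather than the raw DNs, which is the substitution the patch performs. Passing "*" as the login returns no roles because the escaped value \2a is compared literally; without the escaping step the same input would match every user entry.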
Configuration parameters
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users=true
// ldap
principal.adapter='com.openkm.principal.LdapPrincipalAdapter'
principal.ldap.server='ldap://localhost:389'
principal.ldap.security.principal='uid=admin,o=base'
principal.ldap.security.credentials='super-safe'
// user
principal.ldap.user.search.base='o=base'
principal.ldap.user.search.filter='(&(objectClass=posixAccount)(inetAuthorizedServices=openkm))'
principal.ldap.user.attribute='uid'
// user name
principal.ldap.username.search.base='o=base'
principal.ldap.username.search.filter='(&(objectclass=posixAccount)(inetAuthorizedServices=openkm)(uid={0}))'
principal.ldap.username.attribute='displayName'
// role
principal.ldap.role.search.base='o=base'
principal.ldap.role.search.filter='(objectClass=posixGroup)'
principal.ldap.role.attribute='cn'
// mail
principal.ldap.mail.search.base='o=base'
principal.ldap.mail.search.filter='(&(objectclass=inetMailUser)(uid={0}))'
principal.ldap.mail.attribute='mail'
// users by role
principal.ldap.users.by.role.search.base='o=base'
principal.ldap.users.by.role.search.filter='(&(objectClass=posixGroup)(cn={0}))'
principal.ldap.users.by.role.attribute='uniqueMember'
// roles by user
principal.ldap.roles.by.user.search.base='o=base'
principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))'
principal.ldap.roles.by.user.attribute='mail'
// login
system.login.lowercase=true
default.user.role='UserRole'
default.admin.role='admins@solnet.cz'
login-config.xml
<application-policy name="OpenKM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
<module-option name="bindDN">uid=admin,o=solnet</module-option>
<module-option name="bindCredential">supper-safe</module-option>
<module-option name="baseCtxDN">o=solnet</module-option>
<module-option name="baseFilter">(uid={0})</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="matchOnUserDN">true</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="roleFilter">(&(objectClass=solnetGroup)(uniqueMember={0}))</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="rolesCtxDN">o=solnet</module-option>
<module-option name="defaultRole">UserRole</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
</login-module>
</authentication>
</application-policy>