Difference between revisions of "Knowledge:Ldap examples"

From OpenKM Documentation
Jump to: navigation, search
Line 158: Line 158:
 
    
 
    
 
</beans:beans>
 
</beans:beans>
 +
 +
=== capio active directory ===
 +
<source lang="xml">
 +
<!-- LDAP Complex -->
 +
  <security:authentication-manager alias="authenticationManager">
 +
    <security:authentication-provider ref="ldapAuthProvider" />
 +
  </security:authentication-manager>
 +
 
 +
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
 +
    <beans:constructor-arg value="ldap://aplicacion"/>
 +
    <beans:property name="userDn" value="CN=Josep Llort Tella,OU=OPENKM,OU=TERCEROS,DC=idc,DC=local"/>
 +
    <beans:property name="password" value="462931"/>
 +
    <!-- <beans:property name="pooled" value="false"/> -->
 +
    <beans:property name="baseEnvironmentProperties">
 +
      <beans:map>
 +
        <beans:entry>
 +
          <beans:key>
 +
            <beans:value>java.naming.referral</beans:value>
 +
          </beans:key>
 +
          <beans:value>follow</beans:value>
 +
        </beans:entry>
 +
        <!--
 +
        <beans:entry>
 +
          <beans:key>
 +
            <beans:value>pooled</beans:value>
 +
          </beans:key>
 +
          <beans:value>false</beans:value>
 +
        </beans:entry>
 +
        -->
 +
      </beans:map>
 +
    </beans:property>
 +
  </beans:bean>
 +
 +
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
 +
    <beans:constructor-arg>
 +
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
 +
        <beans:constructor-arg ref="contextSource"/>
 +
        <beans:property name="userSearch" ref="userSearch"/>
 +
      </beans:bean>
 +
    </beans:constructor-arg>
 +
    <beans:constructor-arg>
 +
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
 +
        <beans:constructor-arg ref="contextSource"/>
 +
        <beans:constructor-arg value="DC=idc,DC=local"/>
 +
        <beans:property name="groupSearchFilter" value="member={0}"/>
 +
        <beans:property name="groupRoleAttribute" value="cn"/>
 +
        <beans:property name="searchSubtree" value="true" />
 +
        <beans:property name="convertToUpperCase" value="false" />
 +
        <beans:property name="rolePrefix" value="" />
 +
<beans:property name="defaultRole" value="ROLE_USER" />
 +
      </beans:bean>
 +
    </beans:constructor-arg>
 +
  </beans:bean>
 +
 +
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
 +
    <beans:constructor-arg index="0" value="DC=idc,DC=local" />
 +
    <beans:constructor-arg index="1" value="sAMAccountName={0}" />
 +
    <beans:constructor-arg index="2" ref="contextSource" />
 +
    <beans:property name="searchSubtree" value="true" />
 +
  </beans:bean>
 +
<!-- <beans:property name="derefLinkFlag" value="true" /> -->
 +
 +
</source>
  
 
</source>
 
</source>

Revision as of 12:25, 29 October 2012

Vocabulary

dn is Distinguised Name

case openldap

Take a look at: ldap://192.168.0.13:389/dc=macroct,dc=com which filter all ldap connection to this node. Then :

  • <beans:constructor-arg value="ou=roles"/> really points to <beans:constructor-arg value="ou=roles,dc=macroct,dc=com"/>
  • <beans:constructor-arg index="0" value="ou=organization" /> to <beans:constructor-arg index="0" value="ou=organization,dc=macroct,dc=com" />

User dn are like cn=Manager,dc=macroct,dc=com

Finally take in consideration the value 1 at <beans:property name="groupSearchFilter" value="memberUid={1}"/>

The configuration

<security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  	<beans:constructor-arg value="ldap://192.168.0.13:389/dc=macroct,dc=com"/>
		<beans:property name="userDn" value="cn=Manager,dc=macroct,dc=com"/>
  	<beans:property name="password" value="*****"/>
  </beans:bean>

	<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
		<beans:constructor-arg>
			<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
				<beans:constructor-arg ref="contextSource"/>
				<beans:property name="userSearch" ref="userSearch"></beans:property>
			</beans:bean>
		</beans:constructor-arg>
		<beans:constructor-arg>
			<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
				<beans:constructor-arg ref="contextSource"/>
				<beans:constructor-arg value="ou=roles"/>
				<beans:property name="groupSearchFilter" value="memberUid={1}"/>
				<beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
        
        <beans:property name="rolePrefix" value="" /> 
        
			</beans:bean>
		</beans:constructor-arg>
  </beans:bean>
  
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=organization" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

389 Server ldap ( Fedora Directory Server )

Take a look at ldap://192.168.17.40:389/dc=mnemo,dc=net indicates the default node, then:

  • <beans:constructor-arg value="ou=OpenKM,ou=aplicaciones,ou=MNEMO"/> really points to <beans:constructor-arg value="ou=OpenKM,ou=aplicaciones,ou=MNEMO,dc=mnemo,dc=net"/>

User dn are like uid=openkm_admin@mnemo.com,ou=OpenKM,ou=aplicaciones,ou=MNEMO,dc=mnemo,dc=net

Group cn=ROL_USER,ou=OpenKM,ou=aplicaciones,ou=MNEMO,dc=mnemo,dc=net has a property called uniqueMember with some user dn, like uniqueMember=uid=openkm_admin@mnemo.com,ou=OpenKM,ou=aplicaciones,ou=MNEMO,dc=mnemo,dc=net

Finally take in consideration the value 0 <beans:property name="groupSearchFilter" value="uniqueMember={0}"/>

<security:authentication-manager alias="authenticationManager">
	  <security:authentication-provider ref="ldapAuthProvider" />
	</security:authentication-manager>
	 
	<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
	  <beans:constructor-arg value="ldap://192.168.17.40:389/dc=mnemo,dc=net"/>
	  <beans:property name="userDn" value="uid=openkm_admin@mnemo.com,ou=OpenKM,ou=aplicaciones,ou=MNEMO,dc=mnemo,dc=net"/>
	  <beans:property name="password" value="123abc..."/>
	</beans:bean>
	 
	<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
	  <beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
		  <beans:constructor-arg ref="contextSource"/>
		  <beans:property name="userSearch" ref="userSearch"/>
		</beans:bean>
	  </beans:constructor-arg>
	  <beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
		  <beans:constructor-arg ref="contextSource"/>
		  <beans:constructor-arg value="ou=OpenKM,ou=aplicaciones,ou=MNEMO"/>
		  <beans:property name="groupSearchFilter" value="uniqueMember={0}"/>
		  <beans:property name="groupRoleAttribute" value="cn"/>
		  <beans:property name="searchSubtree" value="true" />
		  <beans:property name="convertToUpperCase" value="false" />
		  <beans:property name="rolePrefix" value="" /> 
		</beans:bean>
	  </beans:constructor-arg>
	</beans:bean>
	 
	<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
	  <beans:constructor-arg index="0" value="" />
	  <beans:constructor-arg index="1" value="uid={0}" />
	  <beans:constructor-arg index="2" ref="contextSource" />
	  <beans:property name="searchSubtree" value="true" />
	</beans:bean>

Ejemplo completo con openLdap

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
 
  <security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  	<beans:constructor-arg value="ldap://192.168.0.13:389/dc=some,dc=com"/>
		<beans:property name="userDn" value="cn=Manager,dc=some,dc=com"/>
  	<beans:property name="password" value="******"/>
  </beans:bean>

	<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
		<beans:constructor-arg>
			<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
				<beans:constructor-arg ref="contextSource"/>
				<beans:property name="userSearch" ref="userSearch"></beans:property>
			</beans:bean>
		</beans:constructor-arg>
		<beans:constructor-arg>
			<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
				<beans:constructor-arg ref="contextSource"/>
				<beans:constructor-arg value="ou=roles"/>
				<beans:property name="groupSearchFilter" value="memberUid={1}"/>
				<beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
        
        <beans:property name="rolePrefix" value="" /> 
        
			</beans:bean>
		</beans:constructor-arg>
  </beans:bean>
  
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=organization" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
  
  
</beans:beans>

=== capio active directory ===
<source lang="xml">
<!-- LDAP Complex -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://aplicacion"/>
    <beans:property name="userDn" value="CN=Josep Llort Tella,OU=OPENKM,OU=TERCEROS,DC=idc,DC=local"/>
    <beans:property name="password" value="462931"/>
    <!-- <beans:property name="pooled" value="false"/> -->
    <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
        <!--
        <beans:entry>
          <beans:key>
            <beans:value>pooled</beans:value>
          </beans:key>
          <beans:value>false</beans:value>
        </beans:entry>
        -->
      </beans:map>
    </beans:property>
  </beans:bean>
 
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="DC=idc,DC=local"/>
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <beans:property name="rolePrefix" value="" />
	<beans:property name="defaultRole" value="ROLE_USER" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="DC=idc,DC=local" />
    <beans:constructor-arg index="1" value="sAMAccountName={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
 <!-- <beans:property name="derefLinkFlag" value="true" /> -->

</source>