Difference between revisions of "Active Directory - OpenKM 5.1"
(42 intermediate revisions by 3 users not shown) | |||
Line 1: | Line 1: | ||
+ | {{TOCright}} __TOC__ | ||
== Basic configuration == | == Basic configuration == | ||
− | This is the suggested configuration | + | This is the suggested configuration to be used when roles and users are both defined in the same node, otherwise refer to the advanced configuration. |
Active directory configuration has two parts; Login configuration and OpenKM integration. | Active directory configuration has two parts; Login configuration and OpenKM integration. | ||
− | '''In this example''' you must change '''192.168.0.6, | + | '''In this example''' you must change '''192.168.0.6, Administrator, password and weyler''' values to your active directory values. |
− | {{Note|In this example all users are under same node '''cn=users,dc=weyler,dc=local''' and roles are under same node '''cn=users,dc=weyler,dc=local''' too.}} | + | {{Note|In this example all users are under same node '''cn=users,dc=weyler,dc=local''' and roles are under the same node '''cn=users,dc=weyler,dc=local''' too.}} |
=== Login configuration === | === Login configuration === | ||
Change the login-config.xml file at $JBOSS_HOME/server/default/conf | Change the login-config.xml file at $JBOSS_HOME/server/default/conf | ||
− | {{Advice|You must | + | {{Advice|You must restart jboss after changing login-config.xml.}} |
There're two configuration options, both valid: | There're two configuration options, both valid: | ||
Line 61: | Line 62: | ||
</source> | </source> | ||
+ | {{Note|Take care if your ldap server is configured under ssl then you should use ldaps://}} | ||
=== OpenKM integration === | === OpenKM integration === | ||
− | + | To configure Active Directory we must make some changes in [[Configuration view]]. You only need to restart jboss the first time you change the principal.adapter parameter. Other changes can be made on the fly. | |
− | To configure Active Directory we must make some changes in [[ | ||
<source lang="java"> | <source lang="java"> | ||
Line 76: | Line 77: | ||
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local | principal.ldap.user.search.base=cn=users,dc=weyler,dc=local | ||
principal.ldap.user.search.filter=(objectclass=person) | principal.ldap.user.search.filter=(objectclass=person) | ||
− | principal.ldap.user.attribute= | + | principal.ldap.user.attribute=sAMAccountName |
principal.ldap.role.search.base=cn=users,dc=weyler,dc=local | principal.ldap.role.search.base=cn=users,dc=weyler,dc=local | ||
Line 82: | Line 83: | ||
principal.ldap.role.attribute=cn | principal.ldap.role.attribute=cn | ||
− | principal.ldap.mail.search.base= | + | principal.ldap.mail.search.base=cn=users,dc=weyler,dc=local |
− | principal.ldap.mail.search.filter=(objectclass=person) | + | principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0})) |
principal.ldap.mail.attribute=mail | principal.ldap.mail.attribute=mail | ||
+ | |||
+ | principal.ldap.username.search.base=cn=users,dc=weyler,dc=local | ||
+ | principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0})) | ||
+ | principal.ldap.username.attribute=cn | ||
principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local | principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local | ||
Line 90: | Line 95: | ||
principal.ldap.users.by.role.attribute=member | principal.ldap.users.by.role.attribute=member | ||
− | principal.ldap.roles.by.user.search.base= | + | principal.ldap.roles.by.user.search.base=cn=users,dc=weyler,dc=local |
− | principal.ldap.roles.by.user.search.filter=( | + | principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0})) |
principal.ldap.roles.by.user.attribute=memberOf | principal.ldap.roles.by.user.attribute=memberOf | ||
</source> | </source> | ||
− | {{Advice|With '''OpenKM 5.0.4''' we added more "users by role" and "roles by user" configuration properties, are not present on older versions.}} | + | {{Advice|With '''OpenKM 5.0.4''' we added more "users by role" and "roles by user" configuration properties, that are not present on older versions.}} |
+ | {{Advice|With '''OpenKM 5.1.10''' we added more "username" configuration properties, that are not present on older versions.}} | ||
− | + | In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable | |
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
− | |||
<source lang="java"> | <source lang="java"> | ||
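Review bot: principal.ldap.users.by.role.search.base puts {0} inside a DN (cn={0},cn=users,dc=weyler,dc=local) while the new principal.ldap.roles.by.user.search.filter puts {0} inside a search filter; those need different escaping (RFC 4514 for a DN, RFC 4515 for a filter), so a group name containing a comma or parentheses behaves differently in the two places. The text should say which escaping, if any, LdapPrincipalAdapter applies to the substituted value.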
Line 112: | Line 110: | ||
</source> | </source> | ||
− | The reason is | + | The reason is simply because Windows does not make any dictiontion between upper and lower case when validating user name credentials. |
− | |||
==== OpenKM Integration - Filtering users and roles ==== | ==== OpenKM Integration - Filtering users and roles ==== | ||
− | Create a role called OpenKM. Assign this role to users and roles | + | Create a role called OpenKM. Assign this role to users and roles. It'll be used to filter users and roles. Only users and roles with OpenKM role will be displayed in OpenKM. |
− | If you want to restrict the | + | If you want to restrict the users who can log into OpenKM, you should change these: |
<source lang="java"> | <source lang="java"> | ||
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) | principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) | ||
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) | principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) | ||
− | principal.ldap.users.by.role.search.filter=(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) | + | principal.ldap.users.by.role.search.filter=(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) |
− | principal.ldap.roles.by.user.search.filter=(objectClass=person)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) | + | principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) |
</source> | </source> | ||
− | + | Also add this option in login-config.xml: | |
− | Also add this option | ||
<source lang="xml"> | <source lang="xml"> | ||
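Review bot: the right-hand text still carries the typo "dictiontion" (should be "distinction"). The filter changes in this hunk are correct: the previous users.by.role and roles.by.user values were a single term followed by a second term and a stray ")", which is not a well-formed LDAP filter, and the added "(&" wrapper plus the (cn={0}) and (sAMAccountName={0}) terms turn them into valid conjunctions.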
Line 133: | Line 129: | ||
</source> | </source> | ||
− | + | {{Note|If you see an exception like this, probably you need to use advanced configuration: | |
− | |||
− | |||
− | {{Note|If you see an exception like this: | ||
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name <nowiki>'cn=users,dc=weyler,dc=local'</nowiki> | javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name <nowiki>'cn=users,dc=weyler,dc=local'</nowiki> | ||
read these articles: | read these articles: | ||
* [http://download.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html Referrals in the JNDI] | * [http://download.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html Referrals in the JNDI] | ||
− | * [http://giocosmiano.blogspot.com/2011/02/resolving-javaxnamingpartialresultexcep.html Resolving javax.naming.PartialResultException thrown by JBoss 5.1 LdapExtLoginModule]}} | + | * [http://java.sun.com/products/jndi/jndi-ldap-gl.html JNDI Implementor Guidelines for LDAP Service Providers] |
+ | * [http://giocosmiano.blogspot.com/2011/02/resolving-javaxnamingpartialresultexcep.html Resolving javax.naming.PartialResultException thrown by JBoss 5.1 LdapExtLoginModule] | ||
+ | |||
+ | The type of referral in LdapPrincipalAdapter can be configured using the configuration property '''principal.ldap.referral'''.}} | ||
+ | |||
+ | == Advanced configuration == | ||
+ | This configuration should be used when roles and users are defined on different active directory nodes. | ||
+ | |||
+ | Active directory configuration has two parts; Login configuration and OpenKM integration. | ||
+ | |||
+ | '''In this example''' you must change '''192.168.0.6, Administrator, password and weyler''' values to your active directory values. | ||
+ | |||
+ | {{Note|In this example the main ldap is node '''dc=weyler,dc=local''', users and roles distributed in different active directory nodes.}} | ||
+ | |||
+ | === Login configuration === | ||
+ | Change the login-config.xml file in $JBOSS_HOME/server/default/conf | ||
+ | |||
+ | {{Advice|You must restart jboss after changing login-config.xml.}} | ||
+ | |||
+ | <source lang="xml"> | ||
+ | <application-policy name="OpenKM"> | ||
+ | <authentication> | ||
+ | <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > | ||
+ | <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> | ||
+ | <module-option name="bindDN">CN=Administrador,CN=users,dc=weyler,dc=local</module-option> | ||
+ | <module-option name="java.naming.referral">follow</module-option> | ||
+ | <module-option name="java.naming.security.authentication">simple</module-option> | ||
+ | <module-option name="bindCredential">password</module-option> | ||
+ | <module-option name="baseCtxDN">dc=weyler,dc=local</module-option> | ||
+ | <module-option name="baseFilter">(&(sAMAccountName={0})(objectClass=user))</module-option> | ||
+ | <module-option name="rolesCtxDN">dc=weyler,dc=local</module-option> | ||
+ | <module-option name="roleFilter">(member={1})</module-option> | ||
+ | <module-option name="roleAttributeID">cn</module-option> | ||
+ | <module-option name="roleAttributeIsDN">false</module-option> | ||
+ | <module-option name="roleRecursion">2</module-option> | ||
+ | <module-option name="searchScope">SUBTREE_SCOPE</module-option> | ||
+ | <module-option name="allowEmptyPasswords">false</module-option> | ||
+ | </login-module> | ||
+ | </authentication> | ||
+ | </application-policy> | ||
+ | </source> | ||
+ | |||
+ | {{Note|Take care if your ldap server is configured under ssl then you should use ldaps://}} | ||
+ | |||
+ | === OpenKM integration === | ||
+ | To configure Active Directory we must make some changes in [[Configuration view]]. You only need to restart jboss the first time you change the principal.adapter parameter. Other changes can be made on the fly. | ||
+ | |||
+ | <source lang="java"> | ||
+ | system.login.lowercase=on | ||
+ | principal.adapter=com.openkm.principal.LdapPrincipalAdapter | ||
+ | |||
+ | principal.ldap.server=ldap://192.168.0.6 | ||
+ | principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local | ||
+ | principal.ldap.security.credentials=password | ||
+ | |||
+ | principal.ldap.user.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.user.search.filter=(objectclass=person) | ||
+ | principal.ldap.user.attribute=sAMAccountName | ||
+ | |||
+ | principal.ldap.role.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.role.search.filter=(objectclass=group) | ||
+ | principal.ldap.role.attribute=cn | ||
+ | |||
+ | principal.ldap.mail.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0})) | ||
+ | principal.ldap.mail.attribute=mail | ||
+ | |||
+ | principal.ldap.username.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0})) | ||
+ | principal.ldap.username.attribute=cn | ||
+ | |||
+ | principal.ldap.users.by.role.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})) | ||
+ | principal.ldap.users.by.role.attribute=member | ||
+ | |||
+ | principal.ldap.roles.by.user.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})) | ||
+ | principal.ldap.roles.by.user.attribute=memberOf | ||
+ | |||
+ | principal.ldap.referral=follow | ||
+ | </source> | ||
+ | |||
+ | {{Advice|With '''OpenKM 5.0.4''' we added more "users by role", "roles by user" and "referral" configuration properties, which are not present in older versions.}} | ||
+ | |||
+ | In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable | ||
+ | |||
+ | <source lang="java"> | ||
+ | system.login.lowercase=on | ||
+ | </source> | ||
+ | |||
+ | The reason is simply because Windows does not make any distinction between upper and lower case when validating user name credentials. | ||
+ | |||
+ | ==== OpenKM Integration - Filtering users and roles ==== | ||
+ | Create a role called OpenKM. Assign this role to users and roles. It'll be used to filter users and roles. Only users and roles with OpenKM role will be displayed in OpenKM. | ||
+ | If you want to restrict the users who can log into OpenKM, you should change these: | ||
+ | |||
+ | <source lang="java"> | ||
+ | principal.ldap.user.search.filter=(&(objectclass=person) (|(memberOf=CN=UserRole,dc=weyler,dc=local)(memberOf=CN=AdminRole,dc=weyler,dc=local))) | ||
+ | principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,dc=weyler,dc=local)) | ||
+ | principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) | ||
+ | principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local)) | ||
+ | </source> | ||
+ | |||
+ | {{Note|In the example we assume that role OpenKM is in node '''<nowiki>CN=OpenKM,CN=users,DC=weyler,DC=local</nowiki>'''.}} | ||
+ | |||
+ | Also add this option in login-config.xml: | ||
+ | |||
+ | <source lang="xml"> | ||
+ | <module-option name="baseFilter">(&(sAMAccountName={0})(objectClass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option> | ||
+ | </source> | ||
+ | == LDAP example with uniqueMember == | ||
+ | See [[LDAP and Active Directory uniqueMember user examples]]. | ||
[[Category: Installation Guide]] | [[Category: Installation Guide]] | ||
− |
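Review bot: the baseFilter values in the added XML (the advanced login-config and the final module-option) contain a bare "&" inside "(&(sAMAccountName={0})...)"; in a real login-config.xml that must be written as "&amp;" or JBoss fails to parse the file. Smaller points in the same hunk: bindDN uses "CN=Administrador" while the text tells readers to replace "Administrator"; the advanced principal.ldap.user.search.filter restricts logins to UserRole/AdminRole groups directly under dc=weyler,dc=local although the surrounding text and the following note describe a single OpenKM role at CN=OpenKM,CN=users; and since bindCredential is stored in clear text here, the text should recommend a dedicated read-only bind account rather than the domain Administrator.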
Latest revision as of 19:36, 1 December 2012
== Basic configuration ==
This is the suggested configuration to be used when roles and users are both defined in the same node; otherwise refer to the advanced configuration.

Active Directory configuration has two parts: login configuration and OpenKM integration.

'''In this example''' you must change the '''192.168.0.6, Administrator, password and weyler''' values to your Active Directory values.

{{Note|In this example all users are under the same node '''cn=users,dc=weyler,dc=local''' and roles are under the same node '''cn=users,dc=weyler,dc=local''' too.}}

=== Login configuration ===
Change the login-config.xml file at $JBOSS_HOME/server/default/conf

{{Advice|You must restart JBoss after changing login-config.xml.}}

There are two configuration options, both valid:
Filter roles by users who are members:

<source lang="xml">
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrator,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
</source>
Getting roles by user:

<source lang="xml">
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrator,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
</source>

{{Note|Take care: if your LDAP server is configured with SSL, you should use ldaps://.}}
=== OpenKM integration ===
To configure Active Directory we must make some changes in [[Configuration view]]. You only need to restart JBoss the first time you change the principal.adapter parameter. Other changes can be made on the fly.

<source lang="java">
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=cn=users,dc=weyler,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf
</source>

{{Advice|With '''OpenKM 5.0.4''' we added more "users by role" and "roles by user" configuration properties, which are not present in older versions.}}
{{Advice|With '''OpenKM 5.1.10''' we added more "username" configuration properties, which are not present in older versions.}}
In the case of Active Directory (Windows), it is important that all user logins are in lower case. For this purpose we enable

<source lang="java">
system.login.lowercase=on
</source>

The reason is simply that Windows does not make any distinction between upper and lower case when validating user name credentials.
==== OpenKM Integration - Filtering users and roles ====
Create a role called OpenKM and assign it to users and roles. It will be used to filter users and roles: only users and roles with the OpenKM role will be displayed in OpenKM. If you want to restrict the users who can log into OpenKM, you should change these:

<source lang="java">
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.users.by.role.search.filter=(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
</source>

Also add this option in login-config.xml (the & of the filter must be written as &amp; because the file is XML):

<source lang="xml">
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>
</source>
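As an added check that is not part of the OpenKM page or project, the following Python script validates the principal.ldap.*.search.filter properties shown above before they are saved in Configuration view: it substitutes {0} with an RFC 4515-escaped value, so a login name containing filter metacharacters cannot change the meaning of the filter, and rejects any filter that is not one balanced parenthesised expression, which is exactly the defect of a value like (objectclass=group)(memberOf=...)) that lacks its (& wrapper. The property names are the page's own; the sample block and the helper names are constructed here.

```python
# Added example, not part of the OpenKM page or project: validate the
# principal.ldap.*.search.filter properties before saving them in
# Configuration view. {0} is replaced with a value escaped per RFC 4515 and
# each expanded filter must be a single balanced parenthesised expression.
from typing import Dict, List

# Constructed sample: the page's basic-configuration filters with the OpenKM
# role restriction; the users.by.role line is deliberately malformed.
SAMPLE_PROPERTIES = """
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.users.by.role.search.filter=(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
"""

# RFC 4515 escapes for a value placed inside an LDAP search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value: str) -> str:
    """Escape a login name or role name before it is put into a filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def parse_properties(text: str) -> Dict[str, str]:
    """Parse key=value lines; the value keeps every '=' after the first one."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def expand_filter(template: str, value: str) -> str:
    """Substitute the {0} placeholder with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def filter_is_balanced(flt: str) -> bool:
    """True when the filter is exactly one parenthesised expression."""
    if not flt.startswith("("):
        return False
    depth = 0
    for i, ch in enumerate(flt):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False          # more closing than opening parentheses
            if depth == 0 and i != len(flt) - 1:
                return False          # a second term outside the outer group
    return depth == 0


def check_filters(props: Dict[str, str], sample_value: str = "jdoe") -> List[str]:
    """Return one message per malformed *.search.filter property."""
    problems: List[str] = []
    for key, template in props.items():
        if not key.endswith(".search.filter"):
            continue
        expanded = expand_filter(template, sample_value)
        if not filter_is_balanced(expanded):
            problems.append(f"{key}: malformed filter {expanded}")
    return problems


if __name__ == "__main__":
    for problem in check_filters(parse_properties(SAMPLE_PROPERTIES)):
        print(problem)
```

Paste your own properties into SAMPLE_PROPERTIES or feed them to parse_properties; only the malformed users.by.role line of the constructed sample is reported.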
== Advanced configuration ==
This configuration should be used when roles and users are defined in different Active Directory nodes.

Active Directory configuration has two parts: login configuration and OpenKM integration.

'''In this example''' you must change the '''192.168.0.6, Administrator, password and weyler''' values to your Active Directory values.

{{Note|In this example the main LDAP node is '''dc=weyler,dc=local''', with users and roles distributed across different Active Directory nodes.}}

=== Login configuration ===
Change the login-config.xml file in $JBOSS_HOME/server/default/conf

{{Advice|You must restart JBoss after changing login-config.xml.}}
<source lang="xml">
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrator,CN=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">dc=weyler,dc=local</module-option>
      <!-- the & of the filter is written as &amp; because this file is XML -->
      <module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user))</module-option>
      <module-option name="rolesCtxDN">dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
</source>

{{Note|Take care: if your LDAP server is configured with SSL, you should use ldaps://.}}
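As an added check that is not part of the OpenKM page or project, the following Python script lints the LdapExtLoginModule options of a login-config.xml like the one above before JBoss is restarted: a search base at the domain root without java.naming.referral=follow (the PartialResultException case the page describes), allowEmptyPasswords not set to false, ldap:// on the LDAPS port, a bare & in the filter, and a bind account that is the domain Administrator while bindCredential is stored in clear text. The sample XML mirrors the page's values; the function names are constructed here.

```python
# Added example, not part of the OpenKM page or project: lint the
# LdapExtLoginModule options of a login-config.xml before restarting JBoss.
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample mirroring the page's advanced login-config.xml. The '&'
# of the filter is written as '&amp;', as XML requires.
SAMPLE_LOGIN_CONFIG = """<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrator,CN=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user))</module-option>
      <module-option name="rolesCtxDN">dc=weyler,dc=local</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
"""


def module_options(xml_text: str) -> Dict[str, str]:
    """Map module-option name -> value for the first login-module."""
    root = ET.fromstring(xml_text)
    module = root.find(".//login-module")
    if module is None:
        raise ValueError("no <login-module> element found")
    return {opt.get("name", ""): (opt.text or "").strip()
            for opt in module.findall("module-option")}


def is_domain_root(dn: str) -> bool:
    """True when the DN consists only of dc= components, e.g. dc=weyler,dc=local."""
    rdns = [part.strip().lower() for part in dn.split(",") if part.strip()]
    return bool(rdns) and all(rdn.startswith("dc=") for rdn in rdns)


def lint_login_config(xml_text: str) -> List[str]:
    """Return one finding per problem; an empty list means the config passes."""
    try:
        opts = module_options(xml_text)
    except ET.ParseError as exc:
        return [f"not well-formed XML ({exc}); a bare '&' in a filter must be written as &amp;"]
    findings: List[str] = []
    url = opts.get("java.naming.provider.url", "")
    if not url.startswith(("ldap://", "ldaps://")):
        findings.append("java.naming.provider.url must start with ldap:// or ldaps://")
    elif url.startswith("ldap://") and url.rstrip("/").endswith(":636"):
        findings.append("port 636 is the LDAPS port: use ldaps:// instead of ldap://")
    if is_domain_root(opts.get("baseCtxDN", "")) and opts.get("java.naming.referral") != "follow":
        findings.append("baseCtxDN is the domain root: set java.naming.referral=follow "
                        "or searches fail with PartialResultException")
    # LdapExtLoginModule treats a missing allowEmptyPasswords option as true.
    if opts.get("allowEmptyPasswords", "true").lower() != "false":
        findings.append("allowEmptyPasswords must be false: Active Directory accepts an "
                        "empty password as an unauthenticated bind")
    if "cn=administrator" in opts.get("bindDN", "").lower():
        findings.append("bindDN is the domain Administrator: use a dedicated read-only "
                        "bind account, bindCredential is stored in clear text")
    return findings


if __name__ == "__main__":
    for finding in lint_login_config(SAMPLE_LOGIN_CONFIG):
        print(finding)
```

Run against the constructed sample, the only finding is the Administrator bind account; drop the java.naming.referral option or write the filter with a bare & and the corresponding findings appear.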
=== OpenKM integration ===
To configure Active Directory we must make some changes in [[Configuration view]]. You only need to restart JBoss the first time you change the principal.adapter parameter. Other changes can be made on the fly.

<source lang="java">
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=dc=weyler,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=dc=weyler,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf

principal.ldap.referral=follow
</source>

{{Advice|With '''OpenKM 5.0.4''' we added more "users by role", "roles by user" and "referral" configuration properties, which are not present in older versions.}}
In the case of Active Directory (Windows), it is important that all user logins are in lower case. For this purpose we enable

<source lang="java">
system.login.lowercase=on
</source>

The reason is simply that Windows does not make any distinction between upper and lower case when validating user name credentials.
==== OpenKM Integration - Filtering users and roles ====
Create a role called OpenKM and assign it to users and roles. It will be used to filter users and roles: only users and roles with the OpenKM role will be displayed in OpenKM. If you want to restrict the users who can log into OpenKM, you should change these:

<source lang="java">
principal.ldap.user.search.filter=(&(objectclass=person)(|(memberOf=CN=UserRole,dc=weyler,dc=local)(memberOf=CN=AdminRole,dc=weyler,dc=local)))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,dc=weyler,dc=local))
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
</source>

{{Note|In the example we assume that the role OpenKM is in node '''<nowiki>CN=OpenKM,CN=users,DC=weyler,DC=local</nowiki>'''.}}

Also add this option in login-config.xml (the & of the filter must be written as &amp; because the file is XML):

<source lang="xml">
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>
</source>