Ldap-example2

From OpenKM Documentation
Latest revision as of 09:45, 12 March 2013

Active Directory connection that lets any Active Directory authenticated user log in. This example covers the case where more than one Active Directory domain works together, which requires the follow referral parameter.

LDAP structure

dc=com
    dc=company
        ou=OPENKM
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
                member=user2
            cn=ROLE_USER
                member=user3
                member=user4
            cn=ROLE_XXXX
            cn=ROLE_YYYY
                ...
        ou=organization1
            sAMAccountName=okmAdmin
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=user2@mail.com
                cn=User Name 2
        ou=organization2
            sAMAccountName=user3
                memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
                mail=user3@mail.com
                cn=User Name 3
            sAMAccountName=user4
                memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
                mail=user4@mail.com
                cn=User Name 4

Valid groups:

  • cn=ROLE_ADMIN,ou=OPENKM,dc=company,dc=com
  • cn=ROLE_USER,ou=OPENKM,dc=company,dc=com
  • cn=ROLE_XXXX,ou=OPENKM,dc=company,dc=com
  • cn=ROLE_YYYY,ou=OPENKM,dc=company,dc=com

Valid users:

  • cn=user1,ou=organization1,dc=company,dc=com
  • cn=user2,ou=organization1,dc=company,dc=com
  • cn=user3,ou=organization2,dc=company,dc=com
  • cn=user4,ou=organization2,dc=company,dc=com

Note: any distinguished name includes dc=company,dc=com by default.

OpenKM.xml

  • The follow parameter (java.naming.referral=follow in the contextSource bean) indicates several domain servers working together (balanced).
  • Users defined in any Active Directory node will be able to log in, because DC=company,DC=com is set as the user search base: <beans:constructor-arg index="0" value="DC=company,DC=com" />.
  • Any user authenticated in Active Directory can log in, because the user search filter has no restricting clause: <beans:constructor-arg index="1" value="sAMAccountName={0}" />.
  • Groups read by OpenKM can be defined in any Active Directory node, because DC=company,DC=com is set as the group search base: <beans:constructor-arg value="DC=company,DC=com"/>.

<!-- LDAP Complex -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://192.168.xxx.xxx:389"/>
    <beans:property name="userDn" value="CN=Administrator,OU=OPENKM,DC=company,DC=com"/>
    <beans:property name="password" value="****"/>
    <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>
 
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="DC=company,DC=com"/>
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <beans:property name="rolePrefix" value="" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="DC=company,DC=com" />
    <beans:constructor-arg index="1" value="sAMAccountName={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

Configuration parameters

  • The follow parameter indicates several domain servers working together (balanced): principal.ldap.referral=follow
  • Users can be defined in any Active Directory node, because DC=company,DC=com is set as the user search base: principal.ldap.user.search.base=DC=company,DC=com
  • All Active Directory users will be listed, because no filter restriction is applied: principal.ldap.user.search.filter=(objectclass=user)
  • Groups can be defined in any Active Directory node, because DC=company,DC=com is set as the role search base: principal.ldap.role.search.base=DC=company,DC=com
  • All Active Directory groups will be listed, because no filter restriction is applied: principal.ldap.role.search.filter=(objectclass=group)

 principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 system.login.lowercase=true
 principal.ldap.referral=follow

 principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
 principal.ldap.server=ldap://192.168.xxx.xxx:389
 principal.ldap.security.credentials=*****

 principal.ldap.mail.attribute=mail
 principal.ldap.mail.search.base=DC=company,DC=com
 principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))

 principal.ldap.role.attribute=cn
 principal.ldap.role.search.base=DC=company,DC=com
 principal.ldap.role.search.filter=(objectclass=group)

 principal.ldap.roles.by.user.attribute=memberOf
 principal.ldap.roles.by.user.search.base=DC=company,DC=com
 principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))

 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(objectclass=user)

 principal.ldap.username.attribute=cn
 principal.ldap.username.search.base=DC=company,DC=com
 principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))

 principal.ldap.users.by.role.attribute=member
 principal.ldap.users.by.role.search.base=DC=company,DC=com
 principal.ldap.users.by.role.search.filter=(&(objectClass=group)(CN={0}))
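The following is an added example, not OpenKM's or Spring Security's code, showing how the {0} placeholder in the userSearch filter of OpenKM.xml and in the principal.ldap.*.search.filter parameters above resolves against the example tree: it fills {0} with an RFC 4515-escaped login name, then runs the roles-by-user and users-by-role lookups over a constructed in-memory subset of the directory. The filter evaluator only supports the =, & and | forms the page uses, and member values are kept as the short names the page lists.

```python
import re

# Characters that RFC 4515 requires to be escaped inside a filter value.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
def fill(template, value):
    """Substitute {0} as the page's filters expect, escaping the value first."""
    return template.replace("{0}", "".join(ESCAPES.get(ch, ch) for ch in value))

# Constructed subset of the example tree (DN -> attributes), member values as short names.
DIRECTORY = {
    "CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com": {
        "objectClass": ["group"], "cn": ["ROLE_ADMIN"], "member": ["okmAdmin", "user1", "user2"]},
    "CN=ROLE_USER,OU=OPENKM,DC=company,DC=com": {
        "objectClass": ["group"], "cn": ["ROLE_USER"], "member": ["user3", "user4"]},
    "CN=User Name 1,OU=organization1,DC=company,DC=com": {
        "objectClass": ["user", "person"], "sAMAccountName": ["user1"],
        "memberOf": ["CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com"]},
}

def parse(f, i=0):
    """Minimal parser for (&...), (|...) and (attr=value); returns (node, next index)."""
    if f[i + 1] in "&|":
        op, items, i = f[i + 1], [], i + 2
        while f[i] == "(":
            node, i = parse(f, i)
            items.append(node)
        return (op, items), i + 1
    end = f.index(")", i)                # a literal ')' inside a value arrives escaped
    attr, raw = f[i + 1:end].split("=", 1)
    value = None if raw == "*" else re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return ("=", attr.lower(), value), end + 1

def matches(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(n, attrs) for n in node[1])
    _, attr, value = node
    found = [v for k, vs in attrs.items() if k.lower() == attr for v in vs]
    return bool(found) if value is None else any(v.lower() == value.lower() for v in found)

def search(base, filt, attribute):
    """Subtree search under base (searchSubtree=true), returning one attribute's values."""
    node, _ = parse(filt)
    return [v for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(node, attrs)
            for v in attrs.get(attribute, [])]

def roles_by_user(login):   # principal.ldap.roles.by.user.* as configured above
    return search("DC=company,DC=com", fill("(&(objectClass=person)(sAMAccountName={0}))", login), "memberOf")
def users_by_role(role):    # principal.ldap.users.by.role.* as configured above
    return search("DC=company,DC=com", fill("(&(objectClass=group)(CN={0}))", role), "member")
```

Because the login name is escaped before substitution, a value such as "*" is looked up as a literal account name and matches no entry, which is the behaviour a production filter substitution must preserve.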