Difference between revisions of "Ldap-example2"
From OpenKM Documentation
Latest revision as of 09:45, 12 March 2013
Active Directory connection that allows any Active Directory authenticated user to connect. The example covers the case where more than one Active Directory domain works together, which requires the parameter follow.
LDAP structure
dc=com
  dc=company
    ou=OPENKM
      cn=ROLE_ADMIN
        member=okmAdmin
        member=user1
        member=user2
      cn=ROLE_USER
        member=user3
        member=user4
      cn=ROLE_XXXX
      cn=ROLE_YYYY
      ...
    ou=organization1
      sAMAccountName=okmAdmin
        memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
        mail=okmAdmin@mail.com
        cn=OpenKM Administrator
      sAMAccountName=user1
        memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
        mail=user1@mail.com
        cn=User Name 1
      sAMAccountName=user2
        memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
        mail=user2@mail.com
        cn=User Name 3
    ou=organization2
      sAMAccountName=user3
        memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
        mail=user3@mail.com
        cn=User Name 3
      sAMAccountName=user4
        memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
        mail=user4@mail.com
        cn=User Name 4
Valid groups:
- cn=ROLE_ADMIN,ou=OPENKM,dc=company,dc=com
- cn=ROLE_USER,ou=OPENKM,dc=company,dc=com
- cn=ROLE_XXXX,ou=OPENKM,dc=company,dc=com
- cn=ROLE_YYYY,ou=OPENKM,dc=company,dc=com
Valid users:
- cn=user1,ou=organization1,dc=company,dc=com
- cn=user2,ou=organization1,dc=company,dc=com
- cn=user3,ou=organization2,dc=company,dc=com
- cn=user4,ou=organization2,dc=company,dc=com
Note: any distinguished name above includes dc=company,dc=com by default.
OpenKM.xml
- Parameter follow indicates several domain servers working together (balanced).
- Users defined in any Active Directory node will be able to log in, because DC=company,DC=com is defined as the search base: <beans:constructor-arg index="0" value="DC=company,DC=com" />.
- Any user authenticated in Active Directory can log in, because there is no filtering clause in <beans:constructor-arg index="1" value="sAMAccountName={0}" />.
- Groups read by OpenKM can be defined in any Active Directory node, because DC=company,DC=com is defined as the search base: <beans:constructor-arg value="DC=company,DC=com"/>.
<!-- LDAP Complex -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.xxx.xxx:389"/>
  <beans:property name="userDn" value="CN=Administrator,OU=OPENKM,DC=company,DC=com"/>
  <beans:property name="password" value="****"/>
  <beans:property name="baseEnvironmentProperties">
    <beans:map>
      <beans:entry>
        <beans:key>
          <beans:value>java.naming.referral</beans:value>
        </beans:key>
        <beans:value>follow</beans:value>
      </beans:entry>
    </beans:map>
  </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=company,DC=com"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=company,DC=com" />
  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
Configuration parameters
- Parameter follow indicates several domain servers working together (balanced): principal.ldap.referral=follow
- Users can be defined in any Active Directory node, because DC=company,DC=com is defined as the search base: principal.ldap.user.search.base=DC=company,DC=com
- All Active Directory users will be listed, because no filter restriction is applied: principal.ldap.user.search.filter=(objectclass=user)
- Groups can be defined in any Active Directory node, because DC=company,DC=com is defined as the search base: principal.ldap.role.search.base=DC=company,DC=com
- All Active Directory groups will be listed, because no filter restriction is applied: principal.ldap.role.search.filter=(objectclass=group)
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase=true
principal.ldap.referral=follow
principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
principal.ldap.server=ldap://192.168.xxx.xxx:389
principal.ldap.security.credentials=*****
principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=DC=company,DC=com
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=DC=company,DC=com
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.roles.by.user.search.base=DC=company,DC=com
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=DC=company,DC=com
principal.ldap.user.search.filter=(objectclass=user)
principal.ldap.username.attribute=cn
principal.ldap.username.search.base=DC=company,DC=com
principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute=member
principal.ldap.users.by.role.search.base=DC=company,DC=com
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(CN={0}))
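As an added example (not code from the page or from the OpenKM project), the following Python evaluates the filter templates shared by the OpenKM.xml beans and the principal.ldap.* properties above against a constructed in-memory copy of the directory tree, showing why the unrestricted (objectclass=user) filter returns every user and how a memberOf clause (an assumed hardening, not on the page) narrows the result. The {0} substitution is RFC 4515-escaped; the matcher supports only equality and &, no wildcards or substrings.

```python
# Added example (not OpenKM code): evaluate this page's search-filter templates
# against a constructed in-memory copy of the directory tree shown above.
def escape_filter_value(value):
    """RFC 4515 escaping for a value that replaces the {0} placeholder."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)

def render_filter(template, arg):
    return template.replace('{0}', escape_filter_value(arg))

def parse(f):
    """Parse '(attr=value)' and '(&(...)(...))'; returns (node, remaining text)."""
    if f[1] == '&':
        subs, rest = [], f[2:]
        while rest[0] == '(':
            node, rest = parse(rest)
            subs.append(node)
        return ('and', subs), rest[1:]
    end = f.index(')')  # safe: escaping turned any ')' in the argument into \29
    attr, _, val = f[1:end].partition('=')
    return ('eq', attr.lower(), val.lower()), f[end + 1:]

def matches(node, entry):
    """Exact, case-insensitive equality, as AD applies it to these attributes."""
    if node[0] == 'and':
        return all(matches(n, entry) for n in node[1])
    values = entry.get(node[1], [])
    values = [values] if isinstance(values, str) else values
    return any(v.lower() == node[2] for v in values)

def user(name, ou, role, mail):  # constructed entries mirroring the tree above
    return {'objectclass': ['person', 'user'], 'samaccountname': name, 'ou': ou,
            'memberof': ['CN=%s,OU=OPENKM,DC=company,DC=com' % role], 'mail': mail}
def group(name, members):
    return {'objectclass': ['group'], 'cn': name, 'member': members}

DIRECTORY = [
    user('okmAdmin', 'organization1', 'ROLE_ADMIN', 'okmAdmin@mail.com'),
    user('user1', 'organization1', 'ROLE_ADMIN', 'user1@mail.com'),
    user('user2', 'organization1', 'ROLE_ADMIN', 'user2@mail.com'),
    user('user3', 'organization2', 'ROLE_USER', 'user3@mail.com'),
    user('user4', 'organization2', 'ROLE_USER', 'user4@mail.com'),
    group('ROLE_ADMIN', ['okmAdmin', 'user1', 'user2']),
    group('ROLE_USER', ['user3', 'user4']),
    group('ROLE_XXXX', []), group('ROLE_YYYY', []),
]

def search(template, arg=None):
    """Run a filter template (with optional {0} argument) over DIRECTORY."""
    node, _ = parse(render_filter(template, arg) if arg is not None else template)
    return [e for e in DIRECTORY if matches(node, e)]
```

Calling search('(objectclass=user)') returns all five users, while the assumed (&(objectclass=user)(memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com)) returns only user3 and user4.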