Ldap-example2
From OpenKM Documentation
Latest revision as of 09:45, 12 March 2013
Active Directory connection that lets any Active Directory authenticated user log in. The example covers the case where several Active Directory domains work together, which requires the referral parameter to be set to follow.
LDAP structure
dc=com
  dc=company
    ou=OPENKM
      cn=ROLE_ADMIN
        member=okmAdmin
        member=user1
        member=user2
      cn=ROLE_USER
        member=user3
        member=user4
      cn=ROLE_XXXX
      cn=ROLE_YYYY
      ...
    ou=organization1
      sAMAccountName=okmAdmin
        memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
        mail=okmAdmin@mail.com
        cn=OpenKM Administrator
      sAMAccountName=user1
        memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
        mail=user1@mail.com
        cn=User Name 1
      sAMAccountName=user2
        memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
        mail=user2@mail.com
        cn=User Name 2
    ou=organization2
      sAMAccountName=user3
        memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
        mail=user3@mail.com
        cn=User Name 3
      sAMAccountName=user4
        memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
        mail=user4@mail.com
        cn=User Name 4
Valid groups:
- cn=ROLE_ADMIN,ou=OPENKM,dc=company,dc=com
- cn=ROLE_USER,ou=OPENKM,dc=company,dc=com
- cn=ROLE_XXXX,ou=OPENKM,dc=company,dc=com
- cn=ROLE_YYYY,ou=OPENKM,dc=company,dc=com
Valid users:
- cn=user1,ou=organization1,dc=company,dc=com
- cn=user2,ou=organization1,dc=company,dc=com
- cn=user3,ou=organization2,dc=company,dc=com
- cn=user4,ou=organization2,dc=company,dc=com
Every distinguished name above ends in dc=company,dc=com, which is the search base used throughout the configuration below. Users are located by their sAMAccountName (the search filters use sAMAccountName={0}), not by their distinguished name.
OpenKM.xml
- The referral value follow indicates several domain servers working together (load balanced): when one server answers with a referral, the client follows it instead of failing.
- Users defined in any Active Directory node are able to log in, because DC=company,DC=com is the user search base (<beans:constructor-arg index="0" value="DC=company,DC=com" />) and searchSubtree is true.
- Any user authenticated by Active Directory can log in, because the user search filter <beans:constructor-arg index="1" value="sAMAccountName={0}" /> carries no restricting clause. Add one (for example a memberOf condition on one of the groups above) if only particular accounts should be able to log in.
- Groups read by OpenKM can be defined in any Active Directory node, because DC=company,DC=com is the group search base (<beans:constructor-arg value="DC=company,DC=com"/>).
- The bind account used for the searches (userDn, here an Administrator account) and its password are stored in clear text in this file; prefer a read-only service account and restrict who can read OpenKM.xml.
<!-- LDAP Complex -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.xxx.xxx:389"/>
  <beans:property name="userDn" value="CN=Administrator,OU=OPENKM,DC=company,DC=com"/>
  <beans:property name="password" value="****"/>
  <beans:property name="baseEnvironmentProperties">
    <beans:map>
      <beans:entry>
        <beans:key>
          <beans:value>java.naming.referral</beans:value>
        </beans:key>
        <beans:value>follow</beans:value>
      </beans:entry>
    </beans:map>
  </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=company,DC=com"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=company,DC=com" />
  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
Configuration parameters
- principal.ldap.referral=follow indicates several domain servers working together (load balanced).
- Users can be defined in any Active Directory node, because DC=company,DC=com is the user search base: principal.ldap.user.search.base=DC=company,DC=com.
- All Active Directory users are listed, because no restriction is applied in principal.ldap.user.search.filter=(objectclass=user).
- Groups can be defined in any Active Directory node, because DC=company,DC=com is the role search base: principal.ldap.role.search.base=DC=company,DC=com.
- All Active Directory groups are listed, because no restriction is applied in principal.ldap.role.search.filter=(objectclass=group). On a large domain these two unrestricted searches return every user and group in the forest; narrow the filter or the search base (for example principal.ldap.role.search.base=OU=OPENKM,DC=company,DC=com) if only the OpenKM roles should appear.
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase=true
principal.ldap.referral=follow
principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
principal.ldap.server=ldap://192.168.xxx.xxx:389
principal.ldap.security.credentials=*****
principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=DC=company,DC=com
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=DC=company,DC=com
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.roles.by.user.search.base=DC=company,DC=com
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=DC=company,DC=com
principal.ldap.user.search.filter=(objectclass=user)
principal.ldap.username.attribute=cn
principal.ldap.username.search.base=DC=company,DC=com
principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute=member
principal.ldap.users.by.role.search.base=DC=company,DC=com
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(CN={0}))
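An added example, not code from OpenKM or Spring Security, that models the directory from the LDAP structure section in memory and evaluates the page's own filters against it: the userSearch and groupSearchFilter steps of the OpenKM.xml beans, and the principal.ldap.users.by.role filter from the parameters above. It assumes user entries are named by their cn (CN=User Name 1,OU=organization1,...), as Active Directory does, where the Valid users list abbreviates this to cn=user1; RESTRICTED_USER_SEARCH is an assumed tighter filter that the page does not contain. All entries are constructed from the page; nothing is queried from a server.

```python
import re
from typing import Dict, List, Optional

BASE = "DC=company,DC=com"
Attrs = Dict[str, List[str]]


def _user(cn: str, sam: str, ou: str, role: str):
    # ASSUMPTION: the RDN is the cn (display name), as Active Directory does;
    # the page's "Valid users" list abbreviates this to cn=user1.
    return f"CN={cn},OU={ou},{BASE}", {
        "objectClass": ["person", "user"], "cn": [cn], "sAMAccountName": [sam],
        "mail": [f"{sam}@mail.com"], "memberOf": [f"CN={role},OU=OPENKM,{BASE}"]}


# Constructed sample data copied from the "LDAP structure" section.
USERS = [_user("OpenKM Administrator", "okmAdmin", "organization1", "ROLE_ADMIN"),
         _user("User Name 1", "user1", "organization1", "ROLE_ADMIN"),
         _user("User Name 2", "user2", "organization1", "ROLE_ADMIN"),
         _user("User Name 3", "user3", "organization2", "ROLE_USER"),
         _user("User Name 4", "user4", "organization2", "ROLE_USER")]
DIRECTORY: Dict[str, Attrs] = dict(USERS)
for _role in ("ROLE_ADMIN", "ROLE_USER", "ROLE_XXXX", "ROLE_YYYY"):
    DIRECTORY[f"CN={_role},OU=OPENKM,{BASE}"] = {
        "objectClass": ["group"], "cn": [_role],
        "member": [dn for dn, a in USERS if a["memberOf"][0].startswith(f"CN={_role},")]}

_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value substituted for {0}; JNDI does this for
    Spring's filter arguments, so a username cannot change the filter's shape."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _parse(s: str, i: int):
    """Parse the parenthesised filter at s[i]; return (node, next index).
    Supports &, |, ! and attr=value with * wildcards, enough for this page."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i} in {s!r}")
    i += 1
    if s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        if s[i] != ")":
            raise ValueError("unterminated composite filter")
        return (op, kids), i + 1
    j = s.index(")", i)          # a raw ')' never occurs inside an escaped value
    attr, _, raw = s[i:j].partition("=")
    return ("=", attr, raw), j + 1


def _matches(node, attrs: Attrs) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(k, attrs) for k in node[1])
    if op == "|":
        return any(_matches(k, attrs) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], attrs)
    _, attr, raw = node
    # Only an unescaped '*' is a wildcard; '\2a' unescapes to a literal star.
    rx = re.compile(".*".join(re.escape(_unescape(p)) for p in raw.split("*")), re.I)
    values = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
    return any(rx.fullmatch(v) for v in values)


def search(base: str, template: str, arg: str, escape: bool = True) -> List[str]:
    """Subtree search under base (searchSubtree=true); {0} is filled like a
    Spring/JNDI filter argument. escape=False shows what raw substitution does."""
    flt = template.replace("{0}", escape_filter_value(arg) if escape else arg)
    if not flt.startswith("("):
        flt = f"({flt})"          # "sAMAccountName={0}" is written without outer parens
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    suffix = "," + base.lower()
    return [dn for dn, a in DIRECTORY.items() if dn.lower().endswith(suffix) and _matches(node, a)]


# Filters exactly as they appear in OpenKM.xml and the properties above.
USER_SEARCH = "sAMAccountName={0}"                 # FilterBasedLdapUserSearch
GROUP_SEARCH = "member={0}"                         # groupSearchFilter
USERS_BY_ROLE = "(&(objectClass=group)(CN={0}))"    # principal.ldap.users.by.role.search.filter
# ASSUMED tighter filter, not from the page: only ROLE_USER members may log in.
RESTRICTED_USER_SEARCH = f"(&(sAMAccountName={{0}})(memberOf=CN=ROLE_USER,OU=OPENKM,{BASE}))"


def find_user_dn(username: str, template: str = USER_SEARCH) -> Optional[str]:
    """BindAuthenticator step 1: exactly one entry must match, or login fails."""
    hits = search(BASE, template, username)
    return hits[0] if len(hits) == 1 else None


def roles_for(user_dn: str) -> List[str]:
    """DefaultLdapAuthoritiesPopulator: groups whose member holds the user's DN;
    the role name is the group's cn, with rolePrefix="" and no upper-casing."""
    return sorted(DIRECTORY[g]["cn"][0] for g in search(BASE, GROUP_SEARCH, user_dn))


def login(username: str, template: str = USER_SEARCH):
    """Returns (dn, roles) the way the ldapAuthProvider bean resolves them, or None."""
    dn = find_user_dn(username, template)
    return None if dn is None else (dn, roles_for(dn))


def users_by_role(role: str) -> List[str]:
    """principal.ldap.users.by.role.*: find the group by CN, read its member attribute."""
    return sorted(m for g in search(BASE, USERS_BY_ROLE, role) for m in DIRECTORY[g]["member"])
```

login("user1") resolves to the User Name 1 entry with the single role ROLE_ADMIN, and the lookup is case-insensitive as in Active Directory. Substituted values are escaped as RFC 4515 requires; search(BASE, USER_SEARCH, "*", escape=False) shows why that matters, since an unescaped star matches every account and the bind step then fails for lack of a single entry, whereas the escaped value matches nothing. Passing RESTRICTED_USER_SEARCH to login() demonstrates how one memberOf clause turns the "any authenticated user" behaviour described above into an allow-list.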