Difference between revisions of "Active Directory"

From OpenKM Documentation
 
(61 intermediate revisions by 3 users not shown)
Previous revision (wikitext):

To configure Active Directory we must make some changes in the [[OpenKM.cfg]] configuration file and in the login-config.xml file, which can be found at ''$JBOSS_HOME/server/default/conf''. For both changes you need to restart the JBoss server.

'''OpenKM.cfg''' file example ( you must change the '''192.168.0.6, Administrador, password and weyler''' values to your Active Directory values ):

<source lang="java">
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.atribute=cn
principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.atribute=cn
principal.ldap.mail.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.atribute=mail
system.login.lowercase=on
</source>

In the case of Active Directory ( Windows ) it is important that all user logins are in lower case; for this purpose we enable the

<source lang="java">
system.login.lowercase=on
</source>

property in [[OpenKM.cfg]]. The reason is simple: Windows makes no distinction between upper and lower case when validating user name credentials.

'''login-config.xml''' file example ( you must change the '''192.168.0.6, Administrador, password and weyler''' values to your Active Directory values ):

<source lang="xml">
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
</source>

If you want to restrict the users who can log into OpenKM, you should change these two properties in OpenKM.cfg:

<source lang="java">
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
</source>

and this option in login-config.xml:

<source lang="xml">
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>
</source>

and remove this one:

<source lang="xml">
<module-option name="defaultRole">UserRole</module-option>
</source>

[[Category: Installation Guide]]
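The templates above substitute the login into a search filter ({0}), the user's DN into roleFilter ({1}, which LdapExtLoginModule fills with the DN found by the user search) and the login into a DN (the mail search base). As an added example written for this page (not OpenKM or JBoss code), the Python below expands those three templates for a given login the way an LDAP client must, applying the general escaping rules of RFC 4515 for filters and RFC 4514 for DNs, which the page itself does not spell out, and the lower-casing that system.login.lowercase=on performs; the expanded strings are what you should expect to see in the login debug output this page shows how to enable.

```python
# Added example for this page (not OpenKM or JBoss code). Expands the {0}/{1}
# placeholders of the filter and DN templates from the configuration above the
# way an LDAP client must. Escaping follows the general rules of RFC 4515
# (search filters) and RFC 4514 (DNs); lower-casing mirrors system.login.lowercase=on.

# Templates copied from the restricted configuration on this page.
USER_FILTER = "(&(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))"
ROLE_FILTER = "(member={1})"                      # {1} is the authenticated user's DN
MAIL_BASE = "cn={0},cn=users,dc=weyler,dc=local"  # {0} becomes an RDN value here

FILTER_SPECIALS = "*()\\\x00"   # RFC 4515: written as \XX inside a filter value
DN_SPECIALS = ',+"\\<>;='       # RFC 4514: backslash-escaped inside an RDN value

def escape_filter_value(value: str) -> str:
    """Escape a value that is substituted into a search-filter assertion."""
    return "".join(f"\\{ord(c):02x}" if c in FILTER_SPECIALS else c for c in value)

def escape_dn_value(value: str) -> str:
    """Escape a value that is substituted into an RDN (attribute=value) of a DN."""
    out = "".join("\\" + c if c in DN_SPECIALS else c for c in value)
    if out[:1] in ("#", " "):               # a leading '#' or space is special too
        out = "\\" + out
    if out.endswith(" ") and not out.endswith("\\ "):
        out = out[:-1] + "\\ "              # and so is a trailing space
    return out

def normalise_login(login: str, lowercase: bool = True) -> str:
    """system.login.lowercase=on: AD matches sAMAccountName case-insensitively,
    so the login is folded before OpenKM uses it as the principal name."""
    return login.lower() if lowercase else login

def expand_user_filter(login: str) -> str:
    """User search from OpenKM.cfg: only members of UserRole can match."""
    return USER_FILTER.replace("{0}", escape_filter_value(normalise_login(login)))

def expand_role_filter(user_dn: str) -> str:
    """roleFilter from login-config.xml, fed the DN returned by the user search."""
    return ROLE_FILTER.replace("{1}", escape_filter_value(user_dn))

def expand_mail_base(login: str) -> str:
    """principal.ldap.mail.search.base builds a DN, so DN escaping applies."""
    return MAIL_BASE.replace("{0}", escape_dn_value(normalise_login(login)))

def is_well_formed_user_filter(expanded: str) -> bool:
    """Log check: the expansion keeps the template's clause count and carries no
    unescaped wildcard, i.e. it still selects exactly one account."""
    return (expanded.count("(") == USER_FILTER.count("(")
            and expanded.count(")") == USER_FILTER.count(")")
            and "*" not in expanded)
```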

Latest revision as of 11:13, 27 December 2012

Configuration

* Active Directory - OpenKM 6.2
* Active Directory - OpenKM 5.1
* Active Directory - OpenKM 5.0
* Active Directory - OpenKM 4.1 ( valid for older versions )

Enable debug on login process

OpenKM 6.2 - Tomcat

Edit the log4j configuration file located at $TOMCAT_HOME/conf/log4j.properties and add:

<source lang="java">
log4j.logger.org.springframework.security=DEBUG
</source>

The Tomcat bundled with OpenKM is configured with a listener that watches the log4j.properties file for changes, so you do not need to restart Tomcat for these changes to take effect.

OpenKM 5.1 - JBoss

It is good practice to enable login debugging whenever you change the authentication mechanism. Edit the file $JBOSS_HOME/server/default/conf/jboss-log4j.xml and add the category ( remember you must restart JBoss for it to take effect ):

<source lang="xml">
<category name="org.jboss.security">
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
</category>
</source>

or

<source lang="xml">
<category name="org.jboss.security">
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
    <appender-ref ref="SECURITY_F"/>
</category>

<appender name="SECURITY_F" class="org.jboss.logging.appender.DailyRollingFileAppender">
    <param name="Append" value="true"/>
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
    <param name="File" value="${jboss.server.home.dir}/log/jboss.security.log"/>
    <layout class="org.apache.log4j.PatternLayout">
        <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c] %m%n"/>
    </layout>
</appender>
</source>

More info at JBoss and JAAS debug (http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/).

Active directory utilities

We recommend taking a look at these tools:

* Apache Directory Studio (http://directory.apache.org/studio/)
* Active Directory Explorer Utility (http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx)

See also:

* Testing LDAP configuration
* Forum: Usuario administrador LDAP v.4 (http://forum.openkm.com/viewtopic.php?f=13&t=3535)
* JBoss and JAAS debug (http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/)
* LDAP - Apache Directory Studio: A Basic Tutorial (http://krams915.blogspot.com.es/2011/01/ldap-apache-directory-studio-basic.html)
* LDAP authentication using LDAPExtUserModuleImpl is case-inse (http://community.jboss.org/message/427398)
* LdapExtLoginModule (http://community.jboss.org/wiki/LdapExtLoginModule)
* LdapLoginModule (http://community.jboss.org/wiki/LdapLoginModule)
* Problems with LdapExtLoginModule (http://community.jboss.org/thread/159069)