Difference between revisions of "Testing LDAP configuration"

From OpenKM Documentation
(Created page with 'LDAP configuration maybe a little weird sometimes. For this reason is very important following certain rules. First of all you need to configure JBoss LDAP authentication. If aft…')
 
(OpenKM 5.x)
 
(13 intermediate revisions by 2 users not shown)
Line 1: Line 1:
LDAP configuration maybe a little weird sometimes. For this reason is very important following certain rules. First of all you need to configure JBoss LDAP authentication. If after that you can log into OpenKM, go ahead configuring OpenKM LDAP integration.
+
LDAP configuration maybe a little tricky sometimes. For this reason is very important following certain rules. First of all you need to configure JBoss LDAP authentication. If after that you can log into OpenKM, go ahead configuring OpenKM LDAP integration.
  
OpenKM is an J2EE that uses an Application Server called JBoss. In J2EE web applications, autentication and authorization are task delegated to the Application Server. This can be achieved because OpenKM use [http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service JAAS] and you need to configure JBoss to handle your users and passwords. JBoss has many predefined Login Modules which handles different the user and password storage, like RDBMS or LDAP. These Login Modules are configured at $JBOSS_HOME/server/default/conf/login-config.xml file.
+
Once the user is logged into OpenKM, the application also need to know which users and roles are defined. In the case of the default database based authentication, you can even manage these users, passwords and roles from OpenKM Administration. But if you use another authentication and authorization backend like LDAP, you only will see these users and their password but no modification is allowed.
 +
 
 +
In OpenKM you need to configure these LDAP queries:
 +
 
 +
* Get all users
 +
* Get all roles
 +
* Get email from a user
 +
* Get name from a user
 +
* Get users in a role
 +
* Get roles from a user
 +
 
 +
Every query needs three configuration properties:
  
Once the user is logged into OpenKM, the application also need to know which users and roles are defined. In the case of the default database based authentication, you can even manage these users, passwords and roles from OpenKM Administration. But if you use another authentication and authorization backend like LDAP, you only will see these users and their password but no modification is allowed.
+
* Search base
 +
* Filter
 +
* Attribute
 +
 
 +
So, the "get all users" query is composed by:
 +
 
 +
* principal.ldap.user.search.base
 +
* principal.ldap.user.search.filter
 +
* principal.ldap.user.attribute
 +
 
 +
To build these queries, I recommend using the precious [http://directory.apache.org/studio/ Apache Directory Studio] tool. It is multi-platform and works pretty well.
 +
 
 +
{{Note|With these configuration parameters you should be able to configure your LDAP. But in some cases, the user location is split in two or more branches. In this case you will need to develop a custom LDAP adapter which meets your particular requirements.}}
 +
 
 +
To execute the utility try:
 +
 
 +
$ java -jar testLdap.jar
 +
 
 +
And will provide you the available options:
 +
 
 +
java -jar testLdap.jar ACTION
 +
Where ACTION can be:
 +
  * getUsers
 +
  * getRoles
 +
  * getMail (need an additional parameter)
 +
  * getName (need an additional parameter)
 +
  * getUsersByRole (need an additional parameter)
 +
  * getRolesByUser (need an additional parameter)
 +
 
 +
So if you want to get the list of users, you need to run:
 +
 
 +
$ java -jar testLdap.jar getUsers
 +
 
 +
== OpenKM 6.x ==
 +
OpenKM is an J2EE that uses an application server called Tomcat. In J2EE web applications, autentication and authorization are task delegated to the Application Server, but in this case we use Spring Security because is more flexible and customizable. Spring Security has many predefined Authentication Providers which handles different the user and password storage, like RDBMS or LDAP. These Authentication Providers are configured at '''$TOMCAT_HOME/OpenKM.xml''' file.
 +
 
 +
{{Warning|Although OpenKM 6.x uses database for storing configuration properties, to simplify the usage this tool read these properties from OpenKM.cfg.}}
 +
 
 +
As you can imagine, configure all these properties correctly is complex. For this reason we have developed a tool for testing OpenKM configuration. This tool can be downloaded from http://download.openkm.com/okm/OpenKM-6.2-LDAP.zip.
 +
 
 +
== OpenKM 5.x ==
 +
OpenKM is an J2EE that uses an Application Server called JBoss. In J2EE web applications, autentication and authorization are task delegated to the Application Server. This can be achieved because OpenKM use [http://en.wikipedia.org/wiki/Java_Authentication_and_Authorization_Service JAAS] and you need to configure JBoss to handle your users and passwords. JBoss has many predefined Login Modules which handles different the user and password storage, like RDBMS or LDAP. These Login Modules are configured at '''$JBOSS_HOME/server/default/conf/login-config.xml''' file.
 +
 
 +
{{Warning|Although OpenKM 5.1.x uses database for storing configuration properties, to simplify the usage this tool read these properties from OpenKM.cfg.}}
 +
 
 +
As you can imagine, configure all these properties correctly is complex. For this reason we have developed a tool for testing OpenKM configuration. This tool can be downloaded from http://download.openkm.com/okm/OpenKM-5.1-LDAP.zip.
  
[[Category:OKM Network]]
+
[[Category: Installation Guide]]
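
Review bot: The opening paragraph kept at the top still tells every reader to "configure JBoss LDAP authentication" first, while the added "OpenKM 6.x" section says 6.x runs on Tomcat with Spring Security configured in $TOMCAT_HOME/OpenKM.xml; make the introduction version-neutral or point it at the per-version sections. The added "To execute the utility try:" block also appears before any text introduces the tool, because the download links sit in the version sections below it; move the usage block after those sections or add one introductory sentence. Both download links are plain http, so consider publishing a checksum next to them.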

Latest revision as of 10:32, 25 July 2014

LDAP configuration can be a little tricky. For this reason it is very important to follow certain rules. First of all, you need to configure JBoss LDAP authentication. If you can log into OpenKM after that, go ahead and configure the OpenKM LDAP integration.

Once the user is logged into OpenKM, the application also needs to know which users and roles are defined. With the default database-based authentication, you can even manage these users, passwords and roles from OpenKM Administration. But if you use another authentication and authorization backend such as LDAP, you will only see these users and their password, and no modification is allowed.

In OpenKM you need to configure these LDAP queries:

  • Get all users
  • Get all roles
  • Get email from a user
  • Get name from a user
  • Get users in a role
  • Get roles from a user

Every query needs three configuration properties:

  • Search base
  • Filter
  • Attribute

So, the "get all users" query is composed of:

  • principal.ldap.user.search.base
  • principal.ldap.user.search.filter
  • principal.ldap.user.attribute

To build these queries, I recommend using the excellent Apache Directory Studio tool (http://directory.apache.org/studio/). It is multi-platform and works pretty well.


Note: With these configuration parameters you should be able to configure your LDAP. But in some cases, the user location is split in two or more branches. In this case you will need to develop a custom LDAP adapter which meets your particular requirements.
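
How the three properties combine into one query, and why a single search base misses users kept in a second branch, shown as an added example that is not OpenKM code: a small in-memory evaluator for a subset of LDAP filters. The directory entries, DNs, property values, the subtree search scope and the `bases` parameter are assumptions made for illustration.

```python
# Constructed sample data. CONFIG uses the three property names from this page.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["alice"]},
    "uid=bob,ou=people,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["bob"]},
    "uid=carol,ou=contractors,dc=example,dc=com": {"objectClass": ["inetOrgPerson"], "uid": ["carol"]},
    "cn=printer1,ou=people,dc=example,dc=com": {"objectClass": ["device"], "cn": ["printer1"]},
}
CONFIG = {
    "principal.ldap.user.search.base": "ou=people,dc=example,dc=com",
    "principal.ldap.user.search.filter": "(objectClass=inetOrgPerson)",
    "principal.ldap.user.attribute": "uid",
}

def parse_filter(s, i=0):
    """Parse a subset of RFC 4515: (a=v), (a=*), (&...), (|...), (!...)."""
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at position {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids, i = s[i], [], i + 1
        while s[i:i + 1] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        if s[i:i + 1] != ")" or not kids:
            raise ValueError(f"malformed {op} group at position {i}")
        return (op, kids), i + 1
    end = s.index(")", i)  # raises ValueError when the closing parenthesis is missing
    attr, value = s[i:end].split("=", 1)
    return ("=", attr, value), end + 1

def matches(node, entry):
    if node[0] in "&|!":
        results = [matches(kid, entry) for kid in node[1]]
        return {"&": all(results), "|": any(results), "!": not results[0]}[node[0]]
    values = [v.lower() for k, vs in entry.items() if k.lower() == node[1].lower() for v in vs]
    return bool(values) if node[2] == "*" else node[2].lower() in values

def search(base, flt, attribute):  # subtree scope is an assumption
    node, end = parse_filter(flt)
    if end != len(flt):
        raise ValueError("trailing text after filter")
    hits = [e for dn, e in DIRECTORY.items()
            if ("," + dn.lower()).endswith("," + base.lower()) and matches(node, e)]
    return sorted(v for e in hits for v in e.get(attribute, []))

def get_users(cfg, bases=None):  # `bases` is a hypothetical multi-branch merge
    bases = bases or [cfg["principal.ldap.user.search.base"]]
    flt, attr = cfg["principal.ldap.user.search.filter"], cfg["principal.ldap.user.attribute"]
    return sorted({u for b in bases for u in search(b, flt, attr)})
```

With this data, get_users(CONFIG) returns alice and bob only; carol, who sits under ou=contractors, appears only when both branches are searched and merged.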

To execute the utility try:

$ java -jar testLdap.jar

It will print the available options:

java -jar testLdap.jar ACTION
Where ACTION can be: 
 * getUsers
 * getRoles
 * getMail (need an additional parameter)
 * getName (need an additional parameter)
 * getUsersByRole (need an additional parameter)
 * getRolesByUser (need an additional parameter)

So if you want to get the list of users, you need to run:

$ java -jar testLdap.jar getUsers

OpenKM 6.x

OpenKM is a J2EE application that uses an application server called Tomcat. In J2EE web applications, authentication and authorization are tasks delegated to the application server, but in this case we use Spring Security because it is more flexible and customizable. Spring Security has many predefined Authentication Providers that handle different user and password stores, such as RDBMS or LDAP. These Authentication Providers are configured in the $TOMCAT_HOME/OpenKM.xml file.


Warning: Although OpenKM 6.x uses the database for storing configuration properties, to simplify usage this tool reads these properties from OpenKM.cfg.

As you can imagine, configuring all these properties correctly is complex. For this reason we have developed a tool for testing the OpenKM configuration. This tool can be downloaded from http://download.openkm.com/okm/OpenKM-6.2-LDAP.zip.

OpenKM 5.x

OpenKM is a J2EE application that uses an application server called JBoss. In J2EE web applications, authentication and authorization are tasks delegated to the application server. This can be achieved because OpenKM uses JAAS, and you need to configure JBoss to handle your users and passwords. JBoss has many predefined Login Modules that handle different user and password stores, such as RDBMS or LDAP. These Login Modules are configured in the $JBOSS_HOME/server/default/conf/login-config.xml file.


Warning: Although OpenKM 5.1.x uses the database for storing configuration properties, to simplify usage this tool reads these properties from OpenKM.cfg.

As you can imagine, configuring all these properties correctly is complex. For this reason we have developed a tool for testing the OpenKM configuration. This tool can be downloaded from http://download.openkm.com/okm/OpenKM-5.1-LDAP.zip.