Difference between revisions of "LDAP and Active Directory uniqueMember user examples"

From OpenKM Documentation
Jump to: navigation, search
(Created page with '== LDAP example with uniqueMember == We are usin users and roles from LDAP. In our LDAP schema we don't use memberUid attribute for group membership, but uniqueMember, see: htt…')
 
m
 
(3 intermediate revisions by one other user not shown)
Line 1: Line 1:
 
== LDAP example with uniqueMember ==
 
== LDAP example with uniqueMember ==
 
+
We are using users and roles from LDAP. In our LDAP schema we don't have memberUid attribute for group membership, but uniqueMember, see:
We are usin users and roles from LDAP. In our LDAP schema we don't use memberUid attribute for group membership, but uniqueMember, see:
 
  
 
http://tools.ietf.org/html/rfc4519#section-2.40
 
http://tools.ietf.org/html/rfc4519#section-2.40
  
 +
To use uniqueMember instead of memberUid, you need this patch: [[File:OpenKM-uniqueMember.rep]].
  
So, when somebody wants to use uniqueMember instead of memberUid, there is need this patch see: [[File:OpenKM-uniqueMember.patch]].
+
1) Patch allows to use {1} in  principal.ldap.roles.by.user.search.filter replaced by DN of user object in LDAP, for example:
 
 
1) Patch enables to use {1} in  principal.ldap.roles.by.user.search.filter replaced by DN of user object in LDAP, for example:
 
 
principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))';
 
principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))';
  
2) When principal.ldap.users.by.role.attribute='uniqueMember', then patch force to replace value of uniqueMember attribute (DN's of user node in ldap) by value of principal.ldap.user.attribute in node with specified DN. This is done by finding result of search with filter (given by property principal.ldap.user.filter) returning value of user attribute (given by property principal.ldap.user.attribute) in LDAP subtree under DN (given by value of uniqueMember).
+
2) If you set principal.ldap.users.by.role.attribute='uniqueMember', then the patch replaces the value of uniqueMember attribute (DN's of user node in ldap) with the value of principal.ldap.user.attribute in the node with specified DN. This is done by a search in LDAP with filter given in principal.ldap.user.filter property that returns value of user attribute (given in principal.ldap.user.attribute property ) in LDAP subtree under DN (given by value of uniqueMember).
 
 
 
 
  
 
'''LDAP Structure'''
 
'''LDAP Structure'''

Latest revision as of 08:36, 19 April 2012

LDAP example with uniqueMember

We are using users and roles from LDAP. In our LDAP schema we don't have memberUid attribute for group membership, but uniqueMember, see:

http://tools.ietf.org/html/rfc4519#section-2.40

To use uniqueMember instead of memberUid, you need this patch: File:OpenKM-uniqueMember.rep.

1) Patch allows to use {1} in principal.ldap.roles.by.user.search.filter replaced by DN of user object in LDAP, for example: principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))';

2) If you set principal.ldap.users.by.role.attribute='uniqueMember', then the patch replaces the value of uniqueMember attribute (DN's of user node in ldap) with the value of principal.ldap.user.attribute in the node with specified DN. This is done by a search in LDAP with filter given in principal.ldap.user.filter property that returns value of user attribute (given in principal.ldap.user.attribute property ) in LDAP subtree under DN (given by value of uniqueMember).

LDAP Structure

dn: cn=admins@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: cn=users@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: users@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uniqueMember: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: jack@solnet.cz
displayName: Jack Davis

dn: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: joe@solnet.cz
displayName: Joe Davis

Configuration parameters

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users=true
// ldap
principal.adapter='com.openkm.principal.LdapPrincipalAdapter'
principal.ldap.server='ldap://localhost:389'
principal.ldap.security.principal='uid=admin,o=base'
principal.ldap.security.credentials='super-safe'
// user
principal.ldap.user.search.base='o=base'
principal.ldap.user.search.filter='(&(objectClass=posixAccount)(inetAuthorizedServices=openkm))'
principal.ldap.user.attribute='uid'
// user name
principal.ldap.username.search.base='o=base'
principal.ldap.username.search.filter='(&(objectclass=posixAccount)(inetAuthorizedServices=openkm)(uid={0}))'
principal.ldap.username.attribute='displayName'
// role
principal.ldap.role.search.base='o=base'
principal.ldap.role.search.filter='(objectClass=posixGroup)'
principal.ldap.role.attribute='cn'
// mail
principal.ldap.mail.search.base='o=base'
principal.ldap.mail.search.filter='(&(objectclass=inetMailUser)(uid={0}))'
principal.ldap.mail.attribute='mail'
// users by role
principal.ldap.users.by.role.search.base='o=base'
principal.ldap.users.by.role.search.filter='(&(objectClass=posixGroup)(cn={0}))'
principal.ldap.users.by.role.attribute='uniqueMember'
// roles by user
principal.ldap.roles.by.user.search.base='o=base'
principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))'
principal.ldap.roles.by.user.attribute='mail'
// login
system.login.lowercase=true
default.user.role='UserRole'
default.admin.role='admins@solnet.cz'

login-config.xml

<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
       <module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
       <module-option name="bindDN">uid=admin,o=solnet</module-option>
       <module-option name="bindCredential">supper-safe</module-option>
       <module-option name="baseCtxDN">o=solnet</module-option>
       <module-option name="baseFilter">(uid={0})</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="java.naming.referral">follow</module-option>
       <module-option name="roleAttributeIsDN">false</module-option>
       <module-option name="matchOnUserDN">true</module-option>
       <module-option name="roleRecursion">-1</module-option>
       <module-option name="roleFilter">(&amp;(objectClass=solnetGroup)(uniqueMember={0}))</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <module-option name="rolesCtxDN">o=solnet</module-option>
       <module-option name="defaultRole">UserRole</module-option>
       <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
    </authentication>
</application-policy>