Difference between revisions of "Active Directory - OpenKM 5.1"

From OpenKM Documentation
Jump to: navigation, search
(Created page with '== Basic configuration == This is the suggested configuration that should be used when roles and users are both defined in same node,otherside refer to advanced configuration. T…')
 
Line 40: Line 40:
 
principal.ldap.roles.by.user.search.filter=(objectClass=person)  
 
principal.ldap.roles.by.user.search.filter=(objectClass=person)  
 
principal.ldap.roles.by.user.attribute=memberOf
 
principal.ldap.roles.by.user.attribute=memberOf
</source>
 
 
'''OpenKM 4.1 and older'''
 
<source lang="java">
 
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
 
principal.ldap.user.atribute=cn
 
principal.ldap.role.atribute=cn
 
principal.ldap.mail.atribute=mail
 
 
</source>
 
</source>
  
Line 111: Line 103:
 
* [http://download.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html Referrals in the JNDI]
 
* [http://download.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html Referrals in the JNDI]
 
* [http://giocosmiano.blogspot.com/2011/02/resolving-javaxnamingpartialresultexcep.html Resolving javax.naming.PartialResultException thrown by JBoss 5.1 LdapExtLoginModule]}}
 
* [http://giocosmiano.blogspot.com/2011/02/resolving-javaxnamingpartialresultexcep.html Resolving javax.naming.PartialResultException thrown by JBoss 5.1 LdapExtLoginModule]}}
 
== Enable debug at login process ==
 
It's good practice enable login debug when you make any change in autentication mechanism. Edit the file /server/default/conf/jboss-log4j.xml and add the category ( remember you must restart jboss to it takes effect ):
 
<source lang="xml">
 
<category name="org.jboss.security">
 
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
 
</category>
 
</source>
 
 
or
 
 
<source lang="xml">
 
<category name="org.jboss.security">
 
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
 
    <appender-ref ref="SECURITY_F"/>
 
</category>
 
 
<appender name="SECURITY_F" class="org.jboss.logging.appender.DailyRollingFileAppender">
 
    <param name="Append" value="true"/>
 
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
 
    <param name="File" value="${jboss.server.home.dir}/log/jboss.security.log"/>
 
    <layout class="org.apache.log4j.PatternLayout">
 
        <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c] %m%n"/>
 
    </layout>
 
</appender>
 
</source>
 
 
More info at [http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/ JBoss and JAAS debug].
 
 
== Active directory utilities ==
 
We recommend take a look at these tools:
 
* [http://directory.apache.org/studio/ Apache Directory Studio]
 
* [http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx Active Directory Explorer Utility]
 
 
See also:
 
* [[Testing LDAP configuration]]
 
* [http://forum.openkm.com/viewtopic.php?f=13&t=3535 Forum: Usuario administrador LDAP v.4]
 
* [http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/ JBoss and JAAS debug]
 
* [http://community.jboss.org/message/427398 LDAP authentication using LDAPExtUserModuleImpl is case-inse]
 
* [http://community.jboss.org/wiki/LdapExtLoginModule LdapExtLoginModule]
 
* [http://community.jboss.org/wiki/LdapLoginModule LdapLoginModule]
 
* [http://community.jboss.org/thread/159069 Problems with LdapExtLoginModule]
 
 
* [[Active Directory OpenKM 5.0]] [[File:Padlock.gif]]
 
* [[Active Directory OpenKM 4.1]] [[File:Padlock.gif]] ( and valid for older versions )
 
  
  
 
[[Category: Installation Guide]]
 
[[Category: Installation Guide]]
 
[[Category:OKM Network]]
 
[[Category:OKM Network]]

Revision as of 10:24, 21 October 2011

Basic configuration

This is the suggested configuration that should be used when roles and users are both defined in same node,otherside refer to advanced configuration.

To configure Active Directory we must make some changes in OpenKM.cfg configuration file and in login-config.xml file that can be found at $JBOSS_HOME/server/default/conf. For both changes you need to restart JBoss server.

OpenKM.cfg file example ( you must change 192.168.0.6, Administrador, password and weyler values to your active directory values )

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn

principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.attribute=mail

principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.roles.by.user.search.filter=(&(objectClass=group)(cn={0}))

Starting with OpenKM 5.0.4 we added more "users by role" and "roles by user" configuration properties:

principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(objectClass=person) 
principal.ldap.roles.by.user.attribute=memberOf

In case of Active directory ( windows ) it's important that all users login be in lower case, for it purpose we enable

system.login.lowercase=on

property in OpenKM.cfg. The reason is so simply, Windows not makes any difference between upper or lower case validating user name credentials.

login-config.xml file example ( you must change 192.168.0.6, Administrador, password and weyler values to your active directory values )

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

If you want to restrict the user who can log into OpenKM, you should change these two property in OpenKM.cfg:

principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

This means that only users within the UserRole groups will be shown as valid OpenKM users, and only roles which are included in the OpenKM group will be shown in OpenKM.

Also add this option one in login-config.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>

And remove this one:

<module-option name="defaultRole">UserRole</module-option>

All this means that only users member of the UserRole groups are able to log into OpenKM.


Nota clasica.png If you see an exception like this:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'cn=users,dc=weyler,dc=local'

read these articles: