Difference between revisions of "Active Directory - OpenKM 5.1"
Line 147: | Line 147: | ||
'''In this example''' you must change '''192.168.0.6, Administrador, password and weyler''' values to your active directory values. | '''In this example''' you must change '''192.168.0.6, Administrador, password and weyler''' values to your active directory values. | ||
+ | |||
+ | {{Note|In this example the main ldap is node '''dc=weyler,dc=local''' and users and roles distributed in distinc active directory nodes.}} | ||
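Review bot: the added Note in the Line 147 hunk is hard to read as written; "distinc" should be "distinct", "the main ldap is node" should be "the LDAP base is the node", and "users and roles distributed in distinc active directory nodes" should read "users and roles are distributed across distinct Active Directory nodes".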
Line 176: | Line 178: | ||
</application-policy> | </application-policy> | ||
</source> | </source> | ||
+ | |||
+ | === OpenKM integration === | ||
+ | |||
+ | To configure Active Directory we must make some changes in [[Configuration_view]] only is needed restarting jboss first time you change principal.adapter parameter, other changes can be made on fly. | ||
+ | |||
+ | <source lang="java"> | ||
+ | system.login.lowercase=on | ||
+ | principal.adapter=com.openkm.principal.LdapPrincipalAdapter | ||
+ | |||
+ | principal.ldap.server=ldap://192.168.0.6 | ||
+ | principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local | ||
+ | principal.ldap.security.credentials=password | ||
+ | |||
+ | principal.ldap.user.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.user.search.filter=(objectclass=person) | ||
+ | principal.ldap.user.attribute=cn | ||
+ | |||
+ | principal.ldap.role.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.role.search.filter=(objectclass=group) | ||
+ | principal.ldap.role.attribute=cn | ||
+ | |||
+ | principal.ldap.mail.search.base=cn=users,dc=weyler,dc=local | ||
+ | principal.ldap.mail.search.filter=(&(objectclass=person)(cn={0})) | ||
+ | principal.ldap.mail.attribute=mail | ||
+ | |||
+ | principal.ldap.users.by.role.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})) | ||
+ | principal.ldap.users.by.role.attribute=member | ||
+ | |||
+ | principal.ldap.roles.by.user.search.base=dc=weyler,dc=local | ||
+ | principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(cn={0})) | ||
+ | principal.ldap.roles.by.user.attribute=memberOf | ||
+ | |||
+ | </source> | ||
+ | |||
+ | {{Advice|With '''OpenKM 5.0.4''' we added more "users by role" and "roles by user" configuration properties, are not present on older versions.}} | ||
+ | |||
+ | |||
+ | {{Note|Understanding '''cn={0},cn=users,dc=weyler,dc=local''' example. | ||
+ | |||
+ | *In roles by user search, for example by user openkm, the query string after replacement will be '''cn=openkm,cn=users,dc=weyler,dc=local'''. | ||
+ | *In users by role search, for example by role AdminRole the query string after replacement will be '''cn=AdminRole,cn=users,dc=weyler,dc=local'''. | ||
+ | *In mail search, for example by user openkm, the query string after replacement will be '''cn=openkm,cn=users,dc=weyler,dc=local'''. | ||
+ | |||
+ | Pay attention in both cases we're filtering by absolute reference of the node.}} | ||
+ | |||
+ | In case of Active directory ( windows ) it's important that all users login be in lower case, for it purpose we enable | ||
+ | |||
+ | <source lang="java"> | ||
+ | system.login.lowercase=on | ||
+ | </source> | ||
+ | |||
+ | The reason is so simply, Windows not makes any difference between upper or lower case validating user name credentials. | ||
+ | |||
+ | |||
+ | |||
[[Category: Installation Guide]] | [[Category: Installation Guide]] | ||
[[Category:OKM Network]] | [[Category:OKM Network]] |
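Review bot: the Note block carried into this hunk ("Understanding cn={0},cn=users,dc=weyler,dc=local example", placed after the properties) no longer describes the configuration it follows: in these properties the search bases are dc=weyler,dc=local and cn=users,dc=weyler,dc=local and the {0} placeholder has moved into the filters, `principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))` and `principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(cn={0}))`, so the three bullets about cn=openkm,cn=users,dc=weyler,dc=local and the closing "filtering by absolute reference of the node" apply to the basic configuration, not to this one; rewrite the note for the filter form or drop it here. Two smaller points: `principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local` spells the bind account differently from the `CN=Administrador` bindDN used in the login-config block of the same section and from the intro sentence that tells readers which values to replace, so one spelling should be used; and `principal.ldap.user.search.filter=(objectclass=person)` searched from the domain root also matches computer accounts (the AD computer class derives from user, which derives from person), so `(&(objectCategory=person)(objectClass=user))` is the usual user filter at that base.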
Revision as of 11:48, 21 October 2011
Basic configuration
This is the suggested configuration when roles and users are both defined in the same node; otherwise refer to the advanced configuration.
Active Directory configuration has two parts: login configuration and OpenKM integration.
In this example you must change the 192.168.0.6, Administrador, password and weyler values to those of your Active Directory.
In this example all users and all roles are under the same node, cn=users,dc=weyler,dc=local.
Login configuration
Change the login-config.xml file at $JBOSS_HOME/server/default/conf
You must restart JBoss after changing login-config.xml.
The examples bind with java.naming.security.authentication=simple over a plain ldap:// URL, which sends the bind password and every user's password in clear text on port 389; in production point java.naming.provider.url at an ldaps:// URL (port 636) and use a dedicated read-only service account as bindDN rather than a domain administrator. Keep allowEmptyPasswords=false: Active Directory treats a bind with a DN and an empty password as an anonymous (unauthenticated) bind, so a login with a blank password would otherwise succeed.
There are two configuration options, both valid:
Filter roles by the groups that list the user as a member
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <!-- {0} is the login name typed by the user -->
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <!-- {1} is the DN of the user entry found by baseFilter -->
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <!-- nested groups: roleFilter is repeated with each group DN found as {1}, up to 2 levels deep -->
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
Get roles from the user's memberOf attribute
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <!-- the role search finds the user entry again and reads its memberOf values ... -->
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <!-- ... which are group DNs; the role name is the cn of each group DN -->
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
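How the two login-config.xml variants above arrive at a user's roles, as an added Python example (not JBoss or OpenKM code) run over a constructed in-memory directory: the accounts, groups and DNs are invented, and the lookup logic follows the option semantics of LdapExtLoginModule. It shows that the member={1} variant with roleRecursion=2 also collects groups reached through a nested group, that the memberOf variant returns only the groups the user is a direct member of, and that a user filter of (objectclass=person) searched from the domain root (as the advanced configuration below does) also returns computer accounts.

```python
"""Role lookup of the two login-config.xml variants, simulated offline.

Added example, not JBoss or OpenKM code.  DIRECTORY is a constructed stand-in
for Active Directory; the two strategies follow LdapExtLoginModule's options:
  variant 1: roleFilter=(member={1}) under rolesCtxDN with the user DN as {1},
             then repeated with each group DN found, up to roleRecursion levels;
  variant 2: read the user's memberOf attribute, which AD fills with direct
             group memberships only.
"""

# Constructed sample directory.  Keys are DNs normalised to lower case and
# attribute names are lower case; values keep their original case.
DIRECTORY = {
    "cn=jdoe,cn=users,dc=weyler,dc=local": {
        "objectclass": ["top", "person", "organizationalPerson", "user"],
        "samaccountname": ["jdoe"],
        "cn": ["jdoe"],
        "memberof": ["cn=staff,cn=users,dc=weyler,dc=local"],
    },
    "cn=staff,cn=users,dc=weyler,dc=local": {
        "objectclass": ["top", "group"],
        "cn": ["staff"],
        "member": ["cn=jdoe,cn=users,dc=weyler,dc=local"],
        "memberof": ["cn=openkm,cn=users,dc=weyler,dc=local"],
    },
    "cn=openkm,cn=users,dc=weyler,dc=local": {
        "objectclass": ["top", "group"],
        "cn": ["OpenKM"],
        "member": ["cn=staff,cn=users,dc=weyler,dc=local"],   # jdoe is only a nested member
    },
    "cn=srv01,cn=computers,dc=weyler,dc=local": {
        # computer accounts are objectClass user, and therefore person, too
        "objectclass": ["top", "person", "organizationalPerson", "user", "computer"],
        "samaccountname": ["SRV01$"],
        "cn": ["SRV01"],
    },
}


def parent_dn(dn):
    # adequate for the constructed data: none of these DNs contain escaped commas
    return dn.split(",", 1)[1]


def find_user_dn(base_ctx, login):
    """baseFilter=(sAMAccountName={0}) under baseCtxDN with ONELEVEL_SCOPE."""
    for dn, attrs in DIRECTORY.items():
        if parent_dn(dn) != base_ctx.lower():
            continue
        if login.lower() in [v.lower() for v in attrs.get("samaccountname", [])]:
            return dn
    return None


def roles_by_member(roles_ctx, user_dn, recursion=2):
    """Variant 1: roleFilter=(member={1}), roleAttributeID=cn, roleRecursion=recursion."""
    names, seen = [], set()
    frontier = {user_dn.lower()}
    for _level in range(recursion + 1):       # level 0 plus `recursion` nested levels
        found_now = set()
        for dn, attrs in DIRECTORY.items():
            if parent_dn(dn) != roles_ctx.lower() or dn in seen:
                continue
            if frontier & {m.lower() for m in attrs.get("member", [])}:
                seen.add(dn)
                names.append(attrs["cn"][0])
                found_now.add(dn)
        if not found_now:
            break
        frontier = found_now                   # found group DNs become the next {1}
    return names


def roles_by_memberof(user_dn):
    """Variant 2: roleAttributeID=memberOf, roleAttributeIsDN=true, roleNameAttributeID=cn."""
    names = []
    for group_dn in DIRECTORY[user_dn.lower()].get("memberof", []):
        group = DIRECTORY.get(group_dn.lower())
        if group is not None:
            names.append(group["cn"][0])
    return names


def persons_under(base_ctx):
    """(objectclass=person) with SUBTREE_SCOPE, the adapter's user search of the advanced configuration."""
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn.endswith(base_ctx.lower())
                  and "person" in [c.lower() for c in attrs["objectclass"]])


if __name__ == "__main__":
    user = find_user_dn("cn=users,dc=weyler,dc=local", "JDoe")
    print("user DN                  :", user)
    print("variant 1, roleRecursion=2:", roles_by_member("cn=users,dc=weyler,dc=local", user))
    print("variant 1, roleRecursion=0:", roles_by_member("cn=users,dc=weyler,dc=local", user, 0))
    print("variant 2, memberOf       :", roles_by_memberof(user))
    print("(objectclass=person) from the domain root:", persons_under("dc=weyler,dc=local"))
```

The difference matters once access is restricted by group membership: a memberOf filter only sees direct membership, so a user like jdoe, who reaches the OpenKM group through staff, passes the member={1} lookup with recursion but not the memberOf one.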
OpenKM integration
To configure Active Directory you must make some changes in Configuration_view. Restarting JBoss is only needed the first time you change the principal.adapter parameter; the other parameters can be changed on the fly. Note that the login module authenticates by sAMAccountName while the adapter identifies users by cn (principal.ldap.user.attribute and the cn={0} search bases), so this example assumes that every account's cn is the same as its sAMAccountName, the login name.
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn

principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

# {0} is replaced with the user name (mail, roles by user) or the role name (users by role)
principal.ldap.mail.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.attribute=mail

principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(objectClass=person)
principal.ldap.roles.by.user.attribute=memberOf
The "users by role" and "roles by user" configuration properties were added in OpenKM 5.0.4 and are not present in older versions.
With Active Directory (Windows) it is important that all user logins are in lower case, which is why we enable
system.login.lowercase=on
The reason is simple: Windows makes no distinction between upper and lower case when validating user name credentials, so without this setting the login name would reach OpenKM in whatever case the user typed it.
OpenKM Integration - Filtering users and roles
Create a role (an Active Directory group) called OpenKM and make the users and groups that should be visible in OpenKM members of it. It is used to filter users and roles: only users and groups that are members of OpenKM are displayed in OpenKM. If you want to restrict which users can log in to OpenKM, change these:
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.users.by.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
memberOf lists direct memberships only, so a user who belongs to OpenKM only through a nested group is filtered out; if nested membership should count, Active Directory accepts the transitive matching rule in the same place: (memberOf:1.2.840.113556.1.4.1941:=CN=OpenKM,CN=users,DC=weyler,DC=local).
Authentication itself is performed by the JBoss login module, so also change the baseFilter option in login-config.xml to the same condition; otherwise an account outside the OpenKM group is hidden from the lists but still passes JBoss authentication:
<module-option name="baseFilter">(&(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>
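The {0} placeholder in the search bases of the basic configuration (cn={0},cn=users,dc=weyler,dc=local) and in the search filters of the advanced configuration and of the filtering section above is replaced with a login or role name, and the login name comes from the user. The following Python is an added example, not OpenKM or JBoss code (the real substitution happens inside LdapPrincipalAdapter and LdapExtLoginModule); it shows what a safe substitution has to do: RFC 4514 escaping when the value lands in a DN, RFC 4515 escaping when it lands in a filter, the lower-casing that system.login.lowercase=on performs, and a well-formedness check that catches an unbalanced filter. The login names are constructed.

```python
"""Safe substitution of {0} in the LDAP search bases and filters above.

Added example, not OpenKM or JBoss code.  Sample login names are constructed.
"""

# Templates copied from the configuration: {0} lands in a DN in the basic
# configuration and inside a filter in the advanced one.
MAIL_SEARCH_BASE = "cn={0},cn=users,dc=weyler,dc=local"
ROLES_BY_USER_FILTER = "(&(objectClass=person)(cn={0}))"


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: escape the characters that have meaning inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def escape_dn_value(value: str) -> str:
    """RFC 4514 section 2.4: escape the characters that have meaning inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def substitute(template: str, login: str, in_dn: bool = False, lowercase: bool = True) -> str:
    """Replace {0} with the login, lower-cased (system.login.lowercase=on) and escaped for where it lands."""
    if lowercase:
        login = login.lower()
    escaped = escape_dn_value(login) if in_dn else escape_filter_value(login)
    return template.replace("{0}", escaped)


def filter_is_balanced(ldap_filter: str) -> bool:
    """True if the string is a single parenthesised filter with balanced parentheses."""
    depth = 0
    last = len(ldap_filter) - 1
    for i, ch in enumerate(ldap_filter):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            # closing below zero, or back to zero before the end, means this is not one filter
            if depth < 0 or (depth == 0 and i != last):
                return False
    return depth == 0 and ldap_filter.startswith("(")


if __name__ == "__main__":
    hostile = "*)(objectclass=*"   # constructed login name that tries to widen the filter
    print("raw     :", ROLES_BY_USER_FILTER.replace("{0}", hostile))   # still parses, matches every person
    print("escaped :", substitute(ROLES_BY_USER_FILTER, hostile))      # matches that literal name only
    print("dn      :", substitute(MAIL_SEARCH_BASE, "Doe, John", in_dn=True))
    print("truncated filter ok?",
          filter_is_balanced("(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))"))
```

The balance check and the escaping guard against different things: a filter with a stray parenthesis is rejected by the server, while a hostile name substituted without escaping produces a filter the server happily accepts and that matches every person in the container.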
Advanced configuration
This is the suggested configuration when roles and users are defined in different Active Directory nodes.
Active Directory configuration has two parts: login configuration and OpenKM integration.
In this example you must change the 192.168.0.6, Administrador, password and weyler values to those of your Active Directory.
In this example the LDAP base is the node dc=weyler,dc=local, and users and roles are distributed across distinct Active Directory nodes.
Login configuration
Change the login-config.xml file at $JBOSS_HOME/server/default/conf
You must restart JBoss after changing login-config.xml.
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrador,CN=users,dc=weyler,dc=local</module-option>
      <!-- a subtree search from the domain root over port 389 returns referrals for the other
           naming contexts; without "follow" JNDI raises PartialResultException -->
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(&(sAMAccountName={0})(objectClass=user))</module-option>
      <module-option name="rolesCtxDN">dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
OpenKM integration
To configure Active Directory you must make some changes in Configuration_view. Restarting JBoss is only needed the first time you change the principal.adapter parameter; the other parameters can be changed on the fly.
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn

principal.ldap.role.search.base=dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

# {0} is replaced with the user name (mail, roles by user) or the role name (users by role)
principal.ldap.mail.search.base=cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(cn={0}))
principal.ldap.mail.attribute=mail

principal.ldap.users.by.role.search.base=dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.roles.by.user.attribute=memberOf
The "users by role" and "roles by user" configuration properties were added in OpenKM 5.0.4 and are not present in older versions.
With Active Directory (Windows) it is important that all user logins are in lower case, which is why we enable
system.login.lowercase=on
The reason is simple: Windows makes no distinction between upper and lower case when validating user name credentials.