Difference between revisions of "Active Directory"

From OpenKM Documentation
Jump to: navigation, search
Line 6: Line 6:
 
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
 
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
 
principal.ldap.server=ldap://192.168.0.6
 
principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrador,cn=users,dc=weyler,dc=local
+
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
 
principal.ldap.security.credentials=password
 
principal.ldap.security.credentials=password
 
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
 
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
Line 56: Line 56:
  
 
<source lang="java">
 
<source lang="java">
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=Users,DC=dominio,DC=local))
+
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=Users,DC=dominio,DC=local))
+
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
 
</source>
 
</source>
  
And this one in login-config.xml:
+
And this option one in login-config.xml:
  
 
<source lang="xml">
 
<source lang="xml">
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=Users,DC=dominio,DC=local))</module-option>
+
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>
 
</source>
 
</source>
 +
 +
And remove this one:
 +
 +
<source lang="xml">
 +
<module-option name="defaultRole">UserRole</module-option>
 +
<source>
  
 
[[Category: Installation Guide]]
 
[[Category: Installation Guide]]

Revision as of 12:55, 8 February 2010

To configure Active Directory we must make some changes in OpenKM.cfg configuration file and in login-config.xml file that can be found at $JBOSS_HOME/server/default/conf. For both changes you need to restart JBoss server.

OpenKM.cfg file example ( you must change 192.168.0.6, Administrador, password and weyler values to your active directory values ) 

principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.atribute=cn
principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.atribute=cn
principal.ldap.mail.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.atribute=mail
system.login.lowercase=on

In case of Active directory ( windows ) it's important that all users login be in lower case, for it purpose we enable 

system.login.lowercase=on

property in OpenKM.cfg. The reason is so simply, Windows not makes any difference between upper or lower case validating user name credentials.

login-config.xml file example ( you must change 192.168.0.6, Administrador, password and weyler values to your active directory values ) 

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

If you want to restrict the user who can log into OpenKM, you should change these two property in OpenKM.cfg: 

principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

And this option one in login-config.xml: 

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>

And remove this one:

<source lang="xml"> <module-option name="defaultRole">UserRole</module-option> <source>

Retrieved from "https://www.openkm.com/wiki/index.php?title=Active_Directory&oldid=1168"