Difference between revisions of "Ldap-example1"
From OpenKM Documentation
| Line 50: | Line 50: | ||
principal.ldap.roles.by.user.search.base=ou=groups,dc=soc,dc=fr | principal.ldap.roles.by.user.search.base=ou=groups,dc=soc,dc=fr | ||
principal.ldap.roles.by.user.search.filter=(memberUid={0}) | principal.ldap.roles.by.user.search.filter=(memberUid={0}) | ||
| − | principal.ldap.security.credentials | + | principal.ldap.security.credentials=xxxxxx |
| − | principal.ldap.security.principal=cn= | + | principal.ldap.security.principal=cn=Manager,dc=some,dc=com |
principal.ldap.server=ldap://192.168.xxx.xxx:389 | principal.ldap.server=ldap://192.168.xxx.xxx:389 | ||
principal.ldap.user.attribute=uid | principal.ldap.user.attribute=uid | ||
Revision as of 21:02, 20 January 2013
Description
- Important login (ldap://192.168.0.13:389/dc=some,dc=com) sets default filter base queries at dc=some,dc=com with is concatenated by default in all filter queries .
- Roles ( groups ) filter base is ou=roles ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. <beans:constructor-arg value="ou=roles"/> really points to <beans:constructor-arg value="ou=roles,dc=some,dc=com"/>
- Users filter base is ou=organization ( real distinguised name is ou=organization,dc=some,dc=com ). Any valid user should have it as parent. <beans:constructor-arg index="0" value="ou=organization" /> to <beans:constructor-arg index="0" value="ou=organization,dc=some,dc=com" />
- User filter is uid={0}
- Finally take in consideration the value 1 at <beans:property name="groupSearchFilter" value="memberUid={1}"/>
LDAP structure
dc=com
dc=some
ou=organization
cn=ROLE_ADMIN
memberUID=user1
memberUID=user2
cn=ROLE_USER
memberUID=user3
memberUID=user4
...
ou=organization
uid=user1
uid=user2
uid=user3
uid=user4
Valid roles:
- cn=ROLE_X,ou=roles,dc=some,dc=com
- cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
- cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com
Invalid roles:
- cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com )
Valid users:
- uid=USER_X,ou=organization,dc=some,dc=com
- uid=USER_Y,ou=dept id,ou=organization,dc=some,dc=com
- uid=USER_Z,ou=dept administrator,ou=organization,dc=some,dc=com
Invalid users:
- uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )
Configuration parameters
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=dc=some,dc=com
principal.ldap.mail.search.filter=(uid={0})
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=ou=organization,dc=some,dc=com
principal.ldap.role.search.filter=(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute=cn
principal.ldap.roles.by.user.search.base=ou=groups,dc=soc,dc=fr
principal.ldap.roles.by.user.search.filter=(memberUid={0})
principal.ldap.security.credentials=xxxxxx
principal.ldap.security.principal=cn=Manager,dc=some,dc=com
principal.ldap.server=ldap://192.168.xxx.xxx:389
principal.ldap.user.attribute=uid
principal.ldap.user.search.base=ou=users,dc=some,dc=com
principal.ldap.user.search.filter=(objectClass=inetOrgPerson)
principal.ldap.users.by.role.attribute=memberUid
principal.ldap.users.by.role.search.base=ou=groups,dc=soc,dc=fr
principal.ldap.users.by.role.search.filter=(&(objectClass=posixGroup)(cn={0}))
system.login.lowercase=true
OpenKM.xml
<source lang="xml"> <?xml version="1.0" encoding="UTF-8"?> <beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security" xmlns:task="http://www.springframework.org/schema/task" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.1.xsd http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.1.xsd http://www.springframework.org/schema/task http://www.springframework.org/schema/task/spring-task-3.1.xsd"> <security:authentication-manager alias="authenticationManager"> <security:authentication-provider ref="ldapAuthProvider" /> </security:authentication-manager> <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"> <beans:constructor-arg value="ldap://192.168.0.13:389/dc=some,dc=com"/>
<beans:property name="userDn" value="cn=Manager,dc=some,dc=com"/>
<beans:property name="password" value="******"/> </beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider"> <beans:constructor-arg> <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator"> <beans:constructor-arg ref="contextSource"/> <beans:property name="userSearch" ref="userSearch"></beans:property> </beans:bean> </beans:constructor-arg> <beans:constructor-arg> <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator"> <beans:constructor-arg ref="contextSource"/> <beans:constructor-arg value="ou=roles"/> <beans:property name="groupSearchFilter" value="memberUid={1}"/> <beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="true" />
<beans:property name="rolePrefix" value="" />
</beans:bean> </beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="ou=organization" />
<beans:constructor-arg index="1" value="uid={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>
