Difference between revisions of "Ldap-example2"
From OpenKM Documentation
(→LDAP structure) |
(→LDAP structure) |
||
Line 45: | Line 45: | ||
* uid=USER_Y,ou=dept id,'''ou=organization2,dc=company,dc=com''' | * uid=USER_Y,ou=dept id,'''ou=organization2,dc=company,dc=com''' | ||
− | {{Note|Any distinguished name include by default <nowiki>dc=company,dc=com<nowiki>}} | + | {{Note|Any distinguished name include by default '''<nowiki>dc=company,dc=com</nowiki>'''}} |
== OpenKM.xml == | == OpenKM.xml == |
Revision as of 21:28, 16 February 2013
Active directory connection which allows to connect any active directory authenticated user. Example covers the case when more than one active directory domains works together and is needed parameter follow.
LDAP structure
dc=com dc=company ou=OPENKM cn=ROLE_ADMIN member=okmAdmin member=user1 member=user2 cn=ROLE_USER member=user3 member=user4 ... ou=organization1 sAMAccountName=okmAdmin memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com mail=user@mail.com cn=OpenKM Administrator sAMAccountName=user1 memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com mail=user@mail.com cn=User Name 1 sAMAccountName=user2 memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com mail=user2@mail.com cn=User Name 3 ou=organization2 sAMAccountName=user3 memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com mail=user3@mail.com cn=User Name 3 sAMAccountName=user4 memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com mail=user4@mail.com cn=User Name 4
Valid roles:
- cn=ROLE_X,ou=OPENKM,dc=company,dc=com
- cn=ROLE_Y,ou=dept marketing,,dc=company,dc=com
- cn=ROLE_Z,ou=dept sales,,dc=company,dc=com
Valid users:
- uid=USER_X,ou=organization1,dc=company,dc=com
- uid=USER_Y,ou=dept id,ou=organization2,dc=company,dc=com
Any distinguished name include by default dc=company,dc=com |
OpenKM.xml
- Parameter follow indicate several domains servers working together ( balanced ).
- Users defined in any active directory node will be able to login, because has defined DC=company,DC=com as base filter, <beans:constructor-arg index="0" value="DC=company,DC=com" />.
- Any user athenticated in active directory can login because has not any filtering clausule in <beans:constructor-arg index="1" value="sAMAccountName={0}" />
- Groups readed by OpenKM can be defined in any active directory node, because has defined DC=company,DC=com as base filter, <beans:constructor-arg value="DC=company,DC=com"/>.
<!-- LDAP Complex -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.xxx.xxx:389"/>
<beans:property name="userDn" value="CN=Administrator,OU=OPENKM,DC=company,DC=com"/>
<beans:property name="password" value="****"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="DC=company,DC=com"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="false" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="DC=company,DC=com" />
<beans:constructor-arg index="1" value="sAMAccountName={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
Configuration parameters
- Parameter follow indicate several domains servers working together ( balanced ). principal.ldap.referral=follow
- Users can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.user.search.base=DC=company,DC=com.
- All active directory users will be listed, because has not applied any filter restriction principal.ldap.user.search.filter=(objectclass=user)
- Groups can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.role.search.base=DC=company,DC=com.
- All active directory groups will be listed, because has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group)
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase=true
principal.ldap.referral=follow
principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
principal.ldap.server=ldap://192.168.xxx.xxx:389
principal.ldap.security.credentials=*****
principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=DC=company,DC=com
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=DC=company,DC=com
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.roles.by.user.search.base=DC=company,DC=com
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=DC=company,DC=com
principal.ldap.user.search.filter=(objectclass=user)
principal.ldap.username.attribute=sAMAccountName
principal.ldap.username.search.base=DC=company,DC=com
principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute=member
principal.ldap.users.by.role.search.base=DC=company,DC=com
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(CN={0}))