Active Directory - OpenKM 5.1

From OpenKM Documentation
Revision as of 17:53, 16 April 2012 by Pavila (talk | contribs) (OpenKM Integration - Filtering users and roles)

Jump to: navigation, search

Basic configuration

This is the suggested configuration to be used when roles and users are both defined in the same node, otherwise refer to the advanced configuration.

Active directory configuration has two parts; Login configuration and OpenKM integration.

In this example you must change 192.168.0.6, Administrator, password and weyler values to your active directory values.


Nota clasica.png In this example all users are under same node cn=users,dc=weyler,dc=local and roles are under the same node cn=users,dc=weyler,dc=local too.

Login configuration

Change the login-config.xml file at $JBOSS_HOME/server/default/conf


Nota idea.png You must restart jboss after changing login-config.xml.

There're two configuration options, both valid:

Filter roles by users who are members

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

Getting roles by user

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

Nota clasica.png Take care if your ldap server is configured under ssl then you should use ldaps://

OpenKM integration

To configure Active Directory we must make some changes in Configuration view. You only need to restart jboss the first time you change the principal.adapter parameter. Other changes can be made on the fly.

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=sAMAccountName={0},cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=sAMAccountName={0},cn=users,dc=weyler,dc=local
principal.ldap.username.search.filter=(objectclass=person)
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=sAMAccountName={0},cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(objectClass=person) 
principal.ldap.roles.by.user.attribute=memberOf

Nota idea.png With OpenKM 5.0.4 we added more "users by role" and "roles by user" configuration properties, that are not present on older versions.


Nota idea.png With OpenKM 5.1.10 we added more "username" configuration properties, that are not present on older versions.


Nota clasica.png Understanding cn={0},cn=users,dc=weyler,dc=local example.
  • In roles by user search, for example by user openkm, the query string after replacement will be cn=openkm,cn=users,dc=weyler,dc=local.
  • In users by role search, for example by role AdminRole, the query string after replacement will be cn=AdminRole,cn=users,dc=weyler,dc=local.
  • In mail search, for example by user openkm, the query string after replacement will be cn=openkm,cn=users,dc=weyler,dc=local.
Pay attention. In both cases we're filtering by the absolute reference of the node.

In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable

system.login.lowercase=on

The reason is simply because Windows does not make any dictiontion between upper and lower case when validating user name credentials.

OpenKM Integration - Filtering users and roles

Create a role called OpenKM. Assign this role to users and roles. It'll be used to filter users and roles. Only users and roles with OpenKM role will be displayed in OpenKM. If you want to restrict the users who can log into OpenKM, you should change these:

principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.users.by.role.search.filter=(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

Also add this option in login-config.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>

Nota clasica.png If you see an exception like this, probably you need to use advanced configuration:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'cn=users,dc=weyler,dc=local'

read these articles:

The type of referral in LdapPrincipalAdapter can be configured using the configuration property principal.ldap.referral.

Advanced configuration

This configuration should be used when roles and users are defined on different active directory nodes.

Active directory configuration has two parts; Login configuration and OpenKM integration.

In this example you must change 192.168.0.6, Administrator, password and weyler values to your active directory values.


Nota clasica.png In this example the main ldap is node dc=weyler,dc=local, users and roles distributed in different active directory nodes.

Login configuration

Change the login-config.xml file in $JBOSS_HOME/server/default/conf


Nota idea.png You must restart jboss after changing login-config.xml.

<application-policy name="OpenKM"> 
  <authentication> 
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,CN=users,dc=weyler,dc=local</module-option> 
      <module-option name="java.naming.referral">follow</module-option> 
      <module-option name="java.naming.security.authentication">simple</module-option> 
      <module-option name="bindCredential">password</module-option> 
      <module-option name="baseCtxDN">dc=weyler,dc=local</module-option> 
      <module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user))</module-option> 
      <module-option name="rolesCtxDN">dc=weyler,dc=local</module-option> 
      <module-option name="roleFilter">(member={1})</module-option> 
      <module-option name="roleAttributeID">cn</module-option> 
      <module-option name="roleAttributeIsDN">false</module-option> 
      <module-option name="roleRecursion">2</module-option> 
      <module-option name="searchScope">SUBTREE_SCOPE</module-option> 
      <module-option name="allowEmptyPasswords">false</module-option> 
    </login-module> 
  </authentication> 
</application-policy>

Nota clasica.png Take care if your ldap server is configured under ssl then you should use ldaps://

OpenKM integration

To configure Active Directory we must make some changes in Configuration view. You only need to restart jboss the first time you change the principal.adapter parameter. Other changes can be made on the fly.

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=dc=weyler,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=dc=weyler,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf

principal.ldap.referral=follow

Nota idea.png With OpenKM 5.0.4 we added more "users by role", "roles by user" and "referral" configuration properties, which are not present in older versions.


Nota clasica.png Understanding cn={0} values
  • In roles by user, for example by user Administrador, the query string after replacement will be (&(objectClass=person)(CN=Administrator,cn=users,dc=weyler,dc=local)).
  • In users by role, for example by role AdminRole, the query string after replacement will be (&(objectClass=group)(CN=AdminRole,cn=roles,dc=weyler,dc=local))'''. Here we've supposed AdminRole node is (CN=AdminRole,cn=roles,dc=weyler,dc=local)).
  • In mail search, for example by user Administrator, the query string after replacement will be (&(objectClass=person)(CN=Administrator,cn=users,dc=weyler,dc=local)).

In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable

system.login.lowercase=on

The reason is simply because Windows does not make any distinction between upper and lower case when validating user name credentials.

OpenKM Integration - Filtering users and roles

Create a role called OpenKM. Assign this role to users and roles. It'll be used to filter users and roles. Only users and roles with OpenKM role will be displayed in OpenKM. If you want to restrict the users who can log into OpenKM, you should change these:

principal.ldap.user.search.filter=(&(objectclass=person) (|(memberOf=CN=UserRole,dc=weyler,dc=local)(memberOf=CN=AdminRole,dc=weyler,dc=local)))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,dc=weyler,dc=local))
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

Nota clasica.png In the example we assume that role OpenKM is in node CN=OpenKM,CN=users,DC=weyler,DC=local.

Also add this option in login-config.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>