Ldap-example2

From OpenKM Documentation
Revision as of 21:35, 16 February 2013 by Jllort (talk | contribs)

Jump to: navigation, search

Active directory connection which allows to connect any active directory authenticated user. Example covers the case when more than one active directory domains works together and is needed parameter follow.

LDAP structure

dc=com
    dc=company
        ou=OPENKM
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
                member=user2
            cn=ROLE_USER
                member=user3
                member=user4
                ...
        ou=organization1
            sAMAccountName=okmAdmin
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=user@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=user@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=user2@mail.com
                cn=User Name 3
        ou=organization2
            sAMAccountName=user3
                memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
                mail=user3@mail.com
                cn=User Name 3
            sAMAccountName=user4
                memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
                mail=user4@mail.com
                cn=User Name 4

Valid roles:

  • cn=ROLE_X,ou=OPENKM,dc=company,dc=com
  • cn=ROLE_Y,ou=dept marketing,,dc=company,dc=com
  • cn=ROLE_Z,ou=dept sales,,dc=company,dc=com

Valid users:

  • uid=USER_X,ou=organization1,dc=company,dc=com
  • uid=USER_Y,ou=dept id,ou=organization2,dc=company,dc=com

Nota clasica.png Any distinguished name include by default dc=company,dc=com

OpenKM.xml

  • Parameter follow indicate several domains servers working together ( balanced ).
  • Users defined in any active directory node will be able to login, because has defined DC=company,DC=com as base filter, <beans:constructor-arg index="0" value="DC=company,DC=com" />.
  • Any user athenticated in active directory can login because has not any filtering clausule in <beans:constructor-arg index="1" value="sAMAccountName={0}" />
  • Groups readed by OpenKM can be defined in any active directory node, because has defined DC=company,DC=com as base filter, <beans:constructor-arg value="DC=company,DC=com"/>.
<!-- LDAP Complex -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://192.168.xxx.xxx:389"/>
    <beans:property name="userDn" value="CN=Administrator,OU=OPENKM,DC=company,DC=com"/>
    <beans:property name="password" value="****"/>
    <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>
 
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="DC=company,DC=com"/>
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <beans:property name="rolePrefix" value="" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="DC=company,DC=com" />
    <beans:constructor-arg index="1" value="sAMAccountName={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

Configuration parameters

  • Parameter follow indicate several domains servers working together ( balanced ). principal.ldap.referral=follow
  • Users can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.user.search.base=DC=company,DC=com.
  • All active directory users will be listed, because has not applied any filter restriction principal.ldap.user.search.filter=(objectclass=user)
  • Groups can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.role.search.base=DC=company,DC=com.
  • All active directory groups will be listed, because has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group)
 principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 system.login.lowercase=true
 principal.ldap.referral=follow

 principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
 principal.ldap.server=ldap://192.168.xxx.xxx:389
 principal.ldap.security.credentials=*****

 principal.ldap.mail.attribute=mail
 principal.ldap.mail.search.base=DC=company,DC=com
 principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))

 principal.ldap.role.attribute=cn
 principal.ldap.role.search.base=DC=company,DC=com
 principal.ldap.role.search.filter=(objectclass=group)

 principal.ldap.roles.by.user.attribute=memberOf
 principal.ldap.roles.by.user.search.base=DC=company,DC=com
 principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))

 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(objectclass=user)

 principal.ldap.username.attribute=sAMAccountName
 principal.ldap.username.search.base=DC=company,DC=com
 principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))

 principal.ldap.users.by.role.attribute=member
 principal.ldap.users.by.role.search.base=DC=company,DC=com
 principal.ldap.users.by.role.search.filter=(&(objectClass=group)(CN={0}))