Active Directory - OpenKM 6.2

From OpenKM Documentation
Jump to: navigation, search

If you need to debug the security configuration, Edit the $TOMCAT_HOME/conf/log4j.properties file and add this line:

 log4j.logger.org.springframework.security=DEBUG

Basic configuration

This is the suggested configuration to be used when roles and users are both defined in the same node, otherwise refer to the advanced configuration.

Active directory configuration has two parts; Login configuration and OpenKM integration.

In this example you must change 192.168.0.6, Administrator, password and weyler values to your active directory values.


Nota clasica.png In this example all users are under same node cn=users,dc=weyler,dc=local and roles are under the same node cn=users,dc=weyler,dc=local too.

Login configuration

Change the $TOMCAT_HOME/OpenKM.xml:

<security:ldap-server id="ldapServer"
    url="ldap://192.168.0.6:389/DC=ldap,dc=weyler,dc=local"
    manager-dn="CN=Administrator,cn=users,dc=weyler,dc=local"
    manager-password="password"/>
   
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="cn=Users"
      user-search-filter="(sAMAccountName={0})"
      group-search-base="cn=Users"
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>

Nota idea.png You must restart Tomcat after changing OpenKM.xml.


Nota clasica.png Take care if your ldap server is configured under ssl then you should use ldaps://

Read also Spring Security - MVC: Using an LDAP Authentication Provider.

OpenKM integration

To configure Active Directory we must make some changes in Configuration view. You only need to restart jboss the first time you change the principal.adapter parameter. Other changes can be made on the fly.

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=cn=users,dc=weyler,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf

In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable

system.login.lowercase=on

The reason is simply because Windows does not make any dictiontion between upper and lower case when validating user name credentials.

OpenKM Integration - Filtering users and roles

Create a role called OpenKM. Assign this role to users and roles. It'll be used to filter users and roles. Only users and roles with OpenKM role will be displayed in OpenKM. If you want to restrict the users who can log into OpenKM, you should change these:

principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.users.by.role.search.filter=(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

Also add this option in OpenKM.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>

Nota clasica.png If you see an exception like this, probably you need to use advanced configuration:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'cn=users,dc=weyler,dc=local'

read these articles:

The type of referral in LdapPrincipalAdapter can be configured using the configuration property principal.ldap.referral.

Advanced configuration

This configuration should be used when roles and users are defined on different active directory nodes.

Active directory configuration has two parts; Login configuration and OpenKM integration.

In this example you must change 192.168.0.6, Administrator, password and weyler values to your active directory values.


Nota clasica.png In this example the main ldap is node dc=weyler,dc=local, users and roles distributed in different active directory nodes.

Login configuration

Change the OpenKM.xml file in $TOMCAT_HOME:


Nota idea.png You must restart Tomcat after changing OpenKM.xml.

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
  
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.0.6:389/dc=weyler,dc=local"/>
  <beans:property name="userDn" value="CN=Administrator,cn=users,dc=weyler,dc=local"/>
  <beans:property name="password" value="password"/>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" value="memberOf={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" /> 
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

Nota clasica.png Take care if your ldap server is configured under ssl then you should use ldaps://

OpenKM integration

To configure Active Directory we must make some changes in Configuration view. You only need to restart jboss the first time you change the principal.adapter parameter. Other changes can be made on the fly.

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=dc=weyler,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=dc=weyler,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf

principal.ldap.referral=follow

In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable

system.login.lowercase=on

The reason is simply because Windows does not make any distinction between upper and lower case when validating user name credentials.

OpenKM Integration - Filtering users and roles

Create a role called OpenKM. Assign this role to users and roles. It'll be used to filter users and roles. Only users and roles with OpenKM role will be displayed in OpenKM. If you want to restrict the users who can log into OpenKM, you should change these:

principal.ldap.user.search.filter=(&(objectclass=person) (|(memberOf=CN=ROLE_USER,CN=users,dc=weyler,dc=local)(memberOf=CN=ROLE_ADMIN,CN=users,dc=weyler,dc=local)))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,dc=weyler,dc=local))
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

Nota clasica.png In the example we assume that role OpenKM is in node CN=OpenKM,CN=users,DC=weyler,DC=local.

Also add this option in OpenKM.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user)(|(memberOf=CN=ROLE_USER,CN=users,dc=weyler,dc=local)(memberOf=CN=ROLE_ADMIN,CN=users,dc=weyler,dc=local)))</module-option>

LDAP example with uniqueMember

See LDAP and Active Directory uniqueMember user examples.