Difference between revisions of "Active Directory"

From OpenKM Documentation
(Active directory utility)
 
(45 intermediate revisions by 3 users not shown)
Line 1: Line 1:
To configure Active Directory we must make some changes in [[OpenKM.cfg]] configuration file and in login-config.xml file that can be found at ''$JBOSS_HOME/server/default/conf''. For both changes you need to restart JBoss server.
+
{{TOCright}} __TOC__
  
'''OpenKM.cfg''' file example ( you must change '''192.168.0.6, Administrador, password and weyler''' values to your active directory values )
+
== Configuration ==
 +
* [[Active Directory - OpenKM 6.2| OpenKM 6.2]]
 +
* [[Active Directory - OpenKM 5.1| OpenKM 5.1]]
 +
* [[Active Directory - OpenKM 5.0| OpenKM 5.0]]
 +
* [[Active Directory - OpenKM 4.1| OpenKM 4.1]] ( valid for older versions )
  
<source lang="java">
+
== Enable debug on login process ==
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
+
=== OpenKM 6.2 - Tomcat ===
principal.ldap.server=ldap://192.168.0.6
+
Edit the log4j configuration file located at '''$TOMCAT_HOME/conf/log4j.properties''' and add:
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
 
principal.ldap.security.credentials=password
 
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
 
principal.ldap.user.search.filter=(objectclass=person)
 
principal.ldap.user.attribute=cn
 
principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
 
principal.ldap.role.search.filter=(objectclass=group)
 
principal.ldap.role.attribute=cn
 
principal.ldap.mail.search.base=cn={0},cn=users,dc=weyler,dc=local
 
principal.ldap.mail.search.filter=(objectclass=person)
 
principal.ldap.mail.attribute=mail
 
system.login.lowercase=on
 
</source>
 
 
 
'''OpenKM 4.1 and older'''
 
<source lang="java">
 
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
 
principal.ldap.user.atribute=cn
 
principal.ldap.role.atribute=cn
 
principal.ldap.mail.atribute=mail
 
</source>
 
 
 
In case of Active directory ( windows ) it's important that all users login be in lower case, for it purpose we enable
 
  
 
<source lang="java">
 
<source lang="java">
system.login.lowercase=on
+
log4j.logger.org.springframework.security=DEBUG
 
</source>
 
</source>
  
property in [[OpenKM.cfg]]. The reason is so simply, Windows not makes any difference between upper or lower case validating user name credentials.
+
Tomcat released with OpenKM has a configured a listener which watch the '''log4.properties''' files for changes, so you don't need to restart Tomcat to make these changes effectives.
  
'''login-config.xml''' file example ( you must change '''192.168.0.6, Administrador, password and weyler''' values to your active directory values )
+
=== OpenKM 5.1 - JBoss ===
 +
It's good practice to enable login debugging when you make any change to the authentication mechanism. Edit the file '''$JBOSS_HOME/server/default/conf/jboss-log4j.xml''' and add the category ( remember you must restart jboss for it to take effect ):
  
 
<source lang="xml">
 
<source lang="xml">
<application-policy name="OpenKM">
+
<category name="org.jboss.security">
  <authentication>
+
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >  
+
</category>
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
 
      <module-option name="java.naming.security.authentication">simple</module-option>
 
      <module-option name="bindCredential">password</module-option>
 
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
 
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
 
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
 
      <module-option name="roleFilter">(member={1})</module-option>
 
      <module-option name="roleAttributeID">cn</module-option>
 
      <module-option name="roleAttributeIsDN">false</module-option>
 
      <module-option name="roleRecursion">2</module-option>
 
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
 
      <module-option name="defaultRole">UserRole</module-option>
 
      <module-option name="allowEmptyPasswords">false</module-option>
 
    </login-module>
 
  </authentication>
 
</application-policy>
 
</source>
 
 
 
If you want to restrict the user who can log into OpenKM, you should change these two property in OpenKM.cfg:
 
 
 
<source lang="java">
 
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
 
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
 
 
</source>
 
</source>
  
This means that only users within the UserRole groups will be shown as valid OpenKM users, and only roles which are included in the OpenKM group will be shown in OpenKM.
+
or
 
 
Also add this option one in login-config.xml:
 
  
 
<source lang="xml">
 
<source lang="xml">
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>
+
<category name="org.jboss.security">
</source>
+
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
 +
    <appender-ref ref="SECURITY_F"/>
 +
</category>
  
And remove this one:
+
<appender name="SECURITY_F" class="org.jboss.logging.appender.DailyRollingFileAppender">
 
+
    <param name="Append" value="true"/>
<source lang="xml">
+
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
<module-option name="defaultRole">UserRole</module-option>
+
    <param name="File" value="${jboss.server.home.dir}/log/jboss.security.log"/>
 +
    <layout class="org.apache.log4j.PatternLayout">
 +
        <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c] %m%n"/>
 +
    </layout>
 +
</appender>
 
</source>
 
</source>
  
All this means that only users member of the UserRole groups are able to log into OpenKM.
+
More info at [http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/ JBoss and JAAS debug].
 
 
== Enable debug at login process ==
 
It's good practice enable login debug when you make any change in autentication mechanism. Edit the file /server/default/conf/jboss-log4j.xml and add the category ( remember you must restart jboss to it takes effect ):
 
<source lang="xml">
 
<category name="org.jboss.security">
 
    <priority value="DEBUG" />
 
</category>
 
</source>
 
  
== Active directory utility ==
+
== Active directory utilities ==
We recomend take a look at Active Directory Explorer utility [http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx]
+
We recommend to take a look at these tools:
 +
* [http://directory.apache.org/studio/ Apache Directory Studio]
 +
* [http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx Active Directory Explorer Utility]
  
 
See also:
 
See also:
 +
* [[Testing LDAP configuration]]
 
* [http://forum.openkm.com/viewtopic.php?f=13&t=3535 Forum: Usuario administrador LDAP v.4]
 
* [http://forum.openkm.com/viewtopic.php?f=13&t=3535 Forum: Usuario administrador LDAP v.4]
 
* [http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/ JBoss and JAAS debug]
 
* [http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/ JBoss and JAAS debug]
 +
* [http://krams915.blogspot.com.es/2011/01/ldap-apache-directory-studio-basic.html LDAP - Apache Directory Studio: A Basic Tutorial]
 
* [http://community.jboss.org/message/427398 LDAP authentication using LDAPExtUserModuleImpl is case-inse]
 
* [http://community.jboss.org/message/427398 LDAP authentication using LDAPExtUserModuleImpl is case-inse]
 +
* [http://community.jboss.org/wiki/LdapExtLoginModule LdapExtLoginModule]
 +
* [http://community.jboss.org/wiki/LdapLoginModule LdapLoginModule]
 +
* [http://community.jboss.org/thread/159069 Problems with LdapExtLoginModule]
  
 
[[Category: Installation Guide]]
 
[[Category: Installation Guide]]
[[Category:OKM Network]]
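Review bot: the bind identity used throughout this hunk is a domain administrator (CN=Administrador,cn=users,dc=weyler,dc=local) whose password sits in clear text in two files, as principal.ldap.security.credentials=password in OpenKM.cfg and as the bindCredential module-option in login-config.xml; the example, and the per-version subpages the new revision links to, should use a dedicated read-only service account that can only search the user and group containers, and should add that both files need restrictive filesystem permissions. Related: java.naming.security.authentication is "simple" against ldap://192.168.0.6, so that bind password crosses the network unencrypted; a sentence recommending ldaps:// is worth adding. Keep allowEmptyPasswords at false as shown: with an empty password the LDAP bind degrades to an unauthenticated bind and the login would succeed. The memberOf conditions on baseFilter and on principal.ldap.user.search.filter / principal.ldap.role.search.filter are the right place to restrict who can log in and which groups are imported. The TRACE category on org.jboss.security (written to jboss.security.log by the SECURITY_F appender) and DEBUG on org.springframework.security record authentication detail; the text should say to revert them once troubleshooting is done. Minor: the 4.1 keys are spelled principal.ldap.user.atribute / role.atribute / mail.atribute (one t) while the 6.x keys use "attribute"; if the old spelling is genuinely what 4.1 reads, say so, otherwise it is a typo that would silently leave the attribute at its default.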
 

Latest revision as of 11:13, 27 December 2012

Configuration

* Active Directory - OpenKM 6.2
* Active Directory - OpenKM 5.1
* Active Directory - OpenKM 5.0
* Active Directory - OpenKM 4.1 (valid for older versions)

Enable debug on login process

OpenKM 6.2 - Tomcat

Edit the log4j configuration file located at $TOMCAT_HOME/conf/log4j.properties and add:

log4j.logger.org.springframework.security=DEBUG

The Tomcat bundled with OpenKM is configured with a listener that watches the log4j.properties file for changes, so you do not need to restart Tomcat for these changes to take effect.

OpenKM 5.1 - JBoss

It is good practice to enable login debugging whenever you change the authentication mechanism. Edit the file $JBOSS_HOME/server/default/conf/jboss-log4j.xml and add the category (remember you must restart JBoss for it to take effect):

<category name="org.jboss.security">
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
</category>

or

<category name="org.jboss.security">
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
    <appender-ref ref="SECURITY_F"/>
</category>

<appender name="SECURITY_F" class="org.jboss.logging.appender.DailyRollingFileAppender">
    <param name="Append" value="true"/>
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
    <param name="File" value="${jboss.server.home.dir}/log/jboss.security.log"/>
    <layout class="org.apache.log4j.PatternLayout">
        <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c] %m%n"/>
    </layout>
</appender>

More info at JBoss and JAAS debug (http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/).
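Both variants above (the Tomcat log4j.properties logger and the JBoss jboss-log4j.xml category) turn on verbose logging of the authentication path, which is meant to be temporary. The following script is an added example, not OpenKM's or JBoss's code: it parses either configuration format and reports security-related loggers left at DEBUG/TRACE together with the file they write to, so the check can be run after troubleshooting. The prefix list SECURITY_PREFIXES and the two sample configurations are constructed for this example and are assumptions, not taken from the page.

```python
import re
import xml.etree.ElementTree as ET

# Levels that emit authentication detail; assumed set for this audit.
VERBOSE_LEVELS = {"TRACE", "DEBUG", "ALL"}
# Logger prefixes taken from the two fragments on this page; assumed list.
SECURITY_PREFIXES = ("org.springframework.security", "org.jboss.security")


def parse_log4j_properties(text):
    """Return {logger: (level, [log files])} from a log4j.properties text.

    Entries look like 'log4j.logger.<name>=LEVEL[, appender, ...]'; appender
    names are resolved to 'log4j.appender.<name>.File' when that key exists.
    """
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    loggers = {}
    for key, value in props.items():
        if not key.startswith("log4j.logger."):
            continue
        parts = [v.strip() for v in value.split(",")]
        level, appenders = parts[0].upper(), parts[1:]
        files = [props.get(f"log4j.appender.{a}.File", a) for a in appenders]
        loggers[key[len("log4j.logger."):]] = (level, files)
    return loggers


def parse_log4j_xml(text):
    """Return {category: (level, [log files])} from a log4j XML text.

    <appender-ref ref="X"/> inside a <category> is resolved to the 'File'
    <param> of appender X; refs without a File param are kept by name.
    """
    root = ET.fromstring(text)
    appender_files = {}
    for app in root.iter("appender"):
        for p in app.findall("param"):
            if p.get("name") == "File":
                appender_files[app.get("name")] = p.get("value")
    cats = {}
    for cat in root.iter("category"):
        prio = cat.find("priority")
        if prio is None or "value" not in prio.attrib:
            continue
        files = [appender_files.get(ref.get("ref"), ref.get("ref"))
                 for ref in cat.findall("appender-ref")]
        cats[cat.get("name")] = (prio.get("value").upper(), files)
    return cats


def verbose_security_loggers(loggers):
    """(name, level, files) for security loggers still at a verbose level."""
    return sorted((name, level, files) for name, (level, files) in loggers.items()
                  if level in VERBOSE_LEVELS and name.startswith(SECURITY_PREFIXES))


def audit(text):
    """Pick the parser from the file shape and return the findings list."""
    parser = parse_log4j_xml if text.lstrip().startswith("<") else parse_log4j_properties
    return verbose_security_loggers(parser(text))


# Constructed sample: the Tomcat fragment from this page plus unrelated loggers.
SAMPLE_PROPERTIES = """\
# constructed sample log4j.properties
log4j.rootLogger=WARN, stdout
log4j.logger.org.springframework.security=DEBUG
log4j.logger.com.openkm=INFO
"""

# Constructed sample: the JBoss category/appender pair from this page, wrapped
# in the root element a jboss-log4j.xml file carries.
SAMPLE_JBOSS_XML = """\
<log4j:configuration xmlns:log4j="http://jakarta.apache.org/log4j/">
  <appender name="SECURITY_F" class="org.jboss.logging.appender.DailyRollingFileAppender">
    <param name="File" value="${jboss.server.home.dir}/log/jboss.security.log"/>
  </appender>
  <category name="org.jboss.security">
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
    <appender-ref ref="SECURITY_F"/>
  </category>
  <category name="org.hibernate">
    <priority value="INFO"/>
  </category>
</log4j:configuration>
"""

if __name__ == "__main__":
    for label, sample in (("log4j.properties", SAMPLE_PROPERTIES),
                          ("jboss-log4j.xml", SAMPLE_JBOSS_XML)):
        for name, level, files in audit(sample):
            print(f"{label}: {name} is at {level}, writing to {files or ['default appender']}")
```

Run it against the real files once the login problem is solved; an empty result for both means the debug categories have been reverted. The XML parser only follows appender-ref entries declared inside the category, so a verbose category that inherits the root appender is reported with an empty file list.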

Active directory utilities

We recommend taking a look at these tools:

* Apache Directory Studio (http://directory.apache.org/studio/)
* Active Directory Explorer Utility (http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx)

See also:

* Testing LDAP configuration
* Forum: Usuario administrador LDAP v.4 (http://forum.openkm.com/viewtopic.php?f=13&t=3535)
* JBoss and JAAS debug (http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/)
* LDAP - Apache Directory Studio: A Basic Tutorial (http://krams915.blogspot.com.es/2011/01/ldap-apache-directory-studio-basic.html)
* LDAP authentication using LDAPExtUserModuleImpl is case-inse (http://community.jboss.org/message/427398)
* LdapExtLoginModule (http://community.jboss.org/wiki/LdapExtLoginModule)
* LdapLoginModule (http://community.jboss.org/wiki/LdapLoginModule)
* Problems with LdapExtLoginModule (http://community.jboss.org/thread/159069)