Difference between revisions of "Active Directory - OpenKM 5.1"

From OpenKM Documentation
(Created page with '== Basic configuration == This is the suggested configuration that should be used when roles and users are both defined in same node,otherside refer to advanced configuration. T…')
 
 
(76 intermediate revisions by 3 users not shown)
Line 1: Line 1:
 +
{{TOCright}} __TOC__
 
== Basic configuration ==
 
== Basic configuration ==
This is the suggested configuration that should be used when roles and users are both defined in same node,otherside refer to advanced configuration.
+
This is the suggested configuration to be used when roles and users are both defined in the same node, otherwise refer to the advanced configuration.
  
To configure Active Directory we must make some changes in [[OpenKM.cfg]] configuration file and in login-config.xml file that can be found at ''$JBOSS_HOME/server/default/conf''. For both changes you need to restart JBoss server.
+
Active directory configuration has two parts; Login configuration and OpenKM integration.
  
'''OpenKM.cfg''' file example ( you must change '''192.168.0.6, Administrador, password and weyler''' values to your active directory values )
+
'''In this example''' you must change '''192.168.0.6, Administrator, password and weyler''' values to your active directory values.
 +
 
 +
{{Note|In this example all users are under same node '''cn=users,dc=weyler,dc=local''' and roles are under the same node '''cn=users,dc=weyler,dc=local''' too.}}
 +
 
 +
=== Login configuration ===
 +
Change the login-config.xml file at $JBOSS_HOME/server/default/conf
 +
 
 +
{{Advice|You must restart jboss after changing login-config.xml.}}
 +
 
 +
There're two configuration options, both valid:
 +
 
 +
==== Filter roles by users who are members ====
 +
<source lang="xml">
 +
<application-policy name="OpenKM">
 +
  <authentication>
 +
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
 +
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
 +
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
 +
      <module-option name="java.naming.security.authentication">simple</module-option>
 +
      <module-option name="bindCredential">password</module-option>
 +
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
 +
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
 +
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
 +
      <module-option name="roleFilter">(member={1})</module-option>
 +
      <module-option name="roleAttributeID">cn</module-option>
 +
      <module-option name="roleAttributeIsDN">false</module-option>
 +
      <module-option name="roleRecursion">2</module-option>
 +
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
 +
      <module-option name="allowEmptyPasswords">false</module-option>
 +
    </login-module>
 +
  </authentication>
 +
</application-policy>
 +
</source>
 +
 
 +
==== Getting roles by user ====
 +
<source lang="xml">
 +
<application-policy name="OpenKM">
 +
  <authentication>
 +
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
 +
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
 +
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
 +
      <module-option name="java.naming.security.authentication">simple</module-option>
 +
      <module-option name="bindCredential">password</module-option>
 +
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
 +
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
 +
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
 +
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
 +
      <module-option name="roleAttributeID">memberOf</module-option>
 +
      <module-option name="roleAttributeIsDN">true</module-option>
 +
      <module-option name="roleNameAttributeID">cn</module-option>
 +
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
 +
      <module-option name="allowEmptyPasswords">false</module-option>
 +
    </login-module>
 +
  </authentication>
 +
</application-policy>
 +
</source>
 +
 
 +
{{Note|Take care if your ldap server is configured under ssl then you should use ldaps://}}
 +
 
 +
=== OpenKM integration ===
 +
To configure Active Directory we must make some changes in [[Configuration view]]. You only need to restart jboss the first time you change the principal.adapter parameter. Other changes can be made on the fly.
  
 
<source lang="java">
 
<source lang="java">
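Review bot: the instruction added in this hunk tells the reader to replace "192.168.0.6, Administrator, password and weyler", but both login-config.xml examples bind as CN=Administrador,cn=users,dc=weyler,dc=local, so someone substituting "Administrator" will miss the bindDN; use one spelling in the prose and in the XML. Because bindDN and bindCredential sit in clear text in login-config.xml and the example binds with the administrator account, the text should also recommend a dedicated read-only directory account for the bind and restricted file permissions on login-config.xml.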
Line 16: Line 77:
 
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
 
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
 
principal.ldap.user.search.filter=(objectclass=person)
 
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn
+
principal.ldap.user.attribute=sAMAccountName
  
 
principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
 
principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
Line 22: Line 83:
 
principal.ldap.role.attribute=cn
 
principal.ldap.role.attribute=cn
  
principal.ldap.mail.search.base=cn={0},cn=users,dc=weyler,dc=local
+
principal.ldap.mail.search.base=cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
+
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
 
principal.ldap.mail.attribute=mail
 
principal.ldap.mail.attribute=mail
  
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
+
principal.ldap.username.search.base=cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectClass=group)(cn={0}))
+
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
</source>
+
principal.ldap.username.attribute=cn
 
 
Starting with '''OpenKM 5.0.4''' we added more "users by role" and "roles by user" configuration properties:
 
  
<source lang="java">
 
 
principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
 
principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
 
principal.ldap.users.by.role.search.filter=(objectclass=group)
 
principal.ldap.users.by.role.search.filter=(objectclass=group)
 
principal.ldap.users.by.role.attribute=member
 
principal.ldap.users.by.role.attribute=member
  
principal.ldap.roles.by.user.search.base=cn={0},cn=users,dc=weyler,dc=local
+
principal.ldap.roles.by.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(objectClass=person)  
+
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
 
principal.ldap.roles.by.user.attribute=memberOf
 
principal.ldap.roles.by.user.attribute=memberOf
 
</source>
 
</source>
  
'''OpenKM 4.1 and older'''
+
{{Advice|With '''OpenKM 5.0.4''' we added more "users by role" and "roles by user" configuration properties, that are not present on older versions.}}
 +
 
 +
{{Advice|With '''OpenKM 5.1.10''' we added more "username" configuration properties, that are not present on older versions.}}
 +
 
 +
In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable
 +
 
 
<source lang="java">
 
<source lang="java">
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
+
system.login.lowercase=on
principal.ldap.user.atribute=cn
 
principal.ldap.role.atribute=cn
 
principal.ldap.mail.atribute=mail
 
 
</source>
 
</source>
  
In case of Active directory ( windows ) it's important that all users login be in lower case, for it purpose we enable
+
The reason is simply because Windows does not make any dictiontion between upper and lower case when validating user name credentials.
 +
 
 +
==== OpenKM Integration - Filtering users and roles ====
 +
Create a role called OpenKM. Assign this role to users and roles. It'll be used to filter users and roles. Only users and roles with OpenKM role will be displayed in OpenKM.
 +
If you want to restrict the users who can log into OpenKM, you should change these:
  
 
<source lang="java">
 
<source lang="java">
system.login.lowercase=on
+
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
 +
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
 +
principal.ldap.users.by.role.search.filter=(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
 +
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
 +
</source>
 +
 
 +
Also add this option in login-config.xml:
 +
 
 +
<source lang="xml">
 +
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>
 
</source>
 
</source>
  
property in [[OpenKM.cfg]]. The reason is so simply, Windows not makes any difference between upper or lower case validating user name credentials.
+
{{Note|If you see an exception like this, probably you need to use advanced configuration:
 +
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name <nowiki>'cn=users,dc=weyler,dc=local'</nowiki>
 +
read these articles:
 +
* [http://download.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html Referrals in the JNDI]
 +
* [http://java.sun.com/products/jndi/jndi-ldap-gl.html JNDI Implementor Guidelines for LDAP Service Providers]
 +
* [http://giocosmiano.blogspot.com/2011/02/resolving-javaxnamingpartialresultexcep.html Resolving javax.naming.PartialResultException thrown by JBoss 5.1 LdapExtLoginModule]
 +
 
 +
The type of referral in LdapPrincipalAdapter can be configured using the configuration property '''principal.ldap.referral'''.}}
 +
 
 +
== Advanced configuration ==
 +
This configuration should be used when roles and users are defined on different active directory nodes.
  
'''login-config.xml''' file example ( you must change '''192.168.0.6, Administrador, password and weyler''' values to your active directory values )
+
Active directory configuration has two parts; Login configuration and OpenKM integration.
 +
 
 +
'''In this example''' you must change '''192.168.0.6, Administrator, password and weyler''' values to your active directory values.
 +
 
 +
{{Note|In this example the main ldap is node '''dc&#61;weyler,dc&#61;local''', users and roles distributed in different active directory nodes.}}
 +
 
 +
=== Login configuration ===
 +
Change the login-config.xml file in $JBOSS_HOME/server/default/conf
 +
 
 +
{{Advice|You must restart jboss after changing login-config.xml.}}
  
 
<source lang="xml">
 
<source lang="xml">
<application-policy name="OpenKM">
+
<application-policy name="OpenKM">  
   <authentication>
+
   <authentication>  
 
     <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >  
 
     <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >  
 
       <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>  
 
       <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>  
       <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
+
       <module-option name="bindDN">CN=Administrador,CN=users,dc=weyler,dc=local</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
+
      <module-option name="java.naming.referral">follow</module-option>  
       <module-option name="bindCredential">password</module-option>
+
       <module-option name="java.naming.security.authentication">simple</module-option>  
       <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
+
       <module-option name="bindCredential">password</module-option>  
       <module-option name="baseFilter">(sAMAccountName={0})</module-option>
+
       <module-option name="baseCtxDN">dc=weyler,dc=local</module-option>  
       <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
+
       <module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user))</module-option>  
       <module-option name="roleFilter">(member={1})</module-option>
+
       <module-option name="rolesCtxDN">dc=weyler,dc=local</module-option>  
       <module-option name="roleAttributeID">cn</module-option>
+
       <module-option name="roleFilter">(member={1})</module-option>  
       <module-option name="roleAttributeIsDN">false</module-option>
+
       <module-option name="roleAttributeID">cn</module-option>  
       <module-option name="roleRecursion">2</module-option>
+
       <module-option name="roleAttributeIsDN">false</module-option>  
       <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
+
       <module-option name="roleRecursion">2</module-option>  
      <module-option name="defaultRole">UserRole</module-option>
+
       <module-option name="searchScope">SUBTREE_SCOPE</module-option>  
       <module-option name="allowEmptyPasswords">false</module-option>
+
       <module-option name="allowEmptyPasswords">false</module-option>  
 
     </login-module>  
 
     </login-module>  
   </authentication>
+
   </authentication>  
</application-policy>
+
</application-policy>  
 
</source>
 
</source>
  
If you want to restrict the user who can log into OpenKM, you should change these two property in OpenKM.cfg:
+
{{Note|Take care if your ldap server is configured under ssl then you should use ldaps://}}
 +
 
 +
=== OpenKM integration ===
 +
To configure Active Directory we must make some changes in [[Configuration view]]. You only need to restart jboss the first time you change the principal.adapter parameter. Other changes can be made on the fly.
  
 
<source lang="java">
 
<source lang="java">
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
+
system.login.lowercase=on
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
+
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
</source>
+
 
 +
principal.ldap.server=ldap://192.168.0.6
 +
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
 +
principal.ldap.security.credentials=password
 +
 
 +
principal.ldap.user.search.base=dc=weyler,dc=local
 +
principal.ldap.user.search.filter=(objectclass=person)
 +
principal.ldap.user.attribute=sAMAccountName
 +
 
 +
principal.ldap.role.search.base=dc=weyler,dc=local
 +
principal.ldap.role.search.filter=(objectclass=group)
 +
principal.ldap.role.attribute=cn
  
This means that only users within the UserRole groups will be shown as valid OpenKM users, and only roles which are included in the OpenKM group will be shown in OpenKM.
+
principal.ldap.mail.search.base=dc=weyler,dc=local
 +
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
 +
principal.ldap.mail.attribute=mail
  
Also add this option one in login-config.xml:
+
principal.ldap.username.search.base=dc=weyler,dc=local
 +
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
 +
principal.ldap.username.attribute=cn
  
<source lang="xml">
+
principal.ldap.users.by.role.search.base=dc=weyler,dc=local
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>
+
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
</source>
+
principal.ldap.users.by.role.attribute=member
  
And remove this one:
+
principal.ldap.roles.by.user.search.base=dc=weyler,dc=local
 +
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
 +
principal.ldap.roles.by.user.attribute=memberOf
  
<source lang="xml">
+
principal.ldap.referral=follow
<module-option name="defaultRole">UserRole</module-option>
 
 
</source>
 
</source>
  
All this means that only users member of the UserRole groups are able to log into OpenKM.
+
{{Advice|With '''OpenKM 5.0.4''' we added more "users by role", "roles by user" and "referral" configuration properties, which are not present in older versions.}}
  
{{Note|If you see an exception like this:
+
In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name <nowiki>'cn=users,dc=weyler,dc=local'</nowiki>
 
read these articles:
 
* [http://download.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html Referrals in the JNDI]
 
* [http://giocosmiano.blogspot.com/2011/02/resolving-javaxnamingpartialresultexcep.html Resolving javax.naming.PartialResultException thrown by JBoss 5.1 LdapExtLoginModule]}}
 
  
== Enable debug at login process ==
+
<source lang="java">
It's good practice enable login debug when you make any change in autentication mechanism. Edit the file /server/default/conf/jboss-log4j.xml and add the category ( remember you must restart jboss to it takes effect ):
+
system.login.lowercase=on
<source lang="xml">
 
<category name="org.jboss.security">
 
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
 
</category>
 
 
</source>
 
</source>
  
or
+
The reason is simply because Windows does not make any distinction between upper and lower case when validating user name credentials.
  
<source lang="xml">
+
==== OpenKM Integration - Filtering users and roles ====
<category name="org.jboss.security">
+
Create a role called OpenKM. Assign this role to users and roles. It'll be used to filter users and roles. Only users and roles with OpenKM role will be displayed in OpenKM.
    <priority value="TRACE" class="org.jboss.logging.XLevel"/>
+
If you want to restrict the users who can log into OpenKM, you should change these:
    <appender-ref ref="SECURITY_F"/>
 
</category>
 
  
<appender name="SECURITY_F" class="org.jboss.logging.appender.DailyRollingFileAppender">
+
<source lang="java">
    <param name="Append" value="true"/>
+
principal.ldap.user.search.filter=(&(objectclass=person) (|(memberOf=CN=UserRole,dc=weyler,dc=local)(memberOf=CN=AdminRole,dc=weyler,dc=local)))
    <param name="DatePattern" value="'.'yyyy-MM-dd"/>
+
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,dc=weyler,dc=local))
    <param name="File" value="${jboss.server.home.dir}/log/jboss.security.log"/>
+
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
    <layout class="org.apache.log4j.PatternLayout">
+
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
        <param name="ConversionPattern" value="%d{ABSOLUTE} %-5p [%c] %m%n"/>
 
    </layout>
 
</appender>
 
 
</source>
 
</source>
  
More info at [http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/ JBoss and JAAS debug].
+
{{Note|In the example we assume that role OpenKM is in node '''<nowiki>CN=OpenKM,CN=users,DC=weyler,DC=local</nowiki>'''.}}
  
== Active directory utilities ==
+
Also add this option in login-config.xml:
We recommend take a look at these tools:
 
* [http://directory.apache.org/studio/ Apache Directory Studio]
 
* [http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx Active Directory Explorer Utility]
 
  
See also:
+
<source lang="xml">
* [[Testing LDAP configuration]]
+
<module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>
* [http://forum.openkm.com/viewtopic.php?f=13&t=3535 Forum: Usuario administrador LDAP v.4]
+
</source>
* [http://primalcortex.wordpress.com/2007/11/28/jboss-and-jaas-debug/ JBoss and JAAS debug]
 
* [http://community.jboss.org/message/427398 LDAP authentication using LDAPExtUserModuleImpl is case-inse]
 
* [http://community.jboss.org/wiki/LdapExtLoginModule LdapExtLoginModule]
 
* [http://community.jboss.org/wiki/LdapLoginModule LdapLoginModule]
 
* [http://community.jboss.org/thread/159069 Problems with LdapExtLoginModule]
 
 
 
* [[Active Directory OpenKM 5.0]] [[File:Padlock.gif]]
 
* [[Active Directory OpenKM 4.1]] [[File:Padlock.gif]] ( and valid for older versions )
 
  
 +
== LDAP example with uniqueMember ==
 +
See [[LDAP and Active Directory uniqueMember user examples]].
  
 
[[Category: Installation Guide]]
 
[[Category: Installation Guide]]
[[Category:OKM Network]]
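Review bot: the "Filtering users and roles" text added under the advanced configuration is inconsistent about where the OpenKM group lives: the role filter uses CN=OpenKM,dc=weyler,dc=local while the users-by-role and roles-by-user filters and the note that follows use CN=OpenKM,CN=users,DC=weyler,DC=local; the same group cannot be in both places, so align these DNs (and the CN=UserRole / CN=AdminRole DNs in the user filter) or the users listed and the users allowed to log in will differ. The advanced user filter also has a space between (objectclass=person) and (|...), which is not valid RFC 4515 filter syntax; drop it. Minor: the basic-configuration copy of the lower-case explanation spells "distinction" as "dictiontion" (the advanced copy has it right).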
 

Latest revision as of 19:36, 1 December 2012

Basic configuration

This is the suggested configuration to be used when roles and users are both defined in the same node, otherwise refer to the advanced configuration.

Active Directory configuration has two parts: login configuration and OpenKM integration.

In this example you must change the 192.168.0.6, Administrator, password and weyler values to those of your Active Directory.


Note: In this example all users are under the same node cn=users,dc=weyler,dc=local, and roles are under that same node too.

Login configuration

Change the login-config.xml file at $JBOSS_HOME/server/default/conf


Advice: You must restart JBoss after changing login-config.xml.

There are two configuration options, both valid:

Filter roles by users who are members

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

Getting roles by user

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

Note: If your LDAP server is configured for SSL, use ldaps:// instead of ldap:// in the provider URL.
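The following Python script is an added example, not code from OpenKM or JBoss: it models the two option sets above over a constructed in-memory directory so you can see what each returns for a user. The domain, the cn=users container and the OpenKM group come from the page; the user jsmith, the nested group Editors and the helper names are assumptions made for this demonstration.

```python
# Added example, not OpenKM's or JBoss's code: models the two role-resolution
# option sets of LdapExtLoginModule over a constructed in-memory directory.
# weyler.local, cn=users and the OpenKM group come from the page; the user
# "jsmith" and the nested group "Editors" are constructed for the demo.

# Constructed directory: DN -> attributes (each value is a list, as in LDAP).
DIRECTORY = {
    "CN=jsmith,CN=users,DC=weyler,DC=local": {
        "objectClass": ["person", "user"],
        "sAMAccountName": ["jsmith"],
        "memberOf": ["CN=Editors,CN=users,DC=weyler,DC=local"],
    },
    "CN=Editors,CN=users,DC=weyler,DC=local": {
        "objectClass": ["group"],
        "cn": ["Editors"],
        "member": ["CN=jsmith,CN=users,DC=weyler,DC=local"],
        "memberOf": ["CN=OpenKM,CN=users,DC=weyler,DC=local"],
    },
    "CN=OpenKM,CN=users,DC=weyler,DC=local": {
        "objectClass": ["group"],
        "cn": ["OpenKM"],
        "member": ["CN=Editors,CN=users,DC=weyler,DC=local"],
    },
}


def same_dn(a, b):
    """Active Directory compares DNs case-insensitively (the page itself mixes
    cn=users and CN=users), so normalise before comparing."""
    return a.lower() == b.lower()


def lookup(dn):
    """Fetch an entry by DN, or None if it does not exist."""
    return next((attrs for d, attrs in DIRECTORY.items() if same_dn(d, dn)), None)


def find_user_dn(login):
    """baseFilter (sAMAccountName={0}): resolve the login to the user's DN.
    sAMAccountName is matched case-insensitively, as Windows does."""
    for dn, attrs in DIRECTORY.items():
        if any(v.lower() == login.lower() for v in attrs.get("sAMAccountName", [])):
            return dn
    return None


def roles_by_member(user_dn, role_recursion=2):
    """'Filter roles by users who are members': roleFilter=(member={1}) with {1}
    bound to the user DN, roleAttributeID=cn, roleAttributeIsDN=false and
    roleRecursion=2. After the direct groups are found the search is repeated
    with each group DN as {1}, up to role_recursion extra levels, so nested
    membership (jsmith -> Editors -> OpenKM) is resolved."""
    roles, frontier = [], [user_dn]
    for _ in range(role_recursion + 1):      # level 0 = direct groups
        next_frontier = []
        for dn, attrs in DIRECTORY.items():
            members = attrs.get("member", [])
            if any(same_dn(m, f) for m in members for f in frontier):
                name = attrs["cn"][0]
                if name not in roles:
                    roles.append(name)
                    next_frontier.append(dn)
        frontier = next_frontier
        if not frontier:
            break
    return roles


def roles_by_memberof(user_dn):
    """'Getting roles by user': roleFilter=(sAMAccountName={0}) selects the user
    entry itself, roleAttributeID=memberOf with roleAttributeIsDN=true reads the
    group DNs from it, and roleNameAttributeID=cn turns each DN into a role name.
    The page's option set has no roleRecursion here, so only the groups listed
    in the user's own memberOf attribute are returned."""
    roles = []
    for group_dn in lookup(user_dn).get("memberOf", []):
        group = lookup(group_dn)
        if group is not None:
            roles.append(group["cn"][0])
    return roles


if __name__ == "__main__":
    dn = find_user_dn("JSmith")
    print("user DN:", dn)
    print("roles via (member={1}), roleRecursion=2:", roles_by_member(dn))
    print("roles via memberOf:", roles_by_memberof(dn))
```

Run it with python3: the member-based variant with roleRecursion=2 returns Editors and OpenKM (the group reached through Editors), while the memberOf variant returns only Editors, because the second option set as written on this page sets no roleRecursion. If your OpenKM roles depend on nested groups, the first variant is the one that resolves them.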

OpenKM integration

To configure Active Directory we must make some changes in the Configuration view. You only need to restart JBoss the first time you change the principal.adapter parameter; other changes can be made on the fly.

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=cn=users,dc=weyler,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf

Advice: With OpenKM 5.0.4 we added the "users by role" and "roles by user" configuration properties, which are not present in older versions.


Advice: With OpenKM 5.1.10 we added the "username" configuration properties, which are not present in older versions.

In the case of Active Directory (Windows), it is important that all user logins are in lower case. For this purpose we enable

system.login.lowercase=on

The reason is simply that Windows does not make any distinction between upper and lower case when validating user name credentials.

OpenKM Integration - Filtering users and roles

Create a role called OpenKM (in Active Directory this is a group) and assign it to the users and roles that should be visible. It is used to filter users and roles: only users and roles that have the OpenKM role will be displayed in OpenKM. If you also want to restrict which users can log into OpenKM, change these properties:

principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.users.by.role.search.filter=(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

Also add this option in login-config.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>
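To see what these filters actually select, here is an added Python example (not OpenKM's code) with a small evaluator for the filter subset used on this page, run against constructed entries. The OpenKM group DN and the domain are the page's; the users Anna and bob and the group Editors are constructed. The lowercase parameter of search() models the system.login.lowercase=on setting from the section above.

```python
# Added example, not OpenKM's own code: a minimal evaluator for the LDAP search
# filters used on this page, run against constructed entries, to show what the
# memberOf=CN=OpenKM,... restriction and system.login.lowercase=on do. It
# supports only what the page's filters need: (attr=value), (&...), (|...)
# and the {0} login placeholder.

# Constructed sample entries: only Anna is a member of the OpenKM group.
# Anna's memberOf value is written in lower case on purpose (see below).
ENTRIES = [
    {"dn": "CN=Anna,CN=users,DC=weyler,DC=local",
     "attrs": {"objectclass": ["person", "user"], "sAMAccountName": ["Anna"],
               "memberOf": ["cn=OpenKM,cn=users,dc=weyler,dc=local"]}},
    {"dn": "CN=bob,CN=users,DC=weyler,DC=local",
     "attrs": {"objectclass": ["person", "user"], "sAMAccountName": ["bob"],
               "memberOf": ["CN=Sales,CN=users,DC=weyler,DC=local"]}},
    {"dn": "CN=Editors,CN=users,DC=weyler,DC=local",
     "attrs": {"objectclass": ["group"], "cn": ["Editors"],
               "memberOf": ["CN=OpenKM,CN=users,DC=weyler,DC=local"]}},
    {"dn": "CN=OpenKM,CN=users,DC=weyler,DC=local",
     "attrs": {"objectclass": ["group"], "cn": ["OpenKM"]}},
]


def parse_filter(text):
    """Parse the RFC 4515 subset used on this page into nested tuples:
    ('=', attr, value) for an equality item, ('&' | '|', [children]) for a set.
    The grammar allows no whitespace between items, so a stray space is an error."""
    pos = 0

    def item():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos} in {text!r}")
        pos += 1
        if text[pos] in "&|":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(item())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos} in {text!r}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        attr, value = text[pos:end].split("=", 1)
        pos = end + 1
        return ("=", attr, value)

    tree = item()
    if pos != len(text):
        raise ValueError(f"unexpected text after filter at offset {pos}")
    return tree


def matches(entry, tree):
    """Evaluate a parsed filter against one entry. Attribute names, sAMAccountName
    and DN-valued attributes are compared case-insensitively, as AD does."""
    if tree[0] in ("&", "|"):
        op, children = tree
        combine = all if op == "&" else any
        return combine(matches(entry, c) for c in children)
    _, attr, value = tree
    for name, values in entry["attrs"].items():
        if name.lower() == attr.lower():
            return any(v.lower() == value.lower() for v in values)
    return False


def search(filter_template, login=None, lowercase=True):
    """Substitute {0} as the login module / principal adapter do and return the
    DNs of matching entries. lowercase=True models system.login.lowercase=on."""
    if login is not None:
        if lowercase:
            login = login.lower()
        filter_template = filter_template.replace("{0}", login)
    tree = parse_filter(filter_template)
    return [e["dn"] for e in ENTRIES if matches(e, tree)]


# Filters taken from the page; LOGIN_FILTER is the baseFilter with its {0}.
USER_FILTER = "(&(objectclass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))"
ROLE_FILTER = "(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))"
LOGIN_FILTER = "(&(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))"

if __name__ == "__main__":
    print("users shown in OpenKM:", search(USER_FILTER))
    print("roles shown in OpenKM:", search(ROLE_FILTER))
    print("login ANNA allowed   :", search(LOGIN_FILTER, "ANNA"))
    print("login bob allowed    :", search(LOGIN_FILTER, "bob"))
```

Anna's memberOf value is deliberately written in lower case and still matches the CN=OpenKM,CN=users,... restriction, which is why the page can mix cn=users and CN=users freely: Active Directory compares DNs case-insensitively. The same holds for the login, so the directory accepts ANNA and anna alike; the lowercase normalisation gives OpenKM one canonical spelling of the login rather than changing what the directory matches. The parser follows the RFC 4515 grammar, so a filter with a space between two items is rejected instead of silently matching nothing.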

Note: If you see an exception like this, you probably need to use the advanced configuration:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'cn=users,dc=weyler,dc=local'

Read these articles:

* Referrals in the JNDI: http://download.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
* JNDI Implementor Guidelines for LDAP Service Providers: http://java.sun.com/products/jndi/jndi-ldap-gl.html
* Resolving javax.naming.PartialResultException thrown by JBoss 5.1 LdapExtLoginModule: http://giocosmiano.blogspot.com/2011/02/resolving-javaxnamingpartialresultexcep.html

The type of referral in LdapPrincipalAdapter can be configured using the configuration property principal.ldap.referral.

Advanced configuration

This configuration should be used when roles and users are defined on different active directory nodes.

Active Directory configuration has two parts: login configuration and OpenKM integration.

In this example you must change the 192.168.0.6, Administrator, password and weyler values to those of your Active Directory.


Note: In this example the main LDAP node is dc=weyler,dc=local, with users and roles distributed across different Active Directory nodes.

Login configuration

Change the login-config.xml file in $JBOSS_HOME/server/default/conf


Advice: You must restart JBoss after changing login-config.xml.

<application-policy name="OpenKM"> 
  <authentication> 
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,CN=users,dc=weyler,dc=local</module-option> 
      <module-option name="java.naming.referral">follow</module-option> 
      <module-option name="java.naming.security.authentication">simple</module-option> 
      <module-option name="bindCredential">password</module-option> 
      <module-option name="baseCtxDN">dc=weyler,dc=local</module-option> 
      <module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user))</module-option> 
      <module-option name="rolesCtxDN">dc=weyler,dc=local</module-option> 
      <module-option name="roleFilter">(member={1})</module-option> 
      <module-option name="roleAttributeID">cn</module-option> 
      <module-option name="roleAttributeIsDN">false</module-option> 
      <module-option name="roleRecursion">2</module-option> 
      <module-option name="searchScope">SUBTREE_SCOPE</module-option> 
      <module-option name="allowEmptyPasswords">false</module-option> 
    </login-module> 
  </authentication> 
</application-policy>

Note: If your LDAP server is configured for SSL, use ldaps:// instead of ldap:// in the provider URL.
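The advanced configuration changes two things at once: baseCtxDN and rolesCtxDN move to the domain root, and searchScope becomes SUBTREE_SCOPE. The added Python example below (not JBoss or OpenKM code) shows with constructed DNs why both changes are needed; the OU=Sales and OU=Groups containers are assumptions standing in for "different Active Directory nodes", and find_login() approximates the sAMAccountName lookup by the CN of the constructed entries.

```python
# Added example, not JBoss's or OpenKM's code: models the JNDI search scopes used
# by the login module over constructed DNs, to show why the advanced
# configuration changes both the base DN and the scope. weyler.local and
# CN=Users are the page's; OU=Sales and OU=Groups are assumed containers for
# users and groups kept outside CN=Users.
ENTRY_DNS = [
    "CN=Administrator,CN=Users,DC=weyler,DC=local",
    "CN=anna,CN=Users,DC=weyler,DC=local",
    "CN=bob,OU=Sales,DC=weyler,DC=local",        # constructed: user outside CN=Users
    "CN=OpenKM,OU=Groups,DC=weyler,DC=local",    # constructed: group outside CN=Users
]


def rdns(dn):
    """Split a DN into its RDNs, lower-cased because AD compares DNs
    case-insensitively. The sample DNs contain no escaped commas, so a plain
    split is enough here."""
    return [part.strip().lower() for part in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Apply one of the searchScope values accepted by the login module:
    OBJECT_SCOPE   -> only the base entry itself
    ONELEVEL_SCOPE -> entries directly below the base
    SUBTREE_SCOPE  -> the base and everything beneath it"""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False                    # not under the base at all
    depth = len(entry) - len(base)      # 0 = the base entry itself
    if scope == "OBJECT_SCOPE":
        return depth == 0
    if scope == "ONELEVEL_SCOPE":
        return depth == 1
    if scope == "SUBTREE_SCOPE":
        return True
    raise ValueError(f"unknown searchScope {scope!r}")


def search(base_dn, scope):
    """Return the DNs a search with this base and scope would reach."""
    return [dn for dn in ENTRY_DNS if in_scope(dn, base_dn, scope)]


def find_login(base_dn, scope, login):
    """baseFilter (sAMAccountName={0}), approximated here by the CN of the
    constructed entries: which DN the login module would bind as, if any."""
    for dn in search(base_dn, scope):
        if rdns(dn)[0] == f"cn={login.lower()}":
            return dn
    return None


if __name__ == "__main__":
    basic = ("cn=users,dc=weyler,dc=local", "ONELEVEL_SCOPE")
    advanced = ("dc=weyler,dc=local", "SUBTREE_SCOPE")
    for label, (base, scope) in (("basic", basic), ("advanced", advanced)):
        print(label, scope, "under", base, "->", search(base, scope))
        print("  login bob ->", find_login(base, scope, "bob"))
```

With the basic settings (cn=users, ONELEVEL_SCOPE) a user kept in OU=Sales is never found. Moving only the base to dc=weyler,dc=local while keeping ONELEVEL_SCOPE finds nobody, because every user and group entry sits two levels below the root; SUBTREE_SCOPE under the root reaches them all. Searching the whole subtree from the domain root is also what makes the directory hand back continuation references for its other partitions, which is why this option set adds java.naming.referral=follow (and the OpenKM side adds principal.ldap.referral=follow) and why the note about PartialResultException in the basic configuration points here.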

OpenKM integration

To configure Active Directory we must make some changes in the Configuration view. You only need to restart JBoss the first time you change the principal.adapter parameter; other changes can be made on the fly.

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=dc=weyler,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=dc=weyler,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf

principal.ldap.referral=follow

Advice: With OpenKM 5.0.4 we added the "users by role", "roles by user" and "referral" configuration properties, which are not present in older versions.

In the case of Active Directory (Windows), it is important that all user logins are in lower case. For this purpose we enable

system.login.lowercase=on

The reason is simply that Windows does not make any distinction between upper and lower case when validating user name credentials.

OpenKM Integration - Filtering users and roles

Create a role called OpenKM (in Active Directory this is a group) and assign it to the users and roles that should be visible. It is used to filter users and roles: only users and roles that have the OpenKM role will be displayed in OpenKM. If you also want to restrict which users can log into OpenKM, change these properties:

principal.ldap.user.search.filter=(&(objectclass=person)(|(memberOf=CN=UserRole,dc=weyler,dc=local)(memberOf=CN=AdminRole,dc=weyler,dc=local)))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,dc=weyler,dc=local))
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

Note: In this example we assume that the role OpenKM is in node CN=OpenKM,CN=users,DC=weyler,DC=local.

Also add this option in login-config.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=user)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))</module-option>

LDAP example with uniqueMember

See LDAP and Active Directory uniqueMember user examples.