Difference between revisions of "Ldap-example1"
From OpenKM Documentation
(20 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | + | OpenLDAP example. | |
− | + | ||
− | + | === LDAP structure === | |
− | + | dc=com | |
− | + | dc=some | |
+ | ou=organization | ||
+ | cn=ROLE_ADMIN | ||
+ | memberUid=okmAdmin | ||
+ | memberUid=user1 | ||
+ | memberUid=user2 | ||
+ | cn=ROLE_USER | ||
+ | memberUid=user3 | ||
+ | memberUid=user4 | ||
+ | ... | ||
+ | ou=organization | ||
+ | uid=user1 | ||
+ | mail=user@mail.com | ||
+ | cn=User Name 1 | ||
+ | uid=user2 | ||
+ | mail=user2@mail.com | ||
+ | cn=User Name 3 | ||
+ | uid=user3 | ||
+ | mail=user3@mail.com | ||
+ | cn=User Name 3 | ||
+ | uid=user4 | ||
+ | mail=user4@mail.com | ||
+ | cn=User Name 4 | ||
− | Valid roles: | + | '''Valid roles:''' |
− | * cn=ROLE_X,ou=roles,dc=some,dc=com | + | * cn=ROLE_X,'''ou=roles,dc=some,dc=com''' |
− | * cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com | + | * cn=ROLE_Y,ou=dept marketing,'''ou=roles,dc=some,dc=com''' |
− | * cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com | + | * cn=ROLE_Z,ou=dept sales,'''ou=roles,dc=some,dc=com''' |
− | Invalid roles: | + | '''Invalid roles:''' |
* cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com ) | * cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com ) | ||
+ | '''Valid users:''' | ||
+ | * uid=USER_X,'''ou=organization,dc=some,dc=com''' | ||
+ | * uid=USER_Y,ou=dept id,'''ou=organization,dc=some,dc=com''' | ||
+ | * uid=USER_Z,ou=dept administrator,'''ou=organization,dc=some,dc=com''' | ||
− | + | '''Invalid users:''' | |
− | * uid= | + | * uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com ) |
− | |||
− | |||
− | + | == OpenKM.xml == | |
− | * | + | * '''Important''' login ('''ldap://192.168.0.13:389/dc=some,dc=com''') sets default filter base queries at '''dc=some,dc=com with is concatenated by default in all filter queries '''. |
+ | * Roles ( groups ) filter base is '''ou=roles''' ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. <beans:constructor-arg value="'''ou=roles'''"/> really points to <beans:constructor-arg value="'''ou=roles,dc=some,dc=com'''"/> | ||
+ | * Users filter base is '''ou=organization''' ( real distinguised name is ou=organization,dc=some,dc=com ). Any valid user should have it as parent. <beans:constructor-arg index="0" value="'''ou=organization'''" /> to <beans:constructor-arg index="0" value="'''ou=organization,dc=some,dc=com'''" /> | ||
+ | * User filter is uid={0} | ||
+ | * Finally take in consideration the value 1 at <beans:property name="groupSearchFilter" value="'''memberUid={1}'''"/> | ||
<source lang="xml"> | <source lang="xml"> | ||
Line 75: | Line 103: | ||
</beans:beans> | </beans:beans> | ||
+ | </source> | ||
+ | |||
+ | == Configuration parameters == | ||
+ | <source lang="java"> | ||
+ | principal.adapter=com.openkm.principal.LdapPrincipalAdapter | ||
+ | system.login.lowercase=false | ||
+ | principal.ldap.referral= | ||
+ | |||
+ | principal.ldap.server=ldap://192.168.xxx.xxx:389 | ||
+ | principal.ldap.security.principal=cn=Manager,dc=some,dc=com | ||
+ | principal.ldap.security.credentials=xxxxxx | ||
+ | |||
+ | principal.ldap.mail.attribute=mail | ||
+ | principal.ldap.mail.search.base=dc=some,dc=com | ||
+ | principal.ldap.mail.search.filter=(uid={0}) | ||
+ | |||
+ | principal.ldap.role.attribute=cn | ||
+ | principal.ldap.role.search.base=ou=roles,dc=some,dc=com | ||
+ | principal.ldap.role.search.filter=(objectClass=posixGroup) | ||
+ | |||
+ | principal.ldap.roles.by.user.attribute=cn | ||
+ | principal.ldap.roles.by.user.search.base=ou=roles,dc=some,dc=com | ||
+ | principal.ldap.roles.by.user.search.filter=(memberUid={0}) | ||
+ | |||
+ | principal.ldap.user.attribute=uid | ||
+ | principal.ldap.user.search.base=ou=users,dc=some,dc=com | ||
+ | principal.ldap.user.search.filter=(objectClass=inetOrgPerson) | ||
+ | |||
+ | principal.ldap.users.by.role.attribute=memberUid | ||
+ | principal.ldap.users.by.role.search.base=ou=roles,dc=some,dc=com | ||
+ | principal.ldap.users.by.role.search.filter=(&(objectClass=posixGroup)(cn={0})) | ||
+ | |||
+ | principal.ldap.username.attribute=cn | ||
+ | principal.ldap.username.search.base=ou=users,dc=some,dc=com | ||
+ | principal.ldap.username.search.filter=(uid={0}) | ||
+ | </source> | ||
[[Category: Installation Guide]] | [[Category: Installation Guide]] |
Latest revision as of 21:22, 16 February 2013
OpenLDAP example.
LDAP structure
dc=com dc=some ou=organization cn=ROLE_ADMIN memberUid=okmAdmin memberUid=user1 memberUid=user2 cn=ROLE_USER memberUid=user3 memberUid=user4 ... ou=organization uid=user1 mail=user@mail.com cn=User Name 1 uid=user2 mail=user2@mail.com cn=User Name 3 uid=user3 mail=user3@mail.com cn=User Name 3 uid=user4 mail=user4@mail.com cn=User Name 4
Valid roles:
- cn=ROLE_X,ou=roles,dc=some,dc=com
- cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
- cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com
Invalid roles:
- cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com )
Valid users:
- uid=USER_X,ou=organization,dc=some,dc=com
- uid=USER_Y,ou=dept id,ou=organization,dc=some,dc=com
- uid=USER_Z,ou=dept administrator,ou=organization,dc=some,dc=com
Invalid users:
- uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )
OpenKM.xml
- Important login (ldap://192.168.0.13:389/dc=some,dc=com) sets default filter base queries at dc=some,dc=com with is concatenated by default in all filter queries .
- Roles ( groups ) filter base is ou=roles ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. <beans:constructor-arg value="ou=roles"/> really points to <beans:constructor-arg value="ou=roles,dc=some,dc=com"/>
- Users filter base is ou=organization ( real distinguised name is ou=organization,dc=some,dc=com ). Any valid user should have it as parent. <beans:constructor-arg index="0" value="ou=organization" /> to <beans:constructor-arg index="0" value="ou=organization,dc=some,dc=com" />
- User filter is uid={0}
- Finally take in consideration the value 1 at <beans:property name="groupSearchFilter" value="memberUid={1}"/>
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd">
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.0.13:389/dc=some,dc=com"/>
<beans:property name="userDn" value="cn=Manager,dc=some,dc=com"/>
<beans:property name="password" value="******"/>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"></beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="ou=roles"/>
<beans:property name="groupSearchFilter" value="memberUid={1}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="true" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="ou=organization" />
<beans:constructor-arg index="1" value="uid={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>
Configuration parameters
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase=false
principal.ldap.referral=
principal.ldap.server=ldap://192.168.xxx.xxx:389
principal.ldap.security.principal=cn=Manager,dc=some,dc=com
principal.ldap.security.credentials=xxxxxx
principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=dc=some,dc=com
principal.ldap.mail.search.filter=(uid={0})
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=ou=roles,dc=some,dc=com
principal.ldap.role.search.filter=(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute=cn
principal.ldap.roles.by.user.search.base=ou=roles,dc=some,dc=com
principal.ldap.roles.by.user.search.filter=(memberUid={0})
principal.ldap.user.attribute=uid
principal.ldap.user.search.base=ou=users,dc=some,dc=com
principal.ldap.user.search.filter=(objectClass=inetOrgPerson)
principal.ldap.users.by.role.attribute=memberUid
principal.ldap.users.by.role.search.base=ou=roles,dc=some,dc=com
principal.ldap.users.by.role.search.filter=(&(objectClass=posixGroup)(cn={0}))
principal.ldap.username.attribute=cn
principal.ldap.username.search.base=ou=users,dc=some,dc=com
principal.ldap.username.search.filter=(uid={0})