Difference between revisions of "Active Directory - OpenKM 5.1"

From OpenKM Documentation

Revision as of 10:52, 21 October 2011

Basic configuration

This is the suggested configuration and should be used when roles and users are both defined in the same node; otherwise refer to the advanced configuration.

To configure Active Directory we must make some changes in Configuration_view. Restarting JBoss is only needed the first time you change the principal.adapter parameter; other changes can be made on the fly.

In this example you must change the 192.168.0.6, Administrador, password and weyler values to your Active Directory values.


Note: In this example all users are under the same node cn=users,dc=weyler,dc=local and roles are under the same node cn=users,dc=weyler,dc=local too.


Note: Understanding the cn={0},cn=users,dc=weyler,dc=local example.
  • In user search, for example by user openkm, the query string after replacement will be cn=openkm,cn=users,dc=weyler,dc=local.
  • In role search, for example by role AdminRole, the query string after replacement will be cn=AdminRole,cn=users,dc=weyler,dc=local.
  • In mail search, for example by user openkm, the query string after replacement will be cn=openkm,cn=users,dc=weyler,dc=local.
Pay attention: in every case we're filtering by the absolute reference of the node.

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password

principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn

principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.attribute=mail

principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(objectClass=person) 
principal.ldap.roles.by.user.attribute=memberOf

Tip: With OpenKM 5.0.4 we added more "users by role" and "roles by user" configuration properties; they are not present on older versions.

In the case of Active Directory (Windows) it's important that all user logins be in lower case; for this purpose we enable the

system.login.lowercase=on

property in OpenKM.cfg. The reason is simple: Windows makes no difference between upper and lower case when validating user name credentials.

login-config.xml file example (you must change the 192.168.0.6, Administrador, password and weyler values to your Active Directory values):

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

If you want to restrict the users who can log into OpenKM, you should change these two properties in OpenKM.cfg:

principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

This means that only users within the UserRole group will be shown as valid OpenKM users, and only roles which are included in the OpenKM group will be shown in OpenKM.

Also add this option in login-config.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>

And remove this one:

<module-option name="defaultRole">UserRole</module-option>

All this means that only users who are members of the UserRole group are able to log into OpenKM.
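The following is an added example (not OpenKM's or JBoss's own code) that walks through the {0} replacement described in the note above for the principal.ldap.*.search.base properties and for the login-config.xml baseFilter, including the restricted memberOf variant. It assumes that a value substituted into a DN is escaped per RFC 4514 and a value substituted into a filter per RFC 4515; that escaping is this example's own choice, not a statement about how OpenKM or LdapExtLoginModule perform the replacement.

```python
# Added example: {0} expansion for the search bases and filters on this page.
# Escaping rules (RFC 4514 for DNs, RFC 4515 for filters) are this example's
# own assumption about safe expansion, not OpenKM's or JBoss's behaviour.

# Values taken from the configuration on this page.
USERS_NODE = "cn=users,dc=weyler,dc=local"
MAIL_SEARCH_BASE = "cn={0}," + USERS_NODE           # principal.ldap.mail.search.base
USERS_BY_ROLE_SEARCH_BASE = "cn={0}," + USERS_NODE  # principal.ldap.users.by.role.search.base
LOGIN_BASE_FILTER = "(sAMAccountName={0})"          # login-config.xml baseFilter
RESTRICTED_BASE_FILTER = (                          # restricted baseFilter from this page
    "(&(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))"
)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 rules)."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):                   # leading '#' or space must be escaped
        out = "\\" + out
    if value.endswith(" ") and len(value) > 1:  # trailing space must be escaped
        out = out[:-1] + "\\ "
    return out


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for use inside a search filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def resolve_search_base(template: str, name: str) -> str:
    """Expand {0} in a search base such as cn={0},cn=users,dc=weyler,dc=local."""
    return template.replace("{0}", escape_dn_value(name))


def resolve_filter(template: str, name: str) -> str:
    """Expand {0} in a filter such as (sAMAccountName={0})."""
    return template.replace("{0}", escape_filter_value(name))


if __name__ == "__main__":
    print(resolve_search_base(MAIL_SEARCH_BASE, "openkm"))            # user openkm
    print(resolve_search_base(USERS_BY_ROLE_SEARCH_BASE, "AdminRole"))  # role AdminRole
    print(resolve_filter(RESTRICTED_BASE_FILTER, "openkm"))
    print(resolve_filter(LOGIN_BASE_FILTER, "jo*"))   # wildcard neutralised as \2a
```

Because the DN and filter escapers differ, a login name containing a comma or an asterisk expands to a literal value rather than altering the search base or the filter structure.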


Note: If you see an exception like this:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'cn=users,dc=weyler,dc=local'

read these articles: