Difference between revisions of "LDAP and Active Directory uniqueMember user examples"
(→LDAP example with uniqueMember) |
(→LDAP example with uniqueMember) |
− | So, when somebody wants to use uniqueMember instead of memberUid, there is need this patch see: [[File:OpenKM-uniqueMember. | + | So, when somebody wants to use uniqueMember instead of memberUid, there is need this patch see: [[File:OpenKM-uniqueMember.rep]]. |
1) Patch enables to use {1} in principal.ldap.roles.by.user.search.filter replaced by DN of user object in LDAP, for example: | 1) Patch enables to use {1} in principal.ldap.roles.by.user.search.filter replaced by DN of user object in LDAP, for example: |
Revision as of 20:18, 6 April 2012
LDAP example with uniqueMember
We are using users and roles from LDAP. In our LDAP schema we don't use the memberUid attribute for group membership, but uniqueMember; see:
http://tools.ietf.org/html/rfc4519#section-2.40
So, when somebody wants to use uniqueMember instead of memberUid, this patch is needed; see: File:OpenKM-uniqueMember.rep.
1) The patch allows {1} to be used in principal.ldap.roles.by.user.search.filter, where it is replaced by the DN of the user object in LDAP, for example: principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))';
2) When principal.ldap.users.by.role.attribute='uniqueMember', the patch forces the value of the uniqueMember attribute (the DN of the user node in LDAP) to be replaced by the value of principal.ldap.user.attribute in the node with that DN. This is done by searching with the filter given by the property principal.ldap.user.filter and returning the value of the user attribute (given by the property principal.ldap.user.attribute) in the LDAP subtree under the DN (given by the value of uniqueMember).
LDAP Structure
# Two groups under ou=Groups and two users under ou=People. Group membership is
# expressed with uniqueMember (objectClass groupOfUniqueNames), whose values are
# full user DNs rather than the bare uid that memberUid would carry.
# NOTE(review): LDIF separates entries with a blank line; the rendering here
# appears to have dropped those separators, so the listing is not loadable as-is.
dn: cn=admins@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins@solnet.cz
# This cn is the value used for default.admin.role in the configuration below.
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
dn: cn=users@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: users@solnet.cz
# Multi-valued: one uniqueMember per member DN.
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uniqueMember: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
# User entries; uid is the value the configuration below resolves DNs to.
dn: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: jack@solnet.cz
displayName: Jack Davis
dn: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: joe@solnet.cz
displayName: Joe Davis
Configuration parameters
// OpenKM principal adapter settings for the LDAP tree shown above.
// NOTE(review): principal.adapter is assigned twice (unquoted here, quoted below);
// presumably the later assignment wins — keep a single form.
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users=true
// ldap
principal.adapter='com.openkm.principal.LdapPrincipalAdapter'
// Plain ldap:// with a bind DN and password sends the credentials below in
// cleartext unless the connection is upgraded; prefer ldaps:// or StartTLS.
principal.ldap.server='ldap://localhost:389'
// NOTE(review): the bind DN and every search base use o=base, while the entries
// above live under dc=solnet,dc=cz,o=solnet — confirm the directory's real suffix.
principal.ldap.security.principal='uid=admin,o=base'
// Example placeholder. The real bind password belongs outside version control,
// readable only by the service account; the bind identity needs read access to
// the user and group subtrees and nothing more.
principal.ldap.security.credentials='super-safe'
// user
principal.ldap.user.search.base='o=base'
// inetAuthorizedServices=openkm presumably restricts logins to accounts
// explicitly authorised for this service — confirm against the schema.
principal.ldap.user.search.filter='(&(objectClass=posixAccount)(inetAuthorizedServices=openkm))'
principal.ldap.user.attribute='uid'
// user name
principal.ldap.username.search.base='o=base'
// {0} is presumably the user id being looked up (the page states {1} is the
// user DN). NOTE(review): confirm the adapter escapes LDAP filter metacharacters
// in the substituted value; otherwise the login name must be validated upstream.
principal.ldap.username.search.filter='(&(objectclass=posixAccount)(inetAuthorizedServices=openkm)(uid={0}))'
principal.ldap.username.attribute='displayName'
// role
principal.ldap.role.search.base='o=base'
principal.ldap.role.search.filter='(objectClass=posixGroup)'
// Roles are identified by the group's cn.
principal.ldap.role.attribute='cn'
// mail
principal.ldap.mail.search.base='o=base'
principal.ldap.mail.search.filter='(&(objectclass=inetMailUser)(uid={0}))'
principal.ldap.mail.attribute='mail'
// users by role
principal.ldap.users.by.role.search.base='o=base'
principal.ldap.users.by.role.search.filter='(&(objectClass=posixGroup)(cn={0}))'
// uniqueMember yields member DNs; per the patch description above they are
// resolved to principal.ldap.user.attribute (uid) values.
principal.ldap.users.by.role.attribute='uniqueMember'
// roles by user
principal.ldap.roles.by.user.search.base='o=base'
// {1} is the user DN (requires the patch described above), matching the DN
// values stored in uniqueMember.
principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))'
// NOTE(review): roles are identified by cn above (principal.ldap.role.attribute);
// returning mail here looks like a copy-paste slip — confirm the intended attribute.
principal.ldap.roles.by.user.attribute='mail'
// login
system.login.lowercase=true
default.user.role='UserRole'
// Matches the cn of the admins group in the LDAP structure above; members of that
// group presumably receive administrative rights — confirm.
default.admin.role='admins@solnet.cz'
login-config.xml
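<!-- Fragment of JBoss login-config.xml: the application-policy for OpenKM's security
     domain. It belongs inside the file's <policy> root, so no XML declaration here. -->
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <!-- Plain ldap:// with simple authentication sends bindCredential and each user's
           password in cleartext to the directory; use ldaps:// or StartTLS unless the
           connection never leaves the host. -->
      <module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
      <!-- Service account used to search for users and roles; it only needs read access. -->
      <module-option name="bindDN">uid=admin,o=solnet</module-option>
      <!-- Example placeholder. NOTE(review): differs from the 'super-safe' value in the
           OpenKM properties above; confirm both configurations carry the intended secret,
           and keep the real value out of version control. -->
      <module-option name="bindCredential">supper-safe</module-option>
      <module-option name="baseCtxDN">o=solnet</module-option>
      <!-- {0} is the login name supplied by the user. NOTE(review): confirm the module
           escapes LDAP filter metacharacters in it; otherwise validate the login name
           before it reaches this filter. -->
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- NOTE(review): chasing referrals can re-send the bind credentials to whatever
           server a referral names; confirm this directory actually needs it. -->
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="matchOnUserDN">true</module-option>
      <!-- NOTE(review): confirm what -1 means for this module version (nested-role
           recursion depth); unbounded recursion is costly on large group trees. -->
      <module-option name="roleRecursion">-1</module-option>
      <!-- The filter's leading ampersand must be written as &amp; inside element content,
           otherwise the file is not well-formed XML and will not load.
           NOTE(review): objectClass=solnetGroup does not match the posixGroup /
           groupOfUniqueNames entries shown above — confirm the group object class.
           uniqueMember holds a DN; with matchOnUserDN=true, confirm that {0} expands
           to the user DN here rather than the bare login name. -->
      <module-option name="roleFilter">(&amp;(objectClass=solnetGroup)(uniqueMember={0}))</module-option>
      <!-- Role names are taken from the group's cn, as in the OpenKM properties above. -->
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="rolesCtxDN">o=solnet</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <!-- Keep false: some directories treat an empty-password simple bind as an anonymous
           bind, which would let any known uid log in with no password. -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>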