LDAP and Active Directory uniqueMember user examples

From OpenKM Documentation
Revision as of 20:18, 6 April 2012 by Martin.povolny.yuh (talk | contribs) (LDAP example with uniqueMember)

Jump to: navigation, search

LDAP example with uniqueMember

We are usin users and roles from LDAP. In our LDAP schema we don't use memberUid attribute for group membership, but uniqueMember, see:

http://tools.ietf.org/html/rfc4519#section-2.40


So, when somebody wants to use uniqueMember instead of memberUid, there is need this patch see: File:OpenKM-uniqueMember.rep.

1) Patch enables to use {1} in principal.ldap.roles.by.user.search.filter replaced by DN of user object in LDAP, for example: principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))';

2) When principal.ldap.users.by.role.attribute='uniqueMember', then patch force to replace value of uniqueMember attribute (DN's of user node in ldap) by value of principal.ldap.user.attribute in node with specified DN. This is done by finding result of search with filter (given by property principal.ldap.user.filter) returning value of user attribute (given by property principal.ldap.user.attribute) in LDAP subtree under DN (given by value of uniqueMember).


LDAP Structure

dn: cn=admins@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: cn=users@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: users@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uniqueMember: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: jack@solnet.cz
displayName: Jack Davis

dn: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: joe@solnet.cz
displayName: Joe Davis

Configuration parameters

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users=true
// ldap
principal.adapter='com.openkm.principal.LdapPrincipalAdapter'
principal.ldap.server='ldap://localhost:389'
principal.ldap.security.principal='uid=admin,o=base'
principal.ldap.security.credentials='super-safe'
// user
principal.ldap.user.search.base='o=base'
principal.ldap.user.search.filter='(&(objectClass=posixAccount)(inetAuthorizedServices=openkm))'
principal.ldap.user.attribute='uid'
// user name
principal.ldap.username.search.base='o=base'
principal.ldap.username.search.filter='(&(objectclass=posixAccount)(inetAuthorizedServices=openkm)(uid={0}))'
principal.ldap.username.attribute='displayName'
// role
principal.ldap.role.search.base='o=base'
principal.ldap.role.search.filter='(objectClass=posixGroup)'
principal.ldap.role.attribute='cn'
// mail
principal.ldap.mail.search.base='o=base'
principal.ldap.mail.search.filter='(&(objectclass=inetMailUser)(uid={0}))'
principal.ldap.mail.attribute='mail'
// users by role
principal.ldap.users.by.role.search.base='o=base'
principal.ldap.users.by.role.search.filter='(&(objectClass=posixGroup)(cn={0}))'
principal.ldap.users.by.role.attribute='uniqueMember'
// roles by user
principal.ldap.roles.by.user.search.base='o=base'
principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))'
principal.ldap.roles.by.user.attribute='mail'
// login
system.login.lowercase=true
default.user.role='UserRole'
default.admin.role='admins@solnet.cz'

login-config.xml

<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
       <module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
       <module-option name="bindDN">uid=admin,o=solnet</module-option>
       <module-option name="bindCredential">supper-safe</module-option>
       <module-option name="baseCtxDN">o=solnet</module-option>
       <module-option name="baseFilter">(uid={0})</module-option>
       <module-option name="java.naming.security.authentication">simple</module-option>
       <module-option name="java.naming.referral">follow</module-option>
       <module-option name="roleAttributeIsDN">false</module-option>
       <module-option name="matchOnUserDN">true</module-option>
       <module-option name="roleRecursion">-1</module-option>
       <module-option name="roleFilter">(&amp;(objectClass=solnetGroup)(uniqueMember={0}))</module-option>
       <module-option name="roleAttributeID">cn</module-option>
       <module-option name="rolesCtxDN">o=solnet</module-option>
       <module-option name="defaultRole">UserRole</module-option>
       <module-option name="searchScope">SUBTREE_SCOPE</module-option>
       <module-option name="allowEmptyPasswords">false</module-option>
      </login-module>
    </authentication>
</application-policy>