LDAP and Active Directory uniqueMember user examples
LDAP example with uniqueMember
We use users and roles from LDAP. Our LDAP schema stores group membership in the uniqueMember attribute (groupOfUniqueNames) rather than in memberUid, see:
http://tools.ietf.org/html/rfc4519#section-2.40
To use uniqueMember instead of memberUid, you need this patch: File:OpenKM-uniqueMember.rep.
1) The patch allows {1} to be used in principal.ldap.roles.by.user.search.filter; it is replaced with the DN of the user's LDAP entry (which is what uniqueMember holds, unlike the login name substituted for {0}), for example: principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))';
2) If you set principal.ldap.users.by.role.attribute='uniqueMember', the patch resolves each uniqueMember value (the DN of a user entry in LDAP) to the value of principal.ldap.user.attribute in the entry with that DN. It does this by searching the LDAP subtree under that DN with the filter given in principal.ldap.user.filter and returning the attribute named by principal.ldap.user.attribute.
LDAP Structure
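# Group entries. Membership is expressed as uniqueMember values holding the full
# DN of each user entry (groupOfUniqueNames), not as memberUid.
# Entries in LDIF must be separated by a blank line (RFC 2849); the separators
# were missing in the original listing.
dn: cn=admins@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: admins@solnet.cz
# Every DN listed in this group receives OpenKM administrator rights
# (default.admin.role='admins@solnet.cz' in the configuration below).
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

dn: cn=users@solnet.cz,ou=Groups,dc=solnet,dc=cz,o=solnet
objectClass: posixGroup
objectClass: groupOfUniqueNames
cn: users@solnet.cz
uniqueMember: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uniqueMember: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet

# User entries. Only the attributes relevant to this example are shown; the
# user search filters in the configuration below additionally require
# objectClass posixAccount and inetAuthorizedServices=openkm on each user
# entry, which are not listed here.
dn: uid=jack@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: jack@solnet.cz
displayName: Jack Davis

dn: uid=joe@solnet.cz,ou=People,dc=solnet,dc=cz,o=solnet
uid: joe@solnet.cz
displayName: Joe Davis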
Configuration parameters
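principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users=true
// ldap
// NOTE: principal.adapter is assigned twice in this example (unquoted above,
// quoted here). If the file is loaded as java.util.Properties the last
// assignment wins; keep a single form to avoid ambiguity.
principal.adapter='com.openkm.principal.LdapPrincipalAdapter'
// Prefer ldaps:// (or StartTLS) outside a loopback-only test setup: over plain
// ldap:// the bind credentials below and every attribute read travel in cleartext.
principal.ldap.server='ldap://localhost:389'
// Service account OpenKM binds with for all searches. Use a dedicated read-only
// account rather than the directory administrator. The password is stored in
// cleartext here, so restrict the file's permissions accordingly. Note that
// login-config.xml below binds as uid=admin,o=solnet / 'supper-safe'; one of the
// two is presumably a typo.
principal.ldap.security.principal='uid=admin,o=base'
principal.ldap.security.credentials='super-safe'
// user
// {0} in the filters below is replaced at runtime with the login name or role name
// being looked up. Make sure the adapter escapes the RFC 4515 special characters
// ( ) * \ NUL in that value before substitution, otherwise a crafted login name can
// alter the filter -- confirm in LdapPrincipalAdapter.
principal.ldap.user.search.base='o=base'
principal.ldap.user.search.filter='(&(objectClass=posixAccount)(inetAuthorizedServices=openkm))'
principal.ldap.user.attribute='uid'
// user name
principal.ldap.username.search.base='o=base'
principal.ldap.username.search.filter='(&(objectclass=posixAccount)(inetAuthorizedServices=openkm)(uid={0}))'
principal.ldap.username.attribute='displayName'
// role
principal.ldap.role.search.base='o=base'
principal.ldap.role.search.filter='(objectClass=posixGroup)'
principal.ldap.role.attribute='cn'
// mail
principal.ldap.mail.search.base='o=base'
principal.ldap.mail.search.filter='(&(objectclass=inetMailUser)(uid={0}))'
principal.ldap.mail.attribute='mail'
// users by role
principal.ldap.users.by.role.search.base='o=base'
principal.ldap.users.by.role.search.filter='(&(objectClass=posixGroup)(cn={0}))'
// uniqueMember holds user DNs; with the uniqueMember patch each DN is resolved to
// the user's principal.ldap.user.attribute (uid) value.
principal.ldap.users.by.role.attribute='uniqueMember'
// roles by user
principal.ldap.roles.by.user.search.base='o=base'
// {1} (added by the uniqueMember patch) is the DN of the user's entry, which is
// what groupOfUniqueNames stores in uniqueMember; {0} would be the bare login
// name and would never match a DN value.
principal.ldap.roles.by.user.search.filter='(&(objectClass=posixGroup)(uniqueMember={1}))'
// FIX: the attribute read from each matching group must be the role name ('cn',
// consistent with principal.ldap.role.attribute). The group entries in the LDAP
// structure above carry no 'mail' attribute, so 'mail' yielded no roles.
principal.ldap.roles.by.user.attribute='cn'
// login
system.login.lowercase=true
default.user.role='UserRole'
// Every uniqueMember of this LDAP group becomes an OpenKM administrator.
default.admin.role='admins@solnet.cz'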
login-config.xml
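<!-- JBoss JAAS policy used by OpenKM to authenticate users against LDAP.
     LdapPrincipalAdapter (configuration above) only enumerates users and roles;
     this login module is what actually validates the user's password. -->
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <!-- Plain ldap:// with simple authentication sends the bind password and every
           user's login password in cleartext; use ldaps:// (or StartTLS) outside a
           loopback-only test setup. -->
      <module-option name="java.naming.provider.url">ldap://127.0.0.1:389</module-option>
      <!-- Service account used to look up the user's DN before the user's own bind.
           Prefer a dedicated read-only account; the password is stored in cleartext.
           The OpenKM configuration above binds as uid=admin,o=base / 'super-safe';
           one of the two is presumably a typo. -->
      <module-option name="bindDN">uid=admin,o=solnet</module-option>
      <module-option name="bindCredential">supper-safe</module-option>
      <module-option name="baseCtxDN">o=solnet</module-option>
      <!-- {0} is the login name entered by the user. -->
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <!-- 'follow' lets the module chase referrals to whatever hosts the directory
           names; use 'ignore' unless referrals are actually needed. -->
      <module-option name="java.naming.referral">follow</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <!-- matchOnUserDN is an LdapLoginModule option; as far as I can tell it is not
           read by LdapExtLoginModule, which uses the {1} placeholder instead (below). -->
      <module-option name="matchOnUserDN">true</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <!-- FIX: '&' must be written as '&amp;' inside XML text, otherwise the file is
           not well-formed. Per the JBoss LdapExtLoginModule documentation, {0} is the
           username and {1} is the authenticated user's DN; uniqueMember holds DNs, so
           {0} would never match. objectClass=solnetGroup does not appear in the LDAP
           structure above (posixGroup / groupOfUniqueNames); confirm it exists in the
           schema or use objectClass=posixGroup. -->
      <module-option name="roleFilter">(&amp;(objectClass=solnetGroup)(uniqueMember={1}))</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="rolesCtxDN">o=solnet</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <!-- Keep false: an empty password would otherwise be sent as an LDAP
           unauthenticated bind, which many servers accept, logging the user in
           without a password. -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>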