Difference between revisions of "Active Directory"

From OpenKM Documentation

Revision as of 20:31, 16 November 2010

To configure Active Directory you must edit the OpenKM.cfg configuration file and the login-config.xml file, both of which can be found in $JBOSS_HOME/server/default/conf. After either change you need to restart the JBoss server.

OpenKM.cfg file example (you must replace the 192.168.0.6, Administrador, password and weyler values with those of your Active Directory):

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,cn=users,dc=weyler,dc=local
principal.ldap.security.credentials=password
principal.ldap.user.search.base=cn=users,dc=weyler,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn
principal.ldap.role.search.base=cn=users,dc=weyler,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.attribute=mail
system.login.lowercase=on

For OpenKM 4.1 and older, the adapter class and the attribute property names differ (note the spelling atribute, which is how those versions name the properties):

principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.user.atribute=cn
principal.ldap.role.atribute=cn
principal.ldap.mail.atribute=mail

With Active Directory (Windows) it is important that all user logins are in lower case; for this purpose we enable the

system.login.lowercase=on

property in OpenKM.cfg. The reason is simple: Windows does not distinguish between upper and lower case when validating a user name, so without this normalisation the same account could be presented to OpenKM under several spellings.

login-config.xml file example (you must replace the 192.168.0.6, Administrador, password and weyler values with those of your Active Directory):

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

If you want to restrict which users can log into OpenKM, change these two properties in OpenKM.cfg:

principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,DC=weyler,DC=local))

This means that only members of the UserRole group will be shown as valid OpenKM users, and only groups that are themselves members of the OpenKM group will be shown as roles in OpenKM.

Also replace the baseFilter option in login-config.xml with this one (note that the & of the LDAP filter must be written as &amp; inside XML):

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>

And remove this one:

<module-option name="defaultRole">UserRole</module-option>

All this means that only members of the UserRole group are able to log into OpenKM.
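As an added check (example code written for this page, not OpenKM's own), the following Python script cross-checks an OpenKM.cfg against a login-config.xml to confirm that the group restriction above is applied on both sides, that defaultRole has been removed, that allowEmptyPasswords stays false and that lowercase logins are on. The sample inputs are constructed from the page's examples and the finding codes are my own naming.

```python
import re
import xml.etree.ElementTree as ET
# Constructed sample inputs modelled on the page's examples (weyler.local is the page's own placeholder domain).
OPENKM_CFG = """\
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))
system.login.lowercase=on
"""
LOGIN_CONFIG_XML = """\
<application-policy name="OpenKM"><authentication>
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
    <module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>
    <module-option name="defaultRole">UserRole</module-option>
    <module-option name="allowEmptyPasswords">false</module-option>
  </login-module>
</authentication></application-policy>
"""
MEMBEROF_RE = re.compile(r"\(memberOf=([^)]+)\)", re.IGNORECASE)

def parse_properties(text):
    """Minimal Java .properties reader: key=value per line, '#' lines ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def parse_module_options(xml_text):
    """Map module-option name -> text; ElementTree decodes &amp; back to '&'."""
    root = ET.fromstring(xml_text)
    return {o.get("name"): (o.text or "").strip() for o in root.iter("module-option")}

def check_ad_config(cfg_text, xml_text):
    """Return finding codes; an empty list means both files enforce the same restriction."""
    cfg, opts = parse_properties(cfg_text), parse_module_options(xml_text)
    findings = []
    cfg_group = MEMBEROF_RE.search(cfg.get("principal.ldap.user.search.filter", ""))
    jaas_group = MEMBEROF_RE.search(opts.get("baseFilter", ""))
    if cfg_group and not jaas_group:
        findings.append("baseFilter-unrestricted")  # JAAS would still authenticate any AD user
    elif cfg_group and jaas_group and cfg_group.group(1).lower() != jaas_group.group(1).lower():
        findings.append("group-mismatch")           # both restrict, but to different groups
    if cfg_group and "defaultRole" in opts:
        findings.append("defaultRole-present")      # page says to remove it when restricting
    if opts.get("allowEmptyPasswords", "").lower() != "false":
        findings.append("allowEmptyPasswords")      # an empty password would bind anonymously
    if cfg.get("system.login.lowercase") != "on":
        findings.append("lowercase-off")            # AD user names are case-insensitive
    return findings
```

Run against the samples it reports only defaultRole-present, which is exactly the line the page tells you to remove.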

Enable debug at login process

It is good practice to enable login debugging whenever you change the authentication mechanism. Edit the file /server/default/conf/jboss-log4j.xml and add this category (remember that you must restart JBoss for it to take effect):

<category name="org.jboss.security">
  <priority value="DEBUG" />
</category>

Active directory utility

We recommend taking a look at the Active Directory Explorer utility [http://technet.microsoft.com/en-us/sysinternals/bb963907.aspx]

See also: