Difference between revisions of "Ldap-example1"

From OpenKM Documentation
Jump to: navigation, search
 
(10 intermediate revisions by the same user not shown)
Line 1: Line 1:
=== Description ===
+
OpenLDAP example.
* '''Important''' login ('''ldap://192.168.0.13:389/dc=some,dc=com''') sets default filter base queries at '''dc=some,dc=com with is concatenated by default in all filter queries '''.
 
* Roles ( groups ) filter base is '''ou=roles''' ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent.  <beans:constructor-arg value="'''ou=roles'''"/> really points to <beans:constructor-arg value="'''ou=roles,dc=some,dc=com'''"/>
 
* Users filter base is '''ou=organization''' ( real distinguised name is ou=organization,dc=some,dc=com ). Any valid user should have it as parent. <beans:constructor-arg index="0" value="'''ou=organization'''" /> to <beans:constructor-arg index="0" value="'''ou=organization,dc=some,dc=com'''" />
 
* User filter is uid={0}
 
* Finally take in consideration the value 1 at <beans:property name="groupSearchFilter" value="'''memberUid={1}'''"/>
 
  
 
=== LDAP structure ===
 
=== LDAP structure ===
Line 11: Line 6:
 
         ou=organization
 
         ou=organization
 
             cn=ROLE_ADMIN
 
             cn=ROLE_ADMIN
                 memberUID=user1
+
                 memberUid=okmAdmin
                 memberUID=user2
+
                memberUid=user1
 +
                 memberUid=user2
 
             cn=ROLE_USER
 
             cn=ROLE_USER
                 memberUID=user3
+
                 memberUid=user3
                 memberUID=user4
+
                 memberUid=user4
 
                 ...
 
                 ...
 
         ou=organization
 
         ou=organization
 
             uid=user1
 
             uid=user1
 
                 mail=user@mail.com
 
                 mail=user@mail.com
 +
                cn=User Name 1
 
             uid=user2
 
             uid=user2
 
                 mail=user2@mail.com
 
                 mail=user2@mail.com
 +
                cn=User Name 3
 
             uid=user3
 
             uid=user3
 
                 mail=user3@mail.com
 
                 mail=user3@mail.com
 +
                cn=User Name 3
 
             uid=user4
 
             uid=user4
 
                 mail=user4@mail.com
 
                 mail=user4@mail.com
 +
                cn=User Name 4
  
 
'''Valid roles:'''
 
'''Valid roles:'''
Line 43: Line 43:
 
* uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )
 
* uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )
  
== Configuration parameters ==
+
== OpenKM.xml ==
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
+
* '''Important''' login ('''ldap://192.168.0.13:389/dc=some,dc=com''') sets default filter base queries at '''dc=some,dc=com with is concatenated by default in all filter queries '''.
principal.ldap.mail.attribute=mail
+
* Roles ( groups ) filter base is '''ou=roles''' ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. <beans:constructor-arg value="'''ou=roles'''"/> really points to <beans:constructor-arg value="'''ou=roles,dc=some,dc=com'''"/>
principal.ldap.mail.search.base=dc=some,dc=com
+
* Users filter base is '''ou=organization''' ( real distinguised name is ou=organization,dc=some,dc=com ). Any valid user should have it as parent. <beans:constructor-arg index="0" value="'''ou=organization'''" /> to <beans:constructor-arg index="0" value="'''ou=organization,dc=some,dc=com'''" />
principal.ldap.mail.search.filter=(uid={0})
+
* User filter is uid={0}
principal.ldap.role.attribute=cn
+
* Finally take in consideration the value 1 at <beans:property name="groupSearchFilter" value="'''memberUid={1}'''"/>
principal.ldap.role.search.base=ou=roles,dc=some,dc=com
 
principal.ldap.role.search.filter=(objectClass=posixGroup)
 
principal.ldap.roles.by.user.attribute=cn
 
principal.ldap.roles.by.user.search.base=ou=roles,dc=some,dc=com
 
principal.ldap.roles.by.user.search.filter=(memberUid={0})
 
principal.ldap.security.credentials=xxxxxx
 
principal.ldap.security.principal=cn=Manager,dc=some,dc=com
 
principal.ldap.server=ldap://192.168.xxx.xxx:389
 
principal.ldap.user.attribute=uid
 
principal.ldap.user.search.base=ou=users,dc=some,dc=com
 
principal.ldap.user.search.filter=(objectClass=inetOrgPerson)
 
principal.ldap.users.by.role.attribute=memberUid
 
principal.ldap.users.by.role.search.base=ou=roles,dc=some,dc=com
 
principal.ldap.users.by.role.search.filter=(&(objectClass=posixGroup)(cn={0}))
 
system.login.lowercase=true
 
  
== OpenKM.xml ==
 
 
<source lang="xml">
 
<source lang="xml">
 
<?xml version="1.0" encoding="UTF-8"?>
 
<?xml version="1.0" encoding="UTF-8"?>
Line 119: Line 103:
 
      
 
      
 
</beans:beans>
 
</beans:beans>
 +
</source>
 +
 +
== Configuration parameters ==
 +
<source lang="java">
 +
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 +
system.login.lowercase=false
 +
principal.ldap.referral=
 +
 +
principal.ldap.server=ldap://192.168.xxx.xxx:389
 +
principal.ldap.security.principal=cn=Manager,dc=some,dc=com
 +
principal.ldap.security.credentials=xxxxxx
 +
 +
principal.ldap.mail.attribute=mail
 +
principal.ldap.mail.search.base=dc=some,dc=com
 +
principal.ldap.mail.search.filter=(uid={0})
 +
 +
principal.ldap.role.attribute=cn
 +
principal.ldap.role.search.base=ou=roles,dc=some,dc=com
 +
principal.ldap.role.search.filter=(objectClass=posixGroup)
 +
 +
principal.ldap.roles.by.user.attribute=cn
 +
principal.ldap.roles.by.user.search.base=ou=roles,dc=some,dc=com
 +
principal.ldap.roles.by.user.search.filter=(memberUid={0})
 +
 +
principal.ldap.user.attribute=uid
 +
principal.ldap.user.search.base=ou=users,dc=some,dc=com
 +
principal.ldap.user.search.filter=(objectClass=inetOrgPerson)
 +
 +
principal.ldap.users.by.role.attribute=memberUid
 +
principal.ldap.users.by.role.search.base=ou=roles,dc=some,dc=com
 +
principal.ldap.users.by.role.search.filter=(&(objectClass=posixGroup)(cn={0}))
 +
 +
principal.ldap.username.attribute=cn
 +
principal.ldap.username.search.base=ou=users,dc=some,dc=com
 +
principal.ldap.username.search.filter=(uid={0})
 +
</source>
  
 
[[Category: Installation Guide]]
 
[[Category: Installation Guide]]

Latest revision as of 21:22, 16 February 2013

OpenLDAP example.

LDAP structure

dc=com
    dc=some
        ou=organization
            cn=ROLE_ADMIN
                memberUid=okmAdmin
                memberUid=user1
                memberUid=user2
            cn=ROLE_USER
                memberUid=user3
                memberUid=user4
                ...
        ou=organization
            uid=user1
                mail=user@mail.com
                cn=User Name 1
            uid=user2
                mail=user2@mail.com
                cn=User Name 3
            uid=user3
                mail=user3@mail.com
                cn=User Name 3
            uid=user4
                mail=user4@mail.com
                cn=User Name 4

Valid roles:

  • cn=ROLE_X,ou=roles,dc=some,dc=com
  • cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
  • cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com

Invalid roles:

  • cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com )

Valid users:

  • uid=USER_X,ou=organization,dc=some,dc=com
  • uid=USER_Y,ou=dept id,ou=organization,dc=some,dc=com
  • uid=USER_Z,ou=dept administrator,ou=organization,dc=some,dc=com

Invalid users:

  • uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )

OpenKM.xml

  • Important login (ldap://192.168.0.13:389/dc=some,dc=com) sets default filter base queries at dc=some,dc=com with is concatenated by default in all filter queries .
  • Roles ( groups ) filter base is ou=roles ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. <beans:constructor-arg value="ou=roles"/> really points to <beans:constructor-arg value="ou=roles,dc=some,dc=com"/>
  • Users filter base is ou=organization ( real distinguised name is ou=organization,dc=some,dc=com ). Any valid user should have it as parent. <beans:constructor-arg index="0" value="ou=organization" /> to <beans:constructor-arg index="0" value="ou=organization,dc=some,dc=com" />
  • User filter is uid={0}
  • Finally take in consideration the value 1 at <beans:property name="groupSearchFilter" value="memberUid={1}"/>
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
 
  <security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  	<beans:constructor-arg value="ldap://192.168.0.13:389/dc=some,dc=com"/>
		<beans:property name="userDn" value="cn=Manager,dc=some,dc=com"/>
  	<beans:property name="password" value="******"/>
  </beans:bean>

	<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
		<beans:constructor-arg>
			<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
				<beans:constructor-arg ref="contextSource"/>
				<beans:property name="userSearch" ref="userSearch"></beans:property>
			</beans:bean>
		</beans:constructor-arg>
		<beans:constructor-arg>
			<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
				<beans:constructor-arg ref="contextSource"/>
				<beans:constructor-arg value="ou=roles"/>
				<beans:property name="groupSearchFilter" value="memberUid={1}"/>
				<beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
        
        <beans:property name="rolePrefix" value="" /> 
        
			</beans:bean>
		</beans:constructor-arg>
  </beans:bean>
  
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=organization" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
    
</beans:beans>

Configuration parameters

 principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 system.login.lowercase=false
 principal.ldap.referral=

 principal.ldap.server=ldap://192.168.xxx.xxx:389
 principal.ldap.security.principal=cn=Manager,dc=some,dc=com
 principal.ldap.security.credentials=xxxxxx

 principal.ldap.mail.attribute=mail
 principal.ldap.mail.search.base=dc=some,dc=com
 principal.ldap.mail.search.filter=(uid={0})

 principal.ldap.role.attribute=cn
 principal.ldap.role.search.base=ou=roles,dc=some,dc=com
 principal.ldap.role.search.filter=(objectClass=posixGroup)

 principal.ldap.roles.by.user.attribute=cn
 principal.ldap.roles.by.user.search.base=ou=roles,dc=some,dc=com
 principal.ldap.roles.by.user.search.filter=(memberUid={0})

 principal.ldap.user.attribute=uid
 principal.ldap.user.search.base=ou=users,dc=some,dc=com
 principal.ldap.user.search.filter=(objectClass=inetOrgPerson)

 principal.ldap.users.by.role.attribute=memberUid
 principal.ldap.users.by.role.search.base=ou=roles,dc=some,dc=com
 principal.ldap.users.by.role.search.filter=(&(objectClass=posixGroup)(cn={0}))

 principal.ldap.username.attribute=cn
 principal.ldap.username.search.base=ou=users,dc=some,dc=com
 principal.ldap.username.search.filter=(uid={0})