Difference between revisions of "Ldap-example2"
From OpenKM Documentation
| Line 39: | Line 39: | ||
mail=user4@mail.com | mail=user4@mail.com | ||
cn=User Name 4 | cn=User Name 4 | ||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
== OpenKM.xml == | == OpenKM.xml == | ||
| Line 124: | Line 89: | ||
<beans:property name="searchSubtree" value="true" /> | <beans:property name="searchSubtree" value="true" /> | ||
</beans:bean> | </beans:bean> | ||
| + | </source> | ||
| + | |||
| + | == Configuration parameters == | ||
| + | <source lang="java"> | ||
| + | principal.adapter=com.openkm.principal.LdapPrincipalAdapter | ||
| + | system.login.lowercase=true | ||
| + | principal.ldap.referral=follow | ||
| + | |||
| + | principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com | ||
| + | principal.ldap.server=ldap://192.168.xxx.xxx:389 | ||
| + | principal.ldap.security.credentials=***** | ||
| + | |||
| + | principal.ldap.mail.attribute=mail | ||
| + | principal.ldap.mail.search.base=DC=company,DC=com | ||
| + | principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0})) | ||
| + | |||
| + | principal.ldap.role.attribute=cn | ||
| + | principal.ldap.role.search.base=DC=company,DC=com | ||
| + | principal.ldap.role.search.filter=(objectclass=group) | ||
| + | |||
| + | principal.ldap.roles.by.user.attribute=memberOf | ||
| + | principal.ldap.roles.by.user.search.base=DC=company,DC=com | ||
| + | principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0})) | ||
| + | |||
| + | principal.ldap.user.attribute=sAMAccountName | ||
| + | principal.ldap.user.search.base=DC=company,DC=com | ||
| + | principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com)(memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com))) | ||
| + | |||
| + | principal.ldap.username.attribute=sAMAccountName | ||
| + | principal.ldap.username.search.base=DC=company,DC=com | ||
| + | principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0})) | ||
| + | |||
| + | principal.ldap.users.by.role.attribute=member | ||
| + | principal.ldap.users.by.role.search.base=DC=company,DC=com | ||
| + | principal.ldap.users.by.role.search.filter=(&(objectClass=group)(CN={0})) | ||
</source> | </source> | ||
[[Category: Installation Guide]] | [[Category: Installation Guide]] | ||
Revision as of 22:04, 16 February 2013
Description
- Parameter follow indicates several domains servers working together ( balanced ). Should be configured in OpenKM.xml and configuration parameters.
- Users can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.user.search.base=DC=company,DC=com.
- Roles can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.role.search.base=DC=company,DC=com.
- Any user athenticated in active directory can login because has not any filtering clausule in OpenKM.xml <beans:constructor-arg index="1" value="sAMAccountName={0}" />
LDAP structure
dc=com
dc=company
ou=OPENKM
cn=ROLE_ADMIN
member=okmAdmin
member=user1
member=user2
cn=ROLE_USER
member=user3
member=user4
...
ou=organization1
sAMAccountName=okmAdmin
memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
mail=user@mail.com
cn=OpenKM Administrator
sAMAccountName=user1
memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
mail=user@mail.com
cn=User Name 1
sAMAccountName=user2
memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
mail=user2@mail.com
cn=User Name 3
ou=organization2
sAMAccountName=user3
memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
mail=user3@mail.com
cn=User Name 3
sAMAccountName=user4
memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
mail=user4@mail.com
cn=User Name 4
OpenKM.xml
<!-- LDAP Complex -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.xxx.xxx:389"/>
<beans:property name="userDn" value="CN=Administrator,OU=OPENKM,DC=company,DC=com"/>
<beans:property name="password" value="****"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="DC=company,DC=com"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="false" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="DC=company,DC=com" />
<beans:constructor-arg index="1" value="sAMAccountName={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
Configuration parameters
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase=true
principal.ldap.referral=follow
principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
principal.ldap.server=ldap://192.168.xxx.xxx:389
principal.ldap.security.credentials=*****
principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=DC=company,DC=com
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=DC=company,DC=com
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.roles.by.user.search.base=DC=company,DC=com
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=DC=company,DC=com
principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com)(memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com)))
principal.ldap.username.attribute=sAMAccountName
principal.ldap.username.search.base=DC=company,DC=com
principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute=member
principal.ldap.users.by.role.search.base=DC=company,DC=com
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(CN={0}))
