Difference between revisions of "Ldap-example2"

Latest revision as of 10:45, 12 March 2013

Active directory connection which allows to connect any active directory authenticated user. Example covers the case when more than one active directory domains works together and is needed parameter follow.

LDAP structure

dc=com
    dc=company
        ou=OPENKM
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
                member=user2
            cn=ROLE_USER
                member=user3
                member=user4
            cn=ROLE_XXXX
            cn=ROLE_YYYY
                ...
        ou=organization1
            sAMAccountName=okmAdmin
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
                mail=user2@mail.com
                cn=User Name 3
        ou=organization2
            sAMAccountName=user3
                memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
                mail=user3@mail.com
                cn=User Name 3
            sAMAccountName=user4
                memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
                mail=user4@mail.com
                cn=User Name 4

Valid groups:

cn=ROLE_ADMIN,ou=OPENKM,dc=company,dc=com
cn=ROLE_USER,ou=OPENKM,dc=company,dc=com
cn=ROLE_XXXX,ou=OPENKM,dc=company,dc=com
cn=ROLE_YYYY,ou=OPENKM,dc=company,dc=com

Valid users:

cn=user1,ou=organization1,dc=company,dc=com
cn=user2,ou=organization1,dc=company,dc=com
cn=user3,ou=organization2,dc=company,dc=com
cn=user4,ou=organization2,dc=company,dc=com

Any distinguished name include by default dc=company,dc=com

OpenKM.xml

Parameter follow indicate several domains servers working together ( balanced ).
Users defined in any active directory node will be able to login, because has defined DC=company,DC=com as base filter, <beans:constructor-arg index="0" value="DC=company,DC=com" />.
Any user athenticated in active directory can login because has not any filtering clausule in <beans:constructor-arg index="1" value="sAMAccountName={0}" />
Groups readed by OpenKM can be defined in any active directory node, because has defined DC=company,DC=com as base filter, <beans:constructor-arg value="DC=company,DC=com"/>.

<!-- LDAP Complex -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://192.168.xxx.xxx:389"/>
    <beans:property name="userDn" value="CN=Administrator,OU=OPENKM,DC=company,DC=com"/>
    <beans:property name="password" value="****"/>
    <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>
 
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="DC=company,DC=com"/>
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <beans:property name="rolePrefix" value="" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="DC=company,DC=com" />
    <beans:constructor-arg index="1" value="sAMAccountName={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

Configuration parameters

Parameter follow indicate several domains servers working together ( balanced ). principal.ldap.referral=follow
Users can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.user.search.base=DC=company,DC=com.
All active directory users will be listed, because has not applied any filter restriction principal.ldap.user.search.filter=(objectclass=user)
Groups can be defined in any active directory node, because has defined DC=company,DC=com as base filter, principal.ldap.role.search.base=DC=company,DC=com.
All active directory groups will be listed, because has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group)

 principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 system.login.lowercase=true
 principal.ldap.referral=follow

 principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
 principal.ldap.server=ldap://192.168.xxx.xxx:389
 principal.ldap.security.credentials=*****

 principal.ldap.mail.attribute=mail
 principal.ldap.mail.search.base=DC=company,DC=com
 principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))

 principal.ldap.role.attribute=cn
 principal.ldap.role.search.base=DC=company,DC=com
 principal.ldap.role.search.filter=(objectclass=group)

 principal.ldap.roles.by.user.attribute=memberOf
 principal.ldap.roles.by.user.search.base=DC=company,DC=com
 principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))

 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(objectclass=user)

 principal.ldap.username.attribute=cn
 principal.ldap.username.search.base=DC=company,DC=com
 principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))

 principal.ldap.users.by.role.attribute=member
 principal.ldap.users.by.role.search.base=DC=company,DC=com
 principal.ldap.users.by.role.search.filter=(&(objectClass=group)(CN={0}))

@@ Line 1: / Line 1: @@
-== Description ==
+Active directory connection which allows to connect any active directory authenticated user. Example covers the case when more than one active directory domains works together and is needed parameter follow.
-* Parameter '''follow''' indicates several domains servers working together ( balanced ). Should be configured in OpenKM.xml and configuration parameters.
-* Users can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''principal.ldap.user.search.base=DC=company,DC=com'''.
-* Roles can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''principal.ldap.role.search.base=DC=company,DC=com'''.
-=== LDAP structure ===
+== LDAP structure ==
   dc=com
       dc=company
@@ Line 16: / Line 12: @@
                   member=user3
                   member=user4
+             cn=ROLE_XXXX
+             cn=ROLE_YYYY
                   ...
           ou=organization1
               sAMAccountName=okmAdmin
                   memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
-                  mail=user@mail.com
+                  mail=okmAdmin@mail.com
                   cn=OpenKM Administrator
               sAMAccountName=user1
                   memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
-                  mail=user@mail.com
+                  mail=user1@mail.com
                   cn=User Name 1
               sAMAccountName=user2
@@ Line 39: / Line 37: @@
                   mail=user4@mail.com
                   cn=User Name 4
+'''Valid groups:'''
+* cn=ROLE_ADMIN,'''ou=OPENKM,dc=company,dc=com'''
+* cn=ROLE_USER,'''ou=OPENKM,dc=company,dc=com'''
+* cn=ROLE_XXXX,'''ou=OPENKM,dc=company,dc=com'''
+* cn=ROLE_YYYY,'''ou=OPENKM,dc=company,dc=com'''
+'''Valid users:'''
+* cn=user1,'''ou=organization1,dc=company,dc=com'''
+* cn=user2,'''ou=organization1,dc=company,dc=com'''
+* cn=user3,'''ou=organization2,dc=company,dc=com'''
+* cn=user4,'''ou=organization2,dc=company,dc=com'''
+{{Note|Any distinguished name include by default '''<nowiki>dc=company,dc=com</nowiki>'''}}
 == OpenKM.xml ==
+* Parameter '''follow''' indicate several domains servers working together ( balanced ).
+* Users defined in any active directory node will be able to login, because has defined DC=company,DC=com as base filter, '''<beans:constructor-arg index="0" value="DC=company,DC=com" />'''.
+* Any user athenticated in active directory can login because has not any filtering clausule in '''<beans:constructor-arg index="1" value="sAMAccountName={0}" />'''
+* Groups readed by OpenKM can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''<beans:constructor-arg value="DC=company,DC=com"/>'''.
 <source lang="xml">
 <!-- LDAP Complex -->
@@ Line 91: / Line 108: @@
 </source>
 == Configuration parameters ==
+* Parameter '''follow''' indicate several domains servers working together ( balanced ). '''principal.ldap.referral=follow'''
+* Users can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''principal.ldap.user.search.base=DC=company,DC=com'''.
+* All active directory users will be listed, because has not applied any filter restriction '''principal.ldap.user.search.filter=(objectclass=user)'''
+* Groups can be defined in any active directory node, because has defined DC=company,DC=com as base filter, '''principal.ldap.role.search.base=DC=company,DC=com'''.
+* All active directory groups will be listed, because has not applied any filter restriction '''principal.ldap.role.search.filter=(objectclass=group)'''
 <source lang="java">
   principal.adapter=com.openkm.principal.LdapPrincipalAdapter
@@ Line 115: / Line 138: @@
   principal.ldap.user.attribute=sAMAccountName
   principal.ldap.user.search.base=DC=company,DC=com
-  principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com)(memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com)))
+  principal.ldap.user.search.filter=(objectclass=user)
-  principal.ldap.username.attribute=sAMAccountName
+  principal.ldap.username.attribute=cn
   principal.ldap.username.search.base=DC=company,DC=com
   principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))

Difference between revisions of "Ldap-example2"

Latest revision as of 10:45, 12 March 2013

LDAP structure

OpenKM.xml

Configuration parameters

Navigation menu

Views

Personal tools

Navigation

Search

Tools