Active Directory basic configuration
This is the suggested configuration to be used when roles and users are both defined in the same node, otherwise, refer to another example.
LDAP structure
dc=com
dc=company
cn=users
cn=ROLE_ADMIN
member=okmAdmin
member=user1
cn=ROLE_USER
member=user3
cn=ROLE_XXXX
member=user2
cn=ROLE_YYYY
member=user4
...
sAMAccountName=okmAdmin
memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
userPrincipalName=okmAdmin@mail.com
cn=OpenKM Administrator
sAMAccountName=user1
memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
userPrincipalName=user1@mail.com
cn=User Name 1
sAMAccountName=user2
memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com
userPrincipalName=user2@mail.com
cn=User Name 3
Configuration parameters
- User members of ROLE_ADMIN or ROLE_USER are created into users node ( these should be the distinguished names CN=ROLE_ADMIN,cn=users,DC=company,DC=com and CN=ROLE_USER,cn=users,DC=company,DC=com).
- Groups can be created on any Active Directory node, because DC=company,DC=com is set as base filter, principal.ldap.role.search.base=DC=company,DC=com.
- All Active Directory groups will be listed because it has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group).
Go to Administration > Configuration parameters:
Field / Property | Type | Description |
---|---|---|
principal.adapter | String |
com.openkm.principal.LdapPrincipalAdapter |
system.login.lowercase | String |
true |
principal.ldap.server | String |
ldap://192.168.0.6:389 |
principal.ldap.security.principal | String |
CN=Administrator,cn=users,dc=company,dc=local |
principal.ldap.security.credentials | String |
password |
principal.ldap.referral | String |
|
principal.ldap.users.from.roles | Boolean |
false |
principal.ldap.user.attribute | String |
sAMAccountName |
principal.ldap.user.search.base |
List |
cn=users,dc=company,dc=local |
principal.ldap.user.search.filter |
String |
(objectclass=person) |
principal.ldap.username.attribute |
String |
cn |
principal.ldap.username.search.base |
String |
cn=users,dc=company,dc=local |
principal.ldap.username.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
principal.ldap.mail.attribute |
String |
|
principal.ldap.mail.search.base |
String |
cn=users,dc=company,dc=local |
principal.ldap.mail.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
principal.ldap.role.attribute |
String |
cn |
principal.ldap.role.search.base |
List |
cn=users,dc=company,dc=local |
principal.ldap.role.search.filter |
String |
(objectclass=group) |
principal.ldap.roles.by.user.attribute |
String |
memberOf |
principal.ldap.roles.by.user.search.base |
String |
DC=company,DC=com |
principal.ldap.roles.by.user.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
principal.ldap.users.by.role.attribute |
String |
member |
principal.ldap.users.by.role.search.base |
String |
cn={0},cn=users,dc=company,dc=local |
principal.ldap.users.by.role.search.filter |
String |
(objectclass=group) |
OpenKM.xml
<security:ldap-server id="ldapServer"
url="ldap://192.168.0.6:389/DC=ldap,dc=company,dc=local"
manager-dn="CN=Administrator,cn=users,dc=company,dc=local"
manager-password="password"/>
<security:authentication-manager alias="authenticationManager">
<security:ldap-authentication-provider
server-ref="ldapServer"
user-search-base="cn=Users"
user-search-filter="(sAMAccountName={0})"
group-search-base="cn=Users"
group-search-filter="(member={0})"
group-role-attribute="cn"
role-prefix="none">
</security:ldap-authentication-provider>
</security:authentication-manager>