Active Directory basic configuration

This is the suggested configuration when roles and users are both defined in the same node; otherwise, refer to another example.

LDAP structure

dc=com
    dc=company
        cn=users
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
            cn=ROLE_USER
                member=user3
            cn=ROLE_XXXX
                member=user2
            cn=ROLE_YYYY
                member=user4
                ...
            sAMAccountName=okmAdmin
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com
                userPrincipalName=user2@mail.com
                cn=User Name 3

Configuration parameters

  • Users that are members of ROLE_ADMIN or ROLE_USER are created in the users node (the distinguished names are CN=ROLE_ADMIN,cn=users,DC=company,DC=com and CN=ROLE_USER,cn=users,DC=company,DC=com).
  • Groups can be created in any Active Directory node, because DC=company,DC=com is set as the role search base: principal.ldap.role.search.base=DC=company,DC=com.
  • All Active Directory groups will be listed, because no restriction is applied beyond principal.ldap.role.search.filter=(objectclass=group).

Go to Administration > Configuration parameters:

Field / Property                            Type     Description
principal.adapter                           String   com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase                      String   true
principal.ldap.server                       String   ldap://192.168.0.6:389
principal.ldap.security.principal           String   CN=Administrator,cn=users,dc=company,dc=local
principal.ldap.security.credentials         String   password
principal.ldap.referral                     String
principal.ldap.users.from.roles             Boolean  false
principal.ldap.user.attribute               String   sAMAccountName
principal.ldap.user.search.base             List     cn=users,dc=company,dc=local
principal.ldap.user.search.filter           String   (objectclass=person)
principal.ldap.username.attribute           String   cn
principal.ldap.username.search.base         String   cn=users,dc=company,dc=local
principal.ldap.username.search.filter       String   (&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute               String   mail
principal.ldap.mail.search.base             String   cn=users,dc=company,dc=local
principal.ldap.mail.search.filter           String   (&(objectClass=person)(sAMAccountName={0}))
principal.ldap.role.attribute               String   cn
principal.ldap.role.search.base             List     cn=users,dc=company,dc=local
principal.ldap.role.search.filter           String   (objectclass=group)
principal.ldap.roles.by.user.attribute      String   memberOf
principal.ldap.roles.by.user.search.base    String   DC=company,DC=com
principal.ldap.roles.by.user.search.filter  String   (&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute      String   member
principal.ldap.users.by.role.search.base    String   cn={0},cn=users,dc=company,dc=local
principal.ldap.users.by.role.search.filter  String   (objectclass=group)
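To make the roles.by.user.* parameters concrete, the following added example (not OpenKM code) resolves a login to role names over an in-memory copy of the page's LDAP structure: it lowercases the login as system.login.lowercase=true implies, fills the {0} placeholder of the search filter with the value escaped per RFC 4515, searches under the configured base, and reads the cn of each memberOf DN as the role name. The directory entries are constructed from the tree above, and the filter evaluator only supports the two filter shapes the page uses.

```python
import re

# Parameter values copied from the configuration table above.
LOGIN_LOWERCASE = True                                   # system.login.lowercase
ROLES_BY_USER_ATTR = "memberOf"                          # principal.ldap.roles.by.user.attribute
ROLES_BY_USER_BASE = "DC=company,DC=com"                 # principal.ldap.roles.by.user.search.base
ROLES_BY_USER_FILTER = "(&(objectClass=person)(sAMAccountName={0}))"  # ...roles.by.user.search.filter
ROLE_ATTR = "cn"                                         # principal.ldap.role.attribute

# Constructed in-memory stand-in for the page's example tree; no real AD is contacted.
DIRECTORY = {
    "cn=OpenKM Administrator,cn=users,dc=company,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["okmAdmin"],
        "memberOf": ["cn=ROLE_ADMIN,cn=users,dc=company,dc=com"]},
    "cn=User Name 3,cn=users,dc=company,dc=com": {
        "objectClass": ["person"], "sAMAccountName": ["user2"],
        "memberOf": ["cn=ROLE_USER,cn=users,dc=company,dc=com"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping: the login is only ever compared, it cannot reshape the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def render_filter(template, login):
    if LOGIN_LOWERCASE:
        login = login.lower()
    return template.replace("{0}", escape_filter_value(login))

def matches(entry, filt):
    """Evaluate the two filter shapes on the page: (attr=value) and (&(...)(...))."""
    if filt.startswith("(&"):
        return all(matches(entry, "(%s)" % p) for p in re.findall(r"\(([^()]*)\)", filt[2:-1]))
    attr, _, value = filt[1:-1].partition("=")
    value = re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m.group(1), 16)), value)  # undo escaping
    stored = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in stored)   # AD attribute matching is case-insensitive

def search(base, filt):
    """Subtree search: entries under base whose attributes satisfy filt."""
    return [e for dn, e in DIRECTORY.items() if dn.lower().endswith(base.lower()) and matches(e, filt)]

def roles_by_user(login):
    """Login -> sorted OpenKM role names, following the roles.by.user.* parameters."""
    hits = search(ROLES_BY_USER_BASE, render_filter(ROLES_BY_USER_FILTER, login))
    roles = set()
    for entry in hits:
        for group_dn in entry.get(ROLES_BY_USER_ATTR, []):
            rdn_attr, _, rdn_value = group_dn.split(",", 1)[0].partition("=")
            if rdn_attr.lower() == ROLE_ATTR:    # principal.ldap.role.attribute = cn
                roles.add(rdn_value)
    return sorted(roles)
```

Because sAMAccountName matching is case-insensitive on the directory side, the lowercased login still finds the mixed-case okmAdmin entry, which is why system.login.lowercase=true is safe to combine with this filter.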

OpenKM.xml

<security:ldap-server id="ldapServer"
  url="ldap://192.168.0.6:389/DC=ldap,dc=company,dc=local"
  manager-dn="CN=Administrator,cn=users,dc=company,dc=local"
  manager-password="password"/>

<security:authentication-manager alias="authenticationManager">
  <security:ldap-authentication-provider
    server-ref="ldapServer"
    user-search-base="cn=Users"
    user-search-filter="(sAMAccountName={0})"
    group-search-base="cn=Users"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="none">
  </security:ldap-authentication-provider>
</security:authentication-manager>