dc=com
    dc=company
        cn=users
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
            cn=ROLE_USER
                member=user3
            cn=ROLE_XXXX
                member=user2
            cn=ROLE_YYYY
                member=user4
                ...
            sAMAccountName=okmAdmin
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com
                userPrincipalName=user2@mail.com
                cn=User Name 3

Configuration parameters

User members of ROLE_ADMIN or ROLE_USER are created into users node ( these should be the distinguished names CN=ROLE_ADMIN,cn=users,DC=company,DC=com and CN=ROLE_USER,cn=users,DC=company,DC=com).
Groups can be created on any Active Directory node, because DC=company,DC=com is set as base filter, principal.ldap.role.search.base=DC=company,DC=com.
All Active Directory groups will be listed because it has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group).

Go to Administration > Configuration parameters:

Field / Property	Type	Description
principal.adapter	String	com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase	String	true
principal.ldap.server	String	ldap://192.168.0.6:389
principal.ldap.security.principal	String	CN=Administrator,cn=users,dc=company,dc=local
principal.ldap.security.credentials	String	password
principal.ldap.referral	String
principal.ldap.users.from.roles	Boolean	false
principal.ldap.user.attribute	String	sAMAccountName
principal.ldap.user.search.base	List	cn=users,dc=company,dc=local
principal.ldap.user.search.filter	String	(objectclass=person)
principal.ldap.username.attribute	String	cn
principal.ldap.username.search.base	String	cn=users,dc=company,dc=local
principal.ldap.username.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute	String	mail
principal.ldap.mail.search.base	String	cn=users,dc=company,dc=local
principal.ldap.mail.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.role.attribute	String	cn
principal.ldap.role.search.base	List	cn=users,dc=company,dc=local
principal.ldap.role.search.filter	String	(objectclass=group)
principal.ldap.roles.by.user.attribute	String	memberOf
principal.ldap.roles.by.user.search.base	String	DC=company,DC=com
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	String	member
principal.ldap.users.by.role.search.base	String	cn={0},cn=users,dc=company,dc=local
principal.ldap.users.by.role.search.filter	String	(objectclass=group)

OpenKM.xml

<security:ldap-server id="ldapServer"
  url="ldap://192.168.0.6:389/DC=ldap,dc=company,dc=local"
  manager-dn="CN=Administrator,cn=users,dc=company,dc=local"
  manager-password="password"/>

<security:authentication-manager alias="authenticationManager">
  <security:ldap-authentication-provider
    server-ref="ldapServer"
    user-search-base="cn=Users"
    user-search-filter="(sAMAccountName={0})"
    group-search-base="cn=Users"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="none">
  </security:ldap-authentication-provider>
</security:authentication-manager>

Table of contents [ Hide Show ]

LDAP structure
Configuration parameters
OpenKM.xml

Active Directory basic configuration

This is the suggested configuration to be used when roles and users are both defined in the same node, otherwise, refer to another example.

LDAP structure

dc=com
    dc=company
        cn=users
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
            cn=ROLE_USER
                member=user3
            cn=ROLE_XXXX
                member=user2
            cn=ROLE_YYYY
                member=user4
                ...
            sAMAccountName=okmAdmin
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com
                userPrincipalName=user2@mail.com
                cn=User Name 3

Configuration parameters

User members of ROLE_ADMIN or ROLE_USER are created into users node ( these should be the distinguished names CN=ROLE_ADMIN,cn=users,DC=company,DC=com and CN=ROLE_USER,cn=users,DC=company,DC=com).
Groups can be created on any Active Directory node, because DC=company,DC=com is set as base filter, principal.ldap.role.search.base=DC=company,DC=com.
All Active Directory groups will be listed because it has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group).

Go to Administration > Configuration parameters:

Field / Property	Type	Description
principal.adapter	String	com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase	String	true
principal.ldap.server	String	ldap://192.168.0.6:389
principal.ldap.security.principal	String	CN=Administrator,cn=users,dc=company,dc=local
principal.ldap.security.credentials	String	password
principal.ldap.referral	String
principal.ldap.users.from.roles	Boolean	false
principal.ldap.user.attribute	String	sAMAccountName
principal.ldap.user.search.base	List	cn=users,dc=company,dc=local
principal.ldap.user.search.filter	String	(objectclass=person)
principal.ldap.username.attribute	String	cn
principal.ldap.username.search.base	String	cn=users,dc=company,dc=local
principal.ldap.username.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute	String	mail
principal.ldap.mail.search.base	String	cn=users,dc=company,dc=local
principal.ldap.mail.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.role.attribute	String	cn
principal.ldap.role.search.base	List	cn=users,dc=company,dc=local
principal.ldap.role.search.filter	String	(objectclass=group)
principal.ldap.roles.by.user.attribute	String	memberOf
principal.ldap.roles.by.user.search.base	String	DC=company,DC=com
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	String	member
principal.ldap.users.by.role.search.base	String	cn={0},cn=users,dc=company,dc=local
principal.ldap.users.by.role.search.filter	String	(objectclass=group)

OpenKM.xml

<security:ldap-server id="ldapServer"
  url="ldap://192.168.0.6:389/DC=ldap,dc=company,dc=local"
  manager-dn="CN=Administrator,cn=users,dc=company,dc=local"
  manager-password="password"/>

<security:authentication-manager alias="authenticationManager">
  <security:ldap-authentication-provider
    server-ref="ldapServer"
    user-search-base="cn=Users"
    user-search-filter="(sAMAccountName={0})"
    group-search-base="cn=Users"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="none">
  </security:ldap-authentication-provider>
</security:authentication-manager>