Active Directory example with referral enabled
This example covers the scenario where more than one Active Directory domains work together, and it's needed the following parameter.
LDAP Structure
dc=com
dc=company
ou=OPENKM
cn=ROLE_ADMIN
member=okmAdmin
member=user1
member=user2
cn=ROLE_USER
member=user3
member=user4
cn=ROLE_XXXX
cn=ROLE_YYYY
...
ou=organization1
sAMAccountName=okmAdmin
memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
mail=okmAdmin@mail.com
cn=OpenKM Administrator
sAMAccountName=user1
memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
mail=user1@mail.com
cn=User Name 1
sAMAccountName=user2
memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=company,DC=com
mail=user2@mail.com
cn=User Name 3
ou=organization2
sAMAccountName=user3
memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
mail=user3@mail.com
cn=User Name 3
sAMAccountName=user4
memberOf=CN=ROLE_USER,OU=OPENKM,DC=company,DC=com
mail=user4@mail.com
cn=User Name 4
Valid groups:
- cn=ROLE_ADMIN,ou=OPENKM,dc=company,dc=com
- cn=ROLE_USER,ou=OPENKM,dc=company,dc=com
- cn=ROLE_XXXX,ou=OPENKM,dc=company,dc=com
- cn=ROLE_YYYY,ou=OPENKM,dc=company,dc=com
Valid users:
- cn=user1,ou=organization1,dc=company,dc=com
- cn=user2,ou=organization1,dc=company,dc=com
- cn=user3,ou=organization2,dc=company,dc=com
- cn=user4,ou=organization2,dc=company,dc=com
Any distinguished name includes by default dc=company,dc=com
Configuration parameters
Go to Administration > Configuration parameters:
Field / Property | Type | Description |
---|---|---|
principal.adapter | String |
com.openkm.principal.LdapPrincipalAdapter |
system.login.lowercase | String |
true |
principal.ldap.server | String |
ldap://192.168.xxx.xxx:389 |
principal.ldap.security.principal | String |
CN=Administrator,OU=OPENKM,DC=company,DC=com |
principal.ldap.security.credentials | String |
password |
principal.ldap.referral | String |
follow |
principal.ldap.users.from.roles | Boolean |
false |
principal.ldap.user.attribute | String |
sAMAccountName |
principal.ldap.user.search.base |
List |
DC=company,DC=com |
principal.ldap.user.search.filter |
String |
(objectclass=user) |
principal.ldap.username.attribute |
String |
cn |
principal.ldap.username.search.base |
String |
DC=company,DC=com |
principal.ldap.username.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
principal.ldap.mail.attribute | String |
|
principal.ldap.mail.search.base | String |
DC=company,DC=com |
principal.ldap.mail.search.filter | String |
(&(objectClass=person)(sAMAccountName={0})) |
principal.ldap.role.attribute |
String |
cn |
principal.ldap.role.search.base |
List |
DC=company,DC=com |
principal.ldap.role.search.filter |
String |
(objectclass=group) |
principal.ldap.roles.by.user.attribute |
String |
memberOf |
principal.ldap.roles.by.user.search.base |
String |
DC=company,DC=com |
principal.ldap.roles.by.user.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
principal.ldap.users.by.role.attribute |
String |
member |
principal.ldap.users.by.role.search.base |
String |
DC=company,DC=com |
principal.ldap.users.by.role.search.filter |
String |
(&(objectClass=group)(CN={0})) |
OpenKM.xml
- Parameter follow indicates several domains servers working together ( balanced ).
- Users defined in any Active Directory node will be able to log in, because it has defined DC=company,DC=com as the base filter.
- Any user authenticated in Active Directory can log in because it has not any filtering clause.
- Groups read by OpenKM can be defined in an Active Directory node, because it has defined DC=company,DC=com as the base filter.
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.xxx.xxx:389"/>
<beans:property name="userDn" value="CN=Administrator,OU=OPENKM,DC=company,DC=com"/>
<beans:property name="password" value="****"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="DC=company,DC=com"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="false" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="DC=company,DC=com" />
<beans:constructor-arg index="1" value="sAMAccountName={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>