LDAP best practices for filtering users and roles

Usually you only want to retrieve a subset of the users and roles present in your LDAP directory, either to show them in user interface lists or to allow them to log in.

Example based on a single LDAP group

  • Create a group named OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used to filter users and roles.
  • Make the relevant roles and users members of the OpenKM group.
  • Goal: only users and roles that are members of the OpenKM group will be displayed in user interface lists.

For filtering user interface:

Field / Property | Type | Description
principal.ldap.user.search.filter | String | (&(objectclass=person)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.role.search.filter | String | (&(objectclass=group)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.users.by.role.search.filter | String | (&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.roles.by.user.search.filter | String | (&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))

For login restriction:

Modify OpenKM.xml with:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=company,DC=com))</module-option>

Example based on the ROLE_USER and ROLE_ADMIN groups

  • Create a group named OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used to filter roles.
  • Make the relevant roles members of the OpenKM group.
  • Goal: only roles that are members of the OpenKM group will be displayed in user interface lists.
  • Goal: only users that are members of the ROLE_USER or ROLE_ADMIN group will be displayed in user interface lists.

For filtering user interface:

Field / Property | Type | Description
principal.ldap.user.search.filter | String | (&(objectclass=person)(|(memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com)(memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com)))
principal.ldap.role.search.filter | String | (&(objectclass=group)(memberOf=cn=OpenKM,cn=users,dc=company,dc=com))
principal.ldap.users.by.role.search.filter | String | (&(objectClass=group)(cn={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))
principal.ldap.roles.by.user.search.filter | String | (&(objectClass=person)(sAMAccountName={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))

For login restriction:

Modify OpenKM.xml with:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=person)(|(memberOf=CN=ROLE_USER,CN=users,DC=company,DC=com)(memberOf=CN=ROLE_ADMIN,CN=users,DC=company,DC=com)))</module-option>

Some characters are restricted in XML, and & is one of them. Write &amp; wherever you would normally write & inside OpenKM.xml; otherwise the application will fail with an error on startup.
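To see what the filters from both examples above actually select, and to check the two details that most often go wrong around them, here is an added example in Python. It is not OpenKM's code: it implements a small evaluator for the subset of RFC 4515 filter syntax the page uses (&, |, ! and equality), runs the page's filters over a constructed in-memory directory, shows RFC 4515 escaping of the value substituted for the {0} placeholder (assumed to be the role name for cn={0} and the login name for sAMAccountName={0}), and renders a filter as a baseFilter module-option with the & written as &amp;. The directory entries, the helper names and the `filter_from_module_option` round-trip are all constructed for this example.

```python
# Added example (not OpenKM's own code): evaluate this page's LDAP filters
# against a constructed directory, escape the {0} placeholder value per
# RFC 4515, and render the filter for OpenKM.xml with '&' as '&amp;'.
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape as xml_escape

# Constructed sample directory (not real data). Attribute names are stored in
# lower case because LDAP attribute names are case-insensitive.
BASE = "CN=users,DC=company,DC=com"
DIRECTORY = [
    {"dn": f"CN=alice,{BASE}", "objectclass": ["person", "user"],
     "samaccountname": ["alice"], "memberof": [f"CN=OpenKM,{BASE}", f"CN=ROLE_USER,{BASE}"]},
    {"dn": f"CN=bob,{BASE}", "objectclass": ["person", "user"],
     "samaccountname": ["bob"], "memberof": [f"CN=ROLE_ADMIN,{BASE}"]},
    {"dn": f"CN=carol,{BASE}", "objectclass": ["person", "user"],
     "samaccountname": ["carol"], "memberof": [f"CN=Finance,{BASE}"]},
    {"dn": f"CN=ROLE_USER,{BASE}", "objectclass": ["group"], "cn": ["ROLE_USER"],
     "memberof": [f"CN=OpenKM,{BASE}"]},
    {"dn": f"CN=ROLE_ADMIN,{BASE}", "objectclass": ["group"], "cn": ["ROLE_ADMIN"],
     "memberof": [f"CN=OpenKM,{BASE}"]},
    {"dn": f"CN=Finance,{BASE}", "objectclass": ["group"], "cn": ["Finance"], "memberof": []},
]


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a filter (e.g. the {0} placeholder)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def fill_placeholder(template, value):
    """Substitute {0} so the value can never open or close a filter component."""
    return template.replace("{0}", escape_filter_value(value))


def parse_filter(text):
    """Parse the subset of RFC 4515 used on this page: (&...), (|...), (!...), (attr=value)."""
    def skip_ws(i):
        while i < len(text) and text[i].isspace():
            i += 1
        return i

    def parse(i):
        i = skip_ws(i)
        if i >= len(text) or text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        i += 1
        if i < len(text) and text[i] in "&|!":
            op, children = text[i], []
            i = skip_ws(i + 1)
            while i < len(text) and text[i] == "(":
                i, child = parse(i)
                children.append(child)
                i = skip_ws(i)
            if i >= len(text) or text[i] != ")":
                raise ValueError(f"unbalanced parentheses near offset {i}")
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            return i + 1, (op, children)
        j = text.find(")", i)  # escaped parens inside values appear as \28 / \29
        if j < 0:
            raise ValueError("missing ')'")
        attr, sep, value = text[i:j].partition("=")
        if not sep or not attr:
            raise ValueError(f"bad assertion {text[i:j]!r}")
        return j + 1, ("=", (attr.lower(), unescape_filter_value(value)))

    end, node = parse(0)
    if skip_ws(end) != len(text):
        raise ValueError("trailing characters after filter")
    return node


def matches(node, entry):
    kind, payload = node
    if kind == "&":
        return all(matches(c, entry) for c in payload)
    if kind == "|":
        return any(matches(c, entry) for c in payload)
    if kind == "!":
        return not matches(payload[0], entry)
    attr, value = payload
    # Case-insensitive comparison, as Active Directory does for objectClass and DN values.
    return value.lower() in [v.lower() for v in entry.get(attr, [])]


def search(filter_text, directory=DIRECTORY):
    """Return the DNs of entries matching the filter, like a search over the base DN."""
    node = parse_filter(filter_text)
    return [e["dn"] for e in directory if matches(node, e)]


def module_option_xml(filter_text, name="baseFilter"):
    """Render the filter as a module-option element; '&' becomes '&amp;' for OpenKM.xml."""
    return f'<module-option name="{name}">{xml_escape(filter_text)}</module-option>'


def filter_from_module_option(xml_text):
    """Parse the element back; the XML parser restores the literal '&'."""
    return ET.fromstring(xml_text).text


if __name__ == "__main__":
    f1 = "(&(objectclass=person)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))"
    print(search(f1))
    print(module_option_xml(f1))
```

Running it prints the single user entry that is a member of the OpenKM group, followed by the module-option line with the leading (&amp;. The escaping step matters because the {0} placeholder is filled with a name that comes from the login form or from a role list; with the escaping in place a value containing parentheses or * is compared as a literal string and simply fails to match, instead of being parsed as additional filter components.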