Create a group named OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used for filtering users and roles purpose.
Assign roles and users are members of OpenKM group.
Goal, only users and roles which are members of OpenKM group will be displayed in user interface lists.

For filtering user interface:

Field / Property	Type	Description
principal.ldap.user.search.filter	String	(&(objectclass=person)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.role.search.filter	String	(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.users.by.role.search.filter	String	(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))

For login restriction:

Modify OpenKM.xml with:

<module-option name="baseFilter">(&(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=company,DC=com))>

Example based on ROLE_USER and ROLE_ADMIN group

Create group name OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used for filtering roles purpose.
Assign roles are members of OpenKM group.
Goal, only roles with OpenKM role will be displayed in user interface lists.
Goal, only users what are members of ROLE_USER or ROLE_ADMIN group will be displayed in user interface lists.

For filtering user interface:

Field / Property	Type	Description
principal.ldap.user.search.filter	String	(&(objectclass=person) (\|(memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com)(memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com)))
principal.ldap.role.search.filter	String	(&(objectclass=group)(memberOf=cn=OpenKM,dc=company,dc=com))
principal.ldap.users.by.role.search.filter	String	(&(objectClass=group)(cn={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))

For login restriction:

Modify OpenKM.xml with:

(&amp;(sAMAccountName={0})(objectClass=person)(|(memberOf=CN=ROLE_USER,CN=users,dc=weyler,dc=local)(memberOf=CN=ROLE_ADMIN,CN=users,dc=weyler,dc=local)))

There are some characters restricted in XML, one of these is &. Should be used & in place you usually should use &, otherwise you will get an error on starting the application.

Table of contents [ Hide Show ]

Example based on single LDAP group
Example based on ROLE_USER and ROLE_ADMIN group

LDAP best practices for filtering users and roles

Usually you only want to retrieve a subset of users and roles present in your LDAP, to be shown in user interface lists or be able to login into.

Example based on single LDAP group

Create a group named OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used for filtering users and roles purpose.
Assign roles and users are members of OpenKM group.
Goal, only users and roles which are members of OpenKM group will be displayed in user interface lists.

For filtering user interface:

Field / Property	Type	Description
principal.ldap.user.search.filter	String	(&(objectclass=person)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.role.search.filter	String	(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.users.by.role.search.filter	String	(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))

For login restriction:

Modify OpenKM.xml with:

<module-option name="baseFilter">(&(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=company,DC=com))>

Example based on ROLE_USER and ROLE_ADMIN group

Create group name OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used for filtering roles purpose.
Assign roles are members of OpenKM group.
Goal, only roles with OpenKM role will be displayed in user interface lists.
Goal, only users what are members of ROLE_USER or ROLE_ADMIN group will be displayed in user interface lists.

For filtering user interface:

Field / Property	Type	Description
principal.ldap.user.search.filter	String	(&(objectclass=person) (\|(memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com)(memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com)))
principal.ldap.role.search.filter	String	(&(objectclass=group)(memberOf=cn=OpenKM,dc=company,dc=com))
principal.ldap.users.by.role.search.filter	String	(&(objectClass=group)(cn={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))

For login restriction:

Modify OpenKM.xml with:

(&amp;(sAMAccountName={0})(objectClass=person)(|(memberOf=CN=ROLE_USER,CN=users,dc=weyler,dc=local)(memberOf=CN=ROLE_ADMIN,CN=users,dc=weyler,dc=local)))

There are some characters restricted in XML, one of these is &. Should be used & in place you usually should use &, otherwise you will get an error on starting the application.