LDAP best practices for filtering users and roles
Usually you only want to retrieve a subset of the users and roles present in your LDAP directory, either to show them in user interface lists or to restrict who is allowed to log in.
Example based on single LDAP group
- Create a group named OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used to filter users and roles.
- Make the relevant roles and users members of the OpenKM group.
- Goal: only users and roles that are members of the OpenKM group will be displayed in user interface lists.
For filtering user interface:
Field / Property | Type | Value |
---|---|---|
principal.ldap.user.search.filter | String | `(&(objectclass=person)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))` |
principal.ldap.role.search.filter | String | `(&(objectclass=group)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))` |
principal.ldap.users.by.role.search.filter | String | `(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))` |
principal.ldap.roles.by.user.search.filter | String | `(&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))` |
For login restriction:
Modify OpenKM.xml with:
`<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=company,DC=com))</module-option>`
Example based on ROLE_USER and ROLE_ADMIN groups
- Create a group named OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used to filter roles.
- Make the relevant roles members of the OpenKM group.
- Goal: only roles that are members of the OpenKM group will be displayed in user interface lists.
- Goal: only users that are members of the ROLE_USER or ROLE_ADMIN group will be displayed in user interface lists.
For filtering user interface:
Field / Property | Type | Value |
---|---|---|
principal.ldap.user.search.filter | String | `(&(objectclass=person)(\|(memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com)(memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com)))` |
principal.ldap.role.search.filter | String | `(&(objectclass=group)(memberOf=cn=OpenKM,cn=users,dc=company,dc=com))` |
principal.ldap.users.by.role.search.filter | String | `(&(objectClass=group)(cn={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))` |
principal.ldap.roles.by.user.search.filter | String | `(&(objectClass=person)(sAMAccountName={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))` |
For login restriction:
Modify OpenKM.xml with:
`<module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=person)(|(memberOf=CN=ROLE_USER,CN=users,dc=weyler,dc=local)(memberOf=CN=ROLE_ADMIN,CN=users,dc=weyler,dc=local)))</module-option>`
Some characters are restricted in XML, and & is one of them. Write `&amp;` wherever you would normally write & in OpenKM.xml, otherwise you will get an error when the application starts.
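The following is an added example, not part of the OpenKM documentation or of the OpenKM code base. It evaluates the filters from this page against a small constructed in-memory directory, so you can see which entries the user and role filters select, and it goes a little beyond the page by also accepting `!` and presence (`attr=*`) filters. It also shows two things a practitioner should check when substituting the `{0}` placeholder: that the login name is escaped per RFC 4515 before substitution, so characters such as `*`, `(` and `)` in a user name are compared literally rather than changing the filter's structure, and that the resulting baseFilter is written into XML with `&` as `&amp;`. The directory entries, the case-insensitive matching and the login-module substitution are all assumptions of this example, not OpenKM behaviour.

```python
"""Evaluate OpenKM-style LDAP search filters against a constructed directory.

Added example for this page (not OpenKM code). Sample entries are constructed.
"""
from xml.sax.saxutils import escape as xml_escape

OPENKM_GROUP = "CN=OpenKM,CN=users,DC=company,DC=com"
USER_FILTER = f"(&(objectclass=person)(memberOf={OPENKM_GROUP}))"
ROLE_FILTER = f"(&(objectclass=group)(memberOf={OPENKM_GROUP}))"
LOGIN_FILTER_TEMPLATE = "(&(sAMAccountName={0})(memberOf=" + OPENKM_GROUP + "))"

# Constructed sample directory: DN -> {lowercased attribute name: [values]}.
DIRECTORY = {
    "CN=alice,CN=users,DC=company,DC=com": {
        "objectclass": ["person"], "samaccountname": ["alice"],
        "memberof": [OPENKM_GROUP, "CN=ROLE_USER,CN=users,DC=company,DC=com"]},
    "CN=bob,CN=users,DC=company,DC=com": {
        "objectclass": ["person"], "samaccountname": ["bob"],
        "memberof": ["CN=Finance,CN=users,DC=company,DC=com"]},
    "CN=ROLE_USER,CN=users,DC=company,DC=com": {
        "objectclass": ["group"], "samaccountname": ["ROLE_USER"],
        "memberof": [OPENKM_GROUP]},
    "CN=Finance,CN=users,DC=company,DC=com": {
        "objectclass": ["group"], "samaccountname": ["Finance"], "memberof": []},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: *, (, ), backslash and NUL become \\XX hex escapes."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Reverse RFC 4515 \\XX escapes so the assertion value is compared literally."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return "".join(out)


def parse_filter(text: str):
    """Parse the RFC 4515 subset used on this page: &, |, ! and attr=value."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(node())
            if op == "!" and len(children) != 1:
                raise ValueError("'!' takes exactly one filter")
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)  # an escaped value contains no literal ')'
        attr, sep, raw = text[pos:end].partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        return ("=", attr.strip().lower(), raw)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def matches(tree, entry) -> bool:
    """Evaluate a parsed filter against one entry (dict of attribute -> values)."""
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not matches(tree[1][0], entry)
    _, attr, raw = tree
    values = entry.get(attr, [])
    if raw == "*":  # presence filter, e.g. (objectClass=*)
        return bool(values)
    wanted = unescape_filter_value(raw).lower()
    # Simplification: case-insensitive string equality. A real server applies the
    # attribute's matching rule (DN matching for memberOf, which also normalises
    # whitespace around RDN separators).
    return any(v.lower() == wanted for v in values)


def search(filter_text: str, directory=DIRECTORY):
    """Return the sorted DNs of all entries matching the filter."""
    tree = parse_filter(filter_text)
    return sorted(dn for dn, entry in directory.items() if matches(tree, entry))


def render_login_filter(username: str) -> str:
    """Substitute {0} as a login module would, escaping the name first (assumed)."""
    return LOGIN_FILTER_TEMPLATE.replace("{0}", escape_filter_value(username))


def module_option_xml(ldap_filter: str) -> str:
    """Render the baseFilter element for OpenKM.xml; & must appear as &amp;."""
    return f'<module-option name="baseFilter">{xml_escape(ldap_filter)}</module-option>'


if __name__ == "__main__":
    print("users shown:", search(USER_FILTER))
    print("roles shown:", search(ROLE_FILTER))
    print("login alice:", search(render_login_filter("alice")))
    print("login with filter metacharacters:", search(render_login_filter("*)(objectClass=*")))
    print(module_option_xml(LOGIN_FILTER_TEMPLATE))
```

Running the module prints that only alice (a person in the OpenKM group) and ROLE_USER (a group in the OpenKM group) are selected, that a login name containing `*`, `(` and `)` matches nothing once escaped, and the exact `&amp;`-escaped element to paste into OpenKM.xml.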