OpenLDAP example retrieving attributes by name

LDAP Structure

dc=com
    dc=some
        ou=roles
            cn=ROLE_ADMIN
                member=cn=okmAdmin,ou=users,dc=some,dc=com
                member=cn=user1,ou=users,dc=some,dc=com
                member=cn=user2,ou=users,dc=some,dc=com
            cn=ROLE_USER
                member=cn=user3,ou=users,dc=some,dc=com
                ...
        ou=users
            uid=user1
                mail=user@mail.com
                cn=User Name 1
                memberOf=cn=ROLE_ADMIN,ou=roles,dc=some,dc=com
            uid=user2
                mail=user2@mail.com
                cn=User Name 3
                memberOf=cn=ROLE_ADMIN,ou=roles,dc=some,dc=com
            uid=user3
                mail=user3@mail.com
                cn=User Name 3
                memberOf=cn=ROLE_USER,ou=roles,dc=some,dc=com
            uid=Manager
                mail=manager@mail.com
                cn=Manager

Valid roles:

  • cn=ROLE_X,ou=roles,dc=some,dc=com
  • cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
  • cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com

Invalid roles:

  • cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com )

Valid users:

  • uid=USER_X,ou=users,dc=some,dc=com
  • uid=USER_Y,ou=dept id,ou=users,dc=some,dc=com
  • uid=USER_Z,ou=dept administrator,ou=users,dc=some,dc=com

Invalid users:

  • uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )

Configuration parameters

Go to Administration > Configuration parameters:

Field / PropertyTypeDescription
principal.adapter String

com.openkm.principal.OpenLdapPrincipalAdapter

system.login.lowercase String

false

principal.ldap.server String

ldap://192.168.xxx.xxx:389

principal.ldap.security.principal String

cn=Manager,ou=users,dc=some,dc=com

principal.ldap.security.credentials String

password

principal.ldap.referral String

 

principal.ldap.users.from.roles Boolean

false

principal.ldap.user.attribute String

uid

principal.ldap.user.search.base

List

ou=users,dc=some,dc=com

principal.ldap.user.search.filter

String

(objectClass=inetOrgPerson)

principal.ldap.username.attribute

String

cn

principal.ldap.username.search.base

String

ou=users,dc=some,dc=com

principal.ldap.username.search.filter

String

(uid={0})

principal.ldap.mail.attribute String

mail

principal.ldap.mail.search.base String

dc=some,dc=com

principal.ldap.mail.search.filter String

(uid={0})

principal.ldap.role.attribute

String

cn

principal.ldap.role.search.base

List

ou=roles,dc=some,dc=com

principal.ldap.role.search.filter

String

(objectClass=groupOfNames)

principal.ldap.roles.by.user.attribute

String

memberOf

principal.ldap.roles.by.user.search.base

String

ou=users,dc=some,dc=com

principal.ldap.roles.by.user.search.filter

String

(&(objectClass=inetOrgPerson)(uid={0}))

principal.ldap.users.by.role.attribute

String

member

principal.ldap.users.by.role.search.base

String

ou=roles,dc=some,dc=com

principal.ldap.users.by.role.search.filter

String

(&(objectClass=groupOfNames)(cn={0}))

OpenKM.xml

  • Important login (ldap://192.168.0.13:389/dc=some,dc=com) sets default filter base queries at dc=some,dc=com with is concatenated by default in all filter queries .
  • Roles ( groups ) filter base is ou=roles ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. ou=roles"/> really points to ou=roles,dc=some,dc=com"/>
  • Users filter base is ou=users ( real distinguised name is ou=users,dc=some,dc=com ). Any valid user should have it as parent. to
  • User filter is uid={0}
  • Finally take in consideration the value 1 at member={0}"/>
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">
 
  <security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
 
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  	<beans:constructor-arg value="ldaps://192.168.0.13:389/dc=some,dc=com"/>
        <beans:property name="userDn" value="cn=Manager,ou=users,dc=some,dc=com"/>
  	<beans:property name="password" value="***"/>
  </beans:bean>
 
    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=roles"/>
                <beans:property name="groupSearchFilter" value="member={0}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
 
        <beans:property name="rolePrefix" value="" /> 
 
            </beans:bean>
        </beans:constructor-arg>
  </beans:bean>
 
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=users" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
 
</beans:beans>