OpenLDAP example retrieving attributes by name
LDAP Structure
dc=com
dc=some
ou=roles
cn=ROLE_ADMIN
member=cn=okmAdmin,ou=users,dc=some,dc=com
member=cn=user1,ou=users,dc=some,dc=com
member=cn=user2,ou=users,dc=some,dc=com
cn=ROLE_USER
member=cn=user3,ou=users,dc=some,dc=com
...
ou=users
uid=user1
mail=user@mail.com
cn=User Name 1
memberOf=cn=ROLE_ADMIN,ou=roles,dc=some,dc=com
uid=user2
mail=user2@mail.com
cn=User Name 3
memberOf=cn=ROLE_ADMIN,ou=roles,dc=some,dc=com
uid=user3
mail=user3@mail.com
cn=User Name 3
memberOf=cn=ROLE_USER,ou=roles,dc=some,dc=com
uid=Manager
mail=manager@mail.com
cn=Manager
Valid roles:
- cn=ROLE_X,ou=roles,dc=some,dc=com
- cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
- cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com
Invalid roles:
- cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com )
Valid users:
- uid=USER_X,ou=users,dc=some,dc=com
- uid=USER_Y,ou=dept id,ou=users,dc=some,dc=com
- uid=USER_Z,ou=dept administrator,ou=users,dc=some,dc=com
Invalid users:
- uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )
Configuration parameters
Go to Administration > Configuration parameters:
Field / Property | Type | Description |
---|---|---|
principal.adapter | String |
com.openkm.principal.OpenLdapPrincipalAdapter |
system.login.lowercase | String |
false |
principal.ldap.server | String |
ldap://192.168.xxx.xxx:389 |
principal.ldap.security.principal | String |
cn=Manager,ou=users,dc=some,dc=com |
principal.ldap.security.credentials | String |
password |
principal.ldap.referral | String |
|
principal.ldap.users.from.roles | Boolean |
false |
principal.ldap.user.attribute | String |
uid |
principal.ldap.user.search.base |
List |
ou=users,dc=some,dc=com |
principal.ldap.user.search.filter |
String |
(objectClass=inetOrgPerson) |
principal.ldap.username.attribute |
String |
cn |
principal.ldap.username.search.base |
String |
ou=users,dc=some,dc=com |
principal.ldap.username.search.filter |
String |
(uid={0}) |
principal.ldap.mail.attribute | String |
|
principal.ldap.mail.search.base | String |
dc=some,dc=com |
principal.ldap.mail.search.filter | String |
(uid={0}) |
principal.ldap.role.attribute |
String |
cn |
principal.ldap.role.search.base |
List |
ou=roles,dc=some,dc=com |
principal.ldap.role.search.filter |
String |
(objectClass=groupOfNames) |
principal.ldap.roles.by.user.attribute |
String |
memberOf |
principal.ldap.roles.by.user.search.base |
String |
ou=users,dc=some,dc=com |
principal.ldap.roles.by.user.search.filter |
String |
(&(objectClass=inetOrgPerson)(uid={0})) |
principal.ldap.users.by.role.attribute |
String |
member |
principal.ldap.users.by.role.search.base |
String |
ou=roles,dc=some,dc=com |
principal.ldap.users.by.role.search.filter |
String |
(&(objectClass=groupOfNames)(cn={0})) |
OpenKM.xml
- Important login (ldap://192.168.0.13:389/dc=some,dc=com) sets default filter base queries at dc=some,dc=com with is concatenated by default in all filter queries .
- Roles ( groups ) filter base is ou=roles ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. ou=roles"/> really points to ou=roles,dc=some,dc=com"/>
- Users filter base is ou=users ( real distinguised name is ou=users,dc=some,dc=com ). Any valid user should have it as parent. to
- User filter is uid={0}
- Finally take in consideration the value 1 at member={0}"/>
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task.xsd">
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldaps://192.168.0.13:389/dc=some,dc=com"/>
<beans:property name="userDn" value="cn=Manager,ou=users,dc=some,dc=com"/>
<beans:property name="password" value="***"/>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"></beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="ou=roles"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="true" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="ou=users" />
<beans:constructor-arg index="1" value="uid={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>