LDAP configuration parameters

The OpenKM LDAP integration is based on a set of LDAP searches that retrieve user, role and mail data from the directory.

Each LDAP query is composed of three elements:

  1. Attribute or object to retrieve.
  2. Node base to scope the request.
  3. Filtering options.

Sample query

The following query retrieves the mail attribute from an object of type person whose sAMAccountName attribute equals {0} (this parameter holds the userId), searching the node cn=users,dc=company,dc=local and its descendants.

Field / Property                     Value
principal.ldap.mail.attribute        mail
principal.ldap.mail.search.base      cn=users,dc=company,dc=local
principal.ldap.mail.search.filter    (&(objectclass=person)(sAMAccountName={0}))

LDAP queries

  • principal.ldap.user.* are used to retrieve the user list.
  • principal.ldap.username.* are used to retrieve the user name.
  • principal.ldap.mail.* are used to retrieve the user mail address.
  • principal.ldap.role.* are used to retrieve the role list.
  • principal.ldap.roles.by.user.* are used to retrieve the roles of a user.
  • principal.ldap.users.by.role.* are used to retrieve the users of a role.

To retrieve data, arguments are injected into the filter options. For example, to get a user's mail address, the application substitutes the argument value (the userId) for the {0} parameter in the filter.

Queries whose filters take a parameter:

  • principal.ldap.mail.search.filter=(sAMAccountName={0}), where {0} is the value of the attribute configured in principal.ldap.user.attribute.
  • principal.ldap.roles.by.user.search.filter=(&(objectclass=user)(sAMAccountName={0})), where {0} is the value of the attribute configured in principal.ldap.user.attribute.
  • principal.ldap.username.search.filter=(sAMAccountName={0}), where {0} is the value of the attribute configured in principal.ldap.user.attribute.
  • principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})), where {0} is the value of the attribute configured in principal.ldap.role.attribute.
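The page does not say how OpenKM substitutes the {0} argument into a configured filter. The following Python is an added example, not OpenKM code, that assumes plain textual substitution and shows the two checks a practitioner wants around it: the argument is escaped per RFC 4515 before it is placed into the filter, so a userId containing filter metacharacters such as ")" or "*" cannot change the filter's meaning, and each configured *.search.filter template is validated for balanced parentheses and for the presence of {0} where the page says the filter takes a parameter. The sample configuration is constructed from the keys on this page; its username filter deliberately lacks a closing parenthesis so the check has something to report.

```python
# Added example (not OpenKM code): RFC 4515 escaping of a {0} argument and a
# sanity check of configured LDAP filter templates. Assumes textual substitution.

# RFC 4515 escapes for characters that are special inside a filter assertion.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    # Each character is mapped once, so a backslash is never escaped twice.
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, argument: str) -> str:
    """Substitute the escaped argument for every {0} in the configured template."""
    return template.replace("{0}", escape_filter_value(argument))


def check_filter_template(template: str, expect_placeholder: bool) -> list[str]:
    """Return the problems found in a filter template (empty list means OK).

    Only what the configuration keys make checkable is verified:
    balanced parentheses and presence/absence of the {0} placeholder.
    """
    problems = []
    depth = 0
    for ch in template:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                problems.append("closing parenthesis without opening one")
                break
    if depth > 0:
        problems.append(f"{depth} unclosed parenthesis(es)")
    has_placeholder = "{0}" in template
    if expect_placeholder and not has_placeholder:
        problems.append("parameterised filter lacks the {0} placeholder")
    if not expect_placeholder and has_placeholder:
        problems.append("filter has a {0} placeholder but takes no argument")
    return problems


# Filters that, according to the page, take a {0} argument.
PARAMETERISED = {
    "principal.ldap.username.search.filter",
    "principal.ldap.mail.search.filter",
    "principal.ldap.roles.by.user.search.filter",
    "principal.ldap.users.by.role.search.filter",
}

# Constructed sample configuration; the username filter is deliberately broken.
SAMPLE_CONFIG = {
    "principal.ldap.user.search.filter": "objectclass=person",
    "principal.ldap.username.search.filter": "(sAMAccountName={0}",
    "principal.ldap.mail.search.filter": "(&(objectclass=person)(sAMAccountName={0}))",
    "principal.ldap.role.search.filter": "objectclass=group",
    "principal.ldap.roles.by.user.search.filter": "(&(objectclass=person)(sAMAccountName={0}))",
    "principal.ldap.users.by.role.search.filter": "(&(objectClass=group)(cn={0}))",
}


def validate_config(config: dict) -> dict:
    """Map each problematic *.search.filter key to its list of problems."""
    report = {}
    for key, template in config.items():
        if not key.endswith(".search.filter"):
            continue
        problems = check_filter_template(template, key in PARAMETERISED)
        if problems:
            report[key] = problems
    return report


if __name__ == "__main__":
    for key, problems in validate_config(SAMPLE_CONFIG).items():
        print(f"{key}: {'; '.join(problems)}")
    print(render_filter(SAMPLE_CONFIG["principal.ldap.mail.search.filter"], "jdoe"))
```

Run the script against your own properties before deploying them: an unbalanced template fails only at login time, when the directory rejects the search, and the escaping step is the part that has to sit between user input and the filter regardless of which LDAP client library performs the search.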

Parameters

Field / Property                                Type     Description
principal.adapter                               String   Class used to connect with LDAP.
system.login.lowercase                          String   Empty by default. When connecting to AD (Microsoft Active Directory) it must be set to "true", which forces all users to log in with a lowercase user Id; OpenKM is case sensitive and Active Directory is not.
principal.ldap.server                           String   LDAP server.
principal.ldap.security.principal               String   LDAP user distinguished name (dn).
principal.ldap.security.credentials             String   LDAP user password.
principal.ldap.referral                         String   In most cases this value is empty. Use "follow" to indicate several domain servers working together (balanced).
principal.ldap.users.from.roles                 Boolean  When "true", tries to retrieve all users from the roles list.
principal.ldap.user.attribute                   String   User attribute.
principal.ldap.user.search.base                 List     List of base nodes.
principal.ldap.user.search.filter               String   Filter options.
principal.ldap.username.attribute               String   Username attribute.
principal.ldap.username.search.base             String   Base node.
principal.ldap.username.search.filter           String   Filter options.
principal.ldap.mail.attribute                   String   Mail attribute.
principal.ldap.mail.search.base                 String   Base node.
principal.ldap.mail.search.filter               String   Filter options.
principal.ldap.role.attribute                   String   Role attribute.
principal.ldap.role.search.base                 List     List of base nodes.
principal.ldap.role.search.filter               String   Filter options.
principal.ldap.roles.by.user.attribute          String   User attribute.
principal.ldap.roles.by.user.search.base        String   Base node.
principal.ldap.roles.by.user.search.filter      String   Filter options.
principal.ldap.users.by.role.attribute          String   Role attribute.
principal.ldap.users.by.role.search.base        String   Base node.
principal.ldap.users.by.role.search.filter      String   Filter options.

Sample configuration

Field / Property                                Type     Value
principal.adapter                               String   com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase                          String   true
principal.ldap.server                           String   ldap://192.168.1.20:389
principal.ldap.security.principal               String   CN=Administrator,OU=OpenKM,DC=company,DC=com
principal.ldap.security.credentials             String   password
principal.ldap.referral                         String   (left empty)
principal.ldap.users.from.roles                 Boolean  false
principal.ldap.user.attribute                   String   sAMAccountName
principal.ldap.user.search.base                 List     DC=company,DC=com
principal.ldap.user.search.filter               String   objectclass=person
principal.ldap.username.attribute               String   cn
principal.ldap.username.search.base             String   DC=company,DC=com
principal.ldap.username.search.filter           String   (sAMAccountName={0})
principal.ldap.mail.attribute                   String   mail
principal.ldap.mail.search.base                 String   DC=company,DC=com
principal.ldap.mail.search.filter               String   (sAMAccountName={0})
principal.ldap.role.attribute                   String   cn
principal.ldap.role.search.base                 List     DC=company,DC=com
principal.ldap.role.search.filter               String   objectclass=group
principal.ldap.roles.by.user.attribute          String   memberOf
principal.ldap.roles.by.user.search.base        String   DC=company,DC=com
principal.ldap.roles.by.user.search.filter      String   (&(objectclass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute          String   member
principal.ldap.users.by.role.search.base        String   DC=company,DC=com
principal.ldap.users.by.role.search.filter      String   (&(objectClass=group)(cn={0}))