LDAP best practices for filtering users and roles

Usually you only want to expose a subset of the users and roles present in your LDAP directory: the ones shown in user interface lists, and the ones allowed to log in. Both are controlled by LDAP search filters.

Example based on a single LDAP group

  • Create a group named OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used for filtering users and roles.
  • Assign roles and users as members of the OpenKM group.
  • Goal: only users and roles that are members of the OpenKM group will be displayed in user interface lists.

For filtering the user interface:

Field / Property                            Type    Description
principal.ldap.user.search.filter           String  (&(objectclass=person)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.role.search.filter           String  (&(objectclass=group)(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.users.by.role.search.filter  String  (&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))
principal.ldap.roles.by.user.search.filter  String  (&(objectClass=person)(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))

For login restrictions:

Modify openkm.properties with:

ldap.user.search.filter=(&(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=company,DC=com))

If you use openkm.xml, then use:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=company,DC=com))</module-option>

Example based on ROLE_USER and ROLE_ADMIN groups

  • Create a group named OpenKM (CN=OpenKM,CN=users,DC=company,DC=com). It will be used for filtering roles.
  • Assign roles as members of the OpenKM group.
  • Goal: only roles in the OpenKM group will be displayed in user interface lists.
  • Goal: only users that are members of the ROLE_USER or ROLE_ADMIN groups will be displayed in user interface lists.

For filtering the user interface:

Field / Property                            Type    Description
principal.ldap.user.search.filter           String  (&(objectclass=person)(|(memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com)(memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com)))
principal.ldap.role.search.filter           String  (&(objectclass=group)(memberOf=cn=OpenKM,cn=users,dc=company,dc=com))
principal.ldap.users.by.role.search.filter  String  (&(objectClass=group)(cn={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))
principal.ldap.roles.by.user.search.filter  String  (&(objectClass=person)(sAMAccountName={0})(memberOf=cn=OpenKM,cn=users,DC=company,DC=com))

For login restrictions:

Modify openkm.properties with:

ldap.user.search.filter=(&(sAMAccountName={0})(objectClass=person)(|(memberOf=CN=ROLE_USER,CN=users,DC=company,DC=com)(memberOf=CN=ROLE_ADMIN,CN=users,DC=company,DC=com)))

If you use openkm.xml, then use:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(objectClass=person)(|(memberOf=CN=ROLE_USER,CN=users,DC=company,DC=com)(memberOf=CN=ROLE_ADMIN,CN=users,DC=company,DC=com)))</module-option>

Some characters are reserved in XML; one of them is &. In openkm.xml write &amp; wherever the filter contains &, otherwise you will get an error when starting the application. In openkm.properties the filter is written verbatim, with a plain &.
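The {0} placeholder in the filters above is replaced at login or lookup time with a value that originates from a user (an sAMAccountName or a group cn), so it must be escaped as an LDAP filter value before substitution. The following added example, which is not OpenKM's code, takes the page's filter templates, applies RFC 4515 escaping to the substituted value, checks that the rendered filter keeps the template's structure, and emits the same template in both the openkm.properties form and the openkm.xml form (with & written as &amp;). The sample lookup value "Sales (EMEA)*" is constructed.

```python
from xml.sax.saxutils import escape as xml_escape

# Filter templates from the page; {0} is the value substituted at runtime.
LOGIN_FILTER = "(&(sAMAccountName={0})(memberOf=CN=OpenKM,CN=users,DC=company,DC=com))"
USERS_BY_ROLE_FILTER = "(&(objectclass=group)(cn={0})(memberOf=CN=OpenKM,CN=users,dc=company,dc=com))"

# RFC 4515 escapes for characters that are special inside an assertion value.
_RFC4515 = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally, never read as filter syntax."""
    return "".join(_RFC4515.get(ch, ch) for ch in value)


def render_filter(template: str, value: str) -> str:
    """Substitute {0} like the runtime does, but with the value escaped first."""
    return template.replace("{0}", escape_filter_value(value))


def count_assertions(filter_str: str) -> int:
    """Count attribute assertions, i.e. '(' not followed by an operator (& | !).

    A rendered filter must contain exactly as many assertions as its template;
    a higher count means the substituted value changed the filter's structure.
    """
    count, i = 0, 0
    while i < len(filter_str):
        if filter_str[i] == "\\":
            i += 3  # skip a \xx hex escape; it cannot open an assertion
            continue
        if filter_str[i] == "(" and i + 1 < len(filter_str) and filter_str[i + 1] not in "&|!":
            count += 1
        i += 1
    return count


def properties_line(key: str, filter_str: str) -> str:
    """openkm.properties form: the filter is written verbatim, & included."""
    return f"{key}={filter_str}"


def module_option(name: str, filter_str: str) -> str:
    """openkm.xml form: & (and < >) must be XML-escaped or startup fails."""
    return f'<module-option name="{name}">{xml_escape(filter_str)}</module-option>'
```

Compare count_assertions on a rendered filter with the count on its template: a mismatch is the signal that a value was substituted without escaping.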