dc=com
    dc=company
        cn=users
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
            cn=ROLE_USER
                member=user3
            cn=ROLE_XXXX
                member=user2
            cn=ROLE_YYYY
                member=user4
                ...
            sAMAccountName=okmAdmin
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com
                userPrincipalName=user2@mail.com
                cn=User Name 3

Configuration parameters

User members of ROLE_ADMIN or ROLE_USER are created into users node ( these should be the distinguished names CN=ROLE_ADMIN,cn=users,DC=company,DC=com and CN=ROLE_USER,cn=users,DC=company,DC=com).
Groups can be created on any Active Directory node, because DC=company,DC=com is set as base filter, principal.ldap.role.search.base=DC=company,DC=com.
All Active Directory groups will be listed because has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group).

Go to Administration > Configuration parameters:

Field / Property	Type	Description
principal.adapter	String	com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase	String	true
principal.ldap.server	String	ldap://192.168.0.6:389
principal.ldap.security.principal	String	CN=Administrator,cn=users,dc=company,dc=local
principal.ldap.security.credentials	String	password
principal.ldap.referral	String
principal.ldap.users.from.roles	Boolean	false
principal.ldap.user.attribute	String	sAMAccountName
principal.ldap.user.search.base	List	dc=company,dc=local
principal.ldap.user.search.filter	String	(objectclass=person)
principal.ldap.username.attribute	String	cn
principal.ldap.username.search.base	String	dc=company,dc=local
principal.ldap.username.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute	String	mail
principal.ldap.mail.search.base	String	dc=company,dc=local
principal.ldap.mail.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.role.attribute	String	cn
principal.ldap.role.search.base	List	dc=company,dc=local
principal.ldap.role.search.filter	String	(objectclass=group)
principal.ldap.roles.by.user.attribute	String	memberOf
principal.ldap.roles.by.user.search.base	String	DC=company,DC=com
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	String	member
principal.ldap.users.by.role.search.base	String	dc=company,dc=local
principal.ldap.users.by.role.search.filter	String	(&(objectClass=group)(cn={0}))

OpenKM.xml

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
 
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.0.6:389/dc=company,dc=local"/>
  <beans:property name="userDn" value="CN=Administrator,cn=users,dc=company,dc=local"/>
  <beans:property name="password" value="password"/>
</beans:bean>
 
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" value="memberOf={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" /> 
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>
 
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

Table of contents [ Hide Show ]

LDAP structure
Configuration parameters
OpenKM.xml

Active Directory advanced configuration

LDAP structure

dc=com
    dc=company
        cn=users
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
            cn=ROLE_USER
                member=user3
            cn=ROLE_XXXX
                member=user2
            cn=ROLE_YYYY
                member=user4
                ...
            sAMAccountName=okmAdmin
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com
                userPrincipalName=user2@mail.com
                cn=User Name 3

Configuration parameters

User members of ROLE_ADMIN or ROLE_USER are created into users node ( these should be the distinguished names CN=ROLE_ADMIN,cn=users,DC=company,DC=com and CN=ROLE_USER,cn=users,DC=company,DC=com).
Groups can be created on any Active Directory node, because DC=company,DC=com is set as base filter, principal.ldap.role.search.base=DC=company,DC=com.
All Active Directory groups will be listed because has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group).

Go to Administration > Configuration parameters:

Field / Property	Type	Description
principal.adapter	String	com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase	String	true
principal.ldap.server	String	ldap://192.168.0.6:389
principal.ldap.security.principal	String	CN=Administrator,cn=users,dc=company,dc=local
principal.ldap.security.credentials	String	password
principal.ldap.referral	String
principal.ldap.users.from.roles	Boolean	false
principal.ldap.user.attribute	String	sAMAccountName
principal.ldap.user.search.base	List	dc=company,dc=local
principal.ldap.user.search.filter	String	(objectclass=person)
principal.ldap.username.attribute	String	cn
principal.ldap.username.search.base	String	dc=company,dc=local
principal.ldap.username.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute	String	mail
principal.ldap.mail.search.base	String	dc=company,dc=local
principal.ldap.mail.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.role.attribute	String	cn
principal.ldap.role.search.base	List	dc=company,dc=local
principal.ldap.role.search.filter	String	(objectclass=group)
principal.ldap.roles.by.user.attribute	String	memberOf
principal.ldap.roles.by.user.search.base	String	DC=company,DC=com
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	String	member
principal.ldap.users.by.role.search.base	String	dc=company,dc=local
principal.ldap.users.by.role.search.filter	String	(&(objectClass=group)(cn={0}))

OpenKM.xml

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
 
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.0.6:389/dc=company,dc=local"/>
  <beans:property name="userDn" value="CN=Administrator,cn=users,dc=company,dc=local"/>
  <beans:property name="password" value="password"/>
</beans:bean>
 
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" value="memberOf={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" /> 
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>
 
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>