LDAP configuration parameters

The OpenKM LDAP integration is based on a handful of LDAP searches that retrieve users, roles and their attributes from the directory.

Each LDAP query is composed of three elements:

  1. The attribute or object to retrieve.
  2. The base node that scopes the search.
  3. The filtering options.

Sample query

The query below retrieves the mail attribute of an object of type person whose sAMAccountName attribute equals {0} (this parameter carries the user Id), searching from the node cn=users,dc=company,dc=local and its descendants:

principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=cn=users,dc=company,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))

LDAP queries

  • principal.ldap.user.* are used to retrieve the user list.
  • principal.ldap.username.* are used to retrieve the user name.
  • principal.ldap.mail.* are used to retrieve the user mail address.
  • principal.ldap.role.* are used to retrieve the role list.
  • principal.ldap.roles.by.user.* are used to retrieve the roles of a user.
  • principal.ldap.users.by.role.* are used to retrieve the users of a role.

To retrieve data, arguments are injected into the filtering options. For example, to get the mail of a user, the application substitutes the {0} placeholder in the filter with the argument value, the user Id.

Queries that use a parameter in their filter:

  • principal.ldap.mail.search.filter=(sAMAccountName={0}), where {0} is the value of the attribute named by principal.ldap.user.attribute.
  • principal.ldap.roles.by.user.search.filter=(&(objectclass=user)(sAMAccountName={0})), where {0} is the value of the attribute named by principal.ldap.user.attribute.
  • principal.ldap.username.search.filter=(sAMAccountName={0}), where {0} is the value of the attribute named by principal.ldap.user.attribute.
  • principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0})), where {0} is the value of the attribute named by principal.ldap.role.attribute.

Because {0} is spliced into a search filter, the attribute used in each parameterised filter must be the same attribute that principal.ldap.user.attribute (or principal.ldap.role.attribute) returns, otherwise the lookup matches nothing.
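The substitution described above, as an added example that is not OpenKM's own code: the filter template is filled with the user Id, system.login.lowercase is applied first, and the argument is escaped per RFC 4515 so that an Id containing filter metacharacters stays a literal value instead of changing the query. Whether OpenKM escapes the argument itself is not stated on this page, so the escaping here is this example's addition. The ldapsearch rendering assumes the OpenLDAP client tools and is there so the same query can be checked by hand against the directory. The configuration values are constructed from the sample query on this page.

```python
"""Fill the {0} placeholder of an OpenKM-style LDAP search filter safely.

Added example; not OpenKM's own code. Whether OpenKM escapes the argument
itself is not documented on this page, so escaping is done here explicitly.
"""
import shlex
from typing import Dict, Tuple

# RFC 4515 section 3: characters that must be hex-escaped inside an assertion value.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value so it is matched literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def normalise_user_id(user_id: str, login_lowercase: str) -> str:
    """Apply system.login.lowercase: with "true", the Id is lowercased before use."""
    return user_id.lower() if login_lowercase.strip().lower() == "true" else user_id


def build_filter(template: str, arg: str) -> str:
    """Replace every {0} in a principal.ldap.*.search.filter template."""
    return template.replace("{0}", escape_filter_value(arg))


def mail_lookup(cfg: Dict[str, str], user_id: str) -> Tuple[str, str, str]:
    """Return (base, filter, attribute) for the principal.ldap.mail.* query."""
    uid = normalise_user_id(user_id, cfg.get("system.login.lowercase", ""))
    return (
        cfg["principal.ldap.mail.search.base"],
        build_filter(cfg["principal.ldap.mail.search.filter"], uid),
        cfg["principal.ldap.mail.attribute"],
    )


def ldapsearch_command(cfg: Dict[str, str], base: str, ldap_filter: str, attribute: str) -> str:
    """Render an OpenLDAP ldapsearch invocation (-W prompts for the bind password)
    that reproduces the same query, for checking the configuration by hand."""
    argv = [
        "ldapsearch", "-LLL", "-x",
        "-H", cfg["principal.ldap.server"],
        "-D", cfg["principal.ldap.security.principal"], "-W",
        "-b", base, "-s", "sub", ldap_filter, attribute,
    ]
    return " ".join(shlex.quote(a) for a in argv)


# Constructed configuration values, mirroring the page's sample query.
SAMPLE_CFG = {
    "system.login.lowercase": "true",
    "principal.ldap.server": "ldap://192.168.1.20:389",
    "principal.ldap.security.principal": "CN=Administrator,OU=OpenKM,DC=company,DC=com",
    "principal.ldap.mail.attribute": "mail",
    "principal.ldap.mail.search.base": "cn=users,dc=company,dc=local",
    "principal.ldap.mail.search.filter": "(&(objectclass=person)(sAMAccountName={0}))",
}

if __name__ == "__main__":
    base, flt, attr = mail_lookup(SAMPLE_CFG, "JDoe")
    print(ldapsearch_command(SAMPLE_CFG, base, flt, attr))
    # A user Id carrying filter metacharacters stays a literal value:
    print(build_filter("(sAMAccountName={0})", "x)(objectclass=*"))
```

Run it and paste the printed ldapsearch line into a shell on a host that can reach the directory: if it returns the expected mail attribute, the base, filter and bind account in the configuration are right. The second line shows why escaping matters: without it, an Id such as `x)(objectclass=*` would rewrite the filter rather than be looked up as a name.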

Parameters

Property (Type): Description

principal.adapter (String): Class used to connect with LDAP.

system.login.lowercase (String): Empty by default. When connecting to Microsoft Active Directory (AD) it must be set to "true", which forces every user to log in with a lowercase user Id. The reason is that OpenKM user Ids are case sensitive while Active Directory logins are not, so without it "JDoe" and "jdoe" would be two different OpenKM users.

principal.ldap.server (String): LDAP server URL. A plain ldap:// URL sends the bind password in clear text, so prefer an ldaps:// (TLS) URL where the directory offers it.

principal.ldap.security.principal (String): Distinguished name (dn) of the LDAP user OpenKM binds with. OpenKM only runs searches with this account, so a dedicated read-only account is sufficient.

principal.ldap.security.credentials (String): Password of that LDAP user.

principal.ldap.referral (String): Specifies how the referrals sent by AD in the search results are handled by OpenKM. In almost all cases this value is empty.

Note for Active Directory (AD) users: AD servers are apparently unable to handle referrals automatically, which causes a PartialResultException to be thrown whenever a referral is encountered in a search. To avoid this, set the ignorePartialResultException property to true. There is currently no way of manually handling these referrals in the form of ReferralException, i.e. either you get the exception (and your results are lost) or all referrals are ignored (if the server is unable to handle them properly). Neither is there any simple way to get notified that a PartialResultException has been ignored (other than in the log).

More information at Spring LdapTemplate.

Values might be:

"ignore"

If principal.ldap.referral=ignore, the following exception will be thrown when a referral is encountered:

javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'dc=company,dc=com'

"follow"

If principal.ldap.referral=follow, OpenKM follows the referral automatically. For this to succeed, make sure OpenKM can reach the referred server; the ReferralException errors should then no longer appear.

"throw"

If principal.ldap.referral=throw, the following exception will be thrown:

com.sun.jndi.ldap.LdapReferralException: Continuation Reference; remaining name 'dc=company,dc=com'

More information at Referrals in the JNDI.

principal.ldap.users.from.roles (Boolean): When "true", OpenKM tries to retrieve all users from the roles list (the members of each role).

principal.ldap.user.attribute (String): User attribute.

principal.ldap.user.search.base (List): List of base nodes.

principal.ldap.user.search.filter (String): Filter options.

principal.ldap.username.attribute (String): Username attribute.

principal.ldap.username.search.base (String): Base node.

principal.ldap.username.search.filter (String): Filter options.

principal.ldap.mail.attribute (String): Mail attribute.

principal.ldap.mail.search.base (String): Base node.

principal.ldap.mail.search.filter (String): Filter options.

principal.ldap.role.attribute (String): Role attribute.

principal.ldap.role.search.base (List): List of base nodes.

principal.ldap.role.search.filter (String): Filter options.

principal.ldap.roles.by.user.attribute (String): User attribute.

principal.ldap.roles.by.user.search.base (String): Base node.

principal.ldap.roles.by.user.search.filter (String): Filter options.

principal.ldap.users.by.role.attribute (String): Role attribute.

principal.ldap.users.by.role.search.base (String): Base node.

principal.ldap.users.by.role.search.filter (String): Filter options.

Sample configuration

Property (Type): Value

principal.adapter (String): com.openkm.principal.LdapPrincipalAdapter

system.login.lowercase (String): true

principal.ldap.server (String): ldap://192.168.1.20:389

principal.ldap.security.principal (String): CN=Administrator,OU=OpenKM,DC=company,DC=com

principal.ldap.security.credentials (String): password

principal.ldap.referral (String): (empty)

principal.ldap.users.from.roles (Boolean): false

principal.ldap.user.attribute (String): sAMAccountName

principal.ldap.user.search.base (List): DC=company,DC=com

principal.ldap.user.search.filter (String): objectclass=person

principal.ldap.username.attribute (String): cn

principal.ldap.username.search.base (String): DC=company,DC=com

principal.ldap.username.search.filter (String): (sAMAccountName={0})

principal.ldap.mail.attribute (String): mail

principal.ldap.mail.search.base (String): DC=company,DC=com

principal.ldap.mail.search.filter (String): (sAMAccountName={0})

principal.ldap.role.attribute (String): cn

principal.ldap.role.search.base (List): DC=company,DC=com

principal.ldap.role.search.filter (String): objectclass=group

principal.ldap.roles.by.user.attribute (String): memberOf

principal.ldap.roles.by.user.search.base (String): DC=company,DC=com

principal.ldap.roles.by.user.search.filter (String): (&(objectclass=person)(sAMAccountName={0}))

principal.ldap.users.by.role.attribute (String): member

principal.ldap.users.by.role.search.base (String): DC=company,DC=com

principal.ldap.users.by.role.search.filter (String): (&(objectClass=group)(cn={0}))

Note that every parameterised filter must be a well-formed filter with balanced parentheses: a missing closing parenthesis, such as (sAMAccountName={0} , makes the query fail rather than silently match.
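A lint for a configuration like the one above, as an added example that is not OpenKM's own code. It checks the rules the page states for these properties: every search filter has balanced parentheses, each of the four parameterised filters contains an (attribute={0}) clause whose attribute matches principal.ldap.user.attribute (or principal.ldap.role.attribute for users.by.role), the two list queries carry no {0}, and system.login.lowercase is "true" when sAMAccountName, the Active Directory login attribute, is the user attribute. The configuration dictionary is constructed from the page's sample; the check names and messages are this example's own.

```python
"""Sanity-check OpenKM principal.ldap.* properties before deploying them.

Added example; not OpenKM's own code. The rules checked are those stated on
the configuration page; the function and message names are this example's.
"""
import re
from typing import Dict, List

# Constructed from the page's sample configuration (filters and attributes only).
SAMPLE_CONFIG = {
    "system.login.lowercase": "true",
    "principal.ldap.user.attribute": "sAMAccountName",
    "principal.ldap.user.search.filter": "objectclass=person",
    "principal.ldap.username.search.filter": "(sAMAccountName={0})",
    "principal.ldap.mail.search.filter": "(sAMAccountName={0})",
    "principal.ldap.role.attribute": "cn",
    "principal.ldap.role.search.filter": "objectclass=group",
    "principal.ldap.roles.by.user.search.filter": "(&(objectclass=person)(sAMAccountName={0}))",
    "principal.ldap.users.by.role.search.filter": "(&(objectClass=group)(cn={0}))",
}

# Parameterised filters and the property whose attribute value fills their {0}.
PARAM_FILTERS = {
    "principal.ldap.username.search.filter": "principal.ldap.user.attribute",
    "principal.ldap.mail.search.filter": "principal.ldap.user.attribute",
    "principal.ldap.roles.by.user.search.filter": "principal.ldap.user.attribute",
    "principal.ldap.users.by.role.search.filter": "principal.ldap.role.attribute",
}
# List queries: they run with no argument, so a {0} in them would never be filled.
UNPARAM_FILTERS = ("principal.ldap.user.search.filter", "principal.ldap.role.search.filter")

# Matches the "(attribute={0})" clause and captures the attribute name.
_PLACEHOLDER = re.compile(r"\(([A-Za-z][\w.;-]*)=\{0\}\)")


def balanced(ldap_filter: str) -> bool:
    """True when parentheses never close early and all are closed at the end."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def lint(cfg: Dict[str, str]) -> List[str]:
    """Return a list of findings; an empty list means the filters are consistent."""
    findings: List[str] = []
    for key, value in cfg.items():
        if key.endswith(".search.filter") and not balanced(value):
            findings.append(f"{key}: unbalanced parentheses in {value!r}")
    for key, attr_key in PARAM_FILTERS.items():
        match = _PLACEHOLDER.search(cfg.get(key, ""))
        expected = cfg.get(attr_key, "")
        if match is None:
            findings.append(f"{key}: expected an (attribute={{0}}) clause")
        elif match.group(1).lower() != expected.lower():
            findings.append(
                f"{key}: {{0}} is matched against {match.group(1)} "
                f"but {attr_key} is {expected!r}")
    for key in UNPARAM_FILTERS:
        if "{0}" in cfg.get(key, ""):
            findings.append(f"{key}: list query must not contain {{0}}")
    # sAMAccountName means Active Directory, where the page requires lowercase logins.
    if (cfg.get("principal.ldap.user.attribute", "").lower() == "samaccountname"
            and cfg.get("system.login.lowercase", "").strip().lower() != "true"):
        findings.append('system.login.lowercase: must be "true" when authenticating against Active Directory')
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
    # Constructed variant with a common typo: the closing parenthesis is missing.
    broken = dict(SAMPLE_CONFIG, **{"principal.ldap.mail.search.filter": "(sAMAccountName={0}"})
    for finding in lint(broken):
        print(finding)
```

The lint is deliberately offline: it reads only the property values, so it can run in a pre-deployment check without directory credentials. It does not prove that the base nodes or attributes exist in the directory; that still needs a search against the server, for instance the ldapsearch invocation rendered in the earlier example.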