Hi,
I want all users to be able to log in either with their login name (uid) or their mail address (mail).
Therefore, I modified the Spring Security bean configuration to enable both ways.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:...">
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="MY SERVER URL"/>
    <beans:property name="userDn" value="cn=ldap"/>
    <beans:property name="password" value="MY PWD"/>
  </beans:bean>
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="ou=groups,dc=myrealm"/>
        <beans:property name="groupSearchFilter" value="uniqueMember={0}"/>
        <beans:property name="groupRoleAttribute" value="uid"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <beans:property name="rolePrefix" value="" />
        <beans:property name="defaultRole" value="ROLE_USER" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=people,dc=myrealm" />
    <beans:constructor-arg index="1" value="(|(uid={0})(mail={0}))" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
</beans:beans>
This is working great! The magic happens here:
Code:
<beans:constructor-arg index="1" value="(|(uid={0})(mail={0}))" />
Ok, but now the problem.
Once the user has logged in, his permissions are only available when he used his UID to log in. When he uses his MAIL attribute, no permissions are applied. This means the user can't see, e.g., the folders he has read permissions on. So it seems that somewhere the attribute used for login is used to match the LDAP user specified in the permissions, and when he uses MAIL no match is found.
For completeness, the LDAP configuration inside OpenKM:
Code:
principal.ldap.mail.attribute: mail
principal.ldap.mail.search.base: ou=people,dc=myrealm
principal.ldap.mail.search.filter: (&(objectClass=person)(uid={0}))
principal.ldap.role.attribute: cn
principal.ldap.role.search.base: ou=groups,dc=myrealm
principal.ldap.role.search.filter: (objectClass=groupOfUniqueNames)
principal.ldap.roles.by.user.attribute: memberOf
principal.ldap.roles.by.user.search.base: ou=people,dc=myrealm
principal.ldap.roles.by.user.search.filter: (&(objectClass=person)(uid={0}))
principal.ldap.security.credentials: MY PWD
principal.ldap.security.principal: cn=ldap
principal.ldap.server: ldaps://myrealm.myserver.net:389
principal.ldap.user.attribute: uid
principal.ldap.user.search.base: ou=people,dc=myrealm
principal.ldap.user.search.filter: (objectClass=person)
principal.ldap.username.attribute: cn
principal.ldap.username.search.base: ou=people,dc=myrealm
principal.ldap.username.search.filter: (uid={0})
principal.ldap.users.by.role.attribute: uniqueMember
principal.ldap.users.by.role.search.base: cn={0},ou=groups,dc=myrealm
principal.ldap.users.by.role.search.filter: (objectClass=groupOfUniqueNames)
principal.ldap.users.from.roles: Inactive
Thanks for any hints.
I don't know if it is a Spring Security-related problem, a configuration problem inside OpenKM, or if it is simply not possible to use both login methods at the same time.
Regards!
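The following is an added example, not code from the post, from OpenKM or from Spring Security. It models the two halves of the flow described above with a tiny in-memory LDAP filter evaluator: Spring Security finds and binds the user with `(|(uid={0})(mail={0}))`, and OpenKM later takes the authenticated principal name and pushes it through `(uid={0})` and its name-keyed permission table. It assumes (as the symptom suggests) that OpenKM matches permissions by the principal's name, and that Spring's default `LdapUserDetailsMapper` keeps the name exactly as typed at login, so a mail login yields a principal called `alice@example.org` that never matches an ACL entry for `alice`. The directory entries, passwords, folder path and ACL are constructed for illustration.

```python
"""Model of the post's login flow: Spring finds the user with (|(uid={0})(mail={0})),
OpenKM then resolves the principal by name with (uid={0}).  Added example, not OpenKM
or Spring Security code; directory, passwords and ACL below are constructed."""
import hmac
import re

# Constructed directory (DN -> attributes) in the post's ou=people / ou=groups layout.
DIRECTORY = {
    "uid=alice,ou=people,dc=myrealm": {
        "objectClass": ["person"], "uid": ["alice"], "cn": ["Alice Example"],
        "mail": ["alice@example.org"],
    },
    "uid=bob,ou=people,dc=myrealm": {
        "objectClass": ["person"], "uid": ["bob"], "cn": ["Bob Example"],
        "mail": ["bob@example.org"],
    },
    "cn=readers,ou=groups,dc=myrealm": {
        "objectClass": ["groupOfUniqueNames"], "cn": ["readers"],
        "uniqueMember": ["uid=alice,ou=people,dc=myrealm"],
    },
}
PASSWORDS = {"uid=alice,ou=people,dc=myrealm": "s3cret",      # constructed, for the
             "uid=bob,ou=people,dc=myrealm": "hunter2"}       # simulated bind
ACL = {"/okm:root/reports": {"alice": {"READ"}}}            # constructed, keyed by user *name*

SPRING_USER_FILTER = "(|(uid={0})(mail={0}))"   # userSearch filter from the post
OPENKM_USER_FILTER = "(uid={0})"                  # principal.ldap.username.search.filter
SPRING_GROUP_FILTER = "(uniqueMember={0})"        # groupSearchFilter, {0} is the user's DN


def filter_encode(value):
    """RFC 4515 escaping of a value substituted into {0} (what JNDI/Spring do for you)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def _parse(s, i):
    """Recursive-descent parser for the (&...), (|...) and (attr=value) forms used here."""
    assert s[i] == "("
    i += 1
    if s[i] in "&|":
        op, subs, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            subs.append(node)
        return (op, subs), i + 1
    eq, close = s.index("=", i), s.index(")", i)
    value = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s[eq + 1:close])
    return ("=", s[i:eq], value), close + 1


def _matches(node, entry):
    if node[0] == "&":
        return all(_matches(n, entry) for n in node[1])
    if node[0] == "|":
        return any(_matches(n, entry) for n in node[1])
    _, attr, value = node
    return any(v.lower() == value.lower() for v in entry.get(attr, []))  # caseIgnoreMatch


def ldap_search(base, filter_template, arg):
    """Subtree search under base; {0} is replaced by the escaped argument."""
    node, _ = _parse(filter_template.replace("{0}", filter_encode(arg)), 0)
    return [dn for dn, entry in DIRECTORY.items()
            if dn.lower().endswith("," + base.lower()) and _matches(node, entry)]


def spring_authenticate(login, password, canonicalize=False):
    """BindAuthenticator in miniature. Returns the principal name OpenKM will see, or None.
    Default behaviour keeps the login as typed; canonicalize=True models a custom
    UserDetailsContextMapper that reports the entry's uid as the username instead."""
    hits = ldap_search("ou=people,dc=myrealm", SPRING_USER_FILTER, login)
    if len(hits) != 1:
        return None                                  # unknown user, or ambiguous match
    dn = hits[0]
    if not hmac.compare_digest(PASSWORDS.get(dn, ""), password):
        return None                                  # simulated bind failure
    return DIRECTORY[dn]["uid"][0] if canonicalize else login


def spring_roles(dn):
    """DefaultLdapAuthoritiesPopulator resolves groups by DN, so it is unaffected by
    which attribute the user typed (the post's groupRoleAttribute is uid; cn is used here)."""
    return sorted(DIRECTORY[g]["cn"][0]
                  for g in ldap_search("ou=groups,dc=myrealm", SPRING_GROUP_FILTER, dn))


def openkm_permissions(principal, path):
    """OpenKM side: the principal name goes through (uid={0}) and the name-keyed ACL."""
    if not ldap_search("ou=people,dc=myrealm", OPENKM_USER_FILTER, principal):
        return set()                                 # name resolves to no user: nothing applies
    return set(ACL.get(path, {}).get(principal, set()))


def login_flow(login, password, canonicalize=False):
    principal = spring_authenticate(login, password, canonicalize)
    if principal is None:
        return None, set()
    return principal, openkm_permissions(principal, "/okm:root/reports")


if __name__ == "__main__":
    for login, canon in [("alice", False), ("alice@example.org", False), ("alice@example.org", True)]:
        print(f"{login!r:22} canonicalize={canon!s:5} -> {login_flow(login, 's3cret', canon)}")
```

Run as-is and the three lines show the post's symptom and its cure: `alice` gets `READ`, `alice@example.org` gets nothing because OpenKM never finds a user whose `uid` is a mail address, and the canonicalized login gets `READ` again. On the Spring side the equivalent of `canonicalize=True` is a `UserDetailsContextMapper` set through the `userDetailsContextMapper` property of `LdapAuthenticationProvider` that builds the user details with the entry's `uid` attribute as the username rather than the typed login; group lookup via `uniqueMember={0}` already works for both logins because it keys on the DN, which is why only the OpenKM permissions break. Two caveats worth checking in a real directory: the bind search must return exactly one entry, so `mail` has to be unique and not writable by ordinary users, otherwise one user can make another's login ambiguous; and `ldaps://` normally listens on 636, while 389 is the plaintext/StartTLS port, so confirm the configured server URL is really giving you TLS.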