
Filtering Active Directory Group Membership

PostPosted:Sat Jun 28, 2014 10:29 am
by sirhc5050
After spending quite a bit of time running through the LDAP/AD examples on the wiki, I have successfully gotten Active Directory working. However, I am having a problem with the list of roles.

My settings match LDAP-example3; however, when I go to the "Users" list in Administration, the table shows the complete list of group memberships for the user. Due to the security requirements of the network, one user may be a member of as many as 30 role or access groups.

I am hoping there is something obvious that I am missing, but after comparing line by line with the example and finding differences only in the OU/DC names, I am stumped.

Any assistance would be appreciated.
Settings:
principal.ldap.mail.attribute                String   mail
principal.ldap.mail.search.base              String   DC=MYDOM,DC=PARENTDOM,DC=TLD
principal.ldap.mail.search.filter            String   (&(objectclass=person)(sAMAccountName={0}))
principal.ldap.referral                      String   follow
principal.ldap.role.attribute                String   cn
principal.ldap.role.search.base              List     OU=OpenKM,OU=Resources,OU=Security Groups,OU=CHIP, DC=MYDOM,DC=PARENTDOM,DC=TLD
principal.ldap.role.search.filter            String   objectclass=group
principal.ldap.roles.by.user.attribute       String   memberOf
principal.ldap.roles.by.user.search.base     String   DC=MYDOM,DC=PARENTDOM,DC=TLD
principal.ldap.roles.by.user.search.filter   String   (&(objectClass=user)(sAMAccountName={0}))
principal.ldap.security.credentials          String   *************************
principal.ldap.security.principal            String   CN=OpenKM LDAP Account,OU=Service Accounts,OU=CHIP IT, DC=MYDOM,DC=PARENTDOM,DC=TLD
principal.ldap.server                        String   ldap://***.***.***.11
principal.ldap.user.attribute                String   sAMAccountName
principal.ldap.user.search.base              List     DC=MYDOM,DC=PARENTDOM,DC=TLD
principal.ldap.user.search.filter            String   (&(objectclass=user) (|(memberOf=CN=ROLE_USER,OU=OpenKM,OU=Resources,OU=Security Groups,OU=CHIP, DC=MYDOM,DC=PARENTDOM,DC=TLD)(memberOf=CN=ROLE_ADMIN,OU=OpenKM,OU=Resources,OU=Security Groups,OU=CHIP, DC=MYDOM,DC=PARENTDOM,DC=TLD)))
principal.ldap.username.attribute            String   cn
principal.ldap.username.search.base          String   DC=MYDOM,DC=PARENTDOM,DC=TLD
principal.ldap.username.search.filter        String   (sAMAccountName={0})
principal.ldap.users.by.role.attribute       String   member
principal.ldap.users.by.role.search.base     String   DC=MYDOM,DC=PARENTDOM,DC=TLD
principal.ldap.users.by.role.search.filter   String   (&(objectClass=group)(cn={0}))
principal.ldap.users.from.roles              Boolean  Inactive

Re: Filtering Active Directory Group Membership

PostPosted:Mon Jun 30, 2014 6:34 am
by jllort
Is the problem that the role list shows more roles than will be used by OpenKM, or that it shows all the roles assigned to a user?

Re: Filtering Active Directory Group Membership

PostPosted:Mon Jun 30, 2014 12:07 pm
by sirhc5050
The problem is that it is showing all of the groups the user is a member of in Active Directory. I would prefer that the system only show ROLE_ADMIN or ROLE_USER.

Re: Filtering Active Directory Group Membership

PostPosted:Tue Jul 01, 2014 10:08 am
by jllort
In this case you should create your own adapter, because the default OpenKM LDAP adapter does not filter out user roles that are not used in OpenKM; by default it shows all of a user's roles. You need to build your own principalAdapter: http://sourceforge.net/p/openkm/code/HE ... apter.java
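The filtering jllort says a custom principalAdapter would have to do, worked through as an added example (this is not OpenKM's code and not the poster's configuration): it takes the raw memberOf values that the roles.by.user lookup returns for a user and keeps only the groups that sit directly under the configured role search base, optionally restricted further to an explicit allow-list such as ROLE_USER and ROLE_ADMIN. The memberOf values below are constructed, and the function names are assumptions. DNs are compared RDN by RDN, with attribute types and values compared case-insensitively and whitespace after commas ignored, because AD returns DNs in its own canonical form and a plain substring test for "OU=OpenKM" would also accept an unrelated "OU=OpenKM Archive".

```python
"""Filter an AD user's memberOf values down to the groups OpenKM should see.

Added example for the thread above; not OpenKM code. The same logic would
sit in a custom principalAdapter where it builds a user's role list.
"""

# Constructed sample: what AD might return as memberOf for one user.
# Only the first two are OpenKM roles under the poster's role.search.base;
# the rest are the kind of groups the poster wants hidden.
SAMPLE_MEMBER_OF = [
    "CN=ROLE_USER,OU=OpenKM,OU=Resources,OU=Security Groups,OU=CHIP,DC=MYDOM,DC=PARENTDOM,DC=TLD",
    "cn=ROLE_ADMIN, ou=OpenKM, ou=Resources, ou=Security Groups, ou=CHIP, dc=MYDOM, dc=PARENTDOM, dc=TLD",
    "CN=VPN Users,OU=Access,OU=Security Groups,OU=CHIP,DC=MYDOM,DC=PARENTDOM,DC=TLD",
    "CN=Domain Users,CN=Users,DC=MYDOM,DC=PARENTDOM,DC=TLD",
    "CN=OpenKM Auditors,OU=OpenKM Archive,OU=Resources,OU=Security Groups,OU=CHIP,DC=MYDOM,DC=PARENTDOM,DC=TLD",
    "CN=ROLE_ARCHIVE,OU=Archive,OU=OpenKM,OU=Resources,OU=Security Groups,OU=CHIP,DC=MYDOM,DC=PARENTDOM,DC=TLD",
]

# The role search base exactly as it appears in the poster's settings,
# including the space after "OU=CHIP,".
ROLE_SEARCH_BASE = "OU=OpenKM,OU=Resources,OU=Security Groups,OU=CHIP, DC=MYDOM,DC=PARENTDOM,DC=TLD"


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514).

    A backslash-escaped comma inside a value (e.g. CN=Doe\\, Jane) does
    not split; escape sequences are kept as-is in the returned pieces.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))
    return rdns


def normalize_dn(dn):
    """Return the DN as a tuple of (type, value) pairs for comparison.

    Types and values are lower-cased and surrounding whitespace is dropped,
    so "OU=CHIP, DC=MYDOM" and "ou=chip,dc=mydom" compare equal.
    """
    pairs = []
    for rdn in split_dn(dn):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return tuple(pairs)


def is_under(dn, base):
    """True if dn is a descendant of base (strictly below it, any depth)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[-len(b):] == b


def roles_for_user(member_of, role_search_base, allowed=None, direct_only=True):
    """Return the CNs of the groups in member_of that OpenKM should treat as roles.

    allowed:     optional set of role names; when given, only those are kept.
                 Names are compared exactly as AD returns them.
    direct_only: keep only groups whose parent is role_search_base itself,
                 so groups in sub-OUs are ignored unless set to False.
    """
    base = normalize_dn(role_search_base)
    roles = []
    for dn in member_of:
        parts = normalize_dn(dn)
        if not (len(parts) > len(base) and parts[-len(base):] == base):
            continue
        if direct_only and len(parts) != len(base) + 1:
            continue
        leaf_type, _ = parts[0]
        if leaf_type != "cn":
            continue
        # Take the CN from the raw RDN so the role name keeps its original case.
        cn = split_dn(dn)[0].partition("=")[2].strip()
        if allowed is not None and cn not in allowed:
            continue
        roles.append(cn)
    return roles


if __name__ == "__main__":
    print(roles_for_user(SAMPLE_MEMBER_OF, ROLE_SEARCH_BASE))
    print(roles_for_user(SAMPLE_MEMBER_OF, ROLE_SEARCH_BASE, allowed={"ROLE_USER", "ROLE_ADMIN"}))
    print(roles_for_user(SAMPLE_MEMBER_OF, ROLE_SEARCH_BASE, direct_only=False))
```

With the sample data the default call yields ROLE_USER and ROLE_ADMIN only: "VPN Users" and "Domain Users" are outside the base, "OpenKM Auditors" is under a different OU whose name merely starts with "OpenKM", and ROLE_ARCHIVE is one level too deep unless direct_only is switched off. Restricting to an explicit allow-list on top of the base check is the safer choice when the OpenKM OU is shared with other groups, because a group created under that OU later would otherwise appear as a new role.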