mirror of
https://github.com/Alfresco/alfresco-community-repo.git
synced 2025-10-29 15:21:53 +00:00
d5e0432589
14587: Added new node service method getNodesWithoutParentAssocsOfType to public-services-security-context.xml (or at least my best guess at it!)
14586: Use US spelling of synchronization in filenames for consistency
14585: Lower the default user registry sync frequency to daily instead of hourly. Now users and groups are pulled over incrementally on login of missing users.
14583: Unit test for ChainingUserRegistrySynchronizer
14571: Migration patch for existing authorities previously held in users store
- Uses AuthorityService to recreate authorities in spaces store with new structure
14555: Authority service changes for LDAP sync improvements
- Moved sys:authorities container to spaces store
- All authorities now stored directly under sys:authorities
- Authorities can now be looked up directly by node service
- Secondary child associations used to model group relationships
- 'Root' groups for UI navigation determined dynamically by node service query
- cm:member association used to relate both authority containers and persons to other authorities
- New cm:inZone association relates persons and authority containers to synchronization 'zones' stored under sys:zones
- Look up of authority zone and all authorities in a zone to enable multi-zone LDAP sync
14524: Dev branch for finishing LDAP zones and upgrade impact
git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@14588 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
334 lines
14 KiB
XML
334 lines
14 KiB
XML
<?xml version='1.0' encoding='UTF-8'?>
|
|
<!DOCTYPE beans PUBLIC '-//SPRING//DTD BEAN//EN' 'http://www.springframework.org/dtd/spring-beans.dtd'>
|
|
|
|
<beans>
|
|
<!--
|
|
DAO that rejects changes - LDAP is read only at the moment. It does allow users to be deleted with out warnings
|
|
from the UI.
|
|
-->
|
|
|
|
<bean id="authenticationDao" class="org.alfresco.repo.security.authentication.DefaultMutableAuthenticationDao">
|
|
<property name="allowSetEnabled" value="true" />
|
|
<property name="allowGetEnabled" value="true" />
|
|
<property name="allowDeleteUser" value="true" />
|
|
<property name="allowCreateUser" value="true" />
|
|
</bean>
|
|
|
|
<!-- LDAP authentication configuration -->
|
|
|
|
<!--
|
|
|
|
You can also use JAAS authentication for Kerberos against Active Directory or NTLM if you also require single sign
|
|
on from the web browser. You do not have to use LDAP authentication to synchronise groups and users from an LDAP
|
|
store if it supports other authentication routes, like Active Directory.
|
|
-->
|
|
|
|
<bean id="authenticationComponent" class="org.alfresco.repo.security.authentication.ldap.LDAPAuthenticationComponentImpl"
|
|
parent="authenticationComponentBase">
|
|
<property name="active">
|
|
<value>${ldap.authentication.active}</value>
|
|
</property>
|
|
<property name="LDAPInitialDirContextFactory">
|
|
<ref bean="ldapInitialDirContextFactory" />
|
|
</property>
|
|
<property name="userNameFormat">
|
|
<!--
|
|
|
|
This maps between what the user types in and what is passed through to the underlying LDAP authentication.
|
|
|
|
"%s" - the user id is passed through without modification. Used for LDAP authentication such as DIGEST-MD5,
|
|
anything that is not "simple". "cn=%s,ou=London,dc=company,dc=com" - If the user types in "Joe Bloggs" the
|
|
authenticate as "cn=Joe Bloggs,ou=London,dc=company,dc=com" Usually for simple authentication. Simple
|
|
authentication always uses the DN for the user.
|
|
-->
|
|
<value>${ldap.authentication.userNameFormat}</value>
|
|
</property>
|
|
<property name="nodeService">
|
|
<ref bean="nodeService" />
|
|
</property>
|
|
<property name="personService">
|
|
<ref bean="personService" />
|
|
</property>
|
|
<property name="transactionService">
|
|
<ref bean="transactionService" />
|
|
</property>
|
|
<property name="escapeCommasInBind">
|
|
<value>${ldap.authentication.escapeCommasInBind}</value>
|
|
</property>
|
|
<property name="escapeCommasInUid">
|
|
<value>${ldap.authentication.escapeCommasInUid}</value>
|
|
</property>
|
|
<property name="allowGuestLogin">
|
|
<value>${ldap.authentication.allowGuestLogin}</value>
|
|
</property>
|
|
<property name="defaultAdministratorUserNameList">
|
|
<value>${ldap.authentication.defaultAdministratorUserNames}</value>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- Wrapped version to be used within subsystem -->
|
|
<bean id="AuthenticationComponent" class="org.springframework.transaction.interceptor.TransactionProxyFactoryBean">
|
|
<property name="proxyInterfaces">
|
|
<value>org.alfresco.repo.security.authentication.AuthenticationComponent</value>
|
|
</property>
|
|
<property name="transactionManager">
|
|
<ref bean="transactionManager" />
|
|
</property>
|
|
<property name="target">
|
|
<ref bean="authenticationComponent" />
|
|
</property>
|
|
<property name="transactionAttributes">
|
|
<props>
|
|
<prop key="*">${server.transaction.mode.default}</prop>
|
|
</props>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- Authenticaton service for chaining -->
|
|
<bean id="localAuthenticationService" class="org.alfresco.repo.security.authentication.AuthenticationServiceImpl">
|
|
<property name="authenticationDao">
|
|
<ref bean="authenticationDao" />
|
|
</property>
|
|
<property name="ticketComponent">
|
|
<ref bean="ticketComponent" />
|
|
</property>
|
|
<property name="authenticationComponent">
|
|
<ref bean="authenticationComponent" />
|
|
</property>
|
|
<property name="sysAdminCache">
|
|
<ref bean="sysAdminCache" />
|
|
</property>
|
|
</bean>
|
|
|
|
<!--
|
|
|
|
This bean is used to support general LDAP authentication. It is also used to provide read only access to users and
|
|
groups to pull them out of the LDAP reopsitory
|
|
-->
|
|
|
|
<bean id="ldapInitialDirContextFactory" class="org.alfresco.repo.security.authentication.ldap.LDAPInitialDirContextFactoryImpl">
|
|
<property name="initialDirContextEnvironment">
|
|
<map>
|
|
<!-- The LDAP provider -->
|
|
<entry key="java.naming.factory.initial">
|
|
<value>${ldap.authentication.java.naming.factory.initial}</value>
|
|
</entry>
|
|
|
|
<!-- The url to the LDAP server -->
|
|
<!-- Note you can use space separated urls - they will be tried in turn until one works -->
|
|
<!-- This could be used to authenticate against one or more ldap servers (you will not know which one ....) -->
|
|
<entry key="java.naming.provider.url">
|
|
<value>${ldap.authentication.java.naming.provider.url}</value>
|
|
</entry>
|
|
|
|
<!-- The authentication mechanism to use -->
|
|
<!-- Some sasl authentication mechanisms may require a realm to be set -->
|
|
<!-- java.naming.security.sasl.realm -->
|
|
<!-- The available options will depend on your LDAP provider -->
|
|
<entry key="java.naming.security.authentication">
|
|
<value>${ldap.authentication.java.naming.security.authentication}</value>
|
|
</entry>
|
|
|
|
<!-- The id of a user who can read group and user information -->
|
|
<!-- This does not go through the pattern substitution defined above and is used "as is" -->
|
|
<entry key="java.naming.security.principal">
|
|
<value>${ldap.authentication.java.naming.security.principal}</value>
|
|
</entry>
|
|
|
|
<!-- The password for the user defined above -->
|
|
<entry key="java.naming.security.credentials">
|
|
<value>${ldap.authentication.java.naming.security.credentials}</value>
|
|
</entry>
|
|
</map>
|
|
</property>
|
|
</bean>
|
|
|
|
<!-- Regularly exports user and group information from LDAP -->
|
|
|
|
<bean id="userRegistry" class="org.alfresco.repo.security.sync.ldap.LDAPUserRegistry">
|
|
<property name="active">
|
|
<value>${ldap.synchronization.active}</value>
|
|
</property>
|
|
<!--
|
|
The query to select all objects that represent the groups to import.
|
|
|
|
For Open LDAP, using a basic schema, the following is probably what you want:
|
|
(objectclass=groupOfNames)
|
|
|
|
For Active Directory:
|
|
(objectclass=group)
|
|
-->
|
|
<property name="groupQuery">
|
|
<value>${ldap.synchronization.groupQuery}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The query to select objects that represent the groups to import that have changed since a certain time.
|
|
|
|
For Open LDAP, using a basic schema, the following is probably what you want:
|
|
(&(objectclass=groupOfNames)(!(modifyTimestamp<={0})))
|
|
|
|
For Active Directory:
|
|
(&(objectclass=group)(!(modifyTimestamp<={0})))
|
|
-->
|
|
<property name="groupDifferentialQuery">
|
|
<value>${ldap.synchronization.groupDifferentialQuery}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The query to select all objects that represent the users to import.
|
|
|
|
For Open LDAP, using a basic schema, the following is probably what you want:
|
|
(objectclass=inetOrgPerson)
|
|
|
|
For Active Directory:
|
|
(objectclass=user)
|
|
-->
|
|
<property name="personQuery">
|
|
<value>${ldap.synchronization.personQuery}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The query to select objects that represent the users to import that have changed since a certain time.
|
|
|
|
For Open LDAP, using a basic schema, the following is probably what you want:
|
|
(&(objectclass=inetOrgPerson)(!(modifyTimestamp<={0})))
|
|
|
|
For Active Directory:
|
|
(&(objectclass=user)(!(modifyTimestamp<={0})))
|
|
-->
|
|
<property name="personDifferentialQuery">
|
|
<value>${ldap.synchronization.personDifferentialQuery}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
|
|
-->
|
|
<property name="groupSearchBase">
|
|
<value>${ldap.synchronization.groupSearchBase}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
|
|
-->
|
|
<property name="userSearchBase">
|
|
<value>${ldap.synchronization.userSearchBase}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The unique identifier for the user.
|
|
-->
|
|
<property name="userIdAttributeName">
|
|
<value>${ldap.synchronization.userIdAttributeName}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The name of the operational attribute recording the last update time for a group or user.
|
|
-->
|
|
<property name="modifyTimestampAttributeName">
|
|
<value>${ldap.synchronization.modifyTimestampAttributeName}</value>
|
|
</property>
|
|
|
|
<!--
|
|
An attribute that is a unique identifier for each group found.
|
|
This is also the name of the group with the current group implementation.
|
|
This is mandatory for any groups found.
|
|
|
|
OpenLDAP: "cn" as it is mandatory on groupOfNames
|
|
Active Directory: "cn"
|
|
|
|
-->
|
|
<property name="groupIdAttributeName">
|
|
<value>${ldap.synchronization.groupIdAttributeName}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The objectClass attribute for group members.
|
|
For each member of a group, the distinguished name is given.
|
|
The object is looked up by its DN. If the object is of this class it is treated as a group.
|
|
-->
|
|
<property name="groupType">
|
|
<value>${ldap.synchronization.groupType}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The objectClass attribute for person members.
|
|
For each member of a group, the distinguished name is given.
|
|
The object is looked up by its DN. If the object is of this class it is treated as a person.
|
|
-->
|
|
<property name="personType">
|
|
<value>${ldap.synchronization.personType}</value>
|
|
</property>
|
|
|
|
<!--
|
|
The repeating attribute on group objects (found by query or as sub groups)
|
|
used to define membership of the group. This is assumed to hold distinguished names of
|
|
other groups or users/people; the above types are used to determine this.
|
|
|
|
OpenLDAP: "member" as it is mandatory on groupOfNames
|
|
Active Directory: "member"
|
|
|
|
-->
|
|
<property name="memberAttribute">
|
|
<value>${ldap.synchronization.groupMemberAttributeName}</value>
|
|
</property>
|
|
|
|
<!--
|
|
This property defines a mapping between attributes held on LDAP user objects and
|
|
the properties of user objects held in the repository. The key is the QName of an attribute in
|
|
the repository, the value is the attribute name from the user/inetOrgPerson/.. object in the
|
|
LDAP repository.
|
|
-->
|
|
<property name="attributeMapping">
|
|
<map>
|
|
<entry key="cm:userName">
|
|
<!-- Must match the same attribute as userIdAttributeName -->
|
|
<value>${ldap.synchronization.userIdAttributeName}</value>
|
|
</entry>
|
|
<entry key="cm:firstName">
|
|
<!-- OpenLDAP: "givenName" -->
|
|
<!-- Active Directory: "givenName" -->
|
|
<value>${ldap.synchronization.userFirstNameAttributeName}</value>
|
|
</entry>
|
|
<entry key="cm:lastName">
|
|
<!-- OpenLDAP: "sn" -->
|
|
<!-- Active Directory: "sn" -->
|
|
<value>${ldap.synchronization.userLastNameAttributeName}</value>
|
|
</entry>
|
|
<entry key="cm:email">
|
|
<!-- OpenLDAP: "mail" -->
|
|
<!-- Active Directory: "???" -->
|
|
<value>${ldap.synchronization.userEmailAttributeName}</value>
|
|
</entry>
|
|
<entry key="cm:organizationId">
|
|
<!-- OpenLDAP: "o" -->
|
|
<!-- Active Directory: "???" -->
|
|
<value>${ldap.synchronization.userOrganizationalIdAttributeName}</value>
|
|
</entry>
|
|
<!-- Always use the default -->
|
|
<entry key="cm:homeFolderProvider">
|
|
<null/>
|
|
</entry>
|
|
</map>
|
|
</property>
|
|
<!-- Set a default home folder provider -->
|
|
<!-- Defaults only apply for values above -->
|
|
<property name="attributeDefaults">
|
|
<map>
|
|
<entry key="cm:homeFolderProvider">
|
|
<value>${ldap.synchronization.defaultHomeFolderProvider}</value>
|
|
</entry>
|
|
</map>
|
|
</property>
|
|
|
|
<!-- Services -->
|
|
<property name="LDAPInitialDirContextFactory">
|
|
<ref bean="ldapInitialDirContextFactory"/>
|
|
</property>
|
|
<property name="namespaceService">
|
|
<ref bean="namespaceService"/>
|
|
</property>
|
|
|
|
</bean>
|
|
|
|
</beans> |