added LDAP properties file for activiti-app

OpenPj · OpenPj · commit e73ca90bc4a3 · 2020-06-03T14:05:59.000+02:00
diff --git a/Dockerfile b/Dockerfile
@@ -12,5 +12,6 @@ USER root
 COPY logging/logback.xml $TOMCAT_DIR/lib
 
 COPY properties/activiti-app.properties $TOMCAT_DIR/lib
+COPY properties/activiti-ldap.properties $TOMCAT_DIR/lib
 
 COPY activiti-license/*.* $TOMCAT_DIR/lib/
diff --git a/properties/activiti-ldap.properties b/properties/activiti-ldap.properties
@@ -0,0 +1,252 @@
+
+# --------------------------
+# LDAP AUTHENTICATION CONFIG
+# --------------------------
+
+# Note that this is AUTHENTICATION only, not synchronization.
+# For this to work properly, the LDAP synchronization (see below), needs to be 
+# enabled and configured correctly (on one node).
+
+ldap.authentication.enabled=false
+
+# Set to false to allow for case insensitive logins. By default true if omitted or commented out.
+ldap.authentication.casesensitive=true
+
+# Set this property to 'true' to allow for a fallback to database authentication (default is false).
+# This can be useful to have a 'system' user for example which does not represent
+# a real user (and is not in the LDAP user store), but can be used to eg. call the REST API.
+ldap.allow.database.authenticaion.fallback=false
+
+
+# Property to map the user id entered by the user in the login field to that passed through to LDAP.
+#
+# If the users are in a flat list (eg one organizational unit), it's easy, simply set the property 
+# to a value, eg. uid={0},ou=users,dc=alfresco,dc=com
+# This is also the most performant way, as the LDAP bind can be done directly.
+#
+# However, if the users are in structured folders (organizational units for example), a direct pattern cannot be used.
+# In this case, leave the property either empty or comment it. 
+# A query will be done using the ldap.synchronization.personQuery with the ldap.synchronization.userIdAttributeName
+# to find the user, and find it's dn. That dn will then be used to login.
+ldap.authentication.dnPattern=
+
+# Uncomment when using Active directory
+#ldap.authentication.active-directory.enabled=true
+#ldap.authentication.active-directory.domain=alfresco.org
+#ldap.authentication.active-directory.rootDn=DC=alfresco,DC=com
+#ldap.authentication.active-directory.searchFilter=(&(objectClass=user)(userPrincipalName={0}))
+
+
+# ----------------------------
+# LDAP SYNCHRONIZATION CONFIG
+# ----------------------------
+
+# Enables full synchronization. With full sync, all user/groups will be checked whether they are valid or not.
+# By default, runs at midnight, since this is quite a heavy operation.
+# Full synchronization is needed because a partial synchronization cannot detect deletes of groups/users. 
+ldap.synchronization.full.enabled=false
+ldap.synchronization.full.cronExpression=0 0 0 * * ?
+
+# Enabled differential synchronization. This will only check the users/groups which are changes since last sync.
+# A differential sync cannot detect deletes of users/groups. This is done by the full sync.
+ldap.synchronization.differential.enabled=false
+ldap.synchronization.differential.cronExpression=0 0 */4 * * ?
+
+# Paging (default = no paging).
+# If enabled, default page size is 100
+ldap.synchronization.paging.enabled=false
+ldap.synchronization.paging.size=500
+
+# Db batch sizes
+ldap.synchronization.db.insert.batch.size=100
+ldap.synchronization.db.query.batch.size=100
+
+
+# ----------------------
+# LDAP CONNECTION CONFIG
+# ----------------------
+
+# The URL to connect to the LDAP server 
+ldap.authentication.java.naming.provider.url=ldap://localhost:10389
+
+# The default principal to use (only used for LDAP sync)
+ldap.synchronization.java.naming.security.principal=uid=admin,ou=system
+
+# The password for the default principal (only used for LDAP sync)
+ldap.synchronization.java.naming.security.credentials=secret
+
+# The authentication mechanism to use for synchronization
+#ldap.synchronization.java.naming.security.authentication=simple
+
+# LDAPS truststore configuration properties
+#ldap.authentication.truststore.path=
+#ldap.authentication.truststore.passphrase=
+#ldap.authentication.truststore.type=
+# Set to 'ssl' to enable truststore configuration via subsystem's properties
+#ldap.authentication.java.naming.security.protocol=ssl
+
+# The LDAP context factory to use
+#ldap.authentication.java.naming.factory.initial=com.sun.jndi.ldap.LdapCtxFactory
+
+# Requests timeout, in miliseconds, use 0 for none (default)
+#ldap.authentication.java.naming.read.timeout=0
+
+# See http://docs.oracle.com/javase/jndi/tutorial/ldap/referral/jndi.html
+#ldap.synchronization.java.naming.referral=follow
+
+
+
+# -----------
+# USER CONFIG
+# -----------
+
+# The user search base restricts the LDAP user query to a sub section of tree on the LDAP server.
+ldap.synchronization.userSearchBase=ou=users,dc=alfresco,dc=com
+
+# The query to select all objects that represent the users to import.
+# Active Directory example: (&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512))
+ldap.synchronization.personQuery=(objectclass\=inetOrgPerson)
+
+# The query to select objects that represent the users to import that have changed since a certain time.
+# Active Directory example: (&(objectclass\=user)(userAccountControl\:1.2.840.113556.1.4.803\:\=512)(!(whenChanged<\={0})))
+ldap.synchronization.personDifferentialQuery=(&(objectclass\=inetOrgPerson)(!(modifyTimestamp<\={0})))
+
+# The attribute name on people objects found in LDAP to use as the login id in Activiti. Needs to be unique and cannot change!
+ldap.synchronization.userIdAttributeName=uid
+
+# The attribute on person objects in LDAP to map to the first name property of a user
+ldap.synchronization.userFirstNameAttributeName=givenName
+
+# The attribute on person objects in LDAP to map to the last name property of a user
+ldap.synchronization.userLastNameAttributeName=sn
+
+# The attribute on person objects in LDAP to map to the email property of a user
+ldap.synchronization.userEmailAttributeName=mail
+
+# The person type in LDAP
+# Active Directory: user
+ldap.synchronization.userType=inetOrgPerson
+
+# Set the dn of the people that need to be made tenant admin (one tenant). Delimit multiple entries with ;, cause we can't use a comma of course. Note: no trimming of spaces will be applied
+ldap.synchronization.tenantAdminDn=uid=admin,ou=users,dc=alfresco,dc=com
+
+# Set the dn of the people that need to be made tenant manager (multiple tenants). Delimit multiple entries with ;, cause we can't use a comma of course. Note: no trimming of spaces will be applied
+ldap.synchronization.tenantManagerDn=uid=admin,ou=users,dc=alfresco,dc=com
+
+# Set true if users outside userSearchBase should be synchronized (members of the groups found in groupSearchBase). Default: true
+ldap.synchronization.syncAdditionalUsers=true
+
+# ------------
+# GROUP CONFIG
+# ------------
+
+# The group search base restricts the LDAP group query to a sub section of tree on the LDAP server.
+ldap.synchronization.groupSearchBase=ou=groups,dc=alfresco,dc=com
+
+# The query to select all objects that represent the groups to import.
+# Active Directory example: (objectclass\=group)
+ldap.synchronization.groupQuery=(objectclass\=groupOfNames)
+
+# The query to select objects that represent the groups to import that have changed since a certain time.
+# Active Directory example: (&(objectclass\=group)(!(whenChanged<\={0})))
+ldap.synchronization.groupDifferentialQuery=(&(objectclass\=groupOfNames)(!(modifyTimestamp<\={0})))
+
+# The attribute on LDAP group objects to map to the authority name property in Alfresco
+ldap.synchronization.groupIdAttributeName=cn
+
+# The attribute in LDAP on group objects that defines the DN for its members
+ldap.synchronization.groupMemberAttributeName=member
+
+# LDAP Range (default = no range).
+# If enabled, default range size is 1000.
+# This is an Active Directory attribute 
+# and should be used when there are groups with more than
+# 1000 members for AD on Windows Server 2000 or
+# 1500 members for AD on Windows Server 2003+
+# see https://msdn.microsoft.com/en-us/library/ms676302(VS.85).aspx
+ldap.synchronization.groupMemberRangeEnabled=false
+ldap.synchronization.groupMemberRangeSize=1500
+
+# The group type in LDAP
+# Active Directory: group
+ldap.synchronization.groupType=groupOfNames
+
+
+
+# ------------------------
+# GENERIC ATTRIBUTE CONFIG
+# ------------------------
+
+# The dn of an entry. 
+ldap.synchronization.distinguishedNameAttributeName=dn
+
+# The name of the operational attribute recording the last update time for a group or user.
+# Active Directory: whenChanged
+ldap.synchronization.modifyTimestampAttributeName=modifyTimestamp
+
+# The name of the operational attribute recording the create time for a group or user.
+# Active Directory: whenCreated
+ldap.synchronization.createTimestampAttributeName=createTimestamp
+
+# The timestamp format. Unfortunately, this varies between directory servers.
+# Active Directory: yyyyMMddHHmmss'.0Z'
+ldap.synchronization.timestampFormat=yyyyMMddHHmmss.SSS'Z'
+
+# The timestamp format locale language. 'en' by default. Follows the java.util.Locale semantics.
+ldap.synchronization.timestampFormat.locale.language=en
+
+# The timestamp format locale country. 'GB' by default. Follows the java.util.Locale semantics.
+ldap.synchronization.timestampFormat.locale.country=GB
+
+# The timestamp format timezone. 'GMT' by default. Folloez the java.text.SimpleDateFormat semantics.
+ldap.synchronization.timestampFormat.timezone=GMT
+
+
+# -----------------------
+# LDAP CONNECTION POOLING
+# -----------------------
+
+# Options=
+# nothing filled in: no connection pooling
+# 'jdk': use the default jdk pooling mechanism
+# 'spring': use the spring ldap connection pooling facilities. These can be configured further below
+#ldap.synchronization.pooling.type=spring
+
+# Following settings follow the semantics of org.springframework.ldap.pool.factory.PoolingContextSource
+#ldap.synchronization.pooling.minIdle=0
+#ldap.synchronization.pooling.maxIdle=8
+#ldap.synchronization.pooling.maxActive=0
+#ldap.synchronization.pooling.maxTotal=-1
+#ldap.synchronization.pooling.maxWait=-1
+# Options for exhausted action: fail | block | grow
+#ldap.synchronization.pooling.whenExhaustedAction=block
+#ldap.synchronization.pooling.testOnBorrow=false
+#ldap.synchronization.pooling.testOnReturn=false
+#ldap.synchronization.pooling.testWhileIdle=false
+#ldap.synchronization.pooling.timeBetweenEvictionRunsMillis=-1
+#ldap.synchronization.pooling.minEvictableIdleTimeMillis=1800000
+#ldap.synchronization.pooling.numTestsPerEvictionRun=3
+
+# Connection pool validation (see http://docs.spring.io/spring-ldap/docs/2.0.2.RELEASE/reference/#pooling for semantics)
+# Used when any of the testXXX above are set to true
+#ldap.synchronization.pooling.validation.base=
+#ldap.synchronization.pooling.validation.filter=
+# Search control: object, oneLevel, subTree
+#ldap.synchronization.pooling.validation.searchControlsRefs=
+
+#---------------------------
+# KERBEROS SSO CONFIGURATION
+#---------------------------
+
+kerberos.authentication.enabled=false
+#kerberos.authentication.principal=HTTP/test.alfresco.local
+#kerberos.authentication.keytab=C:/alfresco/alfrescohttp.keytab
+kerberos.authentication.krb5.conf=C:/Windows/krb5.ini
+
+#kerberos.allow.ldap.authentication.fallback=false
+#kerberos.allow.database.authentication.fallback=false
+
+# Set to true if you use the short form (samAccountName) of your AD username to log in to Windows rather than the full UPN
+#kerberos.allow.samAccountName.authentication=true
+# Following line must be set to true when Kerberos enabled
+#security.authentication.use-externalid=true
