Been working at this for a while, hope this helps somebody...
Tested with OpenKM Community 6.2.3, ClearOS Community 6.4.0
Need to install the Certificate Manager and Directory Server modules.
* Create an okmAdmin user in ClearOS.
* Create role_admin, role_users groups in ClearOS, populate.
Note: ClearOS folds group names to lower case, so OpenKM.xml converts role names to upper case (convertToUpperCase).
OpenKM.xml:
You can create an alias (CNAME) called ldap if you wish.
Tested with OpenKM Community 6.2.3, ClearOS Community 6.4.0
Need to install the Certificate Manager and Directory Server modules.
* Create an okmAdmin user in ClearOS.
* Create role_admin, role_users groups in ClearOS, populate.
Note: ClearOS folds group names to lower case, so OpenKM.xml converts role names to upper case (convertToUpperCase).
OpenKM.xml:
Configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security-3.1.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task-3.1.xsd">
<!-- Security configuration: OpenKM logins are checked against the ClearOS LDAP
     directory. ldapAuthProvider (below) is the only provider registered. -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<!-- Connection shared by the bind authenticator and the authorities populator.
     The URL carries the base DN (dc=mydomain,dc=local), so every search base
     given further down is relative to it. Searches run as the cn=Manager
     service account. -->
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldaps://ldap.mydomain.local:636/dc=mydomain,dc=local"/>
<beans:property name="userDn" value="cn=Manager,ou=Internal,dc=mydomain,dc=local"/>
<!-- NOTE(review): service-account password in clear text. The same value is
     written to OKM_CONFIG as principal.ldap.security.credentials; replace the
     sample value, keep both copies in sync and restrict read access to this file. -->
<beans:property name="password" value="pass1234"/>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<!-- First constructor arg: the credentials check. BindAuthenticator locates the
     user with userSearch and then binds to LDAP as that entry with the password
     submitted at login (Spring Security behaviour; nothing else is tuned here). -->
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"></beans:property>
</beans:bean>
</beans:constructor-arg>
<!-- Second constructor arg: the role lookup. Groups are searched (subtree) under
     ou=groups,ou=Accounts, relative to the base DN, with filter member={0} ({0} is
     filled in by Spring with the user's DN). The group cn becomes the role name,
     upper-cased and with no ROLE_ prefix. ClearOS keeps group names in lower case,
     so convertToUpperCase is what makes them match OpenKM's ROLE_ADMIN/ROLE_USERS. -->
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="ou=groups,ou=Accounts"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="true" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<!-- Finds the entry to bind as: subtree search under ou=Users,ou=Accounts
     (relative to the base DN) for uid equal to the login name ({0}). -->
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="ou=Users,ou=Accounts" />
<beans:constructor-arg index="1" value="uid={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>
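ClearOS by default only allows LDAPS. You should create a certificate on ClearOS with the leftmost RDN of the Subject being the common name (FQDN) of your ClearOS server. Easy way is to only specify the common name, and when signing use a policy that is permissive.

-- (The sentence above refers to the certificate steps in the openssl listing
-- that follows; the rows below are OpenKM's LDAP principal settings.)
--
-- OKM_CONFIG rows that switch OpenKM's principal adapter to LDAP and tell it
-- where users, roles and mail addresses live in the ClearOS directory.
-- Applied as one transaction: if any statement fails part-way (for example a
-- CFG_KEY that already exists) nothing is committed, so OpenKM is never left
-- with principal.adapter pointing at LDAP while the search settings are missing.
-- START TRANSACTION / COMMIT are ANSI; use the engine's equivalent if it lacks them.
-- NOTE(review): these are plain INSERTs; for any key already present in
-- OKM_CONFIG use UPDATE for that key instead - check the installed defaults first.
START TRANSACTION;

-- Adapter selection and listing behaviour.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.adapter', 'string', 'com.openkm.principal.LdapPrincipalAdapter');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.database.filter.inactive.users', 'boolean', 'true');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.hide.connection.roles', 'boolean', 'false');

-- Mail address lookup: searched from the base DN, matched on uid.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.mail.attribute', 'string', 'mail');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.mail.search.base', 'string', 'dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.mail.search.filter', 'string', '(&(objectclass=inetOrgPerson)(uid={0}))');

-- Left empty here; presumably no referral handling is wanted - confirm against the OpenKM docs.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.referral', 'string', '');

-- Role (group) enumeration: posixGroup entries under ou=Groups, cn is the role name.
-- Unlike OpenKM.xml, the search bases here are absolute DNs (they include dc=mydomain,dc=local).
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.role.attribute', 'string', 'cn');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.role.search.base', 'list', 'ou=Groups,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.role.search.filter', 'string', '(objectClass=posixGroup)');

-- Roles of a given user, read from the memberOf attribute of the user entry.
-- NOTE(review): this needs memberOf to actually be present on ClearOS user entries - verify.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.roles.by.user.attribute', 'string', 'memberOf');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.roles.by.user.search.base', 'string', 'ou=Users,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.roles.by.user.search.filter', 'string', '(&(objectClass=person)(uid={0}))');

-- Service account used for the searches above.
-- NOTE(review): the bind password is stored in clear text in the database and is
-- the same value as the contextSource password in OpenKM.xml; replace the sample
-- value and keep the two copies in sync.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.security.credentials', 'string', 'pass1234');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.security.principal', 'string', 'cn=Manager,ou=Internal,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.server', 'string', 'ldaps://ldap.mydomain.local:636');

-- User enumeration: inetOrgPerson entries under ou=Users, uid is the login name.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.user.attribute', 'string', 'uid');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.user.search.base', 'list', 'ou=Users,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.user.search.filter', 'string', '(objectClass=inetOrgPerson)');

-- Display name of a user: the cn of the entry whose uid matches.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.username.attribute', 'string', 'cn');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.username.search.base', 'string', 'ou=Users,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.username.search.filter', 'string', '(&(objectclass=inetOrgPerson)(uid={0}))');

-- Members of a given role: the member attribute of the posixGroup whose cn matches.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.users.by.role.attribute', 'string', 'member');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.users.by.role.search.base', 'string', 'ou=Groups,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.users.by.role.search.filter', 'string', '(&(objectClass=posixGroup)(cn={0}))');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.users.from.roles', 'boolean', 'false');

-- Login names are lower-cased before lookup, matching the lower-case uid values in ClearOS.
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('system.login.lowercase', 'boolean', 'true');

COMMIT;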
You can create an alias (CNAME) called ldap if you wish.
Add the CA cert to the nssdb:
# openssl req -out ldap.csr -key private/sys-0-key.pem -new
# openssl ca -policy policy_anything -days 3650 -out /etc/pki/CA/certs/ldap.mydomain.local.crt -infiles ldap.csr
The LDAP server certificate needs to be saved in the nssdb with the name of Server-Cert.
# certutil -A -d /etc/pki/nssdb/ -n "CA certificate" -t "CT,," -a -i /etc/pki/CA/ca-cert.pem
In /etc/openldap/slapd.conf:
# openssl pkcs12 -export -inkey /etc/pki/CA/private/sys-0-key.pem -in /etc/pki/CA/certs/ldap.mydomain.local.crt -out /root/Server-Cert.p12 -nodes -name 'Server-Cert'
# pk12util -i /root/Server-Cert.p12 -d /etc/pki/nssdb/
Allow LDAP in ClearOS to be queried by OpenKM - edit the end of slapd.conf thusly:
# The TLS material comes from the NSS database filled by the certutil/pk12util steps
# above; "Server-Cert" is the nickname given with -name when the PKCS#12 was imported.
TLSCACertificatePath /etc/pki/nssdb
TLSCertificateFile Server-Cert
# slapd does not ask the connecting client for a certificate. OpenKM authenticates with
# the cn=Manager bind DN and password configured in OpenKM.xml instead.
TLSVerifyClient never
Copy ClearOS' public CA certificate to the OpenKM server and add it to OpenKM's keystore:
# Read access is granted by source address: any connection arriving from a listed peer,
# authenticated or not, can read the whole directory. Keep the list to localhost and the
# OpenKM host only. "..." presumably stands for the "by" clauses already in the file;
# <OpenKM's IP address> is the address of the OpenKM server. In the real slapd.conf each
# "by" line must start with whitespace (it continues the access directive) - the
# indentation appears to have been lost in this paste.
access to *
by self write
by peername.ip=127.0.0.1 read
...
by peername.ip=<OpenKM's IP address> read
# keytool -import -trustcacerts -keystore /opt/openkm-6.2.3-community/java/jre/lib/security/cacerts -alias myca -file /etc/pki/tls/certs/myca.pem