Authenticating with AD

Post by DrydenK » Wed Sep 05, 2018 5:57 pm

Hi,
I'm trying to authenticate users with my AD, but it's not working.

I followed https://docs.openkm.com/kcenter/view/ok ... ation.html. After entering all the required information in the administration panel, OpenKM has successfully retrieved the users and roles from my domain. Then, after setting the principal.adapter property to com.openkm.principal.LdapPrincipalAdapter and replacing Openkm.xml with the one suggested in the web page (and updating the url, manager-dn and manager-password), I restarted tomcat to enable those settings.

Following catalina.out, after some time, I got the following error:

Code:

05-Sep-2018 10:46:14.222 SEVERE [localhost-startStop-1] org.springframework.web.context.ContextLoader.initWebApplicationContext Context initialization failed
 org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document from URL [file:/home/openkm/tomcat-8.5.24/OpenKM.xml] is invalid; nested exception is org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 64; The prefix "security" for element "security:authentication-manager" is not bound.

I've tried some variations in the OpenKM.xml, without success. Do special characters ($, @, % and other) need to be escaped? Do I have to install some OS library to make it work? Does it make any difference to use FQDN or IP in the url?

I'm using OpenKM 6.3.6, build 787d181f
OS is Ubuntu 18.4 x64

tks,

Roberto

Post by jllort » Thu Sep 06, 2018 6:02 pm

Something is wrong in the XML.

1- Take care with passwords with strange characters, which might need to be escaped in the XML.
2- Ensure you have commented out the database XML configuration section.

What OpenKM version are you using?

Can you share your OpenKM.xml, commenting out private information, so we can take a look at it?

Post by DrydenK » Mon Sep 10, 2018 2:01 pm

As mentioned in the first post, I'm using version 6.3.6, build 87d181f.

My Openkm.xml file is the following:

Code:

<security:ldap-server id="ldapServer"
  url="ldap://ad.fdn.fundunesp.unesp.br:389/DC=<domain>"
  manager-dn="<admin_user, copied from Apache Directory>"
  manager-password="<my_admin_user_pass>"/>

<security:authentication-manager alias="authenticationManager">
  <security:ldap-authentication-provider
    server-ref="ldapServer"
    user-search-base="cn=Users"
    user-search-filter="(sAMAccountName={0})"
    group-search-base="cn=Users"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="none">
  </security:ldap-authentication-provider>
</security:authentication-manager>

Roberto

Post by jllort » Thu Sep 13, 2018 6:25 am

I do not like this minimalist configuration. I suggest going in the direction explained in this documentation section; you will have more control of what really happens with the integration: https://docs.openkm.com/kcenter/view/ok ... roles.html

First, start with the OpenKM administration configuration (OpenKM LDAP parameters) and, when you succeed there, go on with authentication. This is the easiest way of doing it, and you will restart the server fewer times (where a lot of time is usually spent).

[Solved] Re: Authenticating with AD

Post by DrydenK » Thu Sep 13, 2018 1:30 pm

GREAT!!!!!

This version works nicely. There was only one hiccup: The documentation in that page is outdated and needs to be fixed. In the XML, where it reads

xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/b ... ns-3.1.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/s ... ty-3.1.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/t ... sk-3.1.xsd">

It should be

xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/b ... ns-3.2.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/s ... ty-3.2.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/t ... sk-3.2.xsd">

If you don't replace the '3.1' entries with '3.2', Tomcat fails with the following message:

13-Sep-2018 10:04:22.970 INFO [localhost-startStop-1] org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions Loading XML bean definitions from URL [file:/home/openkm/tomcat-8.5.24/OpenKM.xml]
13-Sep-2018 10:04:23.020 SEVERE [localhost-startStop-1] org.springframework.web.context.ContextLoader.initWebApplicationContext Context initialization failed
org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema with Spring Security 3.2. Please update your schema declarations to the 3.2 schema.

Anyway, tks for the help.

Roberto

PS: Where do I report the above problem with the documentation?

Post by jllort » Fri Sep 14, 2018 6:18 pm

Also, you can remove the numbers and it should work. In newer versions of the OpenKM.xml file we have removed them.
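A pre-flight check for the two startup failures reported in this thread (the unbound "security" prefix and the version-pinned schema), plus the password escaping question, as an added example that is not part of the original posts or OpenKM's own code. The function names, host, DN and password are constructed for illustration, and the check can be run on OpenKM.xml before restarting Tomcat:

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

SEC = "http://www.springframework.org/schema/security"
XSI = "http://www.w3.org/2001/XMLSchema-instance"
PINNED_XSD = re.compile(r"-\d+\.\d+\.xsd$")

def preflight(xml_text):
    """Return findings for a Spring bean file such as OpenKM.xml."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Covers an undeclared prefix ("unbound prefix") and a raw & or <
        # inside an attribute value ("not well-formed").
        return [f"parse error: {exc}"]
    findings = []
    # schemaLocation is a whitespace-separated list of namespace/location pairs.
    for xsd in root.get(f"{{{XSI}}}schemaLocation", "").split()[1::2]:
        if PINNED_XSD.search(xsd):
            findings.append(f"version-pinned schema: {xsd.rsplit('/', 1)[-1]}")
    return findings

def password_attr(password):
    """Render manager-password=... with XML attribute escaping applied."""
    return "manager-password=" + quoteattr(password)

def parsed_password(xml_text):
    """Read the bind password back as the XML parser delivers it."""
    return ET.fromstring(xml_text).find(f"{{{SEC}}}ldap-server").get("manager-password")

# Constructed sample input (hypothetical host, DN and password).
HEADER = ('<beans xmlns="http://www.springframework.org/schema/beans"'
          f' xmlns:security="{SEC}" xmlns:xsi="{XSI}"'
          f' xsi:schemaLocation="{SEC} {SEC}/spring-security%s.xsd">')
SERVER = ('<security:ldap-server id="ldapServer"'
          ' url="ldap://ad.example.test:389/DC=example,DC=test" %s/>')
PASSWORD = "P@ss&w<rd$%"  # constructed; only & and < need escaping here

FRAGMENT = SERVER % password_attr(PASSWORD)            # no <beans> root
PINNED = HEADER % "-3.1" + FRAGMENT + "</beans>"       # 3.1 schema pinned
UNVERSIONED = HEADER % "" + FRAGMENT + "</beans>"      # version number removed
RAW = HEADER % "" + SERVER % f'manager-password="{PASSWORD}"' + "</beans>"

if __name__ == "__main__":
    for name in ("FRAGMENT", "PINNED", "UNVERSIONED", "RAW"):
        print(name, preflight(globals()[name]))
```

A version-pinned finding is only a problem when the number does not match the deployed Spring Security version, which is the mismatch the 3.1 versus 3.2 error above reports.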

Post by DrydenK » Fri Sep 14, 2018 6:25 pm

Ok. It would be nice to update the documentation with that information. Who would be responsible for that?

Post by jllort » Sat Sep 15, 2018 8:12 am

OpenKM staff are the ones who manage the documentation. Add the issue at https://github.com/openkm/document-mana ... tem/issues and we will change OpenKM.xml and also the documentation information.

Post by ColH » Fri Sep 21, 2018 12:37 pm

Sorry if this is a dumb question, but is it necessary to change both the OpenKM.xml file and to set the principal.ldap.* settings in the Admin web page? They seem to be the same kind of values etc in many cases, and I'm not sure what the relationship is between the two.

Post by jllort » Sat Sep 22, 2018 8:23 am

They are the same, but the parameters from the administration are used by OpenKM to retrieve the user and role lists. The OpenKM.xml is used for authentication. I suggest working first with the administration parameters and, when you succeed there, then working with OpenKM.xml; this is usually the quick way to succeed.
