Configuration of Active Directory from OpenKM

jllort
Moderator
Posts: 9127
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: Configuration of Active Directory from OpenKM

Post by jllort » Sat Nov 05, 2016 9:08 am

Please do not merge distinct topics in the same post, otherwise the focus is lost ( https://wiki.openkm.com/index.php/SQL_S ... OpenKM_6.2 )

About the error ( if you really are using database authentication, which seems to be set in the OpenKM.xml file ), I do not know the reason why you are getting it. Did you log in successfully? Does it happen with the okmAdmin user or only with other ones?

vinodhsatyam
Fresh Boarder
Posts: 16
Joined: Tue Oct 04, 2016 11:31 am

Post by vinodhsatyam » Thu Jan 19, 2017 12:33 pm

Hi jllort,

We have been trying to implement this LDAP integration for the last two months, but unsuccessfully. Could you please help us in order to integrate this successfully at the earliest. We followed all the steps suggested by you but still no luck. Please find the attached files for the configuration parameters and AD structure. Also we have created ROLE_ADMIN and ROLE_USER roles in our Active Directory. Please suggest to us how to achieve this successfully at the earliest.
Attachments
AD Structure.docx
Configuration.docx

Post by jllort » Fri Jan 20, 2017 7:41 pm

Where DC=company,DC=com appears in your configuration, I suppose you are using your own values? Otherwise it's wrong.

Ensure your connection parameters are right ( IP, credentials ). You can check the same queries with this tool: https://technet.microsoft.com/en-us/sys ... lorer.aspx

Did you restart the OpenKM application after changing the principal.adapter value? Restarting is mandatory for it to take effect.

From my initial check, your configuration seems fine ( except the DC=company,DC=com ). Start with the three attributes starting with principal.ldap.user.* ( this is what retrieves the user list; usually I start with it, and when you get these three parameters running you can continue with the others ).

Take a look at catalina.log; does any error appear?

Sometimes I needed to apply some host resolution in the hosts file. Take a look here: https://wiki.openkm.com/index.php/Troub ... _with_LDAP ( only if you see errors like it is not able to resolve DC=company,DC=com, or similar )

Post by vinodhsatyam » Mon Jan 23, 2017 12:31 pm

Hi jllort,

Thank you for the response.

I am using my own values at DC=company,DC=com. I am able to successfully fetch the users from Active Directory now.
I am unable to see the list of users under the Administration users list tab, but I am able to log in to OpenKM with the users after modifying the OpenKM.xml file. I have two groups of users, Mumbai and Bangalore. In OpenKM.xml, I mentioned user-search-base="ou=Mumbai" and was able to successfully log in with all the Mumbai users. Could you please let me know how to add the Bangalore group also in user-search-base so that I can log in with both Mumbai and Bangalore users. Also let me know whether I can see the entire list of users in OpenKM or not.
The users are able to just log in but are unable to do any of the operations, except the user with ROLE_ADMIN. The user with ROLE_ADMIN is able to do all the operations. Please let me know if anything else needs to be configured. Please be informed that I changed the default role "ROLE_USER" to my custom role name "Domain Users" by modifying the default.user.role configuration parameter. I haven't modified the default ROLE_ADMIN role. Please find attached the sample AD structure.
Attachments
AD Structure.jpg

Post by jllort » Wed Jan 25, 2017 8:09 am

You must set your main base DC=company,DC=com rather than an OU.
Then you can add a filter based on users being members of some role, something like:

Code:

(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))

The same can be added in OpenKM.xml

Code:

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=company,DC=com" />
  <!-- '&' in the filter must be written as &amp; inside an XML attribute value -->
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

Post by vinodhsatyam » Wed Jan 25, 2017 3:28 pm

Hi jllort,

Thank you for the reply.
I am able to successfully log in to OpenKM with the users from all the groups now. But I am unable to see the list of users under the Administration Users tab. So I am unable to assign my custom roles to the users. Could you please let me know how to get the list of users in the Users tab under Administration.

Post by jllort » Thu Jan 26, 2017 5:39 pm

The user list, like the other integration features, is based on querying the AD server. For listing users you must concentrate on these parameters:
https://wiki.openkm.com/index.php/LDAP_examples

Code:

 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))

Ensure your connection to LDAP is correctly configured in your configuration parameters.
Ensure you have changed the principal.adapter and you have restarted the application: principal.adapter=com.openkm.principal.LdapPrincipalAdapter

At the beginning you can start with a less restrictive query:

Code:

 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(objectclass=user)
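
Added example (not part of the original posts and not OpenKM code): a small Python evaluator for the filter subset used in this thread, run against a constructed directory. It shows why a subtree search from DC=company,DC=com with the memberOf filter covers both Mumbai and Bangalore users while excluding accounts outside ROLE_ADMIN/ROLE_USER, and why the less restrictive (objectclass=user) query lists every account. The user names and group assignments are assumptions made for illustration.

```python
# Added example: evaluates the thread's filter subset (AND, OR, NOT, equality)
# against a constructed directory. Escapes and wildcards are not handled.

def parse(f, i=0):
    """Parse the filter component starting at f[i] == '('; return (node, next index)."""
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|!":
        op, kids = f[i], []
        i += 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i] != ")":
            raise ValueError(f"expected ')' at offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)
    attr, value = f[i:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):
    """True if the entry (attribute name -> list of values) satisfies the node."""
    if node[0] == "=":
        return node[2] in (v.lower() for v in entry.get(node[1], []))
    results = [matches(kid, entry) for kid in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

def search(entries, base, flt):
    """Subtree search: DNs at or under base whose entry satisfies flt."""
    tree, _ = parse(flt)
    base = base.lower()
    return sorted(dn for dn, e in entries.items()
                  if (dn.lower() == base or dn.lower().endswith("," + base))
                  and matches(tree, e))

ADMIN = "CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com"
USER = "CN=ROLE_USER,OU=OpenKM,DC=company,DC=com"
ENTRIES = {  # constructed sample users, not taken from the thread's attachments
    "CN=asha,OU=Mumbai,DC=company,DC=com":
        {"objectclass": ["user"], "samaccountname": ["asha"], "memberof": [USER]},
    "CN=ravi,OU=Bangalore,DC=company,DC=com":
        {"objectclass": ["user"], "samaccountname": ["ravi"], "memberof": [ADMIN]},
    "CN=temp,OU=Bangalore,DC=company,DC=com":
        {"objectclass": ["user"], "samaccountname": ["temp"], "memberof": []},
}
ROLES = f"(|(memberOf={ADMIN})(memberOf={USER}))"
LIST_FILTER = f"(&(objectclass=user){ROLES})"          # principal.ldap.user.search.filter
LOGIN_FILTER = "(&(sAMAccountName={0})" + ROLES + ")"  # userSearch bean, index 1

print(search(ENTRIES, "DC=company,DC=com", LIST_FILTER))
```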
 

Post by vinodhsatyam » Mon Jan 30, 2017 9:35 am

Hi jllort,

Thank you for the reply.

I am able to log in with the users from AD but am still unable to get the list of users under Administration. Attaching the values provided in OpenKM.xml and Configuration parameters. Could you please compare these and let me know how to achieve this.


Thanks,
Vinodh
Attachments
xml.png
config.png

Post by jllort » Tue Jan 31, 2017 9:23 am

The configuration seems right. Take a look at your log. Ensure you are able to connect to the server.

Post by vinodhsatyam » Thu Feb 02, 2017 1:16 pm

Hi jllort,

Thank you for the reply.
I installed OpenKM on some other machine and was able to successfully fetch the users from AD. There might be some connection issue from my account. I want the AD users to be used in jbpm workflow. I need to send a task to a group of users but unable to add the AD users to particular roles in OpenKM. Could you please let me know how to achieve this with AD users.

Post by jllort » Fri Feb 03, 2017 12:47 pm

The users should be members of groups ( roles from the OpenKM point of view ) in the AD.

AdamChen
Fresh Boarder
Posts: 8
Joined: Mon Mar 13, 2017 7:30 am

Post by AdamChen » Mon Mar 13, 2017 7:54 am

Hi jllort! I'm Adam
I can't log in with the LDAP settings; there is always an authentication error!
This is my company LDAP tree:
DIT --
| Root DSE
| ---- CN=Partition1,DC=moss, DC=com
| ---- ---- cn=Groups
| ---- ---- cn=ron
| ---- ---- cn=Users
| ---- ---- ---- cn=shanghai
| ---- ---- ---- cn=taiwan
| ---- ---- ---- ---- cn=taipei
| ---- ---- ---- ---- cn=taichung

and this is tomcat -> openkm.xml

Code:

	<security:ldap-server id="ldapServer"
	url="ldap://10.0.0.XX:XXX/cn=Partition1,dc=moss,dc=com"
	manager-dn="cn=Partition1,dc=moss,dc=com"
	manager-password="xxxx" />
	
	<security:authentication-manager alias="authenticationManager">
		<security:ldap-authentication-provider
			server-ref="ldapServer"
			user-search-base="cn=Users"
			user-search-filter="(sAMAccountName={0})"
			group-search-base="cn=Users"
			group-search-filter="(member={0})"
			group-role-attribute="cn"
			role-prefix="none">
		</security:ldap-authentication-provider>
	</security:authentication-manager>

I just set this; am I right?

I don't know where I need to write for " OpenKM integration "

thank you for your help!!

Post by jllort » Tue Mar 14, 2017 7:46 pm

Try configuring as described here: https://docs.openkm.com/kcenter/view/ok ... roles.html

But first, configure the OpenKM configuration parameters. When you succeed with that, try the login.

Post by AdamChen » Thu Mar 16, 2017 4:25 am

Hi jllort, thank you very much for help!

I have already set up LDAP!

But now I have a new problem with too many users.

My company's LDAP has almost over 10,000 people,

and I found that if the user list is over 1,000 you will get the error code 4, Sizelimit Exceeded.

How can I solve this problem?

Post by jllort » Thu Mar 16, 2017 7:24 pm

Must all the users have access to OpenKM, or only a subgroup of them?
