
Re: Configuration of Active Directory from OpenKM

Posted: Sat Nov 05, 2016 9:08 am
by jllort
Please do not merge distinct topics in the same post, otherwise the focus is lost ( https://wiki.openkm.com/index.php/SQL_S ... OpenKM_6.2 )

About the error ( if you really are using database authentication, which seems to be set in the OpenKM.xml file ) I do not know the reason why you are getting it. Did you log in successfully? Does it happen with okmAdmin users or only with other ones?

Re: Configuration of Active Directory from OpenKM

Posted: Thu Jan 19, 2017 12:33 pm
by vinodhsatyam
Hi jllort,

We have been trying to implement this LDAP integration for the last two months but have been unsuccessful. Could you please help us in order to integrate this successfully at the earliest? We followed all the steps suggested by you but still no luck. Please find the attached files for the configuration parameters and AD structure. Also, we have created ROLE_ADMIN and ROLE_USER roles in our Active Directory. Please suggest how we can achieve this successfully at the earliest.

Re: Configuration of Active Directory from OpenKM

Posted: Fri Jan 20, 2017 7:41 pm
by jllort
Where DC=company,DC=com appears in your configuration, I suppose you are using your own values? Otherwise it's wrong.

Ensure your connection parameters are right ( ip, credentials ). You can check the same queries with this tool https://technet.microsoft.com/en-us/sys ... lorer.aspx

Did you restart the OpenKM application after changing the principal.adapter value? Restarting is mandatory for it to take effect.

From my initial check, your configuration seems fine ( except the DC=company,DC=com ). Start with the three attributes that start with principal.ldap.user.* ( this is what retrieves the user list; usually I start with it, and when you get these three parameters running you can continue with the others ).

Take a look at catalina.log to see if some error appears.

Sometimes I needed to apply some host resolution in the hosts file. Take a look here: https://wiki.openkm.com/index.php/Troub ... _with_LDAP ( only if you see some errors like not being able to resolve DC=company,DC=com, or similar )

Re: Configuration of Active Directory from OpenKM

Posted: Mon Jan 23, 2017 12:31 pm
by vinodhsatyam
Hi jllort,

Thank you for the response.

I am using my own values at DC=company,DC=com. I am able to successfully fetch the users from Active Directory now.
I am unable to see the list of users under the Administration users list tab but am able to log in to OpenKM with the users after modifying the OpenKM.xml file. I have two groups of users, Mumbai and Bangalore. In OpenKM.xml, I set user-search-base="ou=Mumbai" and was able to successfully log in with all the Mumbai users. Could you please let me know how to add the Bangalore group to user-search-base as well, so that I can log in with both Mumbai and Bangalore users? Also let me know whether I can see the entire list of users in OpenKM or not.
The users are able to just log in but are unable to do any of the operations, except the user with ROLE_ADMIN. The user with ROLE_ADMIN is able to do all the operations. Please let me know if anything else needs to be configured. Please be informed that I changed the default role "ROLE_USER" to my custom role name "Domain Users" by modifying the default.user.role configuration parameter. I haven't modified the default ROLE_ADMIN role. Please find attached the sample AD structure.

Re: Configuration of Active Directory from OpenKM

Posted: Wed Jan 25, 2017 8:09 am
by jllort
You must set your main base DC=company,DC=com rather than an OU unit.
Then you can add a filter based on users being members of some role, something like:
Code:
(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))
The same can be added in OpenKM.xml
Code:
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=company,DC=com" />
  <!-- Inside an XML attribute the filter's & must be written as &amp; -->
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

Re: Configuration of Active Directory from OpenKM

Posted: Wed Jan 25, 2017 3:28 pm
by vinodhsatyam
Hi jllort,

Thank you for the reply.
I am able to successfully login into OpenKM with the users from all the groups now. But I am unable to see the list of users under Administration Users tab. So I am unable to assign my custom roles to the users. Could you please let me know how to get the list of users in the Users tab under Administration.

Re: Configuration of Active Directory from OpenKM

Posted: Thu Jan 26, 2017 5:39 pm
by jllort
The user list, like the other integration features, is based on querying the AD server. For listing users you must concentrate on these parameters:
https://wiki.openkm.com/index.php/LDAP_examples
Code:
 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))
Ensure your connection to LDAP is correctly configured in your configuration parameters.
Ensure you have changed the principal.adapter and you have restarted the application: principal.adapter=com.openkm.principal.LdapPrincipalAdapter

At the beginning you can start with a less restrictive query:
Code:
 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(objectclass=user)
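
An added example (not part of the thread and not OpenKM code): a small offline evaluator for the filter subset used above, run against constructed entries. It shows which accounts `(objectclass=user)` lists compared with the memberOf-restricted filter, and that the login filter rejects a directory user outside ROLE_ADMIN/ROLE_USER. The entry names, the Sales group and all function names are assumptions.

```python
# Offline evaluator for the filter subset used in this thread: &, | and equality.
BASE = "DC=company,DC=com"  # placeholder base DN from the thread
ADMIN = f"CN=ROLE_ADMIN,OU=OpenKM,{BASE}"
USER = f"CN=ROLE_USER,OU=OpenKM,{BASE}"
OPEN = "(objectclass=user)"
RESTRICTIVE = f"(&(objectclass=user)(|(memberOf={ADMIN})(memberOf={USER})))"
LOGIN = f"(&(sAMAccountName={{0}})(|(memberOf={ADMIN})(memberOf={USER})))"
PERSON = ["top", "person", "organizationalPerson", "user"]
DIRECTORY = [  # constructed entries, not real accounts
    {"samaccountname": ["alice"], "objectclass": PERSON, "memberof": [ADMIN]},
    {"samaccountname": ["bob"], "objectclass": PERSON, "memberof": [USER]},
    {"samaccountname": ["carol"], "objectclass": PERSON,
     "memberof": [f"CN=Sales,OU=Groups,{BASE}"]},
    # AD computer accounts also carry objectClass=user
    {"samaccountname": ["PC01$"], "objectclass": PERSON + ["computer"], "memberof": []},
]

def parse(f, i=0):  # returns (node, index just past the closing parenthesis)
    if f[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i] in "&|":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    else:
        end = f.index(")", i)
        attr, _, value = f[i:end].partition("=")
        node, i = ("=", attr.lower(), value.lower()), end
    if f[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(kid, entry) for kid in node[1])
    return node[2] in (v.lower() for v in entry.get(node[1], []))

def search(filter_text, directory=DIRECTORY):
    try:
        node, end = parse(filter_text)
    except IndexError:
        raise ValueError("unbalanced parentheses") from None
    if end != len(filter_text):
        raise ValueError("trailing characters after filter")
    return [e["samaccountname"][0] for e in directory if matches(node, e)]
```

Equality on memberOf matches direct membership only, so in AD a user who reaches ROLE_USER through a nested group does not match these filters.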
 

Re: Configuration of Active Directory from OpenKM

Posted: Mon Jan 30, 2017 9:35 am
by vinodhsatyam
Hi jllort,

Thank you for the reply.

I am able to login with the users from AD but still unable to get the list of users under Administration. Attaching the values provided in OpenKM.xml and Configuration parameters. Could you please compare these and let me know how to achieve this.


Thanks,
Vinodh

Re: Configuration of Active Directory from OpenKM

Posted: Tue Jan 31, 2017 9:23 am
by jllort
The configuration seems right. Take a look at your log. Ensure you are able to connect to the server.

Re: Configuration of Active Directory from OpenKM

Posted: Thu Feb 02, 2017 1:16 pm
by vinodhsatyam
Hi jllort,

Thank you for the reply.
I installed OpenKM on some other machine and was able to successfully fetch the users from AD. There might be some connection issue from my account. I want the AD users to be used in jbpm workflow. I need to send a task to a group of users but unable to add the AD users to particular roles in OpenKM. Could you please let me know how to achieve this with AD users.

Re: Configuration of Active Directory from OpenKM

Posted: Fri Feb 03, 2017 12:47 pm
by jllort
The users should be members of groups ( roles from the OpenKM point of view ) in the AD.

Re: Configuration of Active Directory from OpenKM

Posted: Mon Mar 13, 2017 7:54 am
by AdamChen
Hi jllort! I'm Adam.
I can't log in with the LDAP settings; it is always an authentication error!
This is my company's LDAP tree:
DIT --
| Root DSE
| ---- CN=Partition1,DC=moss, DC=com
| ---- ---- cn=Groups
| ---- ---- cn=ron
| ---- ---- cn=Users
| ---- ---- ---- cn=shanghai
| ---- ---- ---- cn=taiwan
| ---- ---- ---- ---- cn=taipei
| ---- ---- ---- ---- cn=taichung

and this is tomcat -> openkm.xml
Code:
	<security:ldap-server id="ldapServer"
	url="ldap://10.0.0.XX:XXX/cn=Partition1,dc=moss,dc=com"
	manager-dn="cn=Partition1,dc=moss,dc=com"
	manager-password="xxxx" />
	
	<security:authentication-manager alias="authenticationManager">
		<security:ldap-authentication-provider
			server-ref="ldapServer"
			user-search-base="cn=Users"
			user-search-filter="(sAMAccountName={0})"
			group-search-base="cn=Users"
			group-search-filter="(member={0})"
			group-role-attribute="cn"
			role-prefix="none">
		</security:ldap-authentication-provider>
	</security:authentication-manager>
I just set this; am I right?

I don't know where I need to write for "OpenKM integration".

Thank you for your help!!

Re: Configuration of Active Directory from OpenKM

Posted: Tue Mar 14, 2017 7:46 pm
by jllort
Try configuring as described here https://docs.openkm.com/kcenter/view/ok ... roles.html

But first, configure the OpenKM configuration parameters. When you succeed with that, try logging in.

Re: Configuration of Active Directory from OpenKM

Posted: Thu Mar 16, 2017 4:25 am
by AdamChen
Hi jllort, thank you very much for the help!

I have already set it up with LDAP!

But now I have a new problem: too many users.

My company's LDAP has almost over 10,000 people,

and I found that if the user list is over 1,000 you get error code 4, Sizelimit Exceeded.

How can I solve this problem?

Re: Configuration of Active Directory from OpenKM

Posted: Thu Mar 16, 2017 7:24 pm
by jllort
Must all the users have access to OpenKM, or only a subgroup of them?