Issue with configuration of Active Directory

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #42852  by svig
 
We have the following structure for our Active Directory:
dc=com
     dc=isgecnet
          ou=All Admins
               cn=securityadmin
          ou=All Groups
               cn=ROLE_ADMIN
                    cn=openkmad
We are able to fetch role_admin from AD to the OpenKM User screen. But when logging in after changing OpenKM.xml and restarting Tomcat, we get the following error:
2016-12-23 09:46:07,444 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider- Processing authentication request for user: openkmad
2016-12-23 09:46:07,447 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch- Searching for user 'openkmad', with user search [ searchFilter: '(&(sAMAccountName={0})(memberOf=cn=ROLE_ADMIN,ou=All Groups,dc=isgecnet,dc=com))', searchBase: 'ou=All Groups,dc=isgecnet,dc=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2016-12-23 09:46:07,618 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate- Searching for entry under DN '', base = 'ou=All Groups,dc=isgecnet,dc=com', filter = '(&(sAMAccountName={0})(memberOf=cn=ROLE_ADMIN,ou=All Groups,dc=isgecnet,dc=com))'
2016-12-23 09:46:07,620 [http-bio-0.0.0.0-8080-exec-3] INFO  com.openkm.spring.LoggerListener- Authentication ERROR: openkmad
2016-12-23 09:46:07,620 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter- Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials

OpenKM.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

  <!-- Security configuration -->
<security:ldap-server id="ldapServer"
  url="ldap://192.9.xxx.xxx:389"
  manager-dn="cn=securityadmin, ou=Admin Accounts, dc=isgecnet, dc=com"
  manager-password="xxxxxxx"/>

<security:authentication-manager alias="authenticationManager">
  <security:ldap-authentication-provider
    server-ref="ldapServer"
    user-search-base="ou=All Groups,dc=isgecnet,dc=com"
    user-search-filter="(&amp;(sAMAccountName={0})(memberOf=cn=ROLE_ADMIN,ou=All Groups,dc=isgecnet,dc=com))"
    group-search-base="ou=All Groups,dc=isgecnet,dc=com"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="">
  </security:ldap-authentication-provider>
</security:authentication-manager>

</beans:beans>
Please help. Thanks for your support.
 #42857  by svig
 
Thanks for the suggestion.

I have configured it based on the example and am now getting the attached error.
[Error screenshot: OpenKM-AD Error.png]
OpenKM.xml:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.9.200.51"/>
  <beans:property name="userDn" value="cn=securityadmin,ou=Admin Accounts,dc=isgecnet,dc=com"/>
  <beans:property name="password" value="isgec@123"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=isgecnet,DC=com"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=isgecnet,DC=com" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=All Groups,DC=isgecnet,DC=com)(memberOf=CN=ROLE_USER,OU=All Groups,DC=isgecnet,DC=com)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>
Also, I need to know: if we are able to view the AD roles in OpenKM without amending OpenKM.xml, do we need to change anything in OpenKM.cfg for login?

Thanks for the support.
 #42859  by jllort
 
You do not need to apply any change in OpenKM.cfg; only modifying OpenKM.xml is needed (after that, restarting the application is mandatory). And not much else (modify the configuration parameters at Administration > Configuration for listing users and roles from the OpenKM UI).
 #42865  by svig
 
Thanks for your suggestion. I have already modified OpenKM.cfg and can view the Active Directory roles in UI.

But after changing OpenKM.xml and restarting Tomcat, I am getting the following error:
2016-12-26 18:38:15,574 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.authentication.ProviderManager- Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2016-12-26 18:38:15,574 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider- Processing authentication request for user: openkmad
2016-12-26 18:38:15,574 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch- Searching for user 'openkmad', with user search [ searchFilter: '(&(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=All Groups,DC=isgecnet,DC=com)(memberOf=CN=ROLE_USER,OU=All Groups,DC=isgecnet,DC=com)))', searchBase: 'ou=All Groups,DC=isgecnet,DC=com', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2016-12-26 18:38:15,578 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate- Searching for entry under DN '', base = 'ou=All Groups,dc=isgecnet,dc=com', filter = '(&(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=All Groups,DC=isgecnet,DC=com)(memberOf=CN=ROLE_USER,OU=All Groups,DC=isgecnet,DC=com)))'
2016-12-26 18:38:15,578 [http-bio-0.0.0.0-8080-exec-9] INFO  com.openkm.spring.LoggerListener- Authentication ERROR: openkmad
2016-12-26 18:38:15,578 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter- Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
The OpenKM.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.9.200.51"/>
  <beans:property name="userDn" value="cn=securityadmin,ou=Admin Accounts,dc=isgecnet,dc=com"/>
  <beans:property name="password" value="isgec@123"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>ignore</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="ou=All Groups,DC=isgecnet,DC=com"/>
       <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="ou=All Groups,DC=isgecnet,DC=com" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=All Groups,DC=isgecnet,DC=com)(memberOf=CN=ROLE_USER,OU=All Groups,DC=isgecnet,DC=com)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>
Request you to please let me know what I am missing in the configuration.
 #42871  by svig
 
We were able to integrate with Active Directory using the following configuration:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.9.200.51"/>
  <beans:property name="userDn" value="cn=securityadmin,ou=Admin Accounts,dc=isgecnet,dc=com"/>
  <beans:property name="password" value="isgec@123"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="cn=ROLE_ADMIN,ou=All Groups,DC=isgecnet,DC=com"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=isgecnet,DC=com" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=All Groups,DC=isgecnet,DC=com)(memberOf=CN=ROLE_USER,OU=All Groups,DC=isgecnet,DC=com)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>
Appreciate the help provided. Thanks.
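The three steps that the OpenKM.xml attempts in this thread wire together (user search, bind as the found DN, group search with member={0}), as an added Python simulation run against a constructed in-memory directory. This is not OpenKM's or Spring Security's code; it reuses the DNs and the user search filter from the posts above, assumes that the openkmad object lives in an OU named "All Users" (its real container is never shown in the thread: the tree in the first post nests the user under cn=ROLE_ADMIN, which is a membership view, since an AD group is not a container and has no child objects), and the password "Secret1!" is made up. The point it shows is the one the failing and working configurations differ on: the memberOf clause only narrows the result to members of the group, the user object must still sit under the user search base for the search to return it, and when the search returns nothing Spring's LdapAuthenticationProvider reports the generic "Bad credentials" (it hides user-not-found by default), which is what both logs above show right after the search line, before any bind.

```python
from dataclasses import dataclass
from typing import Optional


def norm_dn(dn: str) -> str:
    """Normalise a DN for comparison: case-insensitive, spaces around commas
    ignored (AD treats "cn=x, ou=y" and "CN=x,OU=y" as the same name)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def under_base(dn: str, base: str) -> bool:
    """Subtree scope: an entry is in scope if its DN is the base or ends with it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)


@dataclass
class Entry:
    dn: str
    attrs: dict                      # lower-case attribute name -> set of values
    password: Optional[str] = None   # only user objects can bind

    def has(self, attr: str, value: str) -> bool:
        vals = self.attrs.get(attr.lower(), set())
        if attr.lower() in ("memberof", "member"):   # DN-syntax attributes
            return norm_dn(value) in {norm_dn(v) for v in vals}
        return value.lower() in {v.lower() for v in vals}


def parse_filter(s: str, pos: int = 0):
    """Recursive-descent parser for the RFC 4515 subset used in the thread:
    (&...), (|...), (!...) and (attr=value).  Values may contain '=' (DNs)
    but not ')'; a real client would also escape '*', '(' and '\\' in values.
    Returns (predicate, position just after the filter)."""
    if s[pos] != "(":
        raise ValueError(f"expected '(' at {pos} in {s!r}")
    pos += 1
    if s[pos] in "&|!":
        op, pos, subs = s[pos], pos + 1, []
        while s[pos] != ")":
            sub, pos = parse_filter(s, pos)
            subs.append(sub)
        if op == "&":
            return (lambda e: all(f(e) for f in subs)), pos + 1
        if op == "|":
            return (lambda e: any(f(e) for f in subs)), pos + 1
        return (lambda e: not subs[0](e)), pos + 1
    end = s.index(")", pos)
    attr, value = s[pos:end].split("=", 1)
    return (lambda e: e.has(attr, value)), end + 1


class BadCredentials(Exception):
    """Stands in for Spring's BadCredentialsException."""


def authenticate(directory, username, password, user_base, user_filter,
                 group_base, group_filter="(member={0})", role_attr="cn"):
    """The three steps the thread's OpenKM.xml wires together."""
    # 1. FilterBasedLdapUserSearch: {0} is the login name; exactly one hit required.
    pred, _ = parse_filter(user_filter.replace("{0}", username))
    hits = [e for e in directory if under_base(e.dn, user_base) and pred(e)]
    if len(hits) != 1:
        # Spring hides "user not found" behind the generic "Bad credentials"
        # (hideUserNotFoundExceptions defaults to true), as in the thread's log.
        raise BadCredentials(f"user search returned {len(hits)} entries under {user_base}")
    user = hits[0]
    # 2. BindAuthenticator: bind as the DN just found with the supplied password.
    if user.password is None or user.password != password:
        raise BadCredentials("bind failed")
    # 3. DefaultLdapAuthoritiesPopulator: {0} is now the user's full DN.
    gpred, _ = parse_filter(group_filter.replace("{0}", user.dn))
    roles = sorted(next(iter(g.attrs[role_attr])) for g in directory
                   if under_base(g.dn, group_base) and gpred(g))
    return user.dn, roles


# Constructed directory mirroring the DNs in the thread.  The user's container
# (OU=All Users) and the password are assumptions; the thread never shows them.
USER_DN = "CN=openkmad,OU=All Users,DC=isgecnet,DC=com"
ROLE_ADMIN_DN = "CN=ROLE_ADMIN,OU=All Groups,DC=isgecnet,DC=com"
ROLE_USER_DN = "CN=ROLE_USER,OU=All Groups,DC=isgecnet,DC=com"
DIRECTORY = [
    Entry(USER_DN, {"samaccountname": {"openkmad"}, "memberof": {ROLE_ADMIN_DN}},
          password="Secret1!"),
    Entry(ROLE_ADMIN_DN, {"cn": {"ROLE_ADMIN"}, "member": {USER_DN}}),
    Entry(ROLE_USER_DN, {"cn": {"ROLE_USER"}, "member": set()}),
]

# The user search filter from the posts above, verbatim.
USER_FILTER = ("(&(sAMAccountName={0})"
               "(|(memberOf=CN=ROLE_ADMIN,OU=All Groups,DC=isgecnet,DC=com)"
               "(memberOf=CN=ROLE_USER,OU=All Groups,DC=isgecnet,DC=com)))")
GROUP_BASE = "ou=All Groups,DC=isgecnet,DC=com"


def login(user_base, password="Secret1!", group_base=GROUP_BASE):
    """Run one login; return (dn, roles) or the BadCredentials message."""
    try:
        return authenticate(DIRECTORY, "openkmad", password, user_base,
                            USER_FILTER, group_base)
    except BadCredentials as exc:
        return str(exc)


if __name__ == "__main__":
    print(login("ou=All Groups,DC=isgecnet,DC=com"))     # the failing user search base
    print(login("DC=isgecnet,DC=com"))                   # the base the working config uses
    print(login("DC=isgecnet,DC=com", password="wrong")) # same outcome seen by the client
```

Run as a script, the first call reproduces the failure with ou=All Groups as the user search base, the second succeeds with the domain root (the base the final, working configuration uses) and yields ROLE_ADMIN, and the third shows that a wrong password gives the same client-visible result, so the DEBUG log, not the login page, is where the two cases are told apart. Against the real server, step 1 can be checked before touching OpenKM.xml with `ldapsearch -x -H ldap://<host> -D '<manager-dn>' -W -b '<user-search-base>' '<user-search-filter with {0} replaced by the login name>' dn`; if it returns no DN, OpenKM will not get past the search either. Two caveats about the configuration as posted: inside an XML attribute the `&` that starts the filter must be written `&amp;`, and `ldap://` on port 389 without StartTLS carries the manager password and every user's login password in the clear between Tomcat and the domain controller, so `ldaps://` with a trusted certificate is the safer choice.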
 #42883  by jllort
 
LDAP / AD integration is not a trivial task, and you usually must spend some hours until you find the correct configuration. Unfortunately this configuration is black or white, greys are not allowed: if it is not 100% correct it will not run (and the warning or error message does not help much).
