LDAP Help - So Close!

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #43674  by voyager529
 
Hello everyone!

I'll start by expressing a massive thank-you to everyone who works on this project. It is exactly what I was looking for. I do some IT work for a small church, and they are looking for a document management application; OpenKM fits our needs exactly.

I got it installed and configured on Ubuntu Server 16.04.1 LTS using the 6.3.0 install script (still on that version for now; I'm asking a friend who's more familiar with Tomcat stuff to help update later). Everything seems to be working well, and I cannot wait to show the users the new system.

The problem I'm having is with LDAP. I got it to authenticate, and sync, but while the user list populated successfully, only the okmAdmin account can log in.

This is a very small environment, so I'm perfectly fine with all users being able to log in. What I'm thinking might be the issue is that it doesn't seem to assign the 'OKM_USER' role to LDAP users by default. This makes sense to some extent, but I'm not quite sure how or where to apply those roles, or even if the lack of a role is preventing login.

I've included my LDAP config parameters below; IPs and credentials have been redacted.
Property                                      Type      Value
principal.ldap.mail.attribute                 String    mail
principal.ldap.mail.search.base               String    dc=fbc,dc=local
principal.ldap.mail.search.filter             String    (uid={0})
principal.ldap.referral                       String
principal.ldap.role.attribute                 String    cn
principal.ldap.role.search.base               List      ou=leadership,dc=fbc,dc=local
principal.ldap.role.search.filter             String    (objectClass=posixGroup)
principal.ldap.roles.by.user.attribute        String
principal.ldap.roles.by.user.search.base      String
principal.ldap.roles.by.user.search.filter    String
principal.ldap.security.credentials           String    [password]
principal.ldap.security.principal             String    cn=[administrator],dc=fbc,dc=local
principal.ldap.server                         String    ldap://[ip]:389
principal.ldap.user.attribute                 String    uid
principal.ldap.user.search.base               List      dc=fbc,dc=local
principal.ldap.user.search.filter             String    (objectClass=inetOrgPerson)
principal.ldap.username.attribute             String    uid
principal.ldap.username.search.base           String    dc=fbc,dc=local
principal.ldap.username.search.filter         String    (uid={0})
principal.ldap.users.by.role.attribute        String    memberUid
principal.ldap.users.by.role.search.base      String    ou=leadership,dc=fbc,dc=local
principal.ldap.users.by.role.search.filter    String    (&(objectClass=posixGroup)(cn={0}))
principal.ldap.users.from.roles               Boolean   Inactive
Thank you for taking a look; I appreciate whatever help can be provided. Also, if I could impose just a bit to keep instructions simple (e.g. provide file paths if an edit is needed, etc.); I'm fairly smart, but I don't deal much with Tomcat applications and I'm new to LDAP, so I super appreciate any simplicity that can be afforded.

Thank you again,
Joey
 #43728  by voyager529
 
jllort wrote: Tue Apr 25, 2017 5:48 pm Do you have OpenLDAP?

The problem comes from OpenKM.xml (review this documentation section https://docs.openkm.com/kcenter/view/ok ... login.html ). If you do not succeed with it, share the OpenKM.xml file here (hide or replace any values you consider should not be shown).
Hello, jllort! Thank you for responding!

I looked through that, and I really really tried to make it match my environment.

Here's my current OpenKM.xml file, which allows me to log in as okmAdmin, but nobody else:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

  <!-- Security configuration -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="md5"/>
      <security:jdbc-user-service 
        data-source-ref="dataSource"
        users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
        authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>
</beans:beans>
Notably, it says the authentication manager appears to be the local account manager, but my user list is populated with the OpenLDAP users.
I found another post that referenced configuring OpenLDAP via the OpenKM.xml file, so I tried that, and ended up with this OpenKM.xml file:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.0.25"/>
  <beans:property name="userDn" value="cn=admin,dc=fbc,dc=local"/>
  <beans:property name="password" value="REDACTED"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=fbc,DC=local"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=fbc,DC=local" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=Groups,DC=fbc,DC=local)(memberOf=CN$
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>

When I put this one in (and rebooted the server), I couldn't get into the server with any set of credentials. I restored the first one, and got back to okmAdmin working.

Thank you in advance for your continued help.

Joey
 #43765  by voyager529
 
Hello jllort!

I thought I responded last week, but it looks like my response went to /dev/null; guess that's what I get for using public Wi-Fi.

Anyway, I did take a look like you said. Here is the OpenKM.xml file as-is, where okmAdmin can log in but no one else can:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

  <!-- Security configuration -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="md5"/>
      <security:jdbc-user-service
        data-source-ref="dataSource"
        users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
        authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>
</beans:beans>
I went through the link you sent and grabbed the OpenKM.xml file provided there, replacing values where readily apparent. Here's what I ended up with:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.0.25"/>
  <beans:property name="userDn" value="cn=admin,dc=fbc,dc=local"/>
  <beans:property name="password" value="[REDACTED]"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=fbc,DC=local"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=fbc,DC=local" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=Groups,DC=fbc,DC=local)(memberOf=CN=ROLE_USER,OU=Groups,DC=fbc,DC=local)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>

When I put this XML file in place and restarted Tomcat (and the machine as a whole, just to be sure), I couldn't log in at all, as anyone, LDAP, local, or otherwise.

To provide a smidge of context, LDAP is known working with Rocket.Chat, so I know that it's set up properly at least to some degree. Also, to confirm, OpenKM can at least read the user list, as they are replicated there and known to be properly visible.

I restored the original XML file so I could continue working. I appreciate your continued assistance in resolving this matter.

Best,
Joey
 #43767  by jllort
 
In the user node, is there an attribute named member? Or do you have an attribute named memberUuid?
Can you take a screenshot showing all the attributes of a user? I only need to see the attributes, not much else.

I think you are applying Active Directory attributes when really you do not have an Active Directory (that means member and memberOf are not present in your LDAP, but without taking a look at your attributes I do not know what we are talking about).
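
As an added illustration of the mismatch jllort describes (example code, not OpenKM's or the poster's): a small evaluator for the LDAP filters quoted in this thread, run against a constructed directory shaped like the poster's property table (inetOrgPerson users with uid, posixGroup groups with memberUid), so you can see which filters can match there at all. The entries, the user joey and the group staff are constructed; the placeholder convention ({0} = user DN, {1} = username in DefaultLdapAuthoritiesPopulator) is Spring Security's own behaviour.

```python
# Added example (not OpenKM's or the poster's code): a small evaluator for the LDAP
# filters quoted in this thread, run against a constructed tree shaped like the
# poster's OpenLDAP (inetOrgPerson users, posixGroup groups, no AD attributes).
# Constructed entries; attribute names lower-cased (LDAP names are case-insensitive).
DIRECTORY = {
    "uid=joey,dc=fbc,dc=local":
        {"objectclass": ["inetOrgPerson"], "uid": ["joey"], "cn": ["Joey"]},
    "cn=staff,ou=leadership,dc=fbc,dc=local":
        {"objectclass": ["posixGroup"], "cn": ["staff"], "memberuid": ["joey"]},
}

def _parse(s, i=0):
    """Parse the filter item starting at s[i] == '('; return (node, index_after)."""
    assert s[i] == "(", "filter item must start with '('"
    i += 1
    if s[i] in "&|":                      # (&(...)(...)) or (|(...)(...))
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        return (op, kids), i + 1          # skip the closing ')'
    end = s.index(")", i)                 # simple (attr=value) item
    attr, val = s[i:end].split("=", 1)
    return ("=", attr.lower(), val), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against one entry (dict attr -> list of values)."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    _, attr, val = node
    return any(v.lower() == val.lower() for v in entry.get(attr, []))

def search(base, filter_template, *args, directory=DIRECTORY):
    """Subtree search under `base`; {0}/{1} are filled like Spring's filter placeholders."""
    node, _ = _parse(filter_template.format(*args))
    return sorted(dn for dn, e in directory.items()
                  if dn.lower().endswith(base.lower()) and matches(node, e))

def compare_filters(user="joey"):
    """Property-table filters (uid/memberUid) versus the AD-style ones from OpenKM.xml."""
    base, groups = "dc=fbc,dc=local", "ou=leadership,dc=fbc,dc=local"
    ad_user = ("(&(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=Groups,DC=fbc,DC=local)"
               "(memberOf=CN=ROLE_USER,OU=Groups,DC=fbc,DC=local)))")
    return {
        "openldap user":  search(base, "(&(objectClass=inetOrgPerson)(uid={0}))", user),
        "openldap roles": search(groups, "(&(objectClass=posixGroup)(memberUid={0}))", user),
        "ad user":        search(base, ad_user, user),
        # DefaultLdapAuthoritiesPopulator passes the user DN as {0} and the username as {1}
        "ad roles":       search(base, "(member={0})", "uid=" + user + ",dc=fbc,dc=local"),
    }
```

The two AD-style lookups return nothing because no entry in an OpenLDAP tree like this carries sAMAccountName, memberOf or member, which is exactly why the second OpenKM.xml locked everyone out while the property-table filters still populated the user list.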
