Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

ulinuha
Fresh Boarder
Posts: 7
Joined: Mon Nov 13, 2017 9:08 am

Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

Post by ulinuha » Fri Feb 09, 2018 2:44 am

Hello...

I have successfully configured authentication through LDAP by setting OpenKM.xml and the settings in the admin page.
I have set DefaultRole parameter in OpenKM.xml to ROLE_USER because i have only "read only" mode access to LDAP server.

In this case, is there any easy way to enter the OpenKM with Admin Role beside switching from LDAP to database adapter or switching DefaultRole from ROLE_USER to ADMIN_USER?

jllort
Moderator
Posts: 10243
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

Post by jllort » Sun Feb 11, 2018 8:17 am

When you use the default role, you are really setting this role for all the users. That means all your AD users will be assigned this role and everybody will have access to OpenKM. Is that really what you want?

ulinuha
Fresh Boarder
Posts: 7
Joined: Mon Nov 13, 2017 9:08 am

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

Post by ulinuha » Mon Feb 12, 2018 1:57 am

Yes, I want to set all the users as ROLE_USER, and it works by setting the defaultRole parameter. However, when I want to configure something in the admin page I have difficulty entering the admin page. This is because I have to switch the defaultRole parameter to ROLE_ADMIN again and then, after finishing the admin stuff, I have to switch the defaultRole back to ROLE_USER again. In this case I'm not the admin of the LDAP server, so I can't modify it (create specific roles: admin and user roles in it).

jllort
Moderator
Posts: 10243
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

Post by jllort » Thu Feb 15, 2018 5:47 pm

This is because your user has not been assigned ROLE_ADMIN, or, if it has been assigned, the configuration in OpenKM.xml is wrong.

Share your OpenKM.xml here without passwords and we will take a look at it.

ulinuha
Fresh Boarder
Posts: 7
Joined: Mon Nov 13, 2017 9:08 am

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

Post by ulinuha » Wed Feb 21, 2018 6:29 am

Yes, I can't set ROLE_ADMIN via LDAP (I'm not the administrator, so I only have "read only" access). Is there any way to set ROLE_ADMIN via the OpenKM admin page instead?

Here's the code:

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider"/>
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://xxxx:389"/>
    <beans:property name="userDn" value="xxxx"/>
    <beans:property name="password" value="xxxx"/>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value=""/>
        <beans:property name="groupSearchFilter" value="division=IT"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true"/>
        <beans:property name="convertToUpperCase" value="false"/>
        <beans:property name="rolePrefix" value=""/>
        <beans:property name="defaultRole" value="ROLE_USER"/>
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="O=MyOrg"/>
    <beans:constructor-arg index="1" value="uid={0}"/>
    <beans:constructor-arg index="2" ref="contextSource"/>
    <beans:property name="searchSubtree" value="true"/>
  </beans:bean>
</beans:beans>

jllort
Moderator
Posts: 10243
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

Post by jllort » Thu Feb 22, 2018 7:44 pm

In the professional version we have a mixed configuration where users come from AD and roles are in the OpenKM database, but in the community version this feature has not been released.

Looking at your configuration, it seems you are using OpenLDAP; for each role you should create an attribute memberUid with the value of each user in it.

The problem is in this section of the xml:

<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:constructor-arg value=""/>
  <beans:property name="groupSearchFilter" value="division=IT"/>
  <beans:property name="groupRoleAttribute" value="cn"/>
  <beans:property name="searchSubtree" value="true"/>
  <beans:property name="convertToUpperCase" value="false"/>
  <beans:property name="rolePrefix" value=""/>
  <beans:property name="defaultRole" value="ROLE_USER"/>
</beans:bean>

Where you should have something like:

<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:constructor-arg value="ou=roles"/>
  <beans:property name="groupSearchFilter" value="memberUid={1}"/>
  <beans:property name="groupRoleAttribute" value="cn"/>
  <beans:property name="searchSubtree" value="true"/>
  <beans:property name="convertToUpperCase" value="true"/>
  <beans:property name="rolePrefix" value=""/>
</beans:bean>

Take a look at this section of the documentation https://docs.openkm.com/kcenter/view/ok ... login.html

The problem with OpenLDAP is setting the relation between roles and users. You must declare an attribute in the roles and also an attribute in the users for a bidirectional relation (the second relation is not mandatory; it will only take effect in the UI when you are getting roles by user, but the first is mandatory: you must add an attribute to each role to set the relation between users and roles).
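How the corrected populator settings above turn role entries into OpenKM roles, as an added Python model (not OpenKM or Spring Security code): the directory entries, the user DNs, the contextSource base O=MyOrg and the resolved search base are constructed assumptions, only simple attr=value filters are modelled, and the poster's defaultRole is kept so everybody still receives ROLE_USER while ROLE_ADMIN comes only from memberUid membership.

```python
"""Model of DefaultLdapAuthoritiesPopulator role resolution as configured in the thread."""
import re

# Constructed directory (assumption): two role entries under ou=roles that list
# their members in memberUid, plus a user entry that is not a role.
DIRECTORY = [
    {"dn": "cn=role_admin,ou=roles,O=MyOrg", "cn": ["role_admin"], "memberUid": ["alice"]},
    {"dn": "cn=role_user,ou=roles,O=MyOrg", "cn": ["role_user"], "memberUid": ["alice", "bob"]},
    {"dn": "uid=alice,ou=people,O=MyOrg", "uid": ["alice"], "division": ["IT"]},
]


def resolve_roles(username, user_dn, *, search_base, group_search_filter,
                  group_role_attribute="cn", role_prefix="",
                  convert_to_upper_case=True, default_role=None):
    """Return the role set for one user: {0} in the filter is the user's DN and
    {1} the username; every entry under search_base that matches the filter
    contributes its groupRoleAttribute values; defaultRole is always added."""
    # Only "attr=value" equality filters are modelled here (assumption).
    m = re.fullmatch(r"(\w+)=(.*)", group_search_filter)
    if not m:
        raise ValueError("unsupported filter: " + group_search_filter)
    attr = m.group(1)
    value = m.group(2).replace("{0}", user_dn).replace("{1}", username)
    roles = set()
    for entry in DIRECTORY:
        # searchSubtree=true: any entry below the base qualifies.
        if search_base and not entry["dn"].lower().endswith(search_base.lower()):
            continue
        if value not in entry.get(attr, []):
            continue
        for name in entry.get(group_role_attribute, []):
            role = role_prefix + name
            roles.add(role.upper() if convert_to_upper_case else role)
    if default_role:
        roles.add(default_role)
    return roles


# The corrected populator: ou=roles is relative to the contextSource base,
# which is assumed to be O=MyOrg, hence the resolved search base below.
CORRECTED = dict(search_base="ou=roles,O=MyOrg", group_search_filter="memberUid={1}",
                 convert_to_upper_case=True, default_role="ROLE_USER")
# The original populator: no user placeholder in the filter, so no per-user roles.
ORIGINAL = dict(search_base="", group_search_filter="division=IT",
                convert_to_upper_case=False, default_role="ROLE_USER")


def roles_for(username, config=CORRECTED):
    return resolve_roles(username, f"uid={username},ou=people,O=MyOrg", **config)
```

With the corrected settings only the user listed in cn=role_admin gets ROLE_ADMIN, and everybody else ends with the default ROLE_USER alone.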

afurtado
Fresh Boarder
Posts: 4
Joined: Thu Mar 08, 2018 7:36 pm

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

Post by afurtado » Fri Mar 09, 2018 12:57 pm

Hey I am having issues with LDAP integration, is there any chance you could help me out?

jllort
Moderator
Posts: 10243
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

Post by jllort » Sat Mar 10, 2018 10:21 am

As I indicated in a previous post, share the data with us and we'll try to help you. I suggest that in your case it might be a good idea to open a new post specific to your case.
