Open Source Document Management System | OpenKM

Because information matters
https://forum.openkm.com/

Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

https://forum.openkm.com/viewtopic.php?t=21657

Page 1 of 1

Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

PostPosted:Fri Feb 09, 2018 2:44 am
by ulinuha
Hello...

I have successfully configured authentication through LDAP by setting OpenKM.xml and the settings in the admin page.
I have set DefaultRole parameter in OpenKM.xml to ROLE_USER because i have only "read only" mode access to LDAP server.

In this case, is there any easy way to enter the OpenKM with Admin Role beside switching from LDAP to database adapter or switching DefaultRole from ROLE_USER to ADMIN_USER?

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

PostPosted:Sun Feb 11, 2018 8:17 am
by jllort
When you use Default role, really you are setting this role to all the users. That means all your AD users will be assigned with this role and everybody will have accessing to the OpenKM. Is that what really do you want ?

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

PostPosted:Mon Feb 12, 2018 1:57 am
by ulinuha
Yes I wanna set all the users to be as ROLE_USER, and it works by setting the defaultrole parameter. However when i wanna configure something in admin page i have a difficulty to enter the admin page. It is because i have to switch the defaultrole parameter to ROLE_ADMIN again and then after finishing doing the admin stuff, i have to swtich back again the defaultrole to ROLE_USER again. In this case I'm not the admin of the LDAP server, so i can't modify it (make specific role: admin & user role in it).

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

PostPosted:Thu Feb 15, 2018 5:47 pm
by jllort
This is because your user have not assigned ROLE_ADMIN or if they have assigned the configuration in the OpenKM.xml is wrong.

Share here your OpenKM.xml without passwords and we will take a look on it.

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

PostPosted:Wed Feb 21, 2018 6:29 am
by ulinuha
Yes i can't set ROLE_ADMIN via LDAP (I'm not the administrator, so i only have "read onl"y access). Is there any way to set ROLE_ADMIN via OPENKM admin page instead?

Here's the code:
Code: Select all
<?xml version="1.0" encoding="UTF-8"?> <beans:beans 
xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">
  
<security:authentication-manager 
alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" 
/> </security:authentication-manager>
  
<beans:bean id="contextSource" 
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg 
value="ldap://xxxx:389"/>
  <beans:property name="userDn" value="xxxx"/>
  <beans:property name="password" value="xxxx"/> 
</beans:bean> <beans:bean id="ldapAuthProvider" 
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean 
class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean 
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" 
value="division=IT"/>
      <beans:property name="groupRoleAttribute" 
value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" 
value="false" />
      <beans:property name="rolePrefix" value="" />
	  <beans:property name="defaultRole" 
value="ROLE_USER" />
    </beans:bean>
  </beans:constructor-arg> </beans:bean> <beans:bean 
id="userSearch" 
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="O=MyOrg" />
  <beans:constructor-arg index="1" value="uid={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" /> 
</beans:bean>
</beans:beans>

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

PostPosted:Thu Feb 22, 2018 7:44 pm
by jllort
In professional version we have mixed configuration where users comes from AD and roles are into OpenKM database, but in community this feature has not been released.

Watching your configuration seems you are using openldap, for each role you should create and attribute memberUid with the value of each user into.

The problem is in this section of the xml:
Code: Select all
<beans:bean 
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" 
value="division=IT"/>
      <beans:property name="groupRoleAttribute" 
value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" 
value="false" />
      <beans:property name="rolePrefix" value="" />
	  <beans:property name="defaultRole" 
value="ROLE_USER" />
    </beans:bean>
Where you should have something like:
Code: Select all
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=roles"/>
                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
 
        <beans:property name="rolePrefix" value="" /> 
 
            </beans:bean>
Take a look at this section of the documentation https://docs.openkm.com/kcenter/view/ok ... login.html

The problem with openldap is for setting the relation between roles and user. You must declare attribute into roles and also attribute into user for bidirectional relation ( the second relation is not mandatory , will only take effect from UI when you are getting roles by user, but the first is mandatory you must add an attribute into each role to set the relation between users and roles ).

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

PostPosted:Fri Mar 09, 2018 12:57 pm
by afurtado
Hey I am having issues with LDAP integration, is there any chance you could help me out?

Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

PostPosted:Sat Mar 10, 2018 10:21 am
by jllort
As I indicated in previous post share with us the data and we'll try to help you. I suggest in you case might be good idea open a new post specific for your case.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited