Page 1 of 1
Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries
PostPosted:Fri Feb 09, 2018 2:44 am
by ulinuha
Hello...
I have successfully configured authentication through LDAP by setting OpenKM.xml and the settings in the admin page.
I have set DefaultRole parameter in OpenKM.xml to ROLE_USER because i have only "read only" mode access to LDAP server.
In this case, is there any easy way to enter the OpenKM with Admin Role beside switching from LDAP to database adapter or switching DefaultRole from ROLE_USER to ADMIN_USER?
Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries
PostPosted:Sun Feb 11, 2018 8:17 am
by jllort
When you use Default role, really you are setting this role to all the users. That means all your AD users will be assigned with this role and everybody will have accessing to the OpenKM. Is that what really do you want ?
Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries
PostPosted:Mon Feb 12, 2018 1:57 am
by ulinuha
Yes I wanna set all the users to be as ROLE_USER, and it works by setting the defaultrole parameter. However when i wanna configure something in admin page i have a difficulty to enter the admin page. It is because i have to switch the defaultrole parameter to ROLE_ADMIN again and then after finishing doing the admin stuff, i have to swtich back again the defaultrole to ROLE_USER again. In this case I'm not the admin of the LDAP server, so i can't modify it (make specific role: admin & user role in it).
Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries
PostPosted:Thu Feb 15, 2018 5:47 pm
by jllort
This is because your user have not assigned ROLE_ADMIN or if they have assigned the configuration in the OpenKM.xml is wrong.
Share here your OpenKM.xml without passwords and we will take a look on it.
Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries
PostPosted:Wed Feb 21, 2018 6:29 am
by ulinuha
Yes i can't set ROLE_ADMIN via LDAP (I'm not the administrator, so i only have "read onl"y access). Is there any way to set ROLE_ADMIN via OPENKM admin page instead?
Here's the code:
Code: Select all<?xml version="1.0" encoding="UTF-8"?> <beans:beans
xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:amq="http://activemq.apache.org/schema/core"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task.xsd">
<security:authentication-manager
alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider"
/> </security:authentication-manager>
<beans:bean id="contextSource"
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg
value="ldap://xxxx:389"/>
<beans:property name="userDn" value="xxxx"/>
<beans:property name="password" value="xxxx"/>
</beans:bean> <beans:bean id="ldapAuthProvider"
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value=""/>
<beans:property name="groupSearchFilter"
value="division=IT"/>
<beans:property name="groupRoleAttribute"
value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase"
value="false" />
<beans:property name="rolePrefix" value="" />
<beans:property name="defaultRole"
value="ROLE_USER" />
</beans:bean>
</beans:constructor-arg> </beans:bean> <beans:bean
id="userSearch"
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="O=MyOrg" />
<beans:constructor-arg index="1" value="uid={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>
Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries
PostPosted:Thu Feb 22, 2018 7:44 pm
by jllort
In professional version we have mixed configuration where users comes from AD and roles are into OpenKM database, but in community this feature has not been released.
Watching your configuration seems you are using openldap, for each role you should create and attribute memberUid with the value of each user into.
The problem is in this section of the xml:
Code: Select all<beans:bean
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value=""/>
<beans:property name="groupSearchFilter"
value="division=IT"/>
<beans:property name="groupRoleAttribute"
value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase"
value="false" />
<beans:property name="rolePrefix" value="" />
<beans:property name="defaultRole"
value="ROLE_USER" />
</beans:bean>
Where you should have something like:
Code: Select all<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="ou=roles"/>
<beans:property name="groupSearchFilter" value="memberUid={1}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="true" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
Take a look at this section of the documentation
https://docs.openkm.com/kcenter/view/ok ... login.html
The problem with openldap is for setting the relation between roles and user. You must declare attribute into roles and also attribute into user for bidirectional relation ( the second relation is not mandatory , will only take effect from UI when you are getting roles by user, but the first is mandatory you must add an attribute into each role to set the relation between users and roles ).
Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries
PostPosted:Fri Mar 09, 2018 12:57 pm
by afurtado
Hey I am having issues with LDAP integration, is there any chance you could help me out?
Re: Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries
PostPosted:Sat Mar 10, 2018 10:21 am
by jllort
As I indicated in previous post share with us the data and we'll try to help you. I suggest in you case might be good idea open a new post specific for your case.