• Administration tab is not showing (AD)

 #45471  by saleem55
 
I have successfully installed openkm-dev integrated with MS AD using example3,

but I have a problem: when I log in with okmadmin I cannot see the administration tab.

I have created two roles in AD, ROLE_ADMIN and ROLE_USER, and I put okmAdmin as a member of ROLE_ADMIN, but the administration tab is still not working.
I don't want to assign admin to all users:
<beans:property name="defaultRole" value="ROLE_ADMIN" />
I want only okmAdmin to be administrator.

- I am using the default profile and administration is enabled

I am hiding the IP and domain (XXXX).

Please help me to trace the issue.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <!-- Security configuration -->
  <security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
  
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://172.XX.XXXXX:389/dc=XXXX,dc=com,dc=om"/>
  <beans:property name="userDn" value="CN=XXXXXX,OU=Users,OU=IT,OU=Departments,DC=XXXXXX,DC=com,DC=om"/>
  <beans:property name="password" value="XXXXXXX"/>
  
   <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" value="memberOf={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" /> 
	  <!--<beans:property name="defaultRole" value="ROLE_ADMIN" />-->
	  
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=XXXX,DC=com,dc=om)(memberOf=CN=ROLE_USER,OU=OPENKM,DC=XXXX,DC=com,dc=om)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>
Thanks
Saleem
 #45478  by jllort
 
I think the issue comes because you have used memberOf={1} while you should use
Code:
<beans:property name="groupSearchFilter" value="member={0}"/>
Also, I suggest removing "dc=XXXX,dc=com,dc=om" from the end of ldap://172.XX.XXXXX:389/dc=XXXX,dc=com,dc=om and setting it in each bean definition. You can take a look at https://docs.openkm.com/kcenter/view/ok ... roles.html where it is shown (basically it is the same: you can filter the base from the LDAP connection or from each bean).
 #45480  by saleem55
 
jllort wrote: Sun Mar 18, 2018 7:08 pm I think the issue comes because you have used memberOf={1} while you should use
Code:
<beans:property name="groupSearchFilter" value="member={0}"/>
Also, I suggest removing "dc=XXXX,dc=com,dc=om" from the end of ldap://172.XX.XXXXX:389/dc=XXXX,dc=com,dc=om and setting it in each bean definition. You can take a look at https://docs.openkm.com/kcenter/view/ok ... roles.html where it is shown (basically it is the same: you can filter the base from the LDAP connection or from each bean).

Thanks jllort,
You are right, it is working now and I am able to get the administration tab.

But when I remove "dc=XXXX,dc=com,dc=om" from the end of ldap://172.XX.XXXXX:389/dc=XXXX,dc=com,dc=om and set it in each bean definition,
I am not able to log in.
Thanks
Saleem
 #45491  by jllort
 
You must set it in the two beans; take a look at the sample, maybe you have missed one. Look for DC=company,DC=com in the XML sample.

Check your "dc=XXXX,dc=com,dc=om". Are you sure it ends with dc=om? Maybe you have added something extra?
 #45498  by saleem55
 
jllort wrote: Mon Mar 19, 2018 7:22 pm You must set it in the two beans; take a look at the sample, maybe you have missed one. Look for DC=company,DC=com in the XML sample.

Check your "dc=XXXX,dc=com,dc=om". Are you sure it ends with dc=om? Maybe you have added something extra?

Yes, our domain ends with om.
I will retry and I will let you know.

Thanks
 #45520  by jllort
 
If it ends with dc=om then it is right. The underlying issue here is that the roles cannot be retrieved for the logged-in user (otherwise it would work), or you missed assigning the role to the user.
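
The two changes discussed in this thread, sketched as an added example (not part of any post and not OpenKM's own sample): the group filter corrected to member={0}, and the base DN moved out of the LDAP URL into the two beans that search. The XXXX placeholders and the OU=OPENKM group location follow the first post; the exact search bases are assumptions to adapt to your directory.

```xml
<!-- Added example: replaces the contextSource, ldapAuthProvider and userSearch
     beans of the file posted above. XXXX values are the poster's redactions. -->
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <!-- No base DN in the URL: each search bean below carries its own base -->
  <beans:constructor-arg value="ldap://172.XX.XXXXX:389"/>
  <beans:property name="userDn" value="CN=XXXXXX,OU=Users,OU=IT,OU=Departments,DC=XXXXXX,DC=com,DC=om"/>
  <beans:property name="password" value="XXXXXXX"/>
  <beans:property name="baseEnvironmentProperties">
    <beans:map>
      <beans:entry key="java.naming.referral" value="follow"/>
    </beans:map>
  </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <!-- Group search base (assumed): the OU that holds ROLE_ADMIN and ROLE_USER -->
      <beans:constructor-arg value="OU=OPENKM,DC=XXXX,DC=com,DC=om"/>
      <!-- {0} = full DN of the authenticated user, {1} = login name.
           The search runs over group entries, so match their "member" attribute;
           "memberOf={1}" compares a DN-valued attribute with a bare login name
           and does not match the group entries, so no roles are loaded. -->
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true"/>
      <beans:property name="convertToUpperCase" value="false"/>
      <beans:property name="rolePrefix" value=""/>
      <!-- defaultRole stays unset: it is granted to every user who authenticates -->
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <!-- User search base: the part removed from the URL -->
  <beans:constructor-arg index="0" value="DC=XXXX,DC=com,DC=om"/>
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=XXXX,DC=com,dc=om)(memberOf=CN=ROLE_USER,OU=OPENKM,DC=XXXX,DC=com,dc=om)))"/>
  <beans:constructor-arg index="2" ref="contextSource"/>
  <beans:property name="searchSubtree" value="true"/>
</beans:bean>
```

Scoping the group search to the OU that holds the OpenKM role groups also means that, with an empty rolePrefix, only groups under that OU can become OpenKM roles.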
