• [Resolved] Role does not work with (LDAP) Active directory

 #46033  by milenormand
 
Hi,

Sorry in advance for my English.

I have successfully installed OpenKM Community Edition (version 6.3.6, Tomcat 8.5.24) with MS AD using the advanced configuration and best practices in the docs: https://docs.openkm.com/kcenter/view/ok ... ation.html
https://docs.openkm.com/kcenter/view/ok ... roles.html

But with these docs I had two problems: the user ID was a trigram (sAMAccountName) and the user ID in Role was a first name and last name (CN).
With the option principal.ldap.users.from.roles set to true, I could see OpenKM creates users with ID first name and last name (CN).

For one user, I had two accounts: ID = MLE Name = Mi** Lenormand Mail = *** Roles = ROLE_USER ROLE_TEST
ID = Mi** Lenormand Name=Mi** Lenormand Mail = (empty) Roles = (empty)

The second account has Roles empty but is present in the role (e.g. ROLE_USER) when I filter.

I think the problem comes from:
principal.ldap.users.by.role.attribute member
principal.ldap.users.by.role.search.base OU=IT,OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.users.by.role.search.filter (&(objectClass=group)(cn={0}))

We can't filter by sAMAccountName because in member there is no sAMAccountName:

[screenshot]

The second problem is that roles do not work when I log in with MLE. (In the log, I can't log in with ID = Mi** Lenormand.)


After many manipulations I have solved the first problem: I log in with CN and password. But the second problem is still present.

In the Administration tab:
Code:
system.login.lowercase=true
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://sd01cdg***:389
principal.ldap.security.principal=CN=OpenKm,OU=Compte de Service,OU=SDA,DC=***,DC=***
principal.ldap.security.credentials=*******************

principal.ldap.user.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.user.search.filter=objectclass=person
principal.ldap.user.attribute=CN

principal.ldap.role.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=cn=OpenKM_ROLE,ou=cdg,ou=sda,dc=**,dc=**))
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.mail.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.username.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member

principal.ldap.users.from.roles=true 

principal.ldap.roles.by.user.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.roles.by.user.attribute=memberOf

principal.ldap.referral=follow

In [Tomcat-8.5.24]/OpenKM.xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">


<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://sd01cdgdc:389"/>
  <beans:property name="userDn" value="CN=OpenKm,OU=Compte de Service,OU=SDA,DC=***,DC=***"/>
  <beans:property name="password" value="******************"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="OU=IT,OU=CDG,OU=SDA,DC=*****,DC=***"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
     <!-- <beans:property name="rolePrefix" value="ROLE_" /> -->
      <beans:property name="rolePrefix" value="" />
      <beans:property name="defaultRole" value="ROLE_ADMIN" />
     <!-- <beans:property name="defaultRole" value="ROLE_USER" /> -->
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="OU=CDG,OU=SDA,DC=*****,DC=**" />
  <beans:constructor-arg index="2" ref="contextSource" />
<!--  <beans:constructor-arg index="1" value="sAMAccountName={0}" /> -->
  <beans:constructor-arg index="1" value="CN={0}" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

 </beans:beans>
If I don't use <beans:property name="defaultRole" value="ROLE_ADMIN" />, I can't log in with ROLE_ADMIN.

Here are the results that make me think I'm on the right track:

[screenshots]

Do you have any idea about this problem?

Best Regards,
Mi Lenormand
Last edited by milenormand on Thu Jun 28, 2018 8:25 am, edited 3 times in total.
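An added illustration (not OpenKM code, and not the poster's configuration) of the mismatch described in this post: the users-by-role lookup reads AD's member attribute, which holds DNs, so the only identifier it yields is the CN, while the user lookup yields sAMAccountName. The directory entries and the DC=example,DC=com domain are constructed; the resolve option models looking each member DN up to obtain the same attribute the user search uses.

```python
# Added example, not OpenKM code. Simulates the two lookups from the config
# above on a constructed mini-directory (placeholder domain DC=example,DC=com).
from typing import Dict, List

# Constructed entries keyed by DN. AD's group 'member' attribute holds DNs,
# which is the detail the post's problem hinges on.
DIRECTORY: Dict[str, dict] = {
    "CN=Mi Lenormand,OU=IT,OU=CDG,OU=SDA,DC=example,DC=com": {
        "objectClass": "person", "cn": "Mi Lenormand",
        "sAMAccountName": "MLE", "mail": "mle@example.com",
    },
    "CN=ROLE_USER,OU=IT,OU=CDG,OU=SDA,DC=example,DC=com": {
        "objectClass": "group", "cn": "ROLE_USER",
        "member": ["CN=Mi Lenormand,OU=IT,OU=CDG,OU=SDA,DC=example,DC=com"],
    },
}

def rdn_value(dn: str) -> str:
    """First RDN value of a DN ('CN=Mi Lenormand,OU=...' -> 'Mi Lenormand').
    Simplified: does not handle escaped commas inside RDN values."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def user_ids(user_attribute: str) -> List[str]:
    """principal.ldap.user.*: list every person, identified by user_attribute
    (sAMAccountName gives 'MLE', cn gives 'Mi Lenormand')."""
    return [e[user_attribute] for e in DIRECTORY.values()
            if e["objectClass"] == "person"]

def users_by_role(role: str, user_attribute: str, resolve: bool) -> List[str]:
    """principal.ldap.users.by.role.*: read the group's 'member' values.
    Without resolution the only ID available is the CN inside each DN; with
    resolution each member DN is looked up and user_attribute is returned."""
    group = next(e for e in DIRECTORY.values()
                 if e["objectClass"] == "group" and e["cn"] == role)
    return [DIRECTORY[dn][user_attribute] if resolve else rdn_value(dn)
            for dn in group["member"]]

def consistent(user_attribute: str, resolve: bool = False) -> bool:
    """True when the IDs seen via the role match the IDs of the user listing.
    False reproduces the post's symptom: a second account named after the CN."""
    return set(users_by_role("ROLE_USER", user_attribute, resolve)) <= set(
        user_ids(user_attribute))

if __name__ == "__main__":
    print(consistent("sAMAccountName"))                # False: MLE vs Mi Lenormand
    print(consistent("cn"))                            # True: the poster's workaround
    print(consistent("sAMAccountName", resolve=True))  # True: resolve member DNs
```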
 #46043  by milenormand
 
Hi i.m.ashish,

Sorry, I am not a video maker, but if you need help follow this step by step:

1) Go to Administration > Configuration parameters:

principal.adapter String com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users Boolean True
principal.hide.connection.roles Boolean False
principal.identifier.validation String ^[a-zA-Z0-9_]+$

principal.ldap.mail.attribute String mail
principal.ldap.mail.search.base String OU=**,OU=**,OU=**,DC=**,DC=***
principal.ldap.mail.search.filter String (&(objectClass=person)(sAMAccountName={0}))

principal.ldap.referral String follow

principal.ldap.role.attribute String cn
principal.ldap.role.search.base List OU=**,OU=**,OU=**,DC=**,DC=***
principal.ldap.role.search.filter String (objectclass=group)

principal.ldap.roles.by.user.attribute String memberOf
principal.ldap.roles.by.user.search.base String DC=sid,DC=afi
principal.ldap.roles.by.user.search.filter String (&(objectClass=person)(sAMAccountName={0}))

principal.ldap.security.credentials String Password of Mi** LENORMAND
principal.ldap.security.principal String CN=Mi** LENORMAND,OU=**,OU=**,OU=**,DC=**,DC=***

principal.ldap.server String ldap://NameServer:389

principal.ldap.user.attribute String sAMAccountName
principal.ldap.user.search.base List DC=**,DC=**
principal.ldap.user.search.filter String (objectclass=person)

principal.ldap.username.attribute String cn
principal.ldap.username.search.base String DC=**,DC=**
principal.ldap.username.search.filter String (&(objectClass=person)(sAMAccountName={0}))

principal.ldap.users.by.role.attribute String member
principal.ldap.users.by.role.search.base String CN={0},OU=**,OU=**,OU=**,DC=**,DC=***

Careful with system.login.lowercase at the beginning.

After that go to Administration > Utilities > Cache stats: click to reset all.

2) Restart Tomcat

Check your users; after that go to OpenKM.xml for the filter result.

https://docs.openkm.com/kcenter/view/ok ... ation.html
https://docs.openkm.com/kcenter/view/ok ... roles.html
https://docs.openkm.com/kcenter/view/ok ... oting.html


Best Regards,
Mi Lenormand
 #46055  by milenormand
 
Hi i.m.ashish,

I think this is an error: sAMAccountName=okAdmin. Follow the previous message.
Have you got users?
And follow: https://docs.openkm.com/kcenter/view/ok ... ation.html



In the OpenKM.xml file don't forget "<beans:property name="defaultRole" value="ROLE_ADMIN" />" for troubleshooting.
Can you log in with your account (AD)?
Beyond that I can't help you; I am blocked here.


Best regards,
Mi LENORMAND
 #46076  by jllort
 
If your users are not able to see the Administration tab, it is because they are not members of ROLE_ADMIN (a group which must be created in your AD and assigned to the users).

I suggest you concentrate first on integration without SSL and later, when you have everything right, start a new topic on the SSL authentication issue with the complete log file stack trace for understanding the issue in depth.
 #46114  by jllort
 
Share with us the connection url or port changes you are using for SSL authentication.
Also we need to take a look at the catalina.log file for the error raised while trying to log in (we only need the stack trace error section, not the whole catalina.log file) -> you can upload the error section as a file in this post.
 #46139  by milenormand
 
Hi jllort,

Thank you for your reply.
jllort wrote: Sun Jun 10, 2018 5:40 pm If your users are not able to see the Administration tab, it is because they are not members of ROLE_ADMIN (a group which must be created in your AD and assigned to the users).
My users are not able to see the Administration tab, but the users are members of ROLE_ADMIN:
[screenshot]

I can see the users in the group ROLE_ADMIN:
[screenshot]

Without <beans:property name="defaultRole" value="ROLE_ADMIN" />, I can't log in with admin rights (ROLE_ADMIN).

For more information, I think without <beans:property name="defaultRole" value="ROLE_ADMIN" /> all users have no authorization on any folders and files (no rights).

Best Regards,
Mi Lenormand
 #46156  by jllort
 
If you are not seeing administration, it is because your logged-in users do not inherit ROLE_ADMIN (I hope you have not changed the configuration parameter default.admin.role=ROLE_ADMIN; you can check it in the OKM_CONFIG database table looking for CFG_KEY='default.admin.role').

I do not understand how you are able to take administration screenshots if you are not logging in with ROLE_ADMIN users.
 #46167  by milenormand
 
Hi jllort,
jllort wrote: If you are not seeing administration, it is because your logged-in users do not inherit ROLE_ADMIN (I hope you have not changed the configuration parameter default.admin.role=ROLE_ADMIN; you can check it in the OKM_CONFIG database table looking for CFG_KEY='default.admin.role').
Thank you for your reply.

How do I check the inherited roles? (I think my problem is here.)

I haven't changed the configuration of the default roles:
[screenshot]

In the table OKM_CONFIG:
[screenshot]

jllort wrote: I do not understand how you are able to take administration screenshots if you are not logging in with ROLE_ADMIN users.
For troubleshooting I use the example "Force all users to be members of ROLE_USER" https://docs.openkm.com/kcenter/view/ok ... oting.html

but with ROLE_ADMIN: <beans:property name="defaultRole" value="ROLE_ADMIN" />.



Thanks in advance,
Best Regards,
Mi Lenormand
