Hi,
I'm trying to configure LDAP authentication with custom roles.
I followed the documentation but I'm stuck.
So far, this is what I have done:
- Create the admin and user roles in my AD
- Configure OpenKM.xml to authenticate against AD.
- After this, I restarted the application, and cleaned the index.
If I try to log in with a user who is a member of the new AD admin role, I get an error saying that the trash cannot be created.
I'm a bit stuck here, so any help would be appreciated.
Thanks.
I'm trying to configure LDAP authentication with custom roles.
I followed the documentation but I'm stuck.
So far, this is what I have done:
- Create the admin and user roles in my AD
- Configure OpenKM.xml to authenticate against AD.
- Update the database with the new roles names.
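<?xml version="1.0" encoding="UTF-8"?>
<!--
  OpenKM.xml: authentication manager backed by Active Directory (LDAP bind).
  Only the authentication manager lives here; the HTTP filter chains and the
  access-decision manager are configured in the web application context.
-->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <!-- The LDAP provider below is the only authentication provider. -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider"/>
  </security:authentication-manager>

  <!--
    Connection to the directory, using a dedicated bind account.
    The bind DN and its password are stored here in clear text (the password
    is redacted in this post), so the file must be readable only by the
    account that runs the servlet container.
    NOTE(review): a plain ldap:// URL carries the bind password and every
    user's password unencrypted over the network; prefer ldaps:// (or
    StartTLS) once the AD server's certificate is trusted by the JVM.
  -->
  <beans:bean id="contextSource"
              class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://master.lampiris.local"/>
    <beans:property name="userDn"
                    value="CN=bind_openkm_be,OU=xxx,OU=yyy,OU=zzzz,DC=domain,DC=local"/>
    <beans:property name="password" value="***********"/>
    <!-- JNDI setting: follow LDAP referrals instead of raising an error on them. -->
    <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry key="java.naming.referral" value="follow"/>
      </beans:map>
    </beans:property>
  </beans:bean>

  <!--
    Authenticates by binding as the entry located by "userSearch", then loads
    the user's authorities from the AD groups that list that entry as a member.
  -->
  <beans:bean id="ldapAuthProvider"
              class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="OU=Utilisateurs,OU=xxxxxx,DC=domain,DC=local"/>
        <!-- A group grants an authority when its "member" attribute holds the user's DN. -->
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <!--
          The group's cn becomes the authority name verbatim: no ROLE_ prefix
          and no upper-casing. These names therefore have to match the role
          names used elsewhere (OKM_ROLE rows, intercept-url access attributes).
        -->
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true"/>
        <beans:property name="convertToUpperCase" value="false"/>
        <beans:property name="rolePrefix" value=""/>
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <!--
    Locates the user entry by sAMAccountName and, in the same filter, requires
    membership of one of the two OpenKM groups, so accounts outside those
    groups cannot log in at all. memberOf matches direct membership only;
    users who belong through a nested group will be rejected (confirm that is
    intended).
    Well-formedness: "&" inside an attribute value has to be written "&amp;";
    the bare "&" in the original filter is not valid XML.
  -->
  <beans:bean id="userSearch"
              class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="OU=Utilisateurs,OU=xxxxxx,DC=domain,DC=local"/>
    <beans:constructor-arg index="1"
                           value="(&amp;(sAMAccountName={0})(|(memberOf=CN=BE-OPENKM-ADMIN,OU=aa,OU=bbb,OU=Groups,OU=cccc,DC=domain,DC=local)(memberOf=CN=BE-OPENKM-USER,OU=aa,OU=bbb,OU=Groups,OU=cccc,DC=domain,DC=local)))"/>
    <beans:constructor-arg index="2" ref="contextSource"/>
    <beans:property name="searchSubtree" value="true"/>
  </beans:bean>
</beans:beans>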
- Update appContext.xml in the WEB-INF directory and rebuild the WAR file with the patched XML file (by the way, the documentation says the file is applicationContext.xml, which is wrong).
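-- Role rename: ROLE_USER / ROLE_ADMIN become BE-OPENKM-USER / BE-OPENKM-ADMIN.
-- Run the whole script as one transaction (BEGIN ... COMMIT, or autocommit
-- off in your client) so a failure part-way does not leave the application
-- with references to a role that no longer exists.

-- 1. Create the new roles first, so every later reference points at an
--    existing OKM_ROLE row (matters if the other tables carry a foreign key
--    to OKM_ROLE; in the original order the UPDATEs ran before the INSERTs).
INSERT INTO OKM_ROLE (ROL_ID, ROL_ACTIVE) VALUES ('BE-OPENKM-USER', 'T');
INSERT INTO OKM_ROLE (ROL_ID, ROL_ACTIVE) VALUES ('BE-OPENKM-ADMIN', 'T');

-- 2. Point the default-role configuration at the new names.
UPDATE OKM_CONFIG SET CFG_VALUE='BE-OPENKM-USER' WHERE CFG_KEY='default.user.role';
UPDATE OKM_CONFIG SET CFG_VALUE='BE-OPENKM-ADMIN' WHERE CFG_KEY='default.admin.role';

-- 3. Move node permissions over to the new role names.
UPDATE OKM_NODE_ROLE_PERMISSION SET NRP_ROLE='BE-OPENKM-USER' WHERE NRP_ROLE='ROLE_USER';
UPDATE OKM_NODE_ROLE_PERMISSION SET NRP_ROLE='BE-OPENKM-ADMIN' WHERE NRP_ROLE='ROLE_ADMIN';

-- 4. Move user memberships over to the new role names.
UPDATE OKM_USER_ROLE SET UR_ROLE='BE-OPENKM-USER' WHERE UR_ROLE='ROLE_USER';
UPDATE OKM_USER_ROLE SET UR_ROLE='BE-OPENKM-ADMIN' WHERE UR_ROLE='ROLE_ADMIN';

-- 5. Only now drop the old roles, which nothing references any more.
DELETE FROM OKM_ROLE WHERE ROL_ID IN ('ROLE_USER', 'ROLE_ADMIN');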
- Change the configuration of the application to do the user, group and role searches against AD.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:jee="http://www.springframework.org/schema/jee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.2.xsd
                                 http://www.springframework.org/schema/context
                                 http://www.springframework.org/schema/context/spring-context-3.1.xsd
                                 http://www.springframework.org/schema/jee
                                 http://www.springframework.org/schema/jee/spring-jee-3.1.xsd">

  <context:component-scan base-package="com.openkm"/>

  <!-- OpenKM API endpoints (SOAP, REST, CMIS) are configured in their own files. -->
  <beans:import resource="soap.xml"/>
  <beans:import resource="rest.xml"/>
  <beans:import resource="cmis.xml"/>

  <!-- Disabled: would make the security context inheritable by child threads. -->
  <!--
  <beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
    <beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder"/>
    <beans:property name="targetMethod" value="setStrategyName"/>
    <beans:property name="arguments" value="_INHERITABLETHREADLOCAL"/>
  </beans:bean>
  -->

  <security:global-method-security secured-annotations="enabled"/>

  <!--
    Stateless filter chains for the machine-facing endpoints. Each one accepts
    HTTP Basic credentials on every request, never creates a session and
    requires a fully authenticated caller.
  -->

  <!-- Status -->
  <security:http pattern="/Status" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- Download -->
  <security:http pattern="/Download" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- Workflow deployment -->
  <security:http pattern="/workflow-register" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- WebDAV -->
  <security:http pattern="/webdav/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- Syndication feeds -->
  <security:http pattern="/feed/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- OpenCMIS browser binding -->
  <security:http pattern="/cmis/browser/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- OpenCMIS AtomPub binding (CMIS 1.0) -->
  <security:http pattern="/cmis/atom/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- OpenCMIS AtomPub binding (CMIS 1.1) -->
  <security:http pattern="/cmis/atom11/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- REST -->
  <security:http pattern="/services/rest/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!--
    Catch-all chain for interactive (browser) users, matching every request
    not taken by the chains above. Access decisions go through the custom
    "accessDecisionManager" defined below so that the unprefixed AD group
    names can be used directly as access attributes.
    See http://info.michael-simons.eu/2011/01/28/disable-jsessionid-path-parameter-in-java-web-applications/
  -->
  <security:http access-decision-manager-ref="accessDecisionManager" access-denied-page="/unauthorized.jsp">
    <!-- GWT front end -->
    <security:intercept-url pattern="/frontend/**" access="IS_AUTHENTICATED_FULLY"/>
    <!-- JSP pages: only the login page is reachable without authentication;
         the administration area is restricted to the AD admin group. -->
    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/admin/**" access="BE-OPENKM-ADMIN"/>
    <security:intercept-url pattern="/mobile/**" access="IS_AUTHENTICATED_FULLY"/>
    <!-- Servlets -->
    <security:intercept-url pattern="/RepositoryStartup" access="IS_AUTHENTICATED_FULLY"/>
    <security:intercept-url pattern="/TextToSpeech" access="IS_AUTHENTICATED_FULLY"/>
    <security:intercept-url pattern="/HtmlPreview" access="IS_AUTHENTICATED_FULLY"/>
    <security:intercept-url pattern="/SyntaxHighlighter" access="IS_AUTHENTICATED_FULLY"/>
    <security:intercept-url pattern="/Test" access="IS_AUTHENTICATED_FULLY"/>
    <!-- Extensions: the Zoho upload callback is reachable without authentication,
         everything else under /extension requires a logged-in user. -->
    <security:intercept-url pattern="/extension/ZohoFileUpload" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/extension/**" access="IS_AUTHENTICATED_FULLY"/>
    <!-- Form login; a failed attempt returns to the login page with error=1. -->
    <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>
  </security:http>

  <!--
    Custom role prefix so the AD group names (BE-OPENKM-ADMIN, ...) are
    accepted as role attributes instead of the default ROLE_ prefix.
    RoleVoter only considers attributes that start with this prefix and then
    requires an exact match with one of the user's granted authorities.
  -->
  <beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="BE-OPENKM-"/>
  </beans:bean>

  <!--
    Required once the role prefix is changed. Affirmative strategy: access is
    granted as soon as any one voter grants it.
  -->
  <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
      <beans:list>
        <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
        <beans:ref bean="roleVoter"/>
        <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
      </beans:list>
    </beans:property>
  </beans:bean>

  <!-- Security access logger -->
  <beans:bean id="loggerListener" class="com.openkm.spring.LoggerListener"/>

  <!-- Application data source, looked up from the container's JNDI tree. -->
  <jee:jndi-lookup id="dataSource" jndi-name="jdbc/OpenKMDS" resource-ref="true"/>

  <!--
    The authentication manager is now defined in $CATALINA_HOME/OpenKM.xml.
    The former database-backed provider is kept here, disabled, for reference.
    NOTE(review): it used hash="md5" with no salt-source, i.e. unsalted MD5
    password hashes; do not re-enable it as is.
  -->
  <!-- WINFIX
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="md5"/>
      <security:jdbc-user-service
          data-source-ref="dataSource"
          users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
          authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>
  WINFIX -->
</beans:beans>
- After this, I restarted the application, and cleaned the index.
If I try to log in with a user who is a member of the new AD admin role, I get an error saying that the trash cannot be created.
I created a user named "okmAdmin" in the AD. If I log in with this user, the login works, but the user is no longer an admin in the application.
2018-06-20 11:27:32,581 [http-nio-0.0.0.0-8080-exec-1] ERROR com.openkm.module.db.DbAuthModule - f099a0fb-f326-4343-b3e1-61bc07d47005 : /okm:trash
com.openkm.core.PathNotFoundException: f099a0fb-f326-4343-b3e1-61bc07d47005 : /okm:trash
at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:100) ~[classes/:6.3.6]
at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:96) ~[classes/:6.3.6]
at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:668) ~[classes/:6.3.6]
at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:627) ~[classes/:6.3.6]
at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:75) ~[classes/:6.3.6]
at com.openkm.api.OKMAuth.login(OKMAuth.java:52) [classes/:6.3.6]
at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:119) [OpenKM/:na]
at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jasper.jar:8.5.24]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:na]
at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443) [jasper.jar:8.5.24]
at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386) [jasper.jar:8.5.24]
at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330) [jasper.jar:8.5.24]
at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:na]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.24]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.24]
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.24]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.24]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.24]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.8.RELEASE.jar:3.2.8.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) [spring-web-3.2.8.RELEASE.jar:3.2.8.RELEASE]
at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) [spring-web-3.2.8.RELEASE.jar:3.2.8.RELEASE]
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.24]
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.24]
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [catalina.jar:8.5.24]
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.24]
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504) [catalina.jar:8.5.24]
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.24]
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.24]
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [catalina.jar:8.5.24]
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.24]
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.24]
at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [tomcat-coyote.jar:8.5.24]
at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.24]
at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [tomcat-coyote.jar:8.5.24]
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) [tomcat-coyote.jar:8.5.24]
at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.24]
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_121]
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_121]
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.24]
at java.lang.Thread.run(Thread.java:745) [na:1.8.0_121]
I'm a bit stuck here, so any help would be appreciated.
Thanks.