• Custom roles and LDAP authentication

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #46154  by takezo_be
 
Hi,

I'm trying to configure LDAP authentication with custom roles.
I followed the documentation but I'm stuck.

For now, what I have done:

- Create the admin and user roles in my AD

- Configure OpenKM.xml to authenticate against AD.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://master.lampiris.local"/>
  <beans:property name="userDn" value="CN=bind_openkm_be,OU=xxx,OU=yyy,OU=zzzz,DC=domain,DC=local"/>
  <beans:property name="password" value="***********"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="OU=Utilisateurs,OU=xxxxxx,DC=domain,DC=local"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="OU=Utilisateurs,OU=xxxxxx,DC=domain,DC=local" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=BE-OPENKM-ADMIN,OU=aa,OU=bbb,OU=Groups,OU=cccc,DC=domain,DC=local)(memberOf=CN=BE-OPENKM-USER,OU=aa,OU=bbb,OU=Groups,OU=cccc,DC=domain,DC=local)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>
- Update the database with the new roles names.
Code:
UPDATE OKM_CONFIG SET CFG_VALUE='BE-OPENKM-USER' WHERE CFG_KEY='default.user.role';
UPDATE OKM_CONFIG SET CFG_VALUE='BE-OPENKM-ADMIN' WHERE CFG_KEY='default.admin.role';
-- Update security table
UPDATE OKM_NODE_ROLE_PERMISSION SET NRP_ROLE='BE-OPENKM-USER' WHERE NRP_ROLE='ROLE_USER';
UPDATE OKM_NODE_ROLE_PERMISSION SET NRP_ROLE='BE-OPENKM-ADMIN' WHERE NRP_ROLE='ROLE_ADMIN';
-- Insert new roles
INSERT INTO OKM_ROLE (ROL_ID, ROL_ACTIVE) VALUES ('BE-OPENKM-USER', 'T');
INSERT INTO OKM_ROLE (ROL_ID, ROL_ACTIVE) VALUES ('BE-OPENKM-ADMIN', 'T');
-- Update user roles
UPDATE OKM_USER_ROLE SET UR_ROLE='BE-OPENKM-USER' WHERE UR_ROLE='ROLE_USER';
UPDATE OKM_USER_ROLE SET UR_ROLE='BE-OPENKM-ADMIN' WHERE UR_ROLE='ROLE_ADMIN';
-- Remove older roles
DELETE FROM OKM_ROLE WHERE ROL_ID IN ('ROLE_USER', 'ROLE_ADMIN');
- Update appContext.xml in the WEB-INF directory and update the WAR file with the patched XML file (by the way, the documentation states that the file is applicationContext.xml, which is wrong).
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:context="http://www.springframework.org/schema/context"
             xmlns:jee="http://www.springframework.org/schema/jee"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.2.xsd
                                 http://www.springframework.org/schema/context
                                 http://www.springframework.org/schema/context/spring-context-3.1.xsd
                                 http://www.springframework.org/schema/jee
                                 http://www.springframework.org/schema/jee/spring-jee-3.1.xsd">

  <context:component-scan base-package="com.openkm"/>

  <!-- OpenKM API -->
  <beans:import resource="soap.xml"/>
  <beans:import resource="rest.xml"/>
  <beans:import resource="cmis.xml"/>

  <!--
  <beans:bean class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
      <beans:property name="targetClass" value="org.springframework.security.core.context.SecurityContextHolder" />
      <beans:property name="targetMethod" value="setStrategyName" />
      <beans:property name="arguments" value="_INHERITABLETHREADLOCAL" />
  </beans:bean>
  -->

  <security:global-method-security secured-annotations="enabled"/>

  <!-- Status -->
  <security:http pattern="/Status" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- Download -->
  <security:http pattern="/Download" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- Workflow deploy -->
  <security:http pattern="/workflow-register" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- WebDAV using Basic authentication -->
  <security:http pattern="/webdav/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- Syndication using Basic authentication -->
  <security:http pattern="/feed/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- OpenCMIS (Browser) using Basic authentication -->
  <security:http pattern="/cmis/browser/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- OpenCMIS (AtomPub) using Basic authentication -->
  <security:http pattern="/cmis/atom/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- OpenCMIS (AtomPub) using Basic authentication -->
  <security:http pattern="/cmis/atom11/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- REST -->
  <security:http pattern="/services/rest/**" create-session="stateless">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_FULLY"/>
    <security:http-basic/>
  </security:http>

  <!-- Additional filter chain for normal users, matching all other requests -->
  <!-- http://info.michael-simons.eu/2011/01/28/disable-jsessionid-path-parameter-in-java-web-applications/ -->
  <security:http access-decision-manager-ref="accessDecisionManager" access-denied-page="/unauthorized.jsp">

    <!-- GWT -->
    <security:intercept-url pattern="/frontend/**" access="IS_AUTHENTICATED_FULLY"/>

    <!-- JSPs -->
    <security:intercept-url pattern="/login.jsp" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/admin/**" access="BE-OPENKM-ADMIN"/>
    <security:intercept-url pattern="/mobile/**" access="IS_AUTHENTICATED_FULLY"/>

    <!-- Servlets -->
    <security:intercept-url pattern="/RepositoryStartup" access="IS_AUTHENTICATED_FULLY"/>
    <security:intercept-url pattern="/TextToSpeech" access="IS_AUTHENTICATED_FULLY"/>
    <security:intercept-url pattern="/HtmlPreview" access="IS_AUTHENTICATED_FULLY"/>
    <security:intercept-url pattern="/SyntaxHighlighter" access="IS_AUTHENTICATED_FULLY"/>
    <security:intercept-url pattern="/Test" access="IS_AUTHENTICATED_FULLY"/>

    <!-- Extensions -->
    <security:intercept-url pattern="/extension/ZohoFileUpload" access="IS_AUTHENTICATED_ANONYMOUSLY"/>
    <security:intercept-url pattern="/extension/**" access="IS_AUTHENTICATED_FULLY"/>

    <!-- Login page -->
    <security:form-login login-page="/login.jsp" authentication-failure-url="/login.jsp?error=1"/>

  </security:http>
  <!-- Remove prefix to be able of use custom roles -->
  <beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value="BE-OPENKM-"/>
  </beans:bean>
  <!-- Needed for changing default role prefix -->
  <beans:bean id="accessDecisionManager" class="org.springframework.security.access.vote.AffirmativeBased">
    <beans:property name="decisionVoters">
      <beans:list>
        <beans:bean class="org.springframework.security.web.access.expression.WebExpressionVoter"/>
        <beans:ref bean="roleVoter"/>
        <beans:bean class="org.springframework.security.access.vote.AuthenticatedVoter"/>
      </beans:list>
    </beans:property>
  </beans:bean>

  <!-- Security access logger -->
  <beans:bean id="loggerListener" class="com.openkm.spring.LoggerListener"/>

  <jee:jndi-lookup id="dataSource" jndi-name="jdbc/OpenKMDS" resource-ref="true"/>

  <!-- Security configuration moved to $CATALINA_HOME/OpenKM.xml -->
  <!-- WINFIX
  <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider>
          <security:password-encoder hash="md5"/>
          <security:jdbc-user-service
              data-source-ref="dataSource"
              users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
              authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
      </security:authentication-provider>
  </security:authentication-manager>
  WINFIX -->
</beans:beans>

- Change the configuration of the application to do the users, groups and roles search against AD.
- After this, I restarted the application, and cleaned the index.

If I try to connect with a user that is a member of the new AD admin role, I get an error saying that the trash cannot be created.
Code:
018-06-20 11:27:32,581 [http-nio-0.0.0.0-8080-exec-1] ERROR com.openkm.module.db.DbAuthModule - f099a0fb-f326-4343-b3e1-61bc07d47005 : /okm:trash
com.openkm.core.PathNotFoundException: f099a0fb-f326-4343-b3e1-61bc07d47005 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:100) ~[classes/:6.3.6]
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:96) ~[classes/:6.3.6]
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:668) ~[classes/:6.3.6]
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:627) ~[classes/:6.3.6]
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:75) ~[classes/:6.3.6]
	at com.openkm.api.OKMAuth.login(OKMAuth.java:52) [classes/:6.3.6]
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:119) [OpenKM/:na]
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jasper.jar:8.5.24]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:na]
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:443) [jasper.jar:8.5.24]
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:386) [jasper.jar:8.5.24]
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:330) [jasper.jar:8.5.24]
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:742) [servlet-api.jar:na]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:231) [catalina.jar:8.5.24]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.24]
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) [tomcat-websocket.jar:8.5.24]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.24]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.24]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:118) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:84) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:103) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:154) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:199) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:50) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107) [spring-web-3.2.8.RELEASE.jar:3.2.8.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:342) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:192) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:160) [spring-security-web-3.2.3.RELEASE.jar:3.2.3.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:343) [spring-web-3.2.8.RELEASE.jar:3.2.8.RELEASE]
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:260) [spring-web-3.2.8.RELEASE.jar:3.2.8.RELEASE]
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:193) [catalina.jar:8.5.24]
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:166) [catalina.jar:8.5.24]
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198) [catalina.jar:8.5.24]
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96) [catalina.jar:8.5.24]
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504) [catalina.jar:8.5.24]
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140) [catalina.jar:8.5.24]
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:81) [catalina.jar:8.5.24]
	at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:650) [catalina.jar:8.5.24]
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87) [catalina.jar:8.5.24]
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:342) [catalina.jar:8.5.24]
	at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:803) [tomcat-coyote.jar:8.5.24]
	at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66) [tomcat-coyote.jar:8.5.24]
	at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:790) [tomcat-coyote.jar:8.5.24]
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1459) [tomcat-coyote.jar:8.5.24]
	at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49) [tomcat-coyote.jar:8.5.24]
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142) [na:1.8.0_121]
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617) [na:1.8.0_121]
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) [tomcat-util.jar:8.5.24]
	at java.lang.Thread.run(Thread.java:745) [na:1.8.0_121]
I created a user named "okmAdmin" in the AD. If I connect with this user, the connection works, but the user is not Admin in the application anymore.

I'm a little bit stuck here, so if anyone can help...
Thanks.
 #46174  by jllort
 
I suggest reverting the login configuration to the initial database login configuration. In this scenario, change the application.adapter to use ldap, restart the application, login (still database login) and start working with Administration > Configuration parameters (when you succeed with it, it will be easy to modify OpenKM.xml and login). With the configuration parameters you should be able to retrieve the users and roles list from administration. Until you succeed with it you should not start working with OpenKM.xml for login.

The problem with the missing /okm:trash is usually caused because the user does not have ROLE_USER or ROLE_ADMIN, and at the first login the application is not able to create the missing nodes because the user does not have enough grants.
 #46191  by takezo_be
 
Hi,

Thanks for your reply.
In the meantime I was able to achieve the login through AD with correct role assignation.
The problem was with the search base in the XML configuration. I was restricting the OU tree too much.

Now my only issue is that the roles are assigned correctly at login, but in the administration pane the users are not listed with the correct role.
Actually, if I select the role in the drop-down, the users in the AD group are listed correctly, but the role is not assigned. And the email address is not retrieved correctly.

https://ibb.co/b5cVH8

I think the problem is that the CN is not the same as the sAMAccountName, but I cannot get a working LDAP filter in the administration pane to correct this.
In the example below you will see that the sAMAccountName has a dot between first and last name and the CN has a space.

https://ibb.co/kq5Hx8
https://ibb.co/m6DLH8

I also did a tcpdump to confirm this, and I effectively see that the request is done on the cn, not the sAMAccountName.

If I change the AD so that the sAMAccountName is the same as the CN, this works, but this solution is probably not possible in my environment (it would require changing hundreds of users and analyzing the impact on other applications ....).
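As an added illustration (not OpenKM's or Spring Security's code), the following Python models over a constructed AD-like directory the two lookups the posted OpenKM.xml configures: the user search by sAMAccountName (or cn) under a base, and the group search with member={0} that turns group cn values into roles. It reproduces the two failure modes discussed in this thread: a group search base limited to the users OU (as in the posted config, where the groups sit under OU=Groups instead) yields no roles, so the first login lacks the grants needed to create /okm:trash; and looking users up by cn fails when cn ("John Doe") differs from sAMAccountName ("john.doe"). All DNs, names and the directory contents are constructed placeholders.

```python
from typing import Dict, List, Optional

# Constructed directory (placeholder DNs and values): DN -> attributes
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=John Doe,OU=Utilisateurs,OU=Site1,DC=domain,DC=local": {
        "objectClass": ["user"], "cn": ["John Doe"], "sAMAccountName": ["john.doe"],
        "mail": ["john.doe@domain.local"],
    },
    "CN=Jane Roe,OU=Contractors,OU=Site2,DC=domain,DC=local": {
        "objectClass": ["user"], "cn": ["Jane Roe"], "sAMAccountName": ["jane.roe"],
    },
    # Groups live under OU=Groups, i.e. outside the users OU
    "CN=BE-OPENKM-ADMIN,OU=Groups,DC=domain,DC=local": {
        "objectClass": ["group"], "cn": ["BE-OPENKM-ADMIN"],
        "member": ["CN=John Doe,OU=Utilisateurs,OU=Site1,DC=domain,DC=local"],
    },
    "CN=BE-OPENKM-USER,OU=Groups,DC=domain,DC=local": {
        "objectClass": ["group"], "cn": ["BE-OPENKM-USER"],
        "member": ["CN=John Doe,OU=Utilisateurs,OU=Site1,DC=domain,DC=local",
                   "CN=Jane Roe,OU=Contractors,OU=Site2,DC=domain,DC=local"],
    },
}


def in_subtree(dn: str, base: str) -> bool:
    """Subtree scope (searchSubtree=true): the entry is the base or sits below it."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def search(base: str, attr: str, value: str) -> List[str]:
    """Equality filter (attr=value) under base; AD compares values case-insensitively."""
    return [dn for dn, attrs in DIRECTORY.items()
            if in_subtree(dn, base)
            and any(v.lower() == value.lower() for v in attrs.get(attr, []))]


def find_user(user_base: str, login_attr: str, login: str) -> Optional[str]:
    """FilterBasedLdapUserSearch equivalent: exactly one hit, otherwise no user."""
    hits = search(user_base, login_attr, login)
    return hits[0] if len(hits) == 1 else None


def roles_for(user_dn: str, group_base: str) -> List[str]:
    """DefaultLdapAuthoritiesPopulator equivalent for groupSearchFilter member={0},
    groupRoleAttribute cn, rolePrefix '' and convertToUpperCase false."""
    return sorted(DIRECTORY[dn]["cn"][0] for dn in search(group_base, "member", user_dn))


def login(login_attr: str, login: str, user_base: str, group_base: str) -> Dict[str, object]:
    """Outcome of a login attempt as the application sees it: user DN and granted roles."""
    user_dn = find_user(user_base, login_attr, login)
    if user_dn is None:
        return {"user": None, "roles": [], "ok": False}
    roles = roles_for(user_dn, group_base)
    # With no configured role the first login cannot create the missing nodes (/okm:trash)
    return {"user": user_dn, "roles": roles, "ok": bool(roles)}


if __name__ == "__main__":
    root = "DC=domain,DC=local"
    users_ou = "OU=Utilisateurs,OU=Site1,DC=domain,DC=local"
    print(login("sAMAccountName", "john.doe", root, root))      # both roles granted
    print(login("sAMAccountName", "john.doe", root, users_ou))  # group base too narrow: no roles
    print(login("cn", "john.doe", root, root))                  # cn lookup with the login name fails
```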
 #46233  by jllort
 
sAMAccountName is unique in your AD and is what must be used with Active Directory; you should not use cn in this scenario. I do not suggest it. If you decide to go with cn, you must use cn in OpenKM.xml and also in the OpenKM configuration properties. But as I said, sAMAccountName should be right for AD integration and is our suggestion.
