• Adding a Role (LDAP)

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #46845  by ColH
 
I have OpenKM 6.3.6 working with users authenticated with LDAP (through our AD server).
I'd like to add a new AD group and OpenKM role in between User and Admin, for 'bosses' - simply to prevent basic users from being able to see certain folders in the taxonomy.
Is it possible to get OpenKM to also use this extra group? Can you tell me what steps are needed? (I guess it needs, at least, some changes to OpenKM.cfg)

A related problem I now have: I removed ROLE_USER from the security permissions on a folder. Now, even logged in as [LDAP] admin, when I click on Security->Update for the folder, I no longer have ROLE_USER listed in the Roles so I can't re-enable the folder for users!
[edit: I've also recently changed ROLE_ADMIN and ROLE_USER to OPENKM_ROLE_ADMIN and OPENKM_ROLE_USER - it's possible that this in fact caused this problem?]
Thanks.
 #46861  by jllort
 
You do not need any change in OpenKM.xml; you need to apply changes to the LDAP configuration parameters so that these roles show up in the OpenKM roles list. Basically, you need to concentrate on:
Code:
principal.ldap.role.attribute
principal.ldap.role.search.base
principal.ldap.role.search.filter
In the property principal.ldap.role.search.filter you can set something like
Code:
(&(objectclass=group)(memberOf=CN=ROLE_OPENKM,OU=OpenKM,DC=company,DC=com))
Make ROLE_ADMIN, ROLE_USER and other roles members of ROLE_OPENKM

When you see the other roles in the repository, you only need to apply them and remove ROLE_USER from the taxonomy nodes.
 #46867  by ColH
 
Thanks for the advice. I've managed to get further now (a big problem, as per my other post, was missing "ldap://" from the server setting!)
I also followed https://docs.openkm.com/kcenter/view/ok ... fROLE_USER, and all now seems to be working as I wanted for the internal permissions.
Is there a similar trick for the actual authentication [OpenKM.xml]?
Login with
Code:
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=OPENKM_ROLE_ADMIN,cn=Users,DC=myad,DC=my-company,DC=com)(memberOf=CN=OPENKM_ROLE_USER,cn=Users,DC=myad,DC=my-company,DC=com)(memberOf=CN=OPENKM_ROLE_DIRECTOR,cn=Users,DC=myad,DC=my-company,DC=com)))" />

is ok,
but I was trying to simplify to something like
Code:
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(memberOf=CN=OPENKM_ROLE_*,cn=Users,DC=myad,DC=my-company,DC=com)))" />
That doesn't let users (even the LDAP admin user) log in, though?
 #46869  by ColH
 
An additional problem now: before I got these roles added, subscription notifications were reaching my user(s). However whilst all the other permissions etc seem to be working ok after the above, the notifications have stopped.
I'm trying to set up so that the user permissions are instead inherited through the OPENKM_ROLE and OPENKM_ROLE_OTHER groups: the user is a member of OPENKM_ROLE_OTHER; and OPENKM_ROLE_OTHER is a member of OPENKM_ROLE and OPENKM_ROLE_USER.
The other permissions seem ok with this, but the notifications only work if the user is also a member of the OPENKM_ROLE_USER group. It looks like maybe the email lookup isn't traversing properly? Or my config isn't right:
Code:
principal.ldap.mail.attribute      mail
principal.ldap.mail.search.base    CN=Users,DC=myad,DC=my-company,DC=com
principal.ldap.mail.search.filter  (&(objectClass=person)(sAMAccountName={0}))
(principal.ldap.users.from.roles is set to False)
 #46872  by ColH
 
I was hoping to be able to track the problem down using some debug settings. I tried adding to conf/logging.properties :
Code:
log4j.logger.com.openkm.servlet.frontend.FileUploadServlet=DEBUG
log4j.logger.com.openkm.OKMAuth=DEBUG
The second of these doesn't add anything to the logs (it was a guess!), but the first does add something on Upload when the notification works:
Code:
2018-09-28 10:17:27,507 [http-nio-0.0.0.0-8080-exec-2] INFO  c.o.vernum.VersionNumerationFactory - VersionNumerationAdapter: com.openkm.vernum.MajorMinorVersionNumerationAdapter
DEBUG: getProvider() returning javax.mail.Provider[TRANSPORT,smtp,com.sun.mail.smtp.SMTPTransport,Oracle]
DEBUG SMTP: useEhlo true, useAuth false
DEBUG SMTP: trying to connect to host "localhost", port 25, isSSL false
...
This doesn't appear in the non-working situation.
I've tried to find some clues in the source (though Java isn't one of my languages), and I wonder if the problem lies around https://github.com/openkm/document-mana ... .java#L329

Are there any other debug settings which might allow this area to be traced more?
 #46879  by ColH
 
Changing the AD membership definitely stops it working! (Must have tried/re-confirmed more than a dozen times now)
I haven't changed the source lol.
Are there any other debug settings I could switch on to help trace how far it is getting through the notification lookup/send? (e.g. that section I found above).
(To improve the experiment, I'm going to get a colleague to subscribe to the doc also, so that I can compare better between the two users' AD memberships).
 #46880  by ColH
 
Ok, I've improved the experiment. AD hierarchy is
  • OPENKM_ROLE has member groups: OPENKM_ROLE_ADMIN, OPENKM_ROLE_USER and OPENKM_ROLE_OTHER
  • Charlie is a member of OPENKM_ROLE_OTHER
  • Mike is a member of OPENKM_ROLE_OTHER and OPENKM_ROLE_USER
Both can log in ok and subscribe to a doc, but when Admin modifies it only Mike gets the notification. In the log I can see the SMTP debug - only Mike is sent an email.
 #46882  by jllort
 
All users might be members of ROLE_USER and ROLE_ADMIN. Users who are members of ROLE_USER should also have other roles.
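The following is an added example, not OpenKM code and not something posted in this thread: a small in-memory LDAP filter evaluator run over a constructed directory that mirrors the AD hierarchy described above (OPENKM_ROLE with member groups OPENKM_ROLE_ADMIN, OPENKM_ROLE_USER and OPENKM_ROLE_OTHER; Charlie in OTHER only; Mike in OTHER and USER, all under the thread's cn=Users,DC=myad,DC=my-company,DC=com base). It makes three points from the thread concrete. First, a role search filter of the shape jllort gives, (&(objectclass=group)(memberOf=<parent DN>)), only returns groups that are direct members of the parent. Second, AD's memberOf attribute lists direct membership only, so any filter written as (memberOf=<group DN>) matches Mike and not Charlie; to follow nested groups AD needs the LDAP_MATCHING_RULE_IN_CHAIN extensible match, memberOf:1.2.840.113556.1.4.1941:=<group DN>, which the evaluator implements. Third, the wildcard login filter from the earlier post cannot work: it has one more closing parenthesis than opening ones, and AD does not substring-match DN-valued attributes such as memberOf, so even the balanced form matches nobody. The filters are written raw here (the XML config needs &amp; for &), the escape() function exists because the {0} slot is filled with a user-supplied login name, and the user names are invented for the example.

```python
"""Added example, not OpenKM code: an in-memory LDAP filter evaluator over a constructed directory."""
import re
BASE = "CN=Users,DC=myad,DC=my-company,DC=com"
IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD's LDAP_MATCHING_RULE_IN_CHAIN (transitive membership)

def dn(cn):
    return f"CN={cn},{BASE}"

def group(name, *parents):
    return {"dn": dn(name), "objectClass": {"group"}, "memberOf": {dn(p) for p in parents}}

def person(name, *groups):
    return {"dn": dn(name), "objectClass": {"person"}, "sAMAccountName": {name},
            "memberOf": {dn(g) for g in groups}}

# The thread's hierarchy (constructed).  As in AD, memberOf holds DIRECT membership only.
DIRECTORY = [
    group("OPENKM_ROLE"),
    group("OPENKM_ROLE_ADMIN", "OPENKM_ROLE"),
    group("OPENKM_ROLE_USER", "OPENKM_ROLE"),
    group("OPENKM_ROLE_OTHER", "OPENKM_ROLE", "OPENKM_ROLE_USER"),
    person("charlie", "OPENKM_ROLE_OTHER"),
    person("mike", "OPENKM_ROLE_OTHER", "OPENKM_ROLE_USER"),
]

class FilterError(ValueError):
    """A filter AD could not run."""

def parse(text):
    """Parse an RFC 4515 filter (&, | and simple items) into nested tuples."""
    node, end = _parse(text, 0)
    if end != len(text):
        raise FilterError(f"unbalanced parentheses, trailing text {text[end:]!r}")
    _check(node)
    return node

def _parse(s, i):
    if s[i:i + 1] != "(":
        raise FilterError(f"expected '(' at offset {i}")
    if s[i + 1:i + 2] in ("&", "|"):
        op, i, kids = s[i + 1], i + 2, []
        while s[i:i + 1] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        j = s.find(")", i)
        attr, _, value = s[i + 1:j].partition("=")
        node, i = ("=", attr, value), j
    if s[i:i + 1] != ")":
        raise FilterError(f"expected ')' at offset {i}")
    return node, i + 1

def _check(node):
    for kid in (node[1] if node[0] in "&|" else []):
        _check(kid)
    if node[0] == "=" and node[1].lower() == "memberof" and "*" in node[2]:
        raise FilterError("memberOf has DN syntax; AD does not substring-match it, so a wildcard there matches nothing")

def escape(value):
    """RFC 4515 escaping for a value substituted into a filter's {0} slot."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)

def _attr(entry, name):
    return next((v for k, v in entry.items() if k.lower() == name.lower()), set())

def _transitive_groups(entry, by_dn, seen=None):
    """Groups reachable through memberOf: what AD's in-chain rule evaluates."""
    seen = set() if seen is None else seen
    for g in (x.lower() for x in _attr(entry, "memberOf")):
        if g not in seen:
            seen.add(g)
            _transitive_groups(by_dn.get(g, {}), by_dn, seen)
    return seen

def _match(entry, node, by_dn):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_match(entry, k, by_dn) for k in node[1])
    attr, raw = node[1], node[2]
    # split on the unescaped wildcard first, then decode \xx escapes, so '\2a' stays a literal '*'
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m[1], 16)), p) for p in raw.split("*")]
    if attr.lower() == f"memberof:{IN_CHAIN}:":
        return parts[0].lower() in _transitive_groups(entry, by_dn)
    pattern = ".*".join(re.escape(p) for p in parts)  # a single part is an exact match
    return any(re.fullmatch(pattern, v, re.I) for v in _attr(entry, attr))

def search(directory, filter_text):
    """Sorted DNs of the entries matching filter_text."""
    node, by_dn = parse(filter_text), {e["dn"].lower(): e for e in directory}
    return sorted(e["dn"] for e in directory if _match(e, node, by_dn))

def login_filter(groups):
    """The shape of the thread's working login filter: an OR of direct memberOf checks."""
    return "(&(sAMAccountName={0})(|" + "".join(f"(memberOf={dn(g)})" for g in groups) + "))"

def login_check(directory, template, username, escape_input=True):
    """'ok' if exactly one entry matches, 'no match' if none or several, else the filter error."""
    try:
        hits = search(directory, template.replace("{0}", escape(username) if escape_input else username))
    except FilterError as e:
        return f"error: {e}"
    return "ok" if len(hits) == 1 else "no match"
```

Running search() with (&(objectClass=person)(memberOf=CN=OPENKM_ROLE_USER,...)) returns only Mike, while the same filter with memberOf:1.2.840.113556.1.4.1941:= returns Charlie as well; that is the direct-versus-nested difference behind jllort's reply that users must themselves be members of ROLE_USER. The login_check() calls with escape_input=False show why the value that replaces {0} must be escaped: an unescaped login name of "*" turns the sAMAccountName item into a wildcard and selects a real account, whereas the escaped form matches nothing. Whatever layer does that substitution in a real deployment has to apply the same RFC 4515 escaping.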
