LDAP Integration with custom AD Groups

OpenKM has many interesting features, but requires some configuration process to show its full potential.
#48746 by tvsuhail

I would appreciate it if someone could provide a solution for the below, as I am not able to reach my goal even after going through all the documents available for OpenKM.

I have three AD groups: IT Admins, HR and Accounts.

1. I need to allow only these group members to log on to OpenKM.
2. Restrict the access on folders created under okm:root for each department based on the groups.

Apart from the above, a few other clarifications.

1. Is the LDAP configuration under Administration-Configuration purely to list AD users and roles in the Administration-Users screen? And is OpenKM.xml for authentication?
2. Why am I not able to get other attributes such as Mail and Roles in the screen, whereas I am able to see Name and ID (ID is also not as expected)?

I am attaching a screenshot of my user screen, and my configuration under Administration is below.
Code:
principal.ldap.mail.attribute	:	userPrincipalName
principal.ldap.mail.search.base	:	DC=mydom,DC=ae
principal.ldap.mail.search.filter	:	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.referral	:	
principal.ldap.role.attribute	:	cn
principal.ldap.role.search.base	List	DC=mydom,DC=ae
principal.ldap.role.search.filter	:	(&(objectclass=group)(memberOf=CN=OpenKM,OU=Groups,OU=Infra-team,DC=mydom,DC=ae))
principal.ldap.roles.by.user.attribute	:	memberOf
principal.ldap.roles.by.user.search.base	:	DC=mydom,DC=ae
principal.ldap.roles.by.user.search.filter	:	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.security.credentials	:	*********
principal.ldap.security.principal	:	CN=ad admin,OU=IT,OU=Infra-team,DC=mydom,DC=ae
principal.ldap.server	:	ldap://10.20.20.1:389
principal.ldap.user.attribute	:	sAMAccountName
principal.ldap.user.search.base	List	DC=mydom,DC=ae
principal.ldap.user.search.filter	:	(&(objectclass=person)(memberOf=CN=OpenKM,OU=Groups,OU=Infra-team,DC=mydom,DC=ae))
principal.ldap.username.attribute	:	displayName
principal.ldap.username.search.base	:	DC=mydom,DC=ae
principal.ldap.username.search.filter	:	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	:	member
principal.ldap.users.by.role.search.base	:	DC=mydom,DC=ae
principal.ldap.users.by.role.search.filter	:	(&(objectClass=group)(cn={0}))
Attachment: OpenKM_User.png
#48757 by jllort

About users:
Code:
principal.ldap.user.search.filter	:	(&(objectclass=person)(memberOf=CN=OpenKM,OU=Groups,OU=Infra-team,DC=mydom,DC=ae))
You should correct it; they should be members of ROLE_USER and ROLE_OPENKM.
Code:
principal.ldap.user.search.filter	:	(&(objectclass=person)(|(memberOf=CN=ROLE_USER,OU=Groups,OU=Infra-team,DC=mydom,DC=ae)(memberOf=CN=ROLE_ADMIN,OU=Groups,OU=Infra-team,DC=mydom,DC=ae)))
About role list:
Code:
principal.ldap.role.search.filter	:	(&(objectclass=group)(memberOf=CN=OpenKM,OU=Groups,OU=Infra-team,DC=mydom,DC=ae))
It means ROLE_USER and ROLE_ADMIN are members of ROLE_OPENKM.

About email:
Code:
principal.ldap.mail.attribute	:	userPrincipalName
Usually, the attribute in AD that contains the email is named mail (I suggest navigating at a low level with Microsoft Active Directory Explorer https://docs.openkm.com/kcenter/view/ok ... ation.html ).

Finally, remember that inheritance between roles is not allowed. That means the user okmAdmin is a member of ROLE_ADMIN (ROLE_ADMIN is a member of ROLE_OPENKM, but do not expect that when user okmAdmin is a member of ROLE_OPENKM he will also inherit ROLE_ADMIN; that will not happen). The relation between users and roles must be a direct relation (not inherited).

ROLE_OPENKM is used for filtering roles among all the groups you have in your AD (you might not be interested in showing all groups like Administrators etc., so this is used for filtering purposes, only showing groups that are a member of ROLE_OPENKM).

In general I see a good configuration; I do not appreciate mistakes or observations in other sections. Remember, after applying any change, go to administration > tools > cache stats and reset all (the AD list is cached and that might be misleading you after a change).
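As an added example (not OpenKM's code, and not from either poster), the user filter pasted in the question and jllort's corrected one are evaluated against a small constructed directory: a minimal parser for the AD-style LDAP filter syntax used in the config, run over constructed group and person entries using the thread's DNs. It shows that the original filter only returns users who are direct members of the OpenKM group, that the corrected filter returns direct members of ROLE_USER or ROLE_ADMIN, and that a user only gets the groups listed in its own memberOf (no inheritance through OpenKM). The users alice, okmAdmin and bob and their memberships are constructed sample data.

```python
# Added example (not OpenKM code): evaluate AD-style LDAP filters (RFC 4515 subset: &, |, !,
# attr=value) against a constructed directory to see what the thread's filters return.
BASE = "OU=Groups,OU=Infra-team,DC=mydom,DC=ae"   # group container from the thread

def user(name, role):            # constructed person entry, direct member of one group
    return {"dn": f"CN={name},OU=IT,DC=mydom,DC=ae", "objectClass": ["person"],
            "sAMAccountName": [name], "memberOf": [f"CN={role},{BASE}"]}

def group(name, parent=None):    # constructed group entry, optionally a member of parent
    e = {"dn": f"CN={name},{BASE}", "objectClass": ["group"], "cn": [name]}
    return {**e, "memberOf": [f"CN={parent},{BASE}"]} if parent else e

# ROLE_USER/ROLE_ADMIN nest under OpenKM; bob is only a member of OpenKM itself.
DIRECTORY = [group("OpenKM"), group("ROLE_USER", "OpenKM"), group("ROLE_ADMIN", "OpenKM"),
             user("alice", "ROLE_USER"), user("okmAdmin", "ROLE_ADMIN"), user("bob", "OpenKM")]

def parse(s, i=0):               # parse the filter at s[i]; return (node, index after it)
    assert s[i] == "(", f"expected '(' at offset {i}"
    if s[i + 1] in "&|!":        # composite filter: operator followed by sub-filters
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1
    end = s.index(")", i)        # simple equality filter; AD compares case-insensitively
    attr, value = s[i + 1:end].split("=", 1)
    return ("=", attr.lower(), value.lower()), end + 1

def matches(node, entry):        # evaluate a parsed node against one multi-valued entry
    if node[0] == "&": return all(matches(k, entry) for k in node[1])
    if node[0] == "|": return any(matches(k, entry) for k in node[1])
    if node[0] == "!": return not matches(node[1][0], entry)
    values = next((v for k, v in entry.items() if k.lower() == node[1]), [])
    return any(v.lower() == node[2] for v in values)

def search(filter_str, param=None, directory=DIRECTORY):
    f = filter_str.replace("{0}", param or "")   # {0} substitution as in the OpenKM config
    node, end = parse(f)
    assert end == len(f), "trailing text after filter"
    return [e["dn"] for e in directory if matches(node, e)]

def roles_of(username):          # direct memberships only, like roles.by.user.attribute=memberOf
    hits = search("(&(objectClass=person)(sAMAccountName={0}))", username)
    entry = next(e for e in DIRECTORY if e["dn"] == hits[0])
    return [dn.split(",")[0][3:] for dn in entry.get("memberOf", [])]

OLD_USER_FILTER = f"(&(objectclass=person)(memberOf=CN=OpenKM,{BASE}))"
NEW_USER_FILTER = f"(&(objectclass=person)(|(memberOf=CN=ROLE_USER,{BASE})(memberOf=CN=ROLE_ADMIN,{BASE})))"
ROLE_FILTER = f"(&(objectclass=group)(memberOf=CN=OpenKM,{BASE}))"
```

Running `search(OLD_USER_FILTER)` returns only bob, `search(NEW_USER_FILTER)` returns alice and okmAdmin, and `roles_of("okmAdmin")` is just ROLE_ADMIN, which is why the roles must be direct memberships.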
