• LDAP account integration

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #51976  by jerry_tseng
 
Hi OpenKM Team:

I wish you a happy New Year! :D

I am testing LDAP account integration in the 6.3.10 Community Edition.

LDAP test structure (attachment: LDAP test structure.jpg)
I changed the OpenKM.xml file.
File path:
Code:
/opt/tomcat/OpenKM.xml.bak
/opt/tomcat/webapps/OpenKM/WEB-INF/classes/OpenKM.xml
OpenKM.xml contents:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://192.168.1.55:389/dc=test,dc=com"/>
        <beans:property name="userDn" value="cn=IT,dc=test,dc=com"/>
        <beans:property name="password" value="mypassword"/>
  </beans:bean>

    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=OpenKM"/>
                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
                <beans:property name="searchSubtree" value="true" />
                <beans:property name="convertToUpperCase" value="true" />
                <beans:property name="rolePrefix" value="" />

            </beans:bean>
        </beans:constructor-arg>
  </beans:bean>

   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=Corp" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
  
</beans:beans>
Then in the administrator web interface, Configuration parameters:
Code:
principal.adapter = com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server = ldap://192.168.1.55:389
principal.ldap.security.principal = cn=IT,dc=test,dc=com
principal.ldap.security.credentials = myPassword
principal.ldap.user.attribute = uid
principal.ldap.user.search.base = ou=Corp,dc=test,dc=com
principal.ldap.user.search.filter = (objectClass=inetOrgPerson)
principal.ldap.username.attribute = cn
principal.ldap.username.search.base = ou=Corp,dc=test,dc=com
principal.ldap.username.search.filter = (uid={0})
principal.ldap.mail.attribute = mail
principal.ldap.mail.search.base = ou=Corp,dc=test,dc=com
principal.ldap.mail.search.filter = (uid={0})
principal.ldap.role.attribute = cn
principal.ldap.role.search.base = ou=OpenKM,dc=test,dc=com
principal.ldap.role.search.filter = (objectClass=posixGroup)
principal.ldap.roles.by.user.attribute = cn
principal.ldap.roles.by.user.search.base = ou=OpenKM,dc=test,dc=com
principal.ldap.roles.by.user.search.filter = (memberUid={0})
principal.ldap.users.by.role.attribute = memberUid
principal.ldap.users.by.role.search.base = ou=OpenKM,dc=test,dc=com
principal.ldap.users.by.role.search.filter = (&(objectClass=posixGroup)(cn={0}))
After restarting Tomcat and refreshing the web interface I can see the user account, but I cannot log in with it (authentication failed).
(attachment: ldap.jpg)
The Tomcat log also shows no error message.

I checked my LDAP server log:
Code:
Dec 29 16:49:24 ldap slapd[11379]: conn=4669 op=3 SRCH base="ou=Corp,dc=test,dc=com" scope=2 deref=3 filter="(uid=tzuy_yang)"
Dec 29 16:49:24 ldap slapd[11379]: <= bdb_equality_candidates: (uid) not indexed
Dec 29 16:49:24 ldap slapd[11379]: conn=4669 op=3 SEARCH RESULT tag=101 err=0 nentries=1 text=
Dec 29 16:49:24 ldap slapd[11379]: conn=4674 fd=11 ACCEPT from IP=192.168.1.46:60900 (IP=0.0.0.0:389)
Dec 29 16:49:24 ldap slapd[11379]: conn=4674 op=0 BIND dn="cn=tzuy_yang,cn=J0400,ou=Corp,dc=test,dc=com" method=128
Dec 29 16:49:24 ldap slapd[11379]: conn=4674 op=0 BIND dn="cn=tzuy_yang,cn=J0400,ou=Corp,dc=test,dc=com" mech=SIMPLE ssf=0
Dec 29 16:49:24 ldap slapd[11379]: conn=4674 op=0 RESULT tag=97 err=0 text=
Dec 29 16:49:24 ldap slapd[11379]: conn=4674 op=1 SRCH base="cn=tzuy_yang,cn=J0400,ou=Corp,dc=test,dc=com" scope=0 deref=3 filter="(objectClass=*)"
Dec 29 16:49:24 ldap slapd[11379]: conn=4674 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
But I can find the object with the same search on the local LDAP server:
Code:
root# ldapsearch -x -H ldap://192.168.1.55:389 -b cn=tzuy_yang,cn=J0400,ou=Corp,dc=test,dc=com -W -D "cn=IT,dc=test,dc=com"
Enter LDAP Password:
Code:
# extended LDIF
#
# LDAPv3
# base <cn=tzuy_yang,cn=J0400,ou=Corp,dc=test,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# tzuy_yang, J0400, Corp, test.com
dn: cn=tzuy_yang,cn=J0400,ou=Corp,dc=test,dc=com
sn: tzuy_yang
cn: tzuy_yang
uidNumber: 1001
gidNumber: 502
homeDirectory: /home/users/tzuy_yang
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
mail: tzuy_yang@test.com
uid: tzuy_yang
uid: J0400
userPassword:: e1NTSEF9TzArMnNnUU81WW9sdsdwyemVDODgvWDlJZjdrNzFhRFkvcWk=

# search result
search: 2
result: 0 Success
Excuse me, where is the setting wrong? Thank you.
 #51989  by jllort
 
I suggest this configuration:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://192.168.1.55:389"/>
        <beans:property name="userDn" value="cn=IT,dc=test,dc=com"/>
        <beans:property name="password" value="mypassword"/>
  </beans:bean>

    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="dc=test,dc=com"/>
                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
                <beans:property name="searchSubtree" value="true" />
                <beans:property name="convertToUpperCase" value="true" />
                <beans:property name="rolePrefix" value="" />

            </beans:bean>
        </beans:constructor-arg>
  </beans:bean>

   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="dc=test,dc=com" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
  
</beans:beans>
I see you changed the order: uid=user_a (which contains the attribute cn) became cn=user_a (which contains the attribute uid=user_a) -> check your diagram and ours https://docs.openkm.com/kcenter/view/ok ... login.html

If you want to continue with your current AD configuration, I think you should change uid={0} to cn={0}.
 #52005  by jerry_tseng
 
Hi OpenKM Team:

I tried to change uid={0} to cn={0}, but I still cannot log in.

I changed the approach and set it up according to the example
https://docs.openkm.com/kcenter/view/ok ... login.html

LDAP structure (attachment: 123.jpg)

OpenKM.xml contents:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldap://192.168.1.55:389/dc=test,dc=com"/>
        <beans:property name="userDn" value="cn=IT,dc=test,dc=com"/>
        <beans:property name="password" value="mypassword"/>
  </beans:bean>

    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=OpenKM"/>
                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
                <beans:property name="searchSubtree" value="true" />
                <beans:property name="convertToUpperCase" value="true" />
                <beans:property name="rolePrefix" value="" />

            </beans:bean>
        </beans:constructor-arg>
  </beans:bean>
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=People"/>
    <beans:constructor-arg index="1" value="uid={0}"/>
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
</beans:beans>
Then in the administrator web interface, Configuration parameters:
Code:
principal.adapter = com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server = ldap://192.168.1.55:389
principal.ldap.security.principal = cn=IT,dc=test,dc=com
principal.ldap.security.credentials = myPassword
principal.ldap.user.attribute = uid
principal.ldap.user.search.base = ou=People,dc=test,dc=com
principal.ldap.user.search.filter = (objectClass=inetOrgPerson)
principal.ldap.username.attribute = cn
principal.ldap.username.search.base = ou=People,dc=test,dc=com
principal.ldap.username.search.filter = (uid={0})
principal.ldap.mail.attribute = mail
principal.ldap.mail.search.base = dc=test,dc=com
principal.ldap.mail.search.filter = (uid={0})
principal.ldap.role.attribute = cn
principal.ldap.role.search.base = ou=OpenKM,dc=test,dc=com
principal.ldap.role.search.filter = (objectClass=posixGroup)
principal.ldap.roles.by.user.attribute = cn
principal.ldap.roles.by.user.search.base = ou=OpenKM,dc=test,dc=com
principal.ldap.roles.by.user.search.filter = (memberUid={0})
principal.ldap.users.by.role.attribute = memberUid
principal.ldap.users.by.role.search.base = ou=OpenKM,dc=test,dc=com
principal.ldap.users.by.role.search.filter = (&(objectClass=posixGroup)(cn={0}))
After restarting Tomcat I can see the user account in the web interface, but I cannot log in with it (authentication failed).

LDAP server log:
Code:
Jan  4 15:57:36 ldap slapd[11379]: conn=5732 op=2 SRCH base="ou=People,dc=test,dc=com" scope=2 deref=3 filter="(uid=j0888)"
Jan  4 15:57:36 ldap slapd[11379]: <= bdb_equality_candidates: (uid) not indexed
Jan  4 15:57:36 ldap slapd[11379]: conn=5732 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 fd=26 ACCEPT from IP=192.168.1.46:45870 (IP=0.0.0.0:389)
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=0 BIND dn="uid=J0888,ou=People,dc=test,dc=com" method=128
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=0 BIND dn="uid=J0888,ou=People,dc=test,dc=com" mech=SIMPLE ssf=0
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=0 RESULT tag=97 err=0 text=
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=1 SRCH base="uid=J0888,ou=People,dc=test,dc=com" scope=0 deref=3 filter="(objectClass=*)"
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
After trying for a long time, I still cannot log in.
Could you help me?

My test mail server using LDAP verification works successfully.

LDAP server log:
Code:
Jan  5 17:02:32 ldap slapd[11379]: conn=6265 op=8 SRCH base="dc=test,dc=com" scope=2 deref=3 filter="(uid=j0888)"
Jan  5 17:02:32 ldap slapd[11379]: <= bdb_equality_candidates: (uid) not indexed
Jan  5 17:02:32 ldap slapd[11379]: conn=6265 op=8 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 fd=27 ACCEPT from IP=192.168.1.56:54322 (IP=0.0.0.0:389)
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 op=0 BIND dn="uid=J0888,ou=People,dc=test,dc=com" method=128
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 op=0 BIND dn="uid=J0888,ou=People,dc=test,dc=com" mech=SIMPLE ssf=0
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 op=0 RESULT tag=97 err=0 text=
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 op=1 UNBIND
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 fd=27 closed
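As an added example (not from this thread or from OpenKM), the Python script below parses slapd lines like the ones quoted in this post and flags the pattern visible in the failing login: the user's BIND returns err=0, and then the base-scope (scope=0) read of the bound DN itself, which is what the Spring BindAuthenticator does to fetch the user entry after binding, returns err=32 (noSuchObject). The sample log is constructed from the lines above.

```python
import re
from collections import defaultdict

# Constructed sample modelled on this post's slapd lines: conn=5761 is the failing
# OpenKM login, conn=6268 the working mail-server login.
SAMPLE_LOG = """\
Jan  4 15:57:36 ldap slapd[11379]: <= bdb_equality_candidates: (uid) not indexed
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 fd=26 ACCEPT from IP=192.168.1.46:45870 (IP=0.0.0.0:389)
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=0 BIND dn="uid=J0888,ou=People,dc=test,dc=com" method=128
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=0 RESULT tag=97 err=0 text=
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=1 SRCH base="uid=J0888,ou=People,dc=test,dc=com" scope=0 deref=3 filter="(objectClass=*)"
Jan  4 15:57:36 ldap slapd[11379]: conn=5761 op=1 SEARCH RESULT tag=101 err=32 nentries=0 text=
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 op=0 BIND dn="uid=J0888,ou=People,dc=test,dc=com" method=128
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 op=0 RESULT tag=97 err=0 text=
Jan  5 17:02:32 ldap slapd[11379]: conn=6268 op=1 UNBIND
"""

LINE_RE = re.compile(r"conn=(\d+) (?:op=(\d+) )?(.*)$")
BIND_RE = re.compile(r'BIND dn="([^"]*)"')
SRCH_RE = re.compile(r'SRCH base="([^"]*)" scope=(\d+)')
RESULT_RE = re.compile(r"RESULT tag=(\d+) err=(\d+)(?: nentries=(\d+))?")


def parse_ops(log_text):
    """Group slapd request/result pairs by conn=; returns {conn: {"bind_dn", "bind_err", "searches"}}."""
    conns = defaultdict(lambda: {"bind_dn": None, "bind_err": None, "searches": []})
    pending = {}  # (conn, op) -> request seen, awaiting its RESULT line
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # lines without conn= (indexing hints) carry nothing we need
            continue
        conn, op, rest = m.groups()
        if (b := BIND_RE.search(rest)):
            pending[(conn, op)] = ("bind", b.group(1))
        elif (s := SRCH_RE.search(rest)):
            pending[(conn, op)] = ("srch", s.group(1), int(s.group(2)))
        elif (r := RESULT_RE.search(rest)):
            req = pending.pop((conn, op), None)
            if req is None:
                continue
            err = int(r.group(2))
            if req[0] == "bind":
                conns[conn]["bind_dn"], conns[conn]["bind_err"] = req[1], err
            else:  # searches are recorded as (base, scope, err, nentries)
                nentries = int(r.group(3) or 0)
                conns[conn]["searches"].append((req[1], req[2], err, nentries))
    return dict(conns)


def diagnose(conns):
    """Flag connections whose bind succeeded but whose base-scope read of the bound DN returned noSuchObject."""
    findings = []
    for conn in sorted(conns, key=int):
        info = conns[conn]
        if info["bind_err"] != 0:
            continue
        for base, scope, err, _ in info["searches"]:
            if scope == 0 and err == 32 and base.lower() == info["bind_dn"].lower():  # 32 = noSuchObject
                findings.append((conn, info["bind_dn"]))
    return findings


if __name__ == "__main__":
    for conn, dn in diagnose(parse_ops(SAMPLE_LOG)):
        print(f"conn={conn}: bind as {dn} succeeded, but reading that entry gave err=32")
```

OpenLDAP answers noSuchObject rather than insufficientAccess when the bound identity is not allowed to see an entry, so this pattern points at the slapd access rules (the user must be able to read its own entry; the cn=IT bind used by ldapsearch evidently can) rather than at the Spring XML.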
 #52008  by bgone
 
Hi jllort,

I can see AD's users and groups as roles with your instructions, but the email address and role show blank in the user list.
How can I fix it?
(attachment: Desktop_Snap_2020.12.31_17h20m35s_009_.png)
 #52021  by jllort
 
About the email address: maybe in your AD the email has not been set for the users. If you download the Windows tool AD Explorer https://docs.microsoft.com/en-us/sysint ... adexplorer -> you will see your AD structure and nodes at a low level -> search for a well-known user and check whether it has the email or a similar attribute that contains the email. I suggested the "mail" attribute, but maybe in your AD the email address is in another field, or simply you have not set it in the user (then go to User accounts management and set the email -> then it should be shown in the AD attributes of the user).

These lines are wrong:
Code:
<beans:constructor-arg value="ldap://192.168.1.55:389/dc=test,dc=com"/>
<beans:property name="userDn" value="cn=IT,dc=test,dc=com"/>
<beans:constructor-arg index="0" value="ou=People"/>
<beans:constructor-arg value="ou=OpenKM"/>
Should be:
Code:
<beans:constructor-arg value="ldap://192.168.1.55:389"/>
<beans:property name="userDn" value="uid=IT,dc=test,dc=com"/>
<beans:constructor-arg index="0" value="dc=test,dc=com"/>
<beans:constructor-arg value="dc=test,dc=com"/>
 #52032  by bgone
 
bgone wrote: Tue Jan 05, 2021 10:16 am Hi jllort,

I can see AD's users and groups as roles with your instruction, but in the email address and role showing blank in user list.
How can I fix it?
Got email and roles now :D
 #52052  by jllort
 
Is all working, or is there some malfunction?
 #52064  by bgone
 
jllort wrote: Sat Jan 16, 2021 7:02 pm Is all working, or is there some malfunction?
Hi Jllort,

Now the email address and all roles show with the users, but I cannot assign any AD role to a file/folder, as it only keeps the existing roles created in the database.
 #52081  by jllort
 
Role list is empty?

Based on this query you should list all the nodes in the organizational unit ou=OpenKM,dc=test,dc=com with (objectClass=posixGroup); do you have something created there?
Code:
principal.ldap.role.attribute = cn
principal.ldap.role.search.base = ou=OpenKM,dc=test,dc=com
principal.ldap.role.search.filter = (objectClass=posixGroup)
 #52099  by bgone
 
jllort wrote: Fri Jan 22, 2021 7:07 pm Role list is empty?

Based on this query you should list all the nodes in the organizational unit ou=OpenKM,dc=test,dc=com with (objectClass=posixGroup); do you have something created there?
Code:
principal.ldap.role.attribute = cn
principal.ldap.role.search.base = ou=OpenKM,dc=test,dc=com
principal.ldap.role.search.filter = (objectClass=posixGroup)
Hi Jllort,

I see all roles now, and I am able to assign roles to a new repository under Root.
Now my current problem is that all roles are shown:
- in the role list tab: I can filter for OpenKM roles only
- in the user list tab: all roles are shown <-- I want to show only OpenKM roles; how can I do that?
 #52119  by jllort
 
Create a role named OPENKM_ROLE_FILTER, make the other roles members of this one ... and then filter in the same manner you are filtering users by ROLE_ADMIN and ROLE_USER.
 #52211  by bgone
 
Hi Jllort,

Now I have another issue with permissions:
- All users log in with full permission.
- I set permission for a user or role on a file/folder, but users are still able to delete the file/folder with ReadOnly permission.

Any suggestion?
Regards,
Bgone
 #52212  by jllort
 
Share two screenshots:
1- the document in the desktop showing the security grants applied, which a user should not be able to delete
2- the administration page where the user grants are shown
 #52213  by bgone
 
Hi jllort,

Please see my screenshots attached.
Attachments: Laptop_Snap_2021.03.22_01h00m03s_004_.png, Laptop_Snap_2021.03.22_00h58m19s_003_.png
