• Security for roles in LDAP

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #52358  by carlomor
 
Hello all,
I am new to OpenKM; I am trying to secure the taxonomy based on roles. The roles are defined under "ou=Groups" in LDAP and are correctly shown in the Roles List in the administration tab.
Users are defined under "ou=Users" and are correctly shown in the administration tab, together with the correct role assignments defined by the "memberUid" attribute in the role.
All users are in the ROLE_USER LDAP group and work fine as ROLE_USER.
okmAdmin is in the ROLE_ADMIN LDAP group and works fine.
There are no gid conflicts.
In the taxonomy there are folders assigned to different roles, let's say Org1, Org2 etc., BUT NOT to ROLE_USER.
Users can't see the folders, not even the ones that belong to their groups.
Users can see the folders belonging to ROLE_USER, but in this case the role-based separation is lost.

Is there a way to define the active role of a user? Am I missing something?

OpenKM 6.3.10, OpenLDAP, Debian 10.
Best Regards
 #52370  by jllort
 
First I suggest starting with the OpenKM configuration parameters in the administration, and at the end work with the login.

If you share your current configuration (change your base by another one if sharing real data is a problem) we'll take a look at it. Also share the distinguished names of some users (samples) and the relevant attributes assigned to them.

Consider this configuration as a sample https://docs.openkm.com/kcenter/view/ok ... -name.html; a more general one would be (maybe a better approach):
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <!-- Connection to the directory. The manager account is only used for the
       user and group searches; the user's own password is checked by bind.
       Note: ldaps:// (TLS on connect) conventionally listens on 636, while
       389 is the plain LDAP / StartTLS port; adjust the URL to your server. -->
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldaps://192.168.0.13:389"/>
    <beans:property name="userDn" value="cn=Manager,ou=users,dc=some,dc=com"/>
    <beans:property name="password" value="***"/>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <!-- First argument: how the user is authenticated (search, then bind as the found DN). -->
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <!-- Second argument: how the user's roles are loaded. Groups are searched
         under the given base with groupSearchFilter, where {0} is replaced by
         the user's DN and {1} by the login name; each match contributes the
         value of groupRoleAttribute as a role. -->
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="dc=some,dc=com"/>
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
        <!-- Empty prefix: group names are used as-is instead of being prefixed with ROLE_. -->
        <beans:property name="rolePrefix" value="" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <!-- Locates the user entry by login name; {0} is the name typed at login. -->
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="dc=some,dc=com" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

</beans:beans>
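The role mapping in the sample above hinges on the group search filter: Spring Security's DefaultLdapAuthoritiesPopulator replaces {0} with the authenticated user's DN and {1} with the login name, and each matching group contributes its groupRoleAttribute value as a role. The script below is an added example (not jllort's or OpenKM's code) that reproduces that substitution offline against a small constructed directory shaped like the one in the question: users under ou=Users, and groups under ou=Groups that list members by uid in memberUid rather than by full DN in member. The user names, DNs and the dc=example,dc=com base are constructed for the example; the filter evaluator only understands single attr=value equality filters.

```python
"""Offline check of how a Spring Security LDAP group search resolves roles.

Mimics the substitution done by DefaultLdapAuthoritiesPopulator:
{0} is replaced by the authenticated user's DN, {1} by the login name.
The directory below is constructed for the example; it is not real data.
"""
import re

# Constructed entries in the OpenLDAP style described in the thread:
# users under ou=Users, posixGroup-style groups under ou=Groups whose
# members are listed by uid in 'memberUid' (not by full DN in 'member').
DIRECTORY = [
    {"dn": "uid=alice,ou=Users,dc=example,dc=com", "uid": ["alice"]},
    {"dn": "uid=bob,ou=Users,dc=example,dc=com", "uid": ["bob"]},
    {"dn": "cn=ROLE_USER,ou=Groups,dc=example,dc=com", "cn": ["ROLE_USER"],
     "memberUid": ["alice", "bob"]},
    {"dn": "cn=Org1,ou=Groups,dc=example,dc=com", "cn": ["Org1"],
     "memberUid": ["alice"]},
    {"dn": "cn=Org2,ou=Groups,dc=example,dc=com", "cn": ["Org2"],
     "memberUid": ["bob"]},
]

# Only the simple '(attr=value)' equality form is supported here.
FILTER_RE = re.compile(r"\(?([A-Za-z]+)=([^()]+)\)?")


def matches(entry, ldap_filter):
    """Evaluate one 'attr=value' equality filter against one entry.
    Comparison is case-insensitive, as it is for DNs and the usual
    caseIgnore attributes such as cn and memberUid."""
    m = FILTER_RE.fullmatch(ldap_filter.strip())
    if not m:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.groups()
    return any(v.lower() == value.lower() for v in entry.get(attr, []))


def search(base, ldap_filter):
    """Subtree search: every entry at or below 'base' matching the filter."""
    return [e for e in DIRECTORY
            if e["dn"].lower().endswith(base.lower()) and matches(e, ldap_filter)]


def find_user_dn(username, base="dc=example,dc=com", user_search_filter="uid={0}"):
    """FilterBasedLdapUserSearch: {0} in the user filter is the login name.
    Exactly one hit is required; zero or several means no usable user."""
    hits = search(base, user_search_filter.replace("{0}", username))
    return hits[0]["dn"] if len(hits) == 1 else None


def resolve_roles(username, group_search_filter, group_search_base="dc=example,dc=com",
                  group_role_attribute="cn", convert_to_upper=True, role_prefix=""):
    """Roles the populator would grant for the given group search settings."""
    user_dn = find_user_dn(username)
    if user_dn is None:
        return set()
    # Populator substitution: {0} -> user DN, {1} -> username.
    filt = group_search_filter.replace("{0}", user_dn).replace("{1}", username)
    roles = set()
    for group in search(group_search_base, filt):
        for value in group.get(group_role_attribute, []):
            roles.add(role_prefix + (value.upper() if convert_to_upper else value))
    return roles


if __name__ == "__main__":
    # 'member={0}' expects groups that hold full member DNs; the memberUid
    # groups above never match it, so the user ends up with no roles at all.
    print("member={0}    ->", resolve_roles("alice", "member={0}"))
    # 'memberUid={1}' matches uid-based groups.
    print("memberUid={1} ->", resolve_roles("alice", "memberUid={1}"))
    # convertToUpperCase turns 'Org1' into 'ORG1', which no longer equals a
    # role named 'Org1' granted on a folder; compare with the raw names.
    print("no uppercase  ->", resolve_roles("alice", "memberUid={1}", convert_to_upper=False))
```

Running it shows the three things worth checking before touching folder permissions: whether the group filter's membership attribute matches how the directory actually records members (DN in member versus uid in memberUid), whether convertToUpperCase changes the role spelling compared with the roles named in OpenKM, and whether rolePrefix adds a second ROLE_ to groups that already carry it.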
