Security for roles in LDAP

OpenKM has many interesting features, but requires some configuration process to show its full potential.
Forum rules
Please, before asking something see the documentation wiki or use the search feature of the forum. And remember we don't have a crystal ball or mental readers, so if you post about an issue tell us which OpenKM are you using and also the browser and operating system version. For more info read How to Report Bugs Effectively.
Post Reply
carlomor
Fresh Boarder
Fresh Boarder
Posts: 1
Joined: Wed May 05, 2021 9:00 am

Security for roles in LDAP

Post by carlomor »

Hello all,
i am new at OpenKM, i am trying to secure the taxonomy based on roles. The roles are defined as "ou=Groups" in LDAP and are correctly shown in the Roles List in administration Tab.
Users are defined in "ou=Users" and are correctly shown in administration tab, together with the correct roles assignment defined by "memberUid" attribute in the Role.
All users are in ROLE_USER LDAP group and works fine as ROLE_USER.
okmAdmin is in ROLE_ADMIN LDAP group and works fine.
There are no gid conflicts.
In the taxonomy there are folders assigned to different roles, let's say Org1, Org2 etc. BUT NOT to ROLE_USER.
Users can't see the folders, not even the ones that belong to their groups.
Users can see the folders belonging to ROLE_USER, but in this case the role-based separation is lost.

There is a way to define the active role of an user? Am i missing something?

OpenKM 6.3.10, OpenLDAP, Debian 10.
Best Regards
jllort
Moderator
Moderator
Posts: 11518
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain
Contact:

Re: Security for roles in LDAP

Post by jllort »

First I suggest starting with OpenKM configuration parameters in the adminsitration and at the end work with login.

If you share your current configuration ( change you base by another if it is a problem in sharing real data ) we'll take a look on it. Also share distinguised named of some users ( samples ) and relevant attributes assigned to them.

Consider this configuration as a sample https://docs.openkm.com/kcenter/view/ok ... -name.html a more general one will be ( may be a better aproach ):

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">
 
  <security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
 
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  	<beans:constructor-arg value="ldaps://192.168.0.13:389"/>
        <beans:property name="userDn" value="cn=Manager,ou=users,dc=some,dc=com"/>
  	<beans:property name="password" value="***"/>
  </beans:bean>
 
    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="dc=some,dc=com"/>
                <beans:property name="groupSearchFilter" value="member={0}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
 
        <beans:property name="rolePrefix" value="" /> 
 
            </beans:bean>
        </beans:constructor-arg>
  </beans:bean>
 
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="dc=some,dc=com" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
 
</beans:beans>
Post Reply