Security for roles in LDAP

Posted: Wed May 05, 2021 9:10 am
by carlomor
Hello all,
I am new to OpenKM; I am trying to secure the taxonomy based on roles. The roles are defined under "ou=Groups" in LDAP and are correctly shown in the Roles list in the administration tab.
Users are defined under "ou=Users" and are correctly shown in the administration tab, together with the correct role assignments defined by the "memberUid" attribute in the role.
All users are in the ROLE_USER LDAP group and work fine as ROLE_USER.
okmAdmin is in the ROLE_ADMIN LDAP group and works fine.
There are no gid conflicts.
In the taxonomy there are folders assigned to different roles, let's say Org1, Org2, etc., BUT NOT to ROLE_USER.
Users can't see the folders, not even the ones that belong to their groups.
Users can see the folders belonging to ROLE_USER, but in this case the role-based separation is lost.

Is there a way to define the active role of a user? Am I missing something?

OpenKM 6.3.10, OpenLDAP, Debian 10.
Best Regards

Re: Security for roles in LDAP

Posted: Sat May 08, 2021 5:40 pm
by jllort
First I suggest starting with the OpenKM configuration parameters in the administration, and at the end working with login.

If you share your current configuration (change your base for another one if sharing real data is a problem) we'll take a look at it. Also share the distinguished names of some users (samples) and the relevant attributes assigned to them.

Consider this configuration as a sample ... -name.html; a more general one will be (maybe a better approach):

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="">

  <!-- Authentication manager that delegates every login to the LDAP provider -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <!-- Directory connection: the bind DN and password used for user and group searches -->
  <beans:bean id="contextSource" class="">
    <beans:constructor-arg value="ldaps://"/>
    <beans:property name="userDn" value="cn=Manager,ou=users,dc=some,dc=com"/>
    <beans:property name="password" value="***"/>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="">
    <!-- First constructor argument: the authenticator, which locates the user via userSearch and binds as that user -->
    <beans:constructor-arg>
      <beans:bean class="">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <!-- Second constructor argument: the authorities populator, which maps group membership to roles -->
    <beans:constructor-arg>
      <beans:bean class="">
        <beans:constructor-arg ref="contextSource"/>
        <!-- Group search base -->
        <beans:constructor-arg value="dc=some,dc=com"/>
        <!-- Groups are matched on the "member" attribute; {0} is replaced by the user's DN -->
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <!-- The group's cn becomes the role name -->
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
        <beans:property name="rolePrefix" value="" />
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <!-- User lookup: search the whole subtree below the base for an entry whose uid equals the login name -->
  <beans:bean id="userSearch" class="">
    <beans:constructor-arg index="0" value="dc=some,dc=com" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
</beans:beans>
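The configuration above grants roles by searching for groups that match groupSearchFilter and taking groupRoleAttribute from each hit, so a filter that does not match how the directory stores membership yields no roles at all, which is the symptom described at the top of the thread (posixGroup entries store the login name in memberUid, while member={0} expects the full DN). The Python below is an added simulation of that lookup, not code from OpenKM or from this thread; it uses a constructed in-memory directory with the same base (dc=some,dc=com) and assumes the substitution convention of Spring Security's LDAP authorities populator, where {0} is the user's DN and {1} the login name.

```python
"""Simulate how an LDAP authorities populator turns group membership into roles.

Constructed directory data, not a real server: two users under ou=Users,
posixGroup-style groups under ou=Groups (memberUid holds the uid) and one
groupOfNames-style group (member holds the full DN).
"""

BASE = "dc=some,dc=com"

# Constructed sample entries: dn -> {attribute: [values]}
DIRECTORY = {
    "uid=alice,ou=Users,dc=some,dc=com": {"objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["alice"]},
    "uid=bob,ou=Users,dc=some,dc=com": {"objectClass": ["inetOrgPerson", "posixAccount"], "uid": ["bob"]},
    "cn=ROLE_USER,ou=Groups,dc=some,dc=com": {"objectClass": ["posixGroup"], "cn": ["ROLE_USER"], "memberUid": ["alice", "bob"]},
    "cn=Org1,ou=Groups,dc=some,dc=com": {"objectClass": ["posixGroup"], "cn": ["Org1"], "memberUid": ["alice"]},
    "cn=Org2,ou=Groups,dc=some,dc=com": {"objectClass": ["posixGroup"], "cn": ["Org2"], "memberUid": ["bob"]},
    "cn=Auditors,ou=Groups,dc=some,dc=com": {"objectClass": ["groupOfNames"], "cn": ["Auditors"], "member": ["uid=alice,ou=Users,dc=some,dc=com"]},
}


def _matches(entry, attr, value):
    """Equality match on one attribute; attribute names are case-insensitive in LDAP.
    Values are compared exactly here, which is stricter than most real schemas."""
    for name, values in entry.items():
        if name.lower() == attr.lower():
            return value in values
    return False


def search(directory, base, filter_template, substitutions, subtree=True):
    """Minimal evaluator for single equality filters such as 'uid={0}' or 'memberUid={1}'.

    Returns the DNs of entries below `base` that match. Only the simple
    'attr={n}' filter shape used in the thread's configuration is supported.
    """
    attr, _, value_template = filter_template.partition("=")
    value = value_template.format(*substitutions)
    hits = []
    for dn, entry in directory.items():
        if not dn.lower().endswith("," + base.lower()):
            continue
        # Without searchSubtree only immediate children of the base are considered
        if not subtree and dn.count(",") != base.count(",") + 1:
            continue
        if _matches(entry, attr.strip(), value):
            hits.append(dn)
    return hits


def find_user_dn(directory, username, base=BASE, user_search_filter="uid={0}"):
    """Equivalent of the userSearch bean: locate the user's DN from the login name."""
    hits = search(directory, base, user_search_filter, (username,))
    if len(hits) != 1:
        raise LookupError(f"expected exactly one user for {username!r}, found {len(hits)}")
    return hits[0]


def resolve_roles(directory, username, group_search_filter, group_role_attribute="cn",
                  group_search_base=BASE, convert_to_upper_case=True, role_prefix=""):
    """Equivalent of the authorities populator: {0} is the user's DN, {1} the login name
    (assumed substitution convention of Spring Security's LDAP populator)."""
    user_dn = find_user_dn(directory, username)
    roles = set()
    for group_dn in search(directory, group_search_base, group_search_filter, (user_dn, username)):
        for value in directory[group_dn].get(group_role_attribute, []):
            role = value.upper() if convert_to_upper_case else value
            roles.add(role_prefix + role)
    return sorted(roles)


if __name__ == "__main__":
    # member={0} only matches the groupOfNames entry that stores alice's full DN
    print("member={0}    ->", resolve_roles(DIRECTORY, "alice", "member={0}"))
    # memberUid={1} matches the posixGroup entries that store the uid
    print("memberUid={1} ->", resolve_roles(DIRECTORY, "alice", "memberUid={1}"))
```

Running it shows alice receiving only AUDITORS with member={0} and ORG1 plus ROLE_USER with memberUid={1}; convertToUpperCase is why the role names come back upper-cased, which matters when the taxonomy's folder permissions were granted to the mixed-case group name.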