Page 1 of 1

Security for roles in LDAP

Posted: Wed May 05, 2021 9:10 am
by carlomor
Hello all,
i am new at OpenKM, i am trying to secure the taxonomy based on roles. The roles are defined as "ou=Groups" in LDAP and are correctly shown in the Roles List in administration Tab.
Users are defined in "ou=Users" and are correctly shown in administration tab, together with the correct roles assignment defined by "memberUid" attribute in the Role.
All users are in ROLE_USER LDAP group and works fine as ROLE_USER.
okmAdmin is in ROLE_ADMIN LDAP group and works fine.
There are no gid conflicts.
In the taxonomy there are folders assigned to different roles, let's say Org1, Org2 etc. BUT NOT to ROLE_USER.
Users can't see the folders, not even the ones that belong to their groups.
Users can see the folders belonging to ROLE_USER, but in this case the role-based separation is lost.

There is a way to define the active role of an user? Am i missing something?

OpenKM 6.3.10, OpenLDAP, Debian 10.
Best Regards

Re: Security for roles in LDAP

Posted: Sat May 08, 2021 5:40 pm
by jllort
First I suggest starting with OpenKM configuration parameters in the adminsitration and at the end work with login.

If you share your current configuration ( change you base by another if it is a problem in sharing real data ) we'll take a look on it. Also share distinguised named of some users ( samples ) and relevant attributes assigned to them.

Consider this configuration as a sample https://docs.openkm.com/kcenter/view/ok ... -name.html a more general one will be ( may be a better aproach ):

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">
 
  <security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
 
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  	<beans:constructor-arg value="ldaps://192.168.0.13:389"/>
        <beans:property name="userDn" value="cn=Manager,ou=users,dc=some,dc=com"/>
  	<beans:property name="password" value="***"/>
  </beans:bean>
 
    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="dc=some,dc=com"/>
                <beans:property name="groupSearchFilter" value="member={0}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
 
        <beans:property name="rolePrefix" value="" /> 
 
            </beans:bean>
        </beans:constructor-arg>
  </beans:bean>
 
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="dc=some,dc=com" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
 
</beans:beans>