Security for roles in LDAP
Posted: Wed May 05, 2021 9:10 am
by carlomor
Hello all,
I am new at OpenKM; I am trying to secure the taxonomy based on roles. The roles are defined as "ou=Groups" in LDAP and are correctly shown in the Roles List in the Administration tab.
Users are defined in "ou=Users" and are correctly shown in the Administration tab, together with the correct role assignment defined by the "memberUid" attribute in the Role.
All users are in the ROLE_USER LDAP group and work fine as ROLE_USER.
okmAdmin is in the ROLE_ADMIN LDAP group and works fine.
There are no gid conflicts.
In the taxonomy there are folders assigned to different roles, let's say Org1, Org2 etc. BUT NOT to ROLE_USER.
Users can't see the folders, not even the ones that belong to their groups.
Users can see the folders belonging to ROLE_USER, but in this case the role-based separation is lost.
Is there a way to define the active role of a user? Am I missing something?
OpenKM 6.3.10, OpenLDAP, Debian 10.
Best Regards
Re: Security for roles in LDAP
Posted: Sat May 08, 2021 5:40 pm
by jllort
First I suggest starting with the OpenKM configuration parameters in the administration and at the end work with login.
If you share your current configuration (change your base by another one if sharing real data is a problem) we'll take a look at it. Also share the distinguished names of some users (samples) and the relevant attributes assigned to them.
Consider this configuration as a sample:
https://docs.openkm.com/kcenter/view/ok ... -name.html A more general one would be (maybe a better approach):
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

    <security:authentication-manager alias="authenticationManager">
        <security:authentication-provider ref="ldapAuthProvider" />
    </security:authentication-manager>

    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
        <beans:constructor-arg value="ldaps://192.168.0.13:389"/>
        <beans:property name="userDn" value="cn=Manager,ou=users,dc=some,dc=com"/>
        <beans:property name="password" value="***"/>
    </beans:bean>

    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:property name="userSearch" ref="userSearch"></beans:property>
            </beans:bean>
        </beans:constructor-arg>
        <beans:constructor-arg>
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="dc=some,dc=com"/>
                <beans:property name="groupSearchFilter" value="member={0}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
                <beans:property name="searchSubtree" value="true" />
                <beans:property name="convertToUpperCase" value="true" />
                <beans:property name="rolePrefix" value="" />
            </beans:bean>
        </beans:constructor-arg>
    </beans:bean>

    <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
        <beans:constructor-arg index="0" value="dc=some,dc=com" />
        <beans:constructor-arg index="1" value="uid={0}" />
        <beans:constructor-arg index="2" ref="contextSource" />
        <beans:property name="searchSubtree" value="true" />
    </beans:bean>

</beans:beans>
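As an added illustration of how the authorities-populator settings in that sample turn group entries into role names (my own example, not OpenKM's or Spring's code), the following models Spring Security's placeholder substitution for the user search ({0} = login name) and the group search ({0} = user DN, {1} = login name), together with groupRoleAttribute, convertToUpperCase and rolePrefix, against a constructed in-memory directory that contains both memberUid-style groups, as described in the question, and a member-style group, as the sample filter expects. All entries, DNs and names below are constructed.

```python
# Constructed sample directory: DN -> attributes. Two groups use memberUid
# (posixGroup style, as in the question), one uses member (groupOfNames style).
from typing import Dict, List, Optional

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=alice,ou=Users,dc=some,dc=com": {"uid": ["alice"]},
    "cn=Org1,ou=Groups,dc=some,dc=com": {"cn": ["Org1"], "memberUid": ["alice"]},
    "cn=ROLE_USER,ou=Groups,dc=some,dc=com": {"cn": ["ROLE_USER"], "memberUid": ["alice"]},
    "cn=Org2,ou=Groups,dc=some,dc=com": {
        "cn": ["Org2"], "member": ["uid=alice,ou=Users,dc=some,dc=com"]},
}


def _matches(dn: str, base: str, attr: str, wanted: str) -> bool:
    # searchSubtree=true is approximated by "dn lies under the base"
    attrs = DIRECTORY.get(dn, {})
    return dn.endswith(base) and wanted in attrs.get(attr, [])


def find_user_dn(base: str, user_filter: str, username: str) -> Optional[str]:
    """Model of FilterBasedLdapUserSearch: {0} is replaced by the login name."""
    attr, _, value = user_filter.partition("=")
    value = value.replace("{0}", username)
    for dn in DIRECTORY:
        if _matches(dn, base, attr, value):
            return dn
    return None


def populate_roles(user_dn: str, username: str, group_base: str,
                   group_filter: str, group_role_attribute: str = "cn",
                   convert_to_upper_case: bool = True,
                   role_prefix: str = "") -> List[str]:
    """Model of DefaultLdapAuthoritiesPopulator: {0} -> user DN, {1} -> login name.

    Each matching group contributes one role, taken from groupRoleAttribute,
    upper-cased when convertToUpperCase is set, and prefixed with rolePrefix.
    """
    attr, _, value = group_filter.partition("=")
    value = value.replace("{0}", user_dn).replace("{1}", username)
    roles = []
    for dn, attrs in DIRECTORY.items():
        if _matches(dn, group_base, attr, value):
            role = attrs[group_role_attribute][0]
            if convert_to_upper_case:
                role = role.upper()
            roles.append(role_prefix + role)
    return sorted(roles)


if __name__ == "__main__":
    dn = find_user_dn("dc=some,dc=com", "uid={0}", "alice")
    print("member={0}   ->", populate_roles(dn, "alice", "dc=some,dc=com", "member={0}"))
    print("memberUid={1} ->", populate_roles(dn, "alice", "dc=some,dc=com", "memberUid={1}"))
```

Running it shows that the sample's `member={0}` filter only sees the member-style group, while `memberUid={1}` sees the memberUid-style groups, and that convertToUpperCase changes "Org1" to "ORG1", which matters when folder permissions are granted to a role name in mixed case.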