[Solved] OpenLDAP problem

 #14551  by lineac
 
Hi,

We are currently installing OpenKM as a DMS for our society, but we are encountering a problem configuring it for LDAP authentication.

Here are our LDAP entries:
Code:
-fr
--soc
---groups
--------AdminRole (memberUid = user1, memberUid = user2)
--------UserRole (memberUid = user2)
---users
----intern
--------user1 
--------user2
However, we don't have any memberOf attribute in our user entries, so here is how we worked around it:

OpenKM.cfg:
Code:
principal.adapter                              com.openkm.principal.LdapPrincipalAdapter
principal.ldap.mail.attribute                  mail
principal.ldap.mail.search.base                ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.mail.search.filter              (&(objectClass=inetOrgPerson)(cn={0}))
principal.ldap.referral
principal.ldap.role.attribute                  cn
principal.ldap.role.search.base                ou=groups,dc=soc,dc=fr
principal.ldap.role.search.filter              (objectClass=posixGroup)
principal.ldap.roles.by.user.attribute         cn
principal.ldap.roles.by.user.search.base       ou=groups,dc=soc,dc=fr
principal.ldap.roles.by.user.search.filter     (memberUid={0})
principal.ldap.security.credentials            ****
principal.ldap.security.principal              cn=admin,dc=soc,dc=fr
principal.ldap.server                          ldap://192.168.0.xxx:389
principal.ldap.user.attribute                  cn
principal.ldap.user.search.base                ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.user.search.filter              (objectClass=inetOrgPerson)
principal.ldap.users.by.role.attribute         memberUid
principal.ldap.users.by.role.search.base       ou=groups,dc=soc,dc=fr
principal.ldap.users.by.role.search.filter     (&(objectClass=posixGroup)(memberUid={0}))
login-config.xml:
Code:
        <application-policy name="OpenKM">
          <authentication>
           <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
             <module-option name="java.naming.provider.url">ldap://192.168.0.xxx:389</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">cn=admin,dc=soc,dc=fr</module-option>
             <module-option name="bindCredential">****</module-option>
             <module-option name="baseCtxDN">ou=intern,ou=users,dc=soc,dc=fr</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">dc=soc,dc=fr</module-option>
             <module-option name="roleFilter">(memberUid={0})</module-option>
             <module-option name="roleAttributeID">cn</module-option>
             <module-option name="roleAttributeIsDN">false</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             <module-option name="allowEmptyPasswords">false</module-option>
             <module-option name="defaultRole">UserRole</module-option>
           </login-module>
          </authentication>
        </application-policy>

We can log in using LDAP, and when we look at the users, everything is correctly imported: roles, mails, etc. However, when we log in with a user who has AdminRole, like user2, we don't have access to the Administration Panel. Actually, we discovered that the defaultRole is applied. Our guess is that the problem comes from login-config.xml, but we couldn't fix it and we're running out of ideas.

Any help will be appreciated.
Last edited by lineac on Fri Mar 30, 2012 11:02 am, edited 1 time in total.
 #14574  by jllort
 
Remove this line: <module-option name="defaultRole">UserRole</module-option>. It forces all users to have UserRole.
 #14913  by lineac
 
After deleting that line, when we try to log in with an LDAP account:

HTTP Status 403 - Access to the requested resource has been denied

It looks like OpenKM can't find any roles from LDAP for a given user, yet it's still able to correctly import them (we checked in the admin panel, roles/user section).

Any other idea?
 #14926  by jllort
 
Concentrate first on your login-config.xml, and afterwards on the administration configuration.

1- Ensure every user has UserRole.
2- I think your roleFilter is incorrect. With Active Directory it should be <module-option name="roleFilter">(member={1})</module-option>. I don't know which LDAP you use; I assumed Active Directory.

I suggest you browse your directory to better understand the LDAP properties; try http://directory.apache.org/studio/ or http://technet.microsoft.com/en-us/sysi ... 63907.aspx
 #15003  by lineac
 
Okay, I think I'm getting close to fully understanding the authentication process, but I need to know one thing: in principal.ldap.users.by.role.search.filter, what does the {0} stand for? Will it be replaced by the user's login name (the user's uid) or by the role's name (the role's cn)?
 #15019  by jllort
 
Code:
principal.ldap.users.by.role.search.filter      (&(objectClass=posixGroup)(memberUid={0}))  
I do not know if the parameter is correct, but in Active Directory posixGroup=group. The idea is to get all groups and filter down to one: {0} = the name of the user group (in Active Directory cn=groupname, etc., so cn={0} = some group name).
 #15020  by lineac
 
Okay, we solved our problem. We are using OpenLDAP and not Active Directory, btw ;P (look at the thread title)

The problem was case: the login must be in lowercase... In any case, we modified our login-config.xml and OpenKM.cfg to be more accurate. Here is our config, to help any future user encountering the same problems:

LDAP Structure:
Code:
dc=fr
	dc=soc
		ou=groups
			cn=UserRole, objectClass=posixGroup, memberUid = jack, memberUid = joe
			cn=AdminRole, objectClass=posixGroup, memberUid = jack
		ou=people
			ou=intern
				cn = jack, objectClass=inetOrgperson, uid = jack
				cn = joe, objectClass=inetOrgperson, uid = joe
Our OpenKM.cfg:
Code:
principal.adapter				com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users	Active
principal.ldap.mail.attribute			mail
principal.ldap.mail.search.base			ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.mail.search.filter		(&(objectClass=inetOrgPerson)(cn={0}))
principal.ldap.referral				follow
principal.ldap.role.attribute			cn
principal.ldap.role.search.base			ou=groups,dc=soc,dc=fr
principal.ldap.role.search.filter		(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute		cn
principal.ldap.roles.by.user.search.base	ou=groups,dc=soc,dc=fr
principal.ldap.roles.by.user.search.filter	(memberUid={0})
principal.ldap.security.credentials		xxxxxx
principal.ldap.security.principal		cn=admin,dc=soc,dc=fr
principal.ldap.server				ldap://192.168.xxx.xxx:389
principal.ldap.user.attribute			cn
principal.ldap.user.search.base			ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.user.search.filter		(objectClass=inetOrgPerson)
principal.ldap.users.by.role.attribute		memberUid
principal.ldap.users.by.role.search.base	ou=groups,dc=soc,dc=fr
principal.ldap.users.by.role.search.filter	(&(objectClass=posixGroup)(cn={0}))

system.login.lowercase				Active
That last line is what we were looking for: it makes the login lowercase (though it's possible to cheat and post an uppercase username), but for users' everyday use, it's sufficient.

login-config.xml:
Code:
<application-policy name="OpenKM">
          <authentication>
           <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
             <module-option name="java.naming.provider.url">ldap://192.168.xxx.xxx:389</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">cn=admin,dc=soc,dc=fr</module-option>
             <module-option name="bindCredential">******</module-option>
             <module-option name="baseCtxDN">ou=intern,ou=users,dc=soc,dc=fr</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">ou=groups,dc=soc,dc=fr</module-option>
             <module-option name="roleFilter">(memberUid={0})</module-option>
             <module-option name="roleAttributeID">cn</module-option>
             <module-option name="roleAttributeIsDN">false</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             <module-option name="allowEmptyPasswords">false</module-option>
     <!--        <module-option name="defaultRole">UserRole</module-option> -->
           </login-module>
          </authentication>
        </application-policy>
Thanks for having answered our questions, it is greatly appreciated =)
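As an added example (not OpenKM's code, nor the poster's), the following Python models the OpenLDAP tree posted above in memory and evaluates the thread's filters with {0} substituted, to show which value {0} carries in each filter and why login case broke role lookup while the login itself succeeded. It assumes the user branch is ou=intern,ou=people,dc=soc,dc=fr as in the tree listing, and models the standard schema matching rules (uid uses caseIgnoreMatch, memberUid from nis.schema uses caseExactIA5Match).

```python
import re

# Constructed entries mirroring the posted tree (user branch assumed to be
# ou=intern,ou=people,dc=soc,dc=fr, as in the structure listing).
DIRECTORY = {
    "cn=UserRole,ou=groups,dc=soc,dc=fr":
        {"objectClass": ["posixGroup"], "cn": ["UserRole"], "memberUid": ["jack", "joe"]},
    "cn=AdminRole,ou=groups,dc=soc,dc=fr":
        {"objectClass": ["posixGroup"], "cn": ["AdminRole"], "memberUid": ["jack"]},
    "cn=jack,ou=intern,ou=people,dc=soc,dc=fr":
        {"objectClass": ["inetOrgPerson"], "cn": ["jack"], "uid": ["jack"]},
    "cn=joe,ou=intern,ou=people,dc=soc,dc=fr":
        {"objectClass": ["inetOrgPerson"], "cn": ["joe"], "uid": ["joe"]},
}
GROUPS = "ou=groups,dc=soc,dc=fr"
USERS = "ou=intern,ou=people,dc=soc,dc=fr"
# Modelled matching rules: uid is caseIgnoreMatch, memberUid is caseExactIA5Match.
CASE_EXACT = {"memberUid"}

def matches(entry, flt):
    """Equality terms joined by & only, which covers every filter in the thread."""
    terms = re.findall(r"\(([^()=]+)=([^()]*)\)", flt)
    def eq(attr, value):
        fold = (lambda v: v) if attr in CASE_EXACT else str.lower
        return any(fold(v) == fold(value) for v in entry.get(attr, []))
    return bool(terms) and all(eq(a, v) for a, v in terms)

def search(base, flt, param):
    """Subtree search with {0} substituted, as OpenKM and LdapExtLoginModule do."""
    flt = flt.replace("{0}", param)
    return [dn for dn, e in DIRECTORY.items()
            if dn.endswith("," + base) and matches(e, flt)]

def user_dn(login):
    """login-config.xml baseFilter (uid={0}): {0} is the typed login."""
    return search(USERS, "(uid={0})", login)

def roles_by_user(login, lowercase=False):
    """principal.ldap.roles.by.user.search.filter: {0} is the user's login.
    lowercase=True mimics system.login.lowercase=Active."""
    login = login.lower() if lowercase else login
    return sorted(DIRECTORY[dn]["cn"][0] for dn in search(GROUPS, "(memberUid={0})", login))

def users_by_role(role):
    """principal.ldap.users.by.role.search.filter: {0} is the role's cn."""
    hits = search(GROUPS, "(&(objectClass=posixGroup)(cn={0}))", role)
    return sorted(uid for dn in hits for uid in DIRECTORY[dn]["memberUid"])

if __name__ == "__main__":
    print(user_dn("Jack"), roles_by_user("Jack"), roles_by_user("Jack", lowercase=True))
```

Logging in as "Jack" finds the user entry (case-insensitive uid) but yields no roles, which is the 403 seen above; lowercasing the login first restores AdminRole and UserRole.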
 #15048  by jllort
 
I will create an LDAP configuration example section with your configuration in the online documentation.
