[Solved] OpenLDAP problem

lineac
Fresh Boarder
Posts: 9
Joined: Fri Mar 16, 2012 4:09 pm

[Solved] OpenLDAP problem

Post by lineac » Fri Mar 16, 2012 4:32 pm

Hi,

We are currently installing OpenKM as a DMS for our society but we are encountering a problem configuring it for LDAP authentication.

Here are our LDAP entries:

Code:

-fr
--soc
---groups
--------AdminRole (memberUid = user1, memberUid = user2)
--------UserRole (memberUid = user2)
---users
----intern
--------user1 
--------user2
However, we don't have any memberOf attribute in our user entries, so here is how we worked around it:

OpenKM.cfg:

Code:

principal.adapter                           com.openkm.principal.LdapPrincipalAdapter
principal.ldap.mail.attribute               mail
principal.ldap.mail.search.base             ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.mail.search.filter           (&(objectClass=inetOrgPerson)(cn={0}))
principal.ldap.referral
principal.ldap.role.attribute               cn
principal.ldap.role.search.base             ou=groups,dc=soc,dc=fr
principal.ldap.role.search.filter           (objectClass=posixGroup)
principal.ldap.roles.by.user.attribute      cn
principal.ldap.roles.by.user.search.base    ou=groups,dc=soc,dc=fr
principal.ldap.roles.by.user.search.filter  (memberUid={0})
principal.ldap.security.credentials         ****
principal.ldap.security.principal           cn=admin,dc=soc,dc=fr
principal.ldap.server                       ldap://192.168.0.xxx:389
principal.ldap.user.attribute               cn
principal.ldap.user.search.base             ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.user.search.filter           (objectClass=inetOrgPerson)
principal.ldap.users.by.role.attribute      memberUid
principal.ldap.users.by.role.search.base    ou=groups,dc=soc,dc=fr
principal.ldap.users.by.role.search.filter  (&(objectClass=posixGroup)(memberUid={0}))
login-config.xml:

Code:

        <application-policy name="OpenKM">
          <authentication>
           <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
             <module-option name="java.naming.provider.url">ldap://192.168.0.xxx:389</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">cn=admin,dc=soc,dc=fr</module-option>
             <module-option name="bindCredential">****</module-option>
             <module-option name="baseCtxDN">ou=intern,ou=users,dc=soc,dc=fr</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">dc=soc,dc=fr</module-option>
             <module-option name="roleFilter">(memberUid={0})</module-option>
             <module-option name="roleAttributeID">cn</module-option>
             <module-option name="roleAttributeIsDN">false</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             <module-option name="allowEmptyPasswords">false</module-option>
             <module-option name="defaultRole">UserRole</module-option>
           </login-module>
          </authentication>
        </application-policy>

We can log in using LDAP, and when we see the users, everything is correctly imported: roles, mails, etc. However, when we log in with a user who has AdminRole like user2, we don't have access to the Administration Panel. Actually we discovered that the defaultRole is applied. Our guess is that the problem comes from login-config.xml, but we couldn't fix it and we're running out of ideas.

Any help will be appreciated
Last edited by lineac on Fri Mar 30, 2012 11:02 am, edited 1 time in total.

jllort
Moderator
Posts: 10994
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: OpenLDAP problem

Post by jllort » Mon Mar 19, 2012 12:44 pm

Remove this line: <module-option name="defaultRole">UserRole</module-option>. It forces all users to have UserRole.

lineac
Fresh Boarder
Posts: 9
Joined: Fri Mar 16, 2012 4:09 pm

Re: OpenLDAP problem

Post by lineac » Thu Mar 22, 2012 9:49 am

After deleting that line, when we try to log in with an LDAP account:

HTTP Status 403 - Access to the requested resource has been denied

It looks like OpenKM can't find any roles from LDAP for a given user, yet it's still able to correctly import them (we checked in the admin panel, roles/user section).

Any other idea?

jllort
Moderator
Posts: 10994
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: OpenLDAP problem

Post by jllort » Fri Mar 23, 2012 6:35 pm

Concentrate first on your login-config.xml, and after that on the administration configuration.

1- Ensure any user has UserRole
2- I think your roleFilter is incorrect. With Active Directory it should be <module-option name="roleFilter">(member={1})</module-option>. I don't know which LDAP yours is; I supposed Active Directory.

I suggest you browse across your repository to understand the LDAP properties better; try http://directory.apache.org/studio/ or http://technet.microsoft.com/en-us/sysi ... 63907.aspx

lineac
Fresh Boarder
Posts: 9
Joined: Fri Mar 16, 2012 4:09 pm

Re: OpenLDAP problem

Post by lineac » Wed Mar 28, 2012 10:40 pm

Okay, I think I'm getting close to fully understanding the authentication process, but I need to know one thing: in principal.ldap.users.by.role.search.filter, what does the {0} stand for? Will it be replaced by the user's login name (uid of user) or the role's name (role's cn)?

jllort
Moderator
Posts: 10994
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: OpenLDAP problem

Post by jllort » Fri Mar 30, 2012 10:05 am

Code:

principal.ldap.users.by.role.search.filter      (&(objectClass=posixGroup)(memberUid={0}))

I do not know if the parameter is correct, but in Active Directory posixGroup=group. The idea is getting all groups and filtering to some one: {0} = the name of the user group (in Active Directory cn=groupname, etc., so cn={0} = some group name).

lineac
Fresh Boarder
Posts: 9
Joined: Fri Mar 16, 2012 4:09 pm

Re: OpenLDAP problem

Post by lineac » Fri Mar 30, 2012 11:01 am

Okay we solved our problem. We are using OpenLDAP and not Active Directory btw ;P (look at the thread title)

The problem was case: the login must be in lowercase... In any case, we modified our login-config.xml and Openkm.cfg to be more accurate. Here is our config, to help any future user encountering the same problems:

LDAP Structure:

Code:

dc=fr
	dc=soc
		ou=groups
			cn=UserRole, objectClass=posixGroup, memberUid = jack, memberUid = joe
			cn=AdminRole, objectClass=posixGroup, memberUid = jack
		ou=people
			ou=intern
				cn = jack, objectClass=inetOrgperson, uid = jack
				cn = joe, objectClass=inetOrgperson, uid = joe
Our OpenKM.cfg:

Code:

principal.adapter				com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users	Active
principal.ldap.mail.attribute			mail
principal.ldap.mail.search.base			ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.mail.search.filter		(&(objectClass=inetOrgPerson)(cn={0}))
principal.ldap.referral				follow
principal.ldap.role.attribute			cn
principal.ldap.role.search.base			ou=groups,dc=soc,dc=fr
principal.ldap.role.search.filter		(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute		cn
principal.ldap.roles.by.user.search.base	ou=groups,dc=soc,dc=fr
principal.ldap.roles.by.user.search.filter	(memberUid={0})
principal.ldap.security.credentials		xxxxxx
principal.ldap.security.principal		cn=admin,dc=soc,dc=fr
principal.ldap.server				ldap://192.168.xxx.xxx:389
principal.ldap.user.attribute			cn
principal.ldap.user.search.base			ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.user.search.filter		(objectClass=inetOrgPerson)
principal.ldap.users.by.role.attribute		memberUid
principal.ldap.users.by.role.search.base	ou=groups,dc=soc,dc=fr
principal.ldap.users.by.role.search.filter	(&(objectClass=posixGroup)(cn={0}))

system.login.lowercase				Active
That last line is what we were looking for: it makes the login lowercase (though it's possible to cheat and post an uppercase username), but for users' use, it's sufficient.

login-config.xml:

Code:

        <application-policy name="OpenKM">
          <authentication>
           <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
             <module-option name="java.naming.provider.url">ldap://192.168.xxx.xxx:389</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">cn=admin,dc=soc,dc=fr</module-option>
             <module-option name="bindCredential">******</module-option>
             <module-option name="baseCtxDN">ou=intern,ou=users,dc=soc,dc=fr</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">ou=groups,dc=soc,dc=fr</module-option>
             <module-option name="roleFilter">(memberUid={0})</module-option>
             <module-option name="roleAttributeID">cn</module-option>
             <module-option name="roleAttributeIsDN">false</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             <module-option name="allowEmptyPasswords">false</module-option>
             <!-- <module-option name="defaultRole">UserRole</module-option> -->
           </login-module>
          </authentication>
        </application-policy>
Thanks for having answered our questions, it is greatly appreciated =)
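As an added illustration (not code from this thread or from OpenKM), here is a small Python model of how the principal.ldap.* filters in the final config resolve against the tree above, why the login case mattered, and what {0} stands for in each filter. It assumes the RFC 2307 matching rules OpenLDAP applies (cn and uid compared case-insensitively, memberUid case-exactly), a SUBTREE search, and a directory constructed inline from the entries in this post; it also contrasts the original users.by.role filter (memberUid={0}) with the corrected one (cn={0}).

```python
# Assumption (see lead-in): memberUid uses caseExactIA5Match in nis.schema,
# while cn and uid use caseIgnoreMatch, so only memberUid is case-sensitive.
CASE_EXACT = {"memberUid"}

# Constructed directory mirroring the posixGroup / inetOrgPerson entries in the post.
DIRECTORY = [
    {"dn": "cn=UserRole,ou=groups,dc=soc,dc=fr", "objectClass": ["posixGroup"],
     "cn": ["UserRole"], "memberUid": ["jack", "joe"]},
    {"dn": "cn=AdminRole,ou=groups,dc=soc,dc=fr", "objectClass": ["posixGroup"],
     "cn": ["AdminRole"], "memberUid": ["jack"]},
    {"dn": "cn=jack,ou=intern,ou=users,dc=soc,dc=fr",
     "objectClass": ["inetOrgPerson"], "cn": ["jack"], "uid": ["jack"]},
    {"dn": "cn=joe,ou=intern,ou=users,dc=soc,dc=fr",
     "objectClass": ["inetOrgPerson"], "cn": ["joe"], "uid": ["joe"]},
]

def _match(entry, attr, value):
    vals = entry.get(attr, [])
    if attr in CASE_EXACT:
        return value in vals
    return value.lower() in [v.lower() for v in vals]

def evaluate(flt, entry):
    """Evaluate the filter subset used here: (attr=value) and (&(f1)(f2)...)."""
    flt = flt.strip()
    if flt.startswith("(&"):
        inner, parts, depth, start = flt[2:-1], [], 0, 0
        for i, ch in enumerate(inner):  # split the top-level sub-filters
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                parts.append(inner[start:i + 1])
                start = i + 1
        return all(evaluate(p, entry) for p in parts)
    attr, value = flt[1:-1].split("=", 1)
    return _match(entry, attr, value)

def search(base, flt, attr):
    """Values of attr from entries under base that satisfy flt (SUBTREE scope)."""
    hits = [e for e in DIRECTORY if e["dn"].endswith(base) and evaluate(flt, e)]
    return sorted(v for e in hits for v in e.get(attr, []))

def roles_by_user(login, lowercase=False):
    """principal.ldap.roles.by.user.*: {0} is the login name (a uid)."""
    if lowercase:  # what system.login.lowercase=Active does before the lookup
        login = login.lower()
    return search("ou=groups,dc=soc,dc=fr", "(memberUid={0})".replace("{0}", login), "cn")

def users_by_role(role, flt):
    """principal.ldap.users.by.role.*: {0} is the role's cn, not a uid."""
    return search("ou=groups,dc=soc,dc=fr", flt.replace("{0}", role), "memberUid")
```

Logging in as "Jack" finds the user (uid is case-insensitive) but no roles (memberUid is not), which is the 403 seen earlier; lowercasing the login restores both roles.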

pavila
Moderator
Posts: 3091
Joined: Tue Dec 11, 2007 6:02 pm
Location: Alicante, Spain

Re: [Solved] OpenLDAP problem

Post by pavila » Sat Mar 31, 2012 7:15 am

You are welcome :)

jllort
Moderator
Posts: 10994
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: [Solved] OpenLDAP problem

Post by jllort » Sun Apr 01, 2012 8:58 pm

I will create an LDAP configuration example section with your configuration in the online documentation.

jllort
Moderator
Posts: 10994
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: [Solved] OpenLDAP problem

Post by jllort » Mon Apr 02, 2012 3:05 pm

