OpenKM + Zimbra LDAP
 #10456  by jean
 
Hi!
I have been trying for three days to set up OpenKM with Zimbra but still have not found the correct filters; has anyone come across this problem?
I am forwarding my settings:

OpenKM.cfg
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://XXX.XXX.XXX.XXX:389
principal.ldap.security.principal=uid=wiki,ou=people,dc=domain,dc=com,dc=br
principal.ldap.security.credentials=PaSSWoRD
principal.ldap.user.search.base=ou=people,dc=domain,dc=com,dc=br
principal.ldap.user.search.filter=(objectClass=zimbraAccount)
principal.ldap.user.attribute=uid
#principal.ldap.role.search.base=ou=groups,dc=domain,dc=com,dc=br     -----------> "groups" does not exist in ldap at this time
#principal.ldap.role.search.filter=(objectClass=posixGroup)    -----------> "posixGroup" does not exist in ldap at this time      
#principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn={0},ou=people,dc=domain,dc=com,dc=br
principal.ldap.mail.search.filter=(objectClass=organizationalPerson)
principal.ldap.mail.atribute=zimbraMailDeliveryAddress
system.login.lowercase=on
default/conf/login-config.xml
<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
       <authentication>
        <login-module code= "org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name= "java.naming.provider.url">ldap://XXX.XXX.XXX.XXX:389</module-option>
        <module-option name= "bindDN">uid=wiki,ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name= "bindCredential">PaSSwORD</module-option>
        <module-option name= "baseCtxDN">ou=people,dc=domain,dc=com,dc=br</module-option>
        </login-module>
       </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
       <authentication>
...
Got this in server/default/logs:
2011-04-14 12:10:29,655 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added OpenKM, org.jboss.security.plugins.SecurityDomainContext@1e3f171 to map
2011-04-14 12:10:29,664 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=jean
In LDAP (from Zimbra):
zimbra@cerberus:~$ ldapsearch -h XXX.XXX.XXX.XXX -W -x -LL -D uid=wiki,ou=people,dc=domain,dc=com,dc=br uid=jean    
Enter LDAP Password: 
version: 1

dn: uid=jean,ou=people,dc=domain,dc=com,dc=br
mail: jean@domain.com.br
mail: sioux@domain.com.br
uid: jean
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
objectClass: posixAccount
objectClass: sambaSamAccount
sn: Carlos Coelho
givenName: Jean
cn: Jean Carlos Coelho
displayName: Jean Carlos Coelho

zimbra@cerberus:~$


Any suggestions?

Thank You! :)
 #10480  by jllort
 
LDAP integration has two parts: login, and after that some OpenKM.cfg parameters that are used for getting some lists in the UI, or the mail address when the core sends mails to users.

Have you successfully integrated authentication in login-config.xml?
 #10596  by jean
 
Well, after some days working on it... I found my partial solution, and here it is:

Zimbra Version:
Release 6.0.7_GA_2473.DEBIAN5 DEBIAN5 FOSS edition.

OpenKM Version:
OpenKM-5.0.4_JBoss-4.2.3.GA

------------------------

OpenKM.cfg
system.ghostscript.ps2pdf=/usr/bin/ps2pdf
system.openoffice.path=/usr/lib/openoffice
system.ocr=/usr/bin/tesseract
system.img2pdf=/usr/bin/convert
system.pdf2swf=/usr/bin/pdf2swf
system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
application.url=http://docs.domain.com.br/OpenKM/com.openkm.frontend.Main/index.jsp

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://XXX.XXX.XXX.XXX:389
principal.ldap.security.principal=uid=wiki,ou=people,dc=domain,dc=com,dc=br
principal.ldap.security.credentials=PaSSwoRD

principal.ldap.user.search.base=ou=people,dc=domain,dc=com,dc=br
principal.ldap.user.search.filter=(objectclass=organizationalPerson)
principal.ldap.user.attribute=uid

principal.ldap.mail.search.base=uid={0},ou=people,dc=domain,dc=com,dc=br
principal.ldap.mail.search.filter=(objectClass=organizationalPerson)
principal.ldap.mail.attribute=mail

principal.ldap.roles.by.user.search.base=uid={0},ou=people,dc=domain,dc=com,dc=br
principal.ldap.roles.by.user.search.filter=(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute=uid
login-config.xml
  <!-- OpenKM -->
    <application-policy name = "OpenKM">
       <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
        <module-option name="java.naming.provider.url">ldap://XXX.XXX.XXX.XXX:389</module-option>
        <module-option name="bindDN">uid=wiki,ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">PaSSwORD</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleRecursion">1</module-option>
        <module-option name="roleFilter">(memberUid={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="rolesCtxDN">ou=groups,dc=domain,dc=com,dc=br</module-option>
        <module-option name="defaultRole">UserRole</module-option>
        <module-option name="baseCtxDN">ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>
      </authentication>
    </application-policy>
Well, I can now log in to OpenKM, but I get no UserRoles, and logging in with the admin user gives no admin functions (tab). If I set defaultRole in login-config.xml to AdminRole, all my users are now admin users; in this scenario I can review all the configuration in the web interface (all my users are admin users), and the configuration shows me usernames and emails... OK with LDAP, but no ROLES. Any clue? :)

The error in the console when I'm logging in with some user is:
2011-04-19 18:40:40,257 ERROR [STDERR] javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name ''
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:56)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:538)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1975)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:265)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.principal.LdapPrincipalAdapter.ldapSearch(LdapPrincipalAdapter.java:201)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.principal.LdapPrincipalAdapter.getRoles(LdapPrincipalAdapter.java:85)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.module.direct.DirectAuthModule.getRoles(DirectAuthModule.java:802)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.api.OKMAuth.getRoles(OKMAuth.java:143)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.frontend.server.OKMAuthServlet.getAllRoles(OKMAuthServlet.java:551)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at java.lang.reflect.Method.invoke(Method.java:616)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:188)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:224)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

Thanks!
 #10934  by jean
 
Hello, after some time kicking the machine and trying several configurations, I got it working, but with some options disabled. Here's my scenario:

1) got all LDAP users able to log in at the OpenKM web UI, but no admin role is set for the admin LDAP user
2) then I set up login-config.xml with AdminRole and all users from LDAP now have admin powers (ALL USERS)
3) then I created all my folders and subfolders and added all my users with their permissions (recursive or not) to these folders
4) I set some users to have a "fake admin power" in the configuration of the access level on the folders (rwx)
5) reconfigured login-config.xml to UserRole and all users are now ordinary users
6) access and privileges are OK and only some users have the power to edit or delete folders

OK, now I've got it working, and I'm testing again.

Here's the final configuration files ;)

== OpenKM.cfg ==
postscript.ps2pdf=/usr/bin/ps2pdf
system.openoffice.path=/usr/lib/openoffice
system.ocr=/usr/bin/tesseract
system.img2pdf=/usr/bin/convert
system.pdf2swf=/usr/bin/pdf2swf
system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
application.url=http://docs.domain.com.br/OpenKM/com.openkm.frontend.Main/index.jsp

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://XXX.XXX.XXX.XXX:389
principal.ldap.security.principal=cn=config
principal.ldap.security.credentials=YOUR_LDAP_USER_PASSWORD

principal.ldap.user.search.base=ou=people,dc=domain,dc=com,dc=br
principal.ldap.user.search.filter=(objectclass=organizationalPerson)
principal.ldap.user.attribute=uid

principal.ldap.roles.by.user.search.base=ou=groups,dc=domain,dc=com,dc=br
principal.ldap.roles.by.user.search.filter=(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute=cn

principal.ldap.mail.search.base=uid={0},ou=people,dc=domain,dc=com,dc=br
principal.ldap.mail.search.filter=(objectClass=organizationalPerson)
principal.ldap.mail.attribute=mail

chat.enabled=on
chat.autologin=on

default.user.role=UserRole
default.admin.role=AdminRole
== login-config.xml ==
    <!-- OpenKM -->
    <application-policy name = "OpenKM">
       <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
        <module-option name="java.naming.provider.url">ldap://XXX.XXX.XXX.XXX:389</module-option>
        <module-option name="bindDN">cn=config</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">YOUR_LDAP_USER_PASSWORD</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleRecursion">1</module-option>
        <module-option name="roleFilter">(memberUid={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="rolesCtxDN">ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name="defaultRole">UserRole</module-option>
        <module-option name="baseCtxDN">ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>
       </authentication>
    </application-policy>
== Login Logs ==
with debug activated: server.log

Users:
2011-05-06 18:56:32,967 DEBUG [com.openkm.principal.LdapPrincipalAdapter] getUsers()
2011-05-06 18:56:32,990 DEBUG [com.openkm.principal.LdapPrincipalAdapter] ldapSearch(ldap://XXX.XXX.XXX.XXX:389, cn=config, LDAP_PASSWORD, ou=people,dc=domain,dc=com,dc=br, (objectclass=organizationalPerson), uid)
2011-05-06 18:56:33,028 DEBUG [com.openkm.principal.LdapPrincipalAdapter] ldapSearch: [admin, user1,user2,user3,user4]
Groups:
2011-05-06 18:56:33,060 DEBUG [com.openkm.principal.LdapPrincipalAdapter] getRolesByUser()
2011-05-06 18:56:33,089 DEBUG [com.openkm.principal.LdapPrincipalAdapter] ldapSearch(ldap://XXX.XXX.XXX.XXX:389, cn=config, LDAP_PASSWORD, ou=groups,dc=domain,dc=com,dc=br, (objectClass=posixGroup), cn)
2011-05-06 18:56:33,093 DEBUG [com.openkm.principal.LdapPrincipalAdapter] ldapSearch: [group1, group2, group3, group4]
2011-05-06 18:56:33,093 DEBUG [com.openkm.principal.LdapPrincipalAdapter] getRolesByUser: [group1,group2,group3,group4]

And here it is... not 100%, but a working integration of OpenKM and Zimbra Collaboration Suite. :)
 #10946  by jllort
 
I suggest removing <module-option name="defaultRole">UserRole</module-option> from your login-config.xml configuration, because it forces every user to have that role, and really, if login-config.xml is correctly configured, roles are obtained from there without needing to force all users to have it. If you have this line, any user in LDAP, even one that does not have UserRole in your LDAP, will be able to connect to OpenKM.

For a start it is good to have <module-option name="defaultRole">UserRole</module-option> as a first configuration step, but then it should be removed, and the effort dedicated to the rest of the LDAP configuration in login-config.xml so that it extracts roles correctly too.

Tell me if this change of configuration is right.

When all is fine, I'd like to put the configuration parameters in the wiki. Tell me the Zimbra version where you've tested it. That could be useful to other users.
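How the two role lookups in the final files above actually behave, as an added example that is not code from the thread, from OpenKM or from JBoss. It is a small Python model of JBoss's LdapExtLoginModule substitution rules ({0} is the login name, {1} is the DN of the user that was found and bound) and of OpenKM's principal.ldap.roles.by.user.* search, run against a constructed in-memory directory: the uid=jean entry mirrors the ldapsearch output earlier in the thread, while uid=admin, uid=guest, the two posixGroup entries, all passwords and the filter evaluator (which handles only the RFC 4515 subset used here) are invented for the example. THREAD_LOGIN reproduces the final login-config.xml, FIXED_LOGIN is the corrected form; THREAD_CFG and FIXED_CFG do the same for the OpenKM.cfg role filter.

```python
"""Added, constructed model of how JBoss LdapExtLoginModule and OpenKM's LdapPrincipalAdapter turn
the thread's login-config.xml / OpenKM.cfg values into LDAP searches. DIRECTORY stands in for Zimbra's
OpenLDAP tree: uid=jean mirrors the thread's ldapsearch output; everything else is invented."""
import hmac

PEOPLE = "ou=people,dc=domain,dc=com,dc=br"
GROUPS = "ou=groups,dc=domain,dc=com,dc=br"
_RAW = {
    f"uid=jean,{PEOPLE}": {"uid": ["jean"], "mail": ["jean@domain.com.br"], "userPassword": ["jean-pw"],
                           "objectClass": ["organizationalPerson", "zimbraAccount", "posixAccount"]},
    f"uid=admin,{PEOPLE}": {"uid": ["admin"], "objectClass": ["organizationalPerson"], "userPassword": ["admin-pw"]},
    f"uid=guest,{PEOPLE}": {"uid": ["guest"], "objectClass": ["organizationalPerson"], "userPassword": ["guest-pw"]},
    f"cn=AdminRole,{GROUPS}": {"cn": ["AdminRole"], "objectClass": ["posixGroup"], "memberUid": ["admin"]},
    f"cn=UserRole,{GROUPS}": {"cn": ["UserRole"], "objectClass": ["posixGroup"], "memberUid": ["admin", "jean"]},
}
DIRECTORY = {dn: {k.lower(): v for k, v in e.items()} for dn, e in _RAW.items()}  # attribute names are case-insensitive

def escape_filter_value(value):
    """RFC 4515 escaping: a login name such as '*)(uid=*' must not be able to rewrite the filter."""
    for ch, rep in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"), (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, rep)
    return value

def parse_filter(text):
    """Compile a filter (equality, &, |, !) into a predicate over an entry dict."""
    if not text:  # JNDI raises InvalidSearchFilterException here, as in the thread's stack trace
        raise ValueError("Empty filter; remaining name ''")
    def node(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1]
        if op in "&|!":
            subs, i = [], i + 2
            while text[i] == "(":
                pred, i = node(i)
                subs.append(pred)
            if text[i] != ")":
                raise ValueError("unbalanced filter")
            return {"&": lambda e: all(p(e) for p in subs), "|": lambda e: any(p(e) for p in subs),
                    "!": lambda e: not subs[0](e)}[op], i + 1
        j = text.index(")", i)
        attr, _, want = text[i + 1:j].partition("=")  # split on the first '=' only: DN values contain '='
        attr, want = attr.lower(), want.lower()       # escaped bytes compare literally; no wildcards here
        return (lambda e: any(v.lower() == want for v in e.get(attr, []))), j + 1
    pred, end = node(0)
    if end != len(text):
        raise ValueError("trailing characters after filter")
    return pred

def search(base, scope, filter_text):
    """Entries under base that match the filter; ONELEVEL_SCOPE means direct children only."""
    pred, base = parse_filter(filter_text), base.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        parent = dn.lower().split(",", 1)[1]
        in_scope = parent == base if scope == "ONELEVEL_SCOPE" else dn.lower().endswith("," + base)
        if in_scope and pred(entry):
            hits.append((dn, entry))
    return hits

def ldap_ext_login(username, password, opts):
    """LdapExtLoginModule semantics: {0} is the login name, {1} is the authenticated user's DN."""
    user = escape_filter_value(username)
    hits = search(opts["baseCtxDN"], opts["searchScope"], opts["baseFilter"].replace("{0}", user))
    if len(hits) != 1:
        return None                              # unknown or ambiguous user
    user_dn, entry = hits[0]
    stored = entry.get("userpassword", [""])[0]  # simple bind modelled as a constant-time compare
    if not password or not hmac.compare_digest(stored, password):
        return None                              # allowEmptyPasswords=false / "Bad password for username=..."
    roles = set()
    if opts.get("rolesCtxDN"):
        role_filter = opts["roleFilter"].replace("{0}", user).replace("{1}", escape_filter_value(user_dn))
        for _, group in search(opts["rolesCtxDN"], opts["searchScope"], role_filter):
            roles.update(group.get(opts["roleAttributeID"].lower(), []))
    if opts.get("defaultRole"):                  # handed to every authenticated user, group member or not
        roles.add(opts["defaultRole"])
    return user_dn, roles

def openkm_roles_by_user(username, cfg):
    """OpenKM principal.ldap.roles.by.user.*: {0} is substituted with the user name."""
    filt = cfg["filter"].replace("{0}", escape_filter_value(username))
    return sorted(v for _, g in search(cfg["base"], "SUBTREE_SCOPE", filt) for v in g.get(cfg["attribute"].lower(), []))

# The thread's final login-config.xml: role search under ou=people using {1}, i.e. the user's DN.
THREAD_LOGIN = {"baseCtxDN": PEOPLE, "baseFilter": "(uid={0})", "searchScope": "ONELEVEL_SCOPE",
                "rolesCtxDN": PEOPLE, "roleFilter": "(memberUid={1})", "roleAttributeID": "cn",
                "defaultRole": "UserRole"}
# posixGroup.memberUid holds the uid, so match on {0}, search ou=groups, and drop defaultRole.
FIXED_LOGIN = {**THREAD_LOGIN, "rolesCtxDN": GROUPS, "roleFilter": "(memberUid={0})", "defaultRole": None}
# The thread's OpenKM.cfg roles.by.user filter has no {0}, so it returns every group for every user.
THREAD_CFG = {"base": GROUPS, "filter": "(objectClass=posixGroup)", "attribute": "cn"}
FIXED_CFG = {**THREAD_CFG, "filter": "(&(objectClass=posixGroup)(memberUid={0}))"}

if __name__ == "__main__":
    for name in ("admin", "jean", "guest"):
        print(name, ldap_ext_login(name, name + "-pw", THREAD_LOGIN)[1], ldap_ext_login(name, name + "-pw", FIXED_LOGIN)[1])
        print("  OpenKM roles_by_user:", openkm_roles_by_user(name, THREAD_CFG), openkm_roles_by_user(name, FIXED_CFG))
```

Under THREAD_LOGIN every account, including uid=guest, which belongs to no group, comes back with exactly {UserRole}: (memberUid={1}) asks for a memberUid equal to the whole user DN, which no posixGroup carries, and rolesCtxDN=ou=people contains no groups anyway, so the only role ever granted is defaultRole, which is the situation jllort describes. Under FIXED_LOGIN admin gets {AdminRole, UserRole}, jean gets {UserRole} and guest gets no role at all, which is what a role-restricted web application needs in order to turn a stranger away. The OpenKM.cfg side has the same flavour of problem: (objectClass=posixGroup) contains no {0}, so getRolesByUser returns every group for every user, consistent with the [group1, group2, group3, group4] line in the debug log; the conventional posixGroup membership filter (&(objectClass=posixGroup)(memberUid={0})) returns only the caller's groups. The stack trace in #10596 comes from LdapPrincipalAdapter.getRoles, a different call from getRolesByUser, and the OpenKM.cfg posted with it sets no principal.ldap.role.search.* keys (the ones still commented out in the first post), which fits the empty filter JNDI complains about; parse_filter raises the same message so that failure mode is visible in the model. Two further points a practitioner would change regardless of the model: bind with a dedicated read-only lookup account rather than cn=config, which in Zimbra's OpenLDAP is the configuration-database root DN and far more privilege than a user and group lookup needs, especially with its password sitting in clear text in both OpenKM.cfg and login-config.xml; and escape the substituted login name as escape_filter_value does, so that what a user types at the login form cannot reshape the search filter.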
