• Open KM not getting users or roles from AD

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #12943  by balbaroy
 
I have successfully configured my login-config.xml. I currently have 2 groups in Active Directory, one called AdminRole, the other called UserRole. When I log into OpenKM, users that are MemberOf the AdminRole have admin access, and users that are MemberOf the UserRole have user access, so everything is working there. The problem is that when I get into OpenKM as an Admin and go to the Users tab, I get no users or roles shown. I'm running the latest version of OpenKM on Server 2008 R2.

Here is my login-config.xml for reference:
```xml
<!-- enclosing element, as in OpenKM's JBoss login-config.xml -->
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://myserver:636</module-option>
      <module-option name="java.naming.security.protocol">ssl</module-option>
      <module-option name="bindDN">CN=Administrator,ou=Processes,ou=Enterprise Resources,DC=my,DC=domain,DC=com</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">Password</module-option>
      <module-option name="baseCtxDN">ou=Accounts,DC=my,DC=domain,DC=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">ou=Accounts,DC=my,DC=domain,DC=com</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">0</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <module-option name="java.naming.referral">follow</module-option>
    </login-module>
  </authentication>
</application-policy>
```


Here are the DNs to my roles:
CN=AdminRole,OU=OpenKM,OU=Groups,OU=UPG,OU=Departments,DC=my,DC=domain,DC=com
CN=UserRole,OU=OpenKM,OU=Groups,OU=UPG,OU=Departments,DC=my,DC=domain,DC=com

I have all of these settings in the OpenKM Administration, but they don't work, and I'm sure I am misunderstanding how to implement my settings properly.

```properties
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.0.6
principal.ldap.security.principal=CN=Administrator,ou=Processes,ou=Enterprise Resources,DC=my,DC=domain,DC=com
principal.ldap.security.credentials=password

principal.ldap.user.search.base=ou=Accounts,dc=my,dc=domain,dc=com
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn

principal.ldap.role.search.base=ou=Accounts,dc=my,dc=domain,dc=com
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=cn={0},ou=Accounts,dc=my,dc=domain,dc=com
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.attribute=mail

principal.ldap.users.by.role.search.base=cn={0},ou=Accounts,dc=my,dc=domain,dc=com
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=cn={0},ou=Accounts,dc=my,dc=domain,dc=com
principal.ldap.roles.by.user.search.filter=(objectClass=person)
principal.ldap.roles.by.user.attribute=memberOf
```
Any help would be great!
 #12955  by jllort
 
I hope you know that the configuration parameters are now stored in the DBMS; that is where they must be changed.

I suggest you take advantage of Apache Directory Studio and execute your queries there ... you'll see whether they are right or not.
 #12969  by balbaroy
 
Yes, I have been making all of the changes through the OpenKM configuration page, not the cfg file. I am confused about the cn={0}: am I supposed to be changing something before or after this to match our AD setup?
 #12982  by jllort
 
That's not easy to configure, and it needs you to understand your LDAP structure (browsing with Apache Directory Studio will help with it).

I suggest you concentrate only on getting users. If you go to administration, can you see the user list or not? Are your users only on one node or distributed in several places? If they are distributed in several places, I suggest

```properties
principal.ldap.user.search.base=dc=my,dc=domain,dc=com
```

Understand that it's difficult to help you, because the LDAP structure the administrator has decided on can have great differences, and each one needs different configuration parameters (there's no magic in it). As I said, please use Apache Directory Studio; you'll understand your LDAP structure better, and there you can execute the queries that will be used by OpenKM.
 #12992  by balbaroy
 
Well, I figured out my main problem: since my LDAP server is running SSL, I needed to have ldaps:// not ldap://. There is not much documentation on LDAP servers in OpenKM with SSL. Once I made this change, most of the default settings shown in the OpenKM Wiki worked or only needed minor tweaking. The only issue I still have is that OpenKM imports every memberOf attribute into the system. I'm not sure if there is a way to turn this off or not, but in the OpenKM system I am only concerned with the UserRole or AdminRole memberOf attributes.

I also noticed that rather than the name of the user, OpenKM displays this: com.openkm.principal.LdapPrincipalAdapter. The users are being loaded correctly, though: email addresses are loading, Roles are loading, and the Roles the user is a memberOf are loading. So I'm not sure what might be causing this error. I attached a screenshot for a better explanation.

[Attachment: openkm-2.jpg]
 #12998  by jllort
 
SSL is not documented in OpenKM because we suppose that if you've got your LDAP protected by SSL, you must connect via that protocol. I don't know if any change other than the URI is needed; if so, comments are welcome and we will upgrade this part of the documentation.

About the user problem.
Which OpenKM version are you using? If you're not using 5.1.8, upgrade to the latest on integration.openkm.com (here is what will be the 5.1.8 version).

Are you still using this LDAP query?

```properties
principal.ldap.user.search.base=ou=Accounts,dc=my,dc=domain,dc=com
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn
```

Have you tried with Apache LDAP Active Directory?
 #12999  by balbaroy
 
jllort wrote: SSL is not documented in OpenKM because we suppose that if you've got your LDAP protected by SSL, you must connect via that protocol. I don't know if any change other than the URI is needed; if so, comments are welcome and we will upgrade this part of the documentation.

About the user problem.
Which OpenKM version are you using? If you're not using 5.1.8, upgrade to the latest on integration.openkm.com (here is what will be the 5.1.8 version).

Are you still using this LDAP query?

```properties
principal.ldap.user.search.base=ou=Accounts,dc=my,dc=domain,dc=com
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn
```

Have you tried with Apache LDAP Active Directory?
I am using version 5.1.7.

I am still using the same LDAP query, except I changed the search filter to:

```
(&(objectClass=person)(|(MemberOf=CN=UserRole,OU=OpenKM,OU=Groups,OU=UPG,OU=Departments,DC=univ,DC=pitt,DC=edu)(MemberOf=CN=AdminRole,OU=OpenKM,OU=Groups,OU=UPG,OU=Departments,DC=univ,DC=pitt,DC=edu)))
```

If I do just (objectClass=person) it loads our whole directory, which takes almost 7 minutes, so I only want it to load users who are memberOf UserRole and AdminRole. This works fine, though; the problem with the name is there even if I only do (objectClass=person).

Also, is it correct that it is loading all of the memberOf attributes? If so, in future release it might be a nice feature to add the ability to only show memberOf attributes that are relative to OpenKM. Perhaps this could be done with a different search filter as well.
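Two points from the thread, as an added example that is not the posters' or the OpenKM project's code: building the "only OpenKM members" user filter from the role DNs with RFC 4515 escaping (so a DN containing `(`, `)`, `*` or `\` cannot break or alter the filter), and flagging an `ldap://` URL pointed at an SSL listener, the mismatch found above. All DNs and URLs below are constructed sample values.

```python
"""Helpers for OpenKM-style LDAP principal configuration (added example)."""
from typing import Iterable, List, Optional
from urllib.parse import urlsplit

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value, otherwise a DN fragment is parsed as filter syntax.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def members_of_any(role_dns: Iterable[str], object_class: str = "person",
                   member_attr: str = "memberOf") -> str:
    """Build (&(objectClass=person)(|(memberOf=DN1)(memberOf=DN2)...)).

    Restricts the user search to members of the given groups instead of
    loading the whole directory, as balbaroy did with UserRole/AdminRole.
    """
    dns = list(role_dns)
    if not dns:
        raise ValueError("at least one role DN is required")
    clauses = "".join(f"({member_attr}={escape_filter_value(dn)})" for dn in dns)
    return f"(&(objectClass={object_class})(|{clauses}))"


def check_ldap_url(url: str, security_protocol: Optional[str] = None) -> List[str]:
    """Return findings for a provider URL whose transport does not match the port.

    ldap:// on 636 sends a plaintext LDAP handshake to a TLS listener; the
    symptom in this thread was simply 'no users or roles', not a clear error.
    JNDI treats ldap:// plus java.naming.security.protocol=ssl as TLS, so that
    combination is accepted here (assumption: caller passes that option value).
    """
    parts = urlsplit(url)
    findings: List[str] = []
    if parts.scheme not in ("ldap", "ldaps"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if parts.scheme == "ldap" and parts.port == 636 and security_protocol != "ssl":
        findings.append("ldap:// on port 636 without ssl: use ldaps://")
    if parts.scheme == "ldaps" and parts.port == 389:
        findings.append("ldaps:// on port 389: plaintext port, use ldap://")
    return findings
```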
 #13001  by balbaroy
 
Using Apache Directory Studio I get a list of the users when I do a search using the parameters from above:

```
CN=Username,OU=Accounts,DC=my,DC=domain,DC=com
CN=Username2,OU=Accounts,DC=my,DC=domain,DC=com
CN=Username3,OU=Accounts,DC=my,DC=domain,DC=com
```

Where does OpenKM extract the name from?

To get the name using ldapsearch.exe I use the following:

```
ldapsearch.exe -h ldaps://myserver -p 9389 -b "ou=Accounts,DC=my,DC=domain,DC=com" -D "cn=openkmsys,ou=processes,ou=Container,DC=my,DC=domain,DC=com" -w SimplePassword -LLL -s sub "(&(objectClass=person)(|(MemberOf=CN=UserRole,OU=OpenKM,OU=Groups,OU=UPG,OU=Departments,DC=my,DC=domain,DC=com)(MemberOf=CN=AdminRole,OU=OpenKM,OU=Groups,OU=UPG,OU=Departments,DC=my,DC=domain,DC=com)))" cn givenname sn
```

This gives me the username, the first name and the last name. However, in OpenKM it seems you can only specify 1 attribute to return. Is this correct, or am I not understanding something?
 #13025  by jllort
 
Yes, only one attribute is expected after a query (it's normal: if you're looking for users in your LDAP, they must normally be held under the same attribute).

The search base must be OU=Accounts,DC=my,DC=domain,DC=com
The filter should be (objectClass=person) to get all users, and then, if you want to filter, do it afterwards.
The attribute could be cn or sAMAccountName (in some cases the cn user value is not like sAMAccountName; then I suggest you use sAMAccountName).
 #13113  by balbaroy
 
jllort wrote: Yes, only one attribute is expected after a query (it's normal: if you're looking for users in your LDAP, they must normally be held under the same attribute).

The search base must be OU=Accounts,DC=my,DC=domain,DC=com
The filter should be (objectClass=person) to get all users, and then, if you want to filter, do it afterwards.
The attribute could be cn or sAMAccountName (in some cases the cn user value is not like sAMAccountName; then I suggest you use sAMAccountName).
Well, I tried both cn and sAMAccountName, and both only return the username. I am still unable to get the user's actual name. It's almost like, with the way our LDAP server is deployed, we need a separate query to get the user's actual name. Or am I misunderstanding something here?
 #13128  by jllort
 
Really, in OpenKM you should use the username (the login name), not the full user name (name and surname). If you're looking for the second, then here you've got the problem: you should not use it, you should use the login name (username credentials).
 #13152  by balbaroy
 
We are using the username to log into the system. I am talking about when you go and view the user list: the name is com.openkm.principal.LdapPrincipalAdapter rather than the user's actual name. You can see this in the picture I posted in the 5th post. OpenKM is getting the ID, Mail, and Roles correctly, but not the Name, and this is what I am trying to fix.
 #13162  by jllort
 
Try upgrading to version 5.1.8, because we've solved some bugs in the 5.1.7 LDAP implementation. If upgrading does not solve it, let me see only the properties.

I've seen your properties are

```properties
principal.ldap.user.search.base=ou=Accounts,dc=my,dc=domain,dc=com
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=cn
```

Try changing to (but I think the problem is somewhere else; before trying it, upgrade to 5.1.8)

```properties
principal.ldap.user.attribute=sAMAccountName
```
