• OpenKM with Active Directory, can't find users

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #15351  by rasha123
 
Hey all,

I am new to OpenKM. I'm using OpenKM 5.1.9 and tried for a while to configure OpenKM with Active Directory; in the end it was successfully done, but I am facing a problem and I don't know where I missed the configuration.
When I log in with any user, the user is not stored, and even the user group ("role") that I created in Active Directory is not retrieved. When I log in as an admin user I can't have a log file for the users logged in to OpenKM.

This is my login-config file:
Code:
<application-policy name="OpenKM">

     <authentication>
         <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
             <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
             <module-option name="java.naming.provider.url">ldap://10.100.x.x:389/</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">xxxx\Administrator</module-option>
             <module-option name="bindCredential">password</module-option>
             <module-option name="baseCtxDN">ou=user,dc=xxx,dc=local</module-option>
             <module-option name="baseFilter">(sAMAccountName={0})</module-option>
             <module-option name="rolesCtxDN">ou=user,dc=xxxx,dc=local</module-option>
             <module-option name="roleFilter">(member={1})</module-option>
             <module-option name="roleAttributeIsDN">true</module-option>
             <module-option name="roleNameAttributeID">cn</module-option>
             <module-option name="java.naming.referral">follow</module-option>
          </login-module>
     </authentication>
</application-policy>
and this is OpenKM.cfg:
Code:
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter 
principal.ldap.server=ldap://10.100.200.91:389/ 
principal.ldap.security.principal=CN=Administrator,ou=user,dc=xx,dc=local 
principal.ldap.security.credentials=password 
principal.ldap.user.search.base=ou=user,dc=xxx,dc=local 
principal.ldap.user.search.filter=(objectclass=person) 
principal.ldap.user.attribute=sAMAccountName 
principal.ldap.role.search.base=ou=xxx,dc=xxx,dc=local 
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn 
principal.ldap.mail.search.base=cn={0},ou=xxx,dc=xxx,dc=local 
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0})) 
principal.ldap.mail.attribute=mail 
principal.ldap.users.by.role.search.base=ou=xxxx,dc=xxx,dc=local 
principal.ldap.users.by.role.search.filter=(objectclass=group) 
principal.ldap.users.by.role.attribute=member 
principal.ldap.roles.by.user.search.base=ou=xxxx,dc=xxx,dc=local 
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0})) 
principal.ldap.roles.by.user.attribute=memberOf 
I created users under UserRole and AdminRole. When I log in as an admin user I can't see the users logged in under other roles.

Please, if anyone can help me with the configuration.

Thanks.
Last edited by rasha123 on Wed May 02, 2012 9:42 am, edited 1 time in total.
 #15399  by rasha123
 
Hi,

I read the article and did every change to login-config.xml and OpenKM.cfg; still users and roles are not imported from Active Directory to OpenKM. Did I miss something???? I also made changes to OKM_APP.
Code:
INSERT INTO OKM_CONFIG VALUES('principal.adapter','string','com.sun.jndi.ldap.LdapCtxFactory');
INSERT INTO OKM_CONFIG VALUES('principal.database.filter.inactive.users','boolean','true');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.mail.attribute','string','mail');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.mail.search.base','string','ou=Rejectionfile,dc=xxx,dc=local');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.mail.search.filter','string','(objectclass=person)');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.role.attribute','string','name');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.role.search.base','string','ou=Rejectionfile,dc=xxx,dc=local');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.role.search.filter','string','(objectclass=group)');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.roles.by.user.attribute','string','memberOf');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.roles.by.user.search.base','string','ou=Rejectionfile,dc=xxxx,dc=local');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.roles.by.user.search.filter','string','(&(objectClass=person)(cn={0}))');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.security.credentials','string','Aministrator');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.security.principal','string','CN=Aministrator,ou=Rejectionfile,dc=xxxx,dc=local');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.server','string','ldap://10.xx.xx.xx:389/');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.user.attribute','string','sAMAccountName');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.user.search.base','string','ou=Rejectionfile,dc=xxxx,dc=local');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.user.search.filter','string','(objectclass=person)');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.users.by.role.attribute','string','member');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.users.by.role.search.base','string','ou=Rejectionfile,dc=xxxx,dc=local');
INSERT INTO OKM_CONFIG VALUES('principal.ldap.users.by.role.search.filter','string','(&(objectClass=group)(cn={0}))');
 #15409  by jllort
 
You have not changed the database class to the LDAP class (why are you using inserts and not the OpenKM administration view?). These configuration parameters need you to reload the application.
 #15415  by rasha123
 
Hi,

I made the changes in the OpenKM administration view, but the problem is that every time I reload and run JBoss again all the configuration I made is deleted!!

Where exactly can I change the database class to the LDAP class???
 #15445  by rasha123
 
Hi,

I changed
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
Now I can make changes in the administration and it is accepting them, but still users and roles are not imported from Active Directory.

These are the DNs from Active Directory:

"cn= user1, CN=group1,OU=xxx,DC=xxxx,DC=local"
"cn= user2,CN=group2,OU=xxx,DC=xxxx,DC=local"
"cn= user3,CN=group3,OU=xxx,DC=xxxx,DC=local"

where users and roles (groups) are under the OU.

I'm not sure if my mistake is in the configuration of roles and users?!
 #15469  by jllort
 
Take a look at the advanced configuration in our online wiki documentation, because your users are in several Active Directory nodes, and ensure principal.ldap.referral=follow.
 #15479  by rasha123
 
Hi,

Thanks for replying.

I did read the advanced configuration and applied it to mine, but it still did not work :(

I used an LDAP browser to figure out the structure of my Active Directory and the list of DNs,

and this is the structure:

dc=mydomain.local
.. ou=users (DN: OU=users,DC=mydomain,DC=local)
......cn=user1 (DN: CN=user1,OU=users,DC=mashfa,DC=local) CN=person
......cn=user2
......cn=department1 <<< group (DN: CN=department1,OU=users,DC=mashfa,DC=local) CN=group
......cn=department2 <<< group

I am really confused: I can log in and I can see in the trace the login user and the memberOf, but it is still not imported to OpenKM :(
Code:
	Principal: administrator
	Principal: Roles(members:AdminRole)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@1f5a0bbc{principal=administrator,subject=2103521203}
17:10:45,814 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
17:10:45,814 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
17:10:46,819 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
17:10:46,820 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
	Principal: administrator
	Principal: Roles(members:AdminRole)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@50b873b8{principal=administrator,subject=2103521203}
17:10:46,820 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
17:10:46,821
I would really appreciate it if someone could tell me if I missed something here :(
 #15488  by jllort
 
Login is only one part of the configuration and is an independent XML configuration file. You should configure the parameters correctly from the administration tab. You should revise it. Concentrate on getting the users parameters and the LDAP server configuration; copy your configuration parameters here.
 #15491  by rasha123
 
These are my configuration parameters in administration:
Code:
# Since OpenKM 5.1 this file is only used for Hibernate configuration.
# To change configuration parameters, use Administration -> Configuration
#
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=create

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://10.100.XX.XX:389/
principal.ldap.security.principal=CN=Administrator,ou=users,dc=xxx,dc=local
principal.ldap.security.credentials=PASSWORD

principal.ldap.user.search.base=ou=users,dc=xxx,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=ou=users,dc=xxx,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=cn={0},ou=users,dc=xxx,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.users.by.role.search.base=cn={0},ou=users,dc=xxx,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=ou=users,dc=xxx,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf

 #15504  by jllort
 
I cannot see
Code:
principal.ldap.referral=follow
Let's concentrate on it:
Code:
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://10.100.XX.XX:389/
principal.ldap.security.principal=CN=Administrator,ou=users,dc=xxx,dc=local
principal.ldap.security.credentials=PASSWORD

principal.ldap.user.search.base=ou=users,dc=xxx,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName
Seems correct; ensure the credentials are right, the server is right, and you have principal.ldap.referral=follow. Remember that when you make this change (principal.adapter=com.openkm.principal.LdapPrincipalAdapter) you should restart the server!!! If you have not done it, do it.

Other observation: you have posted OpenKM.cfg from version 5.1. After the first time you run OpenKM, the parameters must be set from administration; OpenKM.cfg is only for the initial load of parameters.
 #15510  by rasha123
 
Hi,

Thanks again for replying and trying to solve my problem :)

As you mentioned, I set principal.ldap.referral=follow
and I restarted the server after changing principal.adapter=com.openkm.principal.LdapPrincipalAdapter.
The file OpenKM.cfg is empty; I only changed
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
and all the other changes I made from administration. I'm not sure which credentials I have to make sure of :s please clarify.

Also, I really don't understand what cn={0} means here?
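The following block is an added example by the editor; it is not code from the original posts and not OpenKM's own LdapPrincipalAdapter. It models the lookups that the principal.ldap.* keys in this thread describe, run against a constructed in-memory copy of the directory layout rasha123 posted (person and group entries under one OU), to make two things concrete: what cn={0} and sAMAccountName={0} mean (the {0} placeholder is replaced by the login name or role name before the filter is sent to the server), and jllort's advice to check the search parameters (the search base, the filter template and the attribute name must each be right; a filter typo such as (jectcoblass=group) is syntactically valid and simply matches nothing, which looks exactly like "roles are not imported"). Assumptions: the DN values (mydomain.local, user1, department1), the simplified filter parser, and the users.by.role filter in the (&(objectClass=group)(cn={0})) form from the earlier SQL post rather than the final post's unparameterised (objectclass=group). Because the login name is substituted into the filter, the example escapes it per RFC 4515 so that a name like `*)(objectClass=*` cannot rewrite the query. A practitioner should also note that the configurations posted in this thread bind as the domain Administrator with a cleartext password over plain ldap:// on port 389; a dedicated read-only service account and ldaps:// (or StartTLS) are the usual hardening.

```python
"""Walk-through of the lookups behind OpenKM's principal.ldap.* keys, run
against a constructed in-memory directory shaped like the thread's (persons
and groups both under OU=users). Simplified model, not OpenKM's own code."""
import re

BASE = "OU=users,DC=mydomain,DC=local"  # assumed OU holding users and groups

def _person(name, *groups):  # constructed AD-like person entry, sample data only
    return {"objectClass": ["top", "person", "user"], "cn": [name],
            "sAMAccountName": [name], "mail": [f"{name}@mydomain.local"],
            "memberOf": [f"CN={g},{BASE}" for g in groups]}

def _group(name, *members):  # constructed AD-like group entry, sample data only
    return {"objectClass": ["top", "group"], "cn": [name],
            "member": [f"CN={m},{BASE}" for m in members]}

DIRECTORY = {  # constructed sample directory; not real accounts
    f"CN=user1,{BASE}": _person("user1", "department1"),
    f"CN=user2,{BASE}": _person("user2", "department1", "department2"),
    f"CN=department1,{BASE}": _group("department1", "user1", "user2"),
    f"CN=department2,{BASE}": _group("department2", "user2"),
}

CONFIG = {  # the thread's key names; {0} is filled in per lookup
    "principal.ldap.user.search.base": BASE,
    "principal.ldap.user.search.filter": "(objectclass=person)",
    "principal.ldap.user.attribute": "sAMAccountName",
    "principal.ldap.role.search.base": BASE,
    "principal.ldap.role.search.filter": "(objectclass=group)",
    "principal.ldap.role.attribute": "cn",
    "principal.ldap.roles.by.user.search.base": BASE,
    "principal.ldap.roles.by.user.search.filter":
        "(&(objectclass=person)(sAMAccountName={0}))",
    "principal.ldap.roles.by.user.attribute": "memberOf",
    "principal.ldap.users.by.role.search.base": BASE,
    "principal.ldap.users.by.role.search.filter": "(&(objectClass=group)(cn={0}))",
    "principal.ldap.users.by.role.attribute": "member",
}

def escape_filter_value(value):
    """RFC 4515 escaping so a login name cannot rewrite the filter."""
    for ch, esc in (("\\", r"\5c"), ("*", r"\2a"), ("(", r"\28"),
                    (")", r"\29"), ("\0", r"\00")):
        value = value.replace(ch, esc)
    return value

def expand(template, arg):
    """What cn={0} / sAMAccountName={0} means: {0} becomes the escaped argument."""
    return template.replace("{0}", escape_filter_value(arg))

def _parse(s):
    """Tiny RFC 4515 parser: (attr=value), (&...), (|...), (!...)."""
    if not s.startswith("("):
        raise ValueError(f"expected '(' near {s!r}")
    s = s[1:]
    if s[:1] in ("&", "|", "!"):
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")") or (op == "!" and len(kids) != 1):
            raise ValueError("malformed filter")
        return (op, kids), s[1:]
    m = re.match(r"([A-Za-z][\w.;-]*)=([^)]*)\)", s)
    if not m:
        raise ValueError(f"bad filter item near {s!r}")
    return ("=", m.group(1), m.group(2)), s[m.end():]

def _value_regex(pattern):
    """Unescaped * is a wildcard; \\xx escapes are literal; AD compares case-insensitively."""
    out = []
    for piece in re.split(r"(\\[0-9a-fA-F]{2}|\*)", pattern):
        if piece == "*":
            out.append(".*")
        elif re.fullmatch(r"\\[0-9a-fA-F]{2}", piece):
            out.append(re.escape(chr(int(piece[1:], 16))))
        else:
            out.append(re.escape(piece))
    return re.compile("".join(out), re.IGNORECASE | re.DOTALL)

def _attr(entry, name):  # attribute names are case-insensitive in LDAP
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def _matches(node, entry):
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    rx = _value_regex(node[2])
    return any(rx.fullmatch(v) for v in _attr(entry, node[1]))

def search(base, filter_str):
    """Subtree search: entries at or under base that satisfy the filter."""
    node, rest = _parse(filter_str.strip())
    if rest:
        raise ValueError(f"trailing data in filter: {rest!r}")
    b = base.lower()
    return [dn for dn, e in DIRECTORY.items()
            if (dn.lower() == b or dn.lower().endswith("," + b)) and _matches(node, e)]

def _rdn(dn):
    return dn.split(",", 1)[0].split("=", 1)[1]  # "CN=x,..." -> "x"

def _lookup(cfg, prefix, arg=None, as_rdn=False):
    base, flt, attr = (cfg[f"principal.ldap.{prefix}.{k}"]
                       for k in ("search.base", "search.filter", "attribute"))
    flt = expand(flt, arg) if arg is not None else flt
    vals = {v for dn in search(base, flt) for v in _attr(DIRECTORY[dn], attr)}
    return sorted(_rdn(v) if as_rdn else v for v in vals)  # memberOf/member hold DNs

def list_users(cfg=CONFIG):
    return _lookup(cfg, "user")

def list_roles(cfg=CONFIG):
    return _lookup(cfg, "role")

def roles_by_user(user, cfg=CONFIG):
    return _lookup(cfg, "roles.by.user", user, as_rdn=True)

def users_by_role(role, cfg=CONFIG):
    return _lookup(cfg, "users.by.role", role, as_rdn=True)
```

Running `roles_by_user("user2")` gives `['department1', 'department2']`, while swapping the role filter for the thread's typo, `list_roles({**CONFIG, "principal.ldap.role.search.filter": "(jectcoblass=group)"})`, returns an empty list with no error, which is the silent failure mode to check for when "roles are not imported".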
 #15526  by rasha123
 
Hi,

Thanks again for helping me all the way.

Finally, I solved my problem :D
and this is the correct configuration in the administration:
Code:
    system.login.lowercase=on
    principal.adapter=com.openkm.principal.LdapPrincipalAdapter
    principal.ldap.server=ldap://10.xxx.xx.xx:381/
    principal.ldap.security.principal=domain\Administrator
    principal.ldap.security.credentials=password
    principal.ldap.user.search.base=ou=user,dc=xxx,dc=local
    principal.ldap.user.search.filter=(objectclass=person)
    principal.ldap.user.attribute=sAMAccountName
    principal.ldap.role.search.base=ou=xxx,dc=xxx,dc=local
    principal.ldap.role.search.filter=(objectclass=group)
    principal.ldap.role.attribute=cn
    principal.ldap.mail.search.base=cn={0},ou=xxx,dc=xxx,dc=local
    principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
    principal.ldap.mail.attribute=mail
    principal.ldap.users.by.role.search.base=ou=xxxx,dc=xxx,dc=local
    principal.ldap.users.by.role.search.filter=(objectclass=group)
    principal.ldap.users.by.role.attribute=member
    principal.ldap.roles.by.user.search.base=ou=xxxx,dc=xxx,dc=local
    principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
    principal.ldap.roles.by.user.attribute=memberOf
    principal.ldap.referral=follow 
It appeared that there was a mistake in the credentials :oops: in my case it took domain\Administrator.
It worked just fine; users and roles were correctly imported, I just needed minor changes in some attribute names to get the correct values :)
In OpenKM.cfg I added
Code:
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
Now everything is working fine :D
