Online demo
Download
Contact

Because information matters

  • Groups/Roles Disappeared after configuring for LDAP

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
It is currently Sun Apr 19, 2026 3:07 pm

Groups/Roles Disappeared after configuring for LDAP

OpenKM has many interesting features, but requires some configuration process to show its full potential.
Forum rules: Please, before asking something see the documentation wiki or use the search feature of the forum. And remember we don't have a crystal ball or mental readers, so if you post about an issue tell us which OpenKM are you using and also the browser and operating system version. For more info read How to Report Bugs Effectively.
 Reply

Groups/Roles Disappeared after configuring for LDAP

 #17184  by ChrisHobbs
 
I'm looking at using OpenKM as a replacement for an ancient DMS we have in our organization, and it looks like a great fit so far. I installed a fresh system this morning to put into practice what I've been learning, and started on the fresh build by adding LDAP access per the wiki. Authentication works great, and users that are in the AdminRole LDAP group get admin access, and users in the UserRole LDAP group get non-admin access. So far so good!

However, I can no longer manage Roles or assign Groups for security. If, for example, I delete the UserRole permissions for an item, when I go back into security for that item I see no Groups listed on the right side as available. Likewise, in the administration panels, I see no roles listed to filter my user list, and no roles listed when I go into the Roles link. I'm attaching screenshots that should make it clear what I'm describing. However, they clearly work as designed as I can log in with LDAP credentials and get the proper permissions based on my LDAP group membership.

I'm guessing I missed something in my LDAP settings, so here they are (munged slightly):
Code: Select all
principal.ldap.mail.attribute	String 	mail 
principal.ldap.mail.search.base	String 	ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.mail.search.filter	String 	(&(objectClass=InetOrgPerson)(cn={0}))
principal.ldap.referral	String 	follow
principal.ldap.role.attribute	String 	cn
principal.ldap.role.search.base	String 	ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.role.search.filter	String 	(objectClass=posixGroup) 
principal.ldap.roles.by.user.attribute	String 	cn 
principal.ldap.roles.by.user.search.base	String 	ou=Roles,ou=OpenKM,ou=ApplicationSupport,dc=nhusd,dc=k12,dc=ca,dc=us 
principal.ldap.roles.by.user.search.filter	String 	(memberID={0}) 
principal.ldap.security.credentials	String 	********
principal.ldap.security.principal	String 	cn=admin***** 
principal.ldap.server	String 	ldap://host.domain.com:389/ 
principal.ldap.user.attribute	String 	cn 
principal.ldap.user.search.base	String 	ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us 
principal.ldap.user.search.filter	String 	(objectClass=inetOrgPerson) 
principal.ldap.username.attribute	String 		Edit   Delete
principal.ldap.username.search.base	String 		Edit   Delete
principal.ldap.username.search.filter	String 		Edit   Delete
principal.ldap.users.by.role.attribute	String 	memberUid 
principal.ldap.users.by.role.search.base	String 	ou=Roles,ou=OpenKM,ou=ApplicationSupport,dc=nhusd,dc=k12,dc=ca,dc=us 
principal.ldap.users.by.role.search.filter	String 	(&(objectClass=posixGroup)(cn={0}))
Thanks in advance!

Chris
Attachments
Screen Shot 2012-07-12 at 2.27.08 PM.png
Screen Shot 2012-07-12 at 2.27.08 PM.png (10.66 KiB) Viewed 4881 times
Screen Shot 2012-07-12 at 2.27.01 PM.png
Screen Shot 2012-07-12 at 2.27.01 PM.png (11.58 KiB) Viewed 4881 times
Screen Shot 2012-07-12 at 2.26.29 PM.png
Screen Shot 2012-07-12 at 2.26.29 PM.png (17.95 KiB) Viewed 4881 times

Re: Groups/Roles Disappeared after configuring for LDAP

 #17185  by ChrisHobbs
 
principal.ldap.roles.by.user.search.filter String (memberID={0})
And of course, this should actually be:

principal.ldap.roles.by.user.search.filter String (memberUid={0})

That improved my User list, in that it now shows what role each user has. But the dropdown filter is still blank, and I can't assign security groups as described above.
Attachments
Screen Shot 2012-07-12 at 4.08.57 PM.png
Screen Shot 2012-07-12 at 4.08.57 PM.png (16.26 KiB) Viewed 4879 times

Re: Groups/Roles Disappeared after configuring for LDAP

 #17195  by jllort
 
have you changed principalAdaptor to ldapPrincipalAdapter and then have restarted application ( restarting in this case is mandatory ).

After it you should concentrate in Administration view and step by step, first should be getting user list
Code: Select all
principal.ldap.user.attribute String cn
principal.ldap.user.search.base String ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.user.search.filter String (objectClass=inetOrgPerson)

Re: Groups/Roles Disappeared after configuring for LDAP

 #17206  by ChrisHobbs
 
jllort wrote:have you changed principalAdaptor to ldapPrincipalAdapter and then have restarted application ( restarting in this case is mandatory ).

After it you should concentrate in Administration view and step by step, first should be getting user list
Thanks for replying jilort!

The adapter had been changed to com.openkm.principal.LdapPrincipalAdapter, and ldap users can log in. I also see all of them listed in the User list. I also see the Roles to which they are assigned in the list. However, the dropdown Role filter list is empty.

Re: Groups/Roles Disappeared after configuring for LDAP

 #17217  by jllort
 
Now you should concentrate in
Code: Select all
principal.ldap.role.attribute= cn
principal.ldap.role.search.base= ou=staff,dc=nhusd,dc=k12,dc=ca,dc=us
principal.ldap.role.search.filter=(objectClass=posixGroup)
All roles are in this node or in several subnodes, if are in subnodes you should enable follow parameter.
Code: Select all
principal.ldap.referral=follow

Re: Groups/Roles Disappeared after configuring for LDAP

 #17238  by ChrisHobbs
 
Many thanks for the hand-holding. I had pointed principal.ldap.role.search.base at my user container, not my role container. Changing it to the right spot has got me squared away!

Onward to configuration of a taxonomy for my users now :)
 Reply
 Return to “Configuration”

Favorites

About Us

OpenKM is part of the management software. A management software is a program that facilitates the accomplishment of administrative tasks. OpenKM is a document management system that allows you to manage business content and workflow in a more efficient way. Document managers guarantee data protection by establishing information security for business content.

Powered By phpBB -
 ©OpenKM 2021
 - All times are UTC -