OpenKM 5.1.10 - LDAP Configuration

 #18607  by Lorderich
 
Hello,

I am trying to implement an LDAP authentication against our Lotus Domino Server.

After searching around I found this wiki article from OpenKM: http://wiki.openkm.com/index.php/LDAP_a ... r_examples

With this information I have configured the login.xml and put the necessary information into the administration area of OpenKM. In the user list I can see the users, so the connection to the LDAP server is established. I can also see the roles which I have created in our LDAP directory.

I didn't find any information about the necessary configuration requirements for the openkm.cfg file.

No user is able to log in with an account from the LDAP directory. All LDAP users get the error message: "Authentication Error". In the user list, no user imported from the LDAP directory has a role in the "Roles" column.

I have configured the login.xml with the following information:
-----------------
<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
         <module-option name="java.naming.provider.url">ldap://10.10.20.10:9091</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">CN=bind ldap,O=organization</module-option>
         <module-option name="bindCredential">secret</module-option>
         <module-option name="baseCtxDN">ou=organizationunit,O=organization</module-option>
         <module-option name="baseFilter">(uid={0})</module-option>
         <module-option name="rolesCtxDN">""</module-option>
         <module-option name="roleFilter">(member={0})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
         <module-option name="roleRecursion">-1</module-option>
         <module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
         <!-- <module-option name="defaultRole">GroupName</module-option> -->
      </login-module>
   </authentication>
</application-policy>
--------------------------------------------------

The following information is included in the administration tab:
--------------------------------------------------
principal.adapter                             String    com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users      Boolean
principal.ldap.mail.attribute                 String    mail
principal.ldap.mail.search.base               String    OU=organizationunit;O=organization
principal.ldap.mail.search.filter             String    (&(objectClass=dominoperson)(cn={0}))
principal.ldap.referral                       String    follow
principal.ldap.role.attribute                 String    CN
principal.ldap.role.search.base               String
principal.ldap.role.search.filter             String    (objectClass=dominogroup)
principal.ldap.roles.by.user.attribute        String    CN
principal.ldap.roles.by.user.search.base      String
principal.ldap.roles.by.user.search.filter    String    (member={0})
principal.ldap.security.credentials           String    secret
principal.ldap.security.principal             String    bindCN
principal.ldap.server                         String    ldap://server:9091   -> I am using another ldap port, so that is okay
principal.ldap.user.attribute                 String    CN
principal.ldap.user.search.base               String    OU=organizationalunit;O=organization
principal.ldap.user.search.filter             String    (objectclass=person)
principal.ldap.username.attribute             String    CN
principal.ldap.username.search.base           String
principal.ldap.username.search.filter         String    (&(objectclass=person)(CN={0}))
principal.ldap.users.by.role.attribute        String    member
principal.ldap.users.by.role.search.base      String
principal.ldap.users.by.role.search.filter    String    (&(objectClass=dominogroup)(CN={0}))
-----------------------------------------------------------

Could you please have a look at the configuration? I think I don't see the misconfiguration.

Kind regards

René alias Lorderich
 #18615  by Lorderich
 
Hello,

Can it have something to do with the usernames that OpenKM imports from LDAP?

Because OpenKM gets the username in the format "Firstname Surname". Is the space between Firstname and Surname the problem, so that nobody can log in?

Kind regards

René alias Lorderich
 #18623  by jllort
 
Go by phases; LDAP integration is not trivial. Which OpenKM version do you have installed?
The example you have seen in the wiki is for OpenLDAP; with Active Directory some changes should be made.
And finally, first concentrate on login; while login is not working correctly, do not work on other parameters. If you get error 403 permission denied you're in the right direction: you log in, but the users have neither UserRole nor AdminRole (consider that all users should have one of these).
 #18633  by Lorderich
 
Hello,

after playing around a while I got it to work.

So the user is able to log in, but only with the configuration <module-option name="defaultRole">UserRole</module-option>. Is there an option to change the default user role to one role which is available in our LDAP environment?

For example, all users who will be able to log in to the OpenKM system get the role "=KM_Role". All admins will get the role "=KM_Admin_Role".

My current login-config looks like this:
<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
         <module-option name="java.naming.provider.url">ldap://ldap.emphasys.corp:9091</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">CN=login ,O=Organization/module-option>
         <module-option name="bindCredential">secret</module-option>
         <module-option name="baseCtxDN">ou=emp,o=EMPHASYS.CORP</module-option>
         <module-option name="java.naming.referral">follow</module-option>
         <module-option name="baseFilter">(CN={0})</module-option>
         <module-option name="rolesCtxDN">O=EMPHASYS.CORP</module-option>
         <module-option name="roleFilter">(member={1})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
         <module-option name="roleRecursion">-1</module-option>
         <module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="defaultRole">UserRole</module-option>
      </login-module>
   </authentication>
</application-policy>
Thanks for your help in advance.

René alias Lorderich

PS: Installed Version is 5.1.10.
 #18644  by jllort
 
Basically it indicates you have a problem getting roles with the current configuration and should continue working on it.

This is surely wrong (it seems in your LDAP you do not need login credentials; otherwise with this bind I do not know how you're logging in):
<module-option name="bindDN">CN=login ,O=Organization/module-option>
This is very strange too:
<module-option name="rolesCtxDN">O=EMPHASYS.CORP</module-option>
Is it a Microsoft Active Directory or another kind of LDAP?
You have not taken inspiration from our wiki documentation for this configuration, no?
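The two login.xml versions in this thread (#18607 and #18633) and the points jllort raises in #18644 can be checked mechanically before touching a live directory. The following is an added example, not OpenKM's or JBoss's code: it parses an <application-policy> fragment and reports the mistakes discussed above (a literal "" as rolesCtxDN, a roleFilter that compares the DN-valued member attribute with the login name {0} instead of the user DN {1}, and a closing tag that is not well-formed XML). The sample configuration is constructed from the first post with the bind credential replaced by a placeholder; the regex and the function names are this example's own.

```python
"""Sanity-check a JBoss LdapExtLoginModule <application-policy> before deploying it.
Facts used: in baseFilter {0} is the login name; in roleFilter {0} is the login
name and {1} is the DN of the user found by baseFilter."""
import re
import xml.etree.ElementTree as ET

# Loose RFC 4514 shape: "attr=value" RDNs separated by commas (hypothetical helper regex).
_DN_RE = re.compile(r"^\s*[A-Za-z][\w-]*=[^,=]+(\s*,\s*[A-Za-z][\w-]*=[^,=]+)*$")
REQUIRED = ("java.naming.provider.url", "bindDN", "bindCredential",
            "baseCtxDN", "baseFilter", "rolesCtxDN", "roleFilter")
DN_VALUED_ROLE_ATTRS = ("member", "uniquemember")   # group attributes that hold DNs

# Constructed from the thread's first login.xml; the credential is a placeholder.
FIRST_POST = """<application-policy name="OpenKM"><authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name="java.naming.provider.url">ldap://10.10.20.10:9091</module-option>
<module-option name="bindDN">CN=bind ldap,O=organization</module-option>
<module-option name="bindCredential">PLACEHOLDER</module-option>
<module-option name="baseCtxDN">ou=organizationunit,O=organization</module-option>
<module-option name="baseFilter">(uid={0})</module-option>
<module-option name="rolesCtxDN">""</module-option>
<module-option name="roleFilter">(member={0})</module-option>
</login-module></authentication></application-policy>"""

def module_options(xml_text):
    """Return {option-name: value} for the first <login-module>; raise ParseError if absent."""
    lm = ET.fromstring(xml_text).find(".//login-module")
    if lm is None:
        raise ET.ParseError("no <login-module> element")
    return {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}

def lint(xml_text):
    """Return human-readable findings; an empty list means the options look sane."""
    try:
        opts = module_options(xml_text)
    except ET.ParseError as e:          # e.g. a closing tag missing its leading '<'
        return ["login.xml is not well-formed XML: %s" % e]
    findings = [f"missing or empty module-option {n!r}" for n in REQUIRED if not opts.get(n)]
    for dn_opt in ("bindDN", "baseCtxDN", "rolesCtxDN"):
        val = opts.get(dn_opt, "")
        if val in ('""', "''"):
            findings.append(f"{dn_opt} is the literal {val}; use a real DN")
        elif val and not _DN_RE.match(val):
            findings.append(f"{dn_opt} does not look like a DN: {val!r}")
    # For a simple single-attribute filter: 'member' holds DNs, so it must be bound to {1}.
    rf = opts.get("roleFilter", "")
    if rf.strip("()").split("=", 1)[0].lower() in DN_VALUED_ROLE_ATTRS and "{0}" in rf:
        findings.append(f"roleFilter {rf!r} compares a DN-valued attribute with the login name; use {{1}}")
    if opts.get("allowEmptyPasswords", "false").lower() == "true":
        findings.append("allowEmptyPasswords=true lets an empty password reach the directory")
    return findings
```

Running lint(FIRST_POST) reports the rolesCtxDN and roleFilter problems; the version from #18633 fails at the XML stage because of the broken bindDN closing tag.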
