User & Role listing on OpenKM6.2_Community with openldap

[turtleizzy]

After quite a bit of struggling, I finally got my OpenKM system integrated with openldap authorization. Now members in ROLE_ADMIN and ROLE_USER can log into the website normally with correct user permission.

However, when I checked Users and Roles in OpenKM administration panel, the only user inside was okmAdmin, group 'abcd' didn't show up either. I think something must be wrong in my OpenKM configuration but I couldn't find anything.

Here is my configuration. Can someone please help me? Thank you in advance!

For those who are also struggling on openldap integration on OpenKM 6.2, this configuration profile can be a good start since it works fine for login at least .

OpenLDAP structure:

Code: Select all

dc=ldap
   dc=pumc
      ou=groups
         cn=ROLE_ADMIN, objectClass=posixGroup, memberUid = apple
         cn=ROLE_USER, objectClass=posixGroup, memberUid = boy, memberUid = cat
         cn=abcd, objectClass=posixGroup, memberUid = cat
      ou=moodleusers
         cn = apple, objectClass=inetOrgperson, uid = apple
         cn = boy, objectClass=inetOrgperson, uid = boy

OpenKM.xml

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

  <!-- Tasks configuration -->
  <!--
  <task:scheduler id="taskScheduler" pool-size="1"/>
  <task:scheduled-tasks scheduler="taskScheduler">
    <task:scheduled ref="textExtractorWorker" method="work" fixed-delay="60000"/>
  </task:scheduled-tasks>
  <beans:bean id="textExtractorWorker" class="com.openkm.extractor.TextExtractorWorker" />
  -->
  
  <!-- Security configuration -->


<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

<beans:bean id="contextSource" 
		class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://localhost:389/"/>
  <beans:property name="userDn" value="oops"/>
  <beans:property name="password" value="oops"/>
  <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>
 
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="ou=groups,dc=pumc,dc=ldap"/>
      <beans:property name="groupSearchFilter" value="memberUid={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false"/>
      <beans:property name="rolePrefix" value=""/> 
   </beans:bean>
  </beans:constructor-arg>
</beans:bean>
 
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="ou=moodleusers,dc=pumc,dc=ldap"/>
  <beans:constructor-arg index="1" value="cn={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
  </beans:bean>
</beans:beans>

OpenKM configuration

Code: Select all

principal.ldap.mail.attribute			String	 mail	    
principal.ldap.mail.search.base			String	 ou=moodleusers,dc=pumc,dc=ldap	    
principal.ldap.mail.search.filter			String	 (&(objectClass=inetOrgPerson)(cn={0}))	    
principal.ldap.referral				String	 follow	    
principal.ldap.role.attribute			String	 cn	    
principal.ldap.role.search.base			List		 ou=groups,dc=pumc,dc=ldap	    
principal.ldap.role.search.filter			String	 (objectClass=posixGroup)	    
principal.ldap.roles.by.user.attribute		String	 cn	    
principal.ldap.roles.by.user.search.base	String	 ou=groups,dc=pumc,dc=ldap	    
principal.ldap.roles.by.user.search.filter	String	 (memberUid={0})	    
principal.ldap.security.credentials		String	 oops 
principal.ldap.security.principal			String	 oops	    
principal.ldap.server					String	 ldap://localhost:389	    
principal.ldap.user.attribute			String	 cn	    
principal.ldap.user.search.base			List		 ou=moodleusers,dc=pumc,dc=ldap	    
principal.ldap.user.search.filter			String	 (objectClass=inetOrgPerson)	    
principal.ldap.username.attribute		String	 memberUid	    
principal.ldap.username.search.base		String	 ou=moodleusers,dc=pumc,dc=ldap	    
principal.ldap.username.search.filter		String	 (&(objectClass=inetOrgPerson)(cn={0}))	    
principal.ldap.users.by.role.attribute		String	 memberUid	    
principal.ldap.users.by.role.search.base	String	 ou=groups,dc=pumc,dc=ldap	    
principal.ldap.users.by.role.search.filter	String	 (&(objectClass=posixGroup)(cn={0}))	     
principal.ldap.users.from.roles			Boolean	False	    

[turtleizzy]

Okay, after changing principal.adapter into

Code: Select all

principal.adapter         String       com.openkm.principal.LdapPrincipalAdapter                 

Users and roles in the internal database disappeared, but those in LDAP server didn't come up. An error message keeps popping up in console.

Code: Select all

2012-11-17 10:53:38,051 [http-bio-8080-exec-3] ERROR com.openkm.principal.LdapPrincipalAdapter - NamingException: [LDAP: error code 34 - invalid DN] (Base: [ou=moodleusers,dc=pumc,dc=ldap] - Filter: (&(objectClass=inetOrgPerson)(cn=apple)) - Attribute: cn)

Commandline ldapsearch with filter and base given by exception message returns normal result.

[turtleizzy]

Problem solved.
Maybe OpenKM throws NamingException as long as system cannot obtain required information from LDAP server. Therefore not being able to connect server or wrong principal/credential will also raise NamingException. In my case, the credential was mistyped.

[jllort]

Yes. Errors some times is not clear. Is good idea use ldap studio to test connection, queries etc... then when you set data into OpenKM parameters you're sure all is right. This error as you indicate show us is needed some test utilities into openkm to know what fails ( at least have some ldap connection test ).

[turtleizzy]

We have been using the system for a whole month normally. It seems that this configuration works well.
It is appreciated if you can put my working LDAP configuration on wiki in case anyone need it.

[jllort]

Confirm to me that your first post contains correct data and I will add in wiki