LDAP Integration

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #20573  by averma
 
Hi,
I am trying to configure OpenKM (6.2.1) with our LDAP server but no luck yet.
Our directory structure is as follows:
Code:
dc=aaa,dc=bbb
|
|___
|     |
|     ou=svcs
|           |
|           ou=cto
|                |
|               ou=Tools
|                    |
|                    ou=egbp
|                         |
|                        cn=OPENKM_USER
|                        cn=OPENKM_ADMIN
|
|___
      |
     ou=people
           |
          uid=xxx
          uid=yyy
Here are the entries in my OpenKM.xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldaps://XXXXXXX:636/"/>
  <beans:property name="userDn" value="uid=OPENKM-Tool,ou=zzzz,dc=aaa,dc=bbb"/>
  <beans:property name="password" value="XXXXXXX"/>
  <beans:property name="baseEnvironmentProperties">
    <beans:map>
      <beans:entry>
        <beans:key>
          <beans:value>java.naming.referral</beans:value>
        </beans:key>
        <beans:value>follow</beans:value>
      </beans:entry>
    </beans:map>
  </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="ou=egbp,ou=Tools,ou=cto,ou=svcs,dc=aaa,dc=bbb"/>
      <beans:property name="groupSearchFilter" value="(member={1})"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="ou=people,dc=aaa,dc=bbb" />
  <beans:constructor-arg index="1" value="(uid={0})" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>

But when I try to log in with my username (for example: averma) and my LDAP password, it says "Authentication error".
Could you please help me figure out where I am going wrong?

Regards,
Adi
 #20574  by averma
 
Some more information:
Here is the configuration inside OpenKM:
Code:
principal.adapter                            com.openkm.principal.DatabasePrincipalAdapter
principal.database.filter.inactive.users     Active
principal.ldap.mail.attribute                mail
principal.ldap.mail.search.base              ou=people,dc=aaa,dc=bbb
principal.ldap.mail.search.filter            (&(objectClass=person)(uid={0}))
principal.ldap.referral                      follow
principal.ldap.role.attribute                cn
principal.ldap.role.search.base              ou=egbp,ou=Tools,ou=cto,ou=svcs,dc=aaa,dc=bbb
principal.ldap.role.search.filter            (objectClass=posixGroup)
principal.ldap.roles.by.user.attribute       cn
principal.ldap.roles.by.user.search.base     ou=egbp,ou=Tools,ou=cto,ou=svcs,dc=aaa,dc=bbb
principal.ldap.roles.by.user.search.filter   (member=uid={0},ou=people,dc=aaa,dc=bbb)
principal.ldap.security.credentials          XXXXXXXX
principal.ldap.security.principal            uid=OPENKM-Tool,ou=zzzz,dc=aaa,dc=bbb
principal.ldap.server                        ldaps://XXXXXXXX:636
principal.ldap.user.attribute                uid
principal.ldap.user.search.base              ou=people,dc=aaa,dc=bbb
principal.ldap.user.search.filter            (&(objectClass=person)(uid={0}))
principal.ldap.username.attribute            cn
principal.ldap.username.search.base          ou=people,dc=aaa,dc=bbb
principal.ldap.username.search.filter        (&(objectClass=person)(uid={0}))
principal.ldap.users.by.role.attribute       cn
principal.ldap.users.by.role.search.base     ou=egbp,ou=Tools,ou=cto,ou=svcs,dc=aaa,dc=bbb
principal.ldap.users.by.role.search.filter   (objectClass=posixGroup)
 #20595  by jllort
 
First concentrate on login (OpenKM.xml).
Do you have an OpenLDAP? (From your configuration I see it is not Microsoft Active Directory.)
 #20641  by dejanfc
 
If you login with default okmAdmin account (use normal auth manager, not ldap), can you list your LDAP users and roles on the Users tab?

edit: Just saw that you're using

principal.adapter com.openkm.principal.DatabasePrincipalAdapter

Change to:

principal.adapter com.openkm.principal.LdapPrincipalAdapter
 #20652  by averma
 
I was able to configure LDAP but after login I got this error:

INFO com.openkm.module.db.DbAuthModule - Create okm:trash/averma
ERROR com.openkm.module.db.DbAuthModule - b636b890-7836-434d-a9d2-c92b3411a9c5 : /okm:trash

If I understand correctly, it could not create user-specific folders because the group name in LDAP is different from ROLE_USER or ROLE_ADMIN.
 #20653  by dejanfc
 
What are your OpenKM roles (in the config tab)? If ROLE_USER and ROLE_ADMIN, create these two groups in your LDAP; otherwise disable the "ROLE_" prefix in the RoleVoter bean in applicationContext.xml to use custom roles.
 #20712  by jllort
 
Yes, the error is caused because when you log in the user credentials do not have ROLE_USER or ROLE_ADMIN. OpenKM tries to create the okm:trash node if it does not exist, but to do that you need the ROLE_USER grant.
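As an added example (not code from this thread or from OpenKM), the following Python models how the OpenKM.xml posted above resolves a user through FilterBasedLdapUserSearch and then collects its groups through DefaultLdapAuthoritiesPopulator, so the ROLE_USER mismatch described in the last two replies can be reproduced offline. The in-memory directory, its DNs and the search bases are constructed to mirror the poster's tree and are assumptions.

```python
import re

# Constructed in-memory directory (DN -> attributes) mirroring the tree in the
# thread; the DNs and attribute values are assumptions, not real data.
DIRECTORY = {
    "uid=averma,ou=people,dc=aaa,dc=bbb": {
        "objectClass": ["person"], "uid": ["averma"]},
    "cn=OPENKM_USER,ou=egbp,ou=Tools,ou=cto,ou=svcs,dc=aaa,dc=bbb": {
        "objectClass": ["posixGroup"], "cn": ["OPENKM_USER"],
        "member": ["uid=averma,ou=people,dc=aaa,dc=bbb"]},
    "cn=OPENKM_ADMIN,ou=egbp,ou=Tools,ou=cto,ou=svcs,dc=aaa,dc=bbb": {
        "objectClass": ["posixGroup"], "cn": ["OPENKM_ADMIN"], "member": []},
}

USER_BASE = "ou=people,dc=aaa,dc=bbb"                          # userSearch base
GROUP_BASE = "ou=egbp,ou=Tools,ou=cto,ou=svcs,dc=aaa,dc=bbb"   # populator base


def matches(attrs, filt):
    """Evaluate the filter subset used in the thread: (attr=value) and (&(..)(..))."""
    if filt.startswith("(&"):
        return all(matches(attrs, "(" + sub + ")")
                   for sub in re.findall(r"\(([^()]*)\)", filt[2:-1]))
    attr, _, value = filt[1:-1].partition("=")  # first '=' splits attr from value
    return value in attrs.get(attr, [])


def search(directory, base, filt):
    """Subtree search (searchSubtree=true): every entry below base matching filt."""
    return [dn for dn, attrs in directory.items()
            if dn.endswith("," + base) and matches(attrs, filt)]


def authorities(username, directory, role_prefix="", upper=False):
    """Mimic FilterBasedLdapUserSearch with (uid={0}), then
    DefaultLdapAuthoritiesPopulator with (member={1}) and groupRoleAttribute=cn."""
    users = search(directory, USER_BASE, "(uid=%s)" % username)
    if len(users) != 1:
        raise LookupError("user not found or ambiguous: %s" % username)
    groups = search(directory, GROUP_BASE, "(member=%s)" % users[0])
    names = [directory[g]["cn"][0] for g in groups]
    return sorted(role_prefix + (n.upper() if upper else n) for n in names)


def can_create_trash(username, directory, required="ROLE_USER"):
    """OpenKM creates okm:trash/<user> at first login only with the ROLE_USER grant."""
    return required in authorities(username, directory)


if __name__ == "__main__":
    print(authorities("averma", DIRECTORY))        # ['OPENKM_USER']
    print(can_create_trash("averma", DIRECTORY))   # False: group is not named ROLE_USER
```

Adding a group whose cn is ROLE_USER with the user as member (the first fix suggested above) makes `can_create_trash` return True without touching OpenKM.xml.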
