LDAP groups (ROLES)

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #20617  by averma
 
Hi,

Can somebody please help me configure different user roles (as per my LDAP groups) instead of the default ROLE_ADMIN and ROLE_USER?

I am running OpenKM 6.2.1 with Tomcat 7.
My LDAP groups are like TOOL_ADMIN and TOOL_USER.

Regards,
Aditya
 #20634  by jllort
 
ROLE_ADMIN and ROLE_USER are special roles, as I suppose you understood. From what I understand, you want to create OPENKM_ADMIN and OPENKM_USER roles in your LDAP, is that right?
 #20640  by dejanfc
 
You have to disable the "ROLE_" prefix in the RoleVoter bean in the Spring config (applicationContext.xml) and then set the desired roles in the Administration tab. Tip: don't change the admin role until you confirm that the custom user role is working correctly :)
 #20651  by averma
 
Precisely, I want to use OPENKM_ADMIN and OPENKM_USER (which exist in our LDAP) instead of ROLE_ADMIN and ROLE_USER.
Due to some reasons it is not possible to create "ROLE_*" groups in LDAP.

dejanfc: I have already tried my hand at the config without luck (there were errors in the portal and the catalina log). I have also found that these roles are hard coded in core/Config.class,
but I'll try your suggestion again.

I think it's worth mentioning here that I am a Perl programmer and have very limited knowledge of Java :(
 #20654  by dejanfc
 
You can get around that with a role prefix parameter in your LDAP authentication manager config (if the RoleVoter is being ignored); the function is the same as for the RoleVoter bean. Here's part of my bean config (I'm using Kerberos SSO so it's a bit different). If you're using namespace configuration then it's different (I saw the example in one of the other LDAP topics around here). We're using OpenLDAP and I couldn't get the thing working with groupSearchFilter set or searchSubtree set to true, but that could be because users and groups are in the same base (cn=Users).
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:constructor-arg value="cn=Users,dc=company,dc=name"/>
  <!-- <beans:property name="groupSearchFilter" value="objectClass=group"/>  For some unknown reason this filter doesn't work for me -->
  <beans:property name="groupRoleAttribute" value="cn"/>
  <beans:property name="searchSubtree" value="false" />
  <beans:property name="convertToUpperCase" value="false"/>
  <beans:property name="rolePrefix" value=""/>
</beans:bean>
 #20698  by averma
 
Hi dejanfc,

I tried your advice but there is again the same problem.
Here is an excerpt from my applicationContext.xml file:
<beans:bean class="org.springframework.security.access.vote.RoleVoter">
    <beans:property name="rolePrefix" value=""/>
</beans:bean>

and here is the log after I tried to log in using LDAP credentials:
2013-01-10 23:21:21,755 [http-bio-0.0.0.0-8080-exec-3] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-01-10 23:21:22,016 [http-bio-0.0.0.0-8080-exec-7] INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/ldapuserid
2013-01-10 23:21:22,026 [http-bio-0.0.0.0-8080-exec-7] ERROR com.openkm.module.db.DbAuthModule - b636b890-7836-434d-a9d2-c92b3411a9c5 : /okm:trash
com.openkm.core.PathNotFoundException: b636b890-7836-434d-a9d2-c92b3411a9c5 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:106)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:102)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:437)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:400)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:81)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:52)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1110)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:603)
	at java.lang.Thread.run(Thread.java:722)
Any suggestions?
 #20699  by averma
 
and here is the screenshot (Screenshot.png):
 #20702  by dejanfc
 
Are you trying to log in as admin or user? The problem is that the entire repository is by default set to be readable by the ROLE_USER role; if you change it to something else (i.e. okmusers) you have to set read permissions on every folder (okm:root, okm:personal, okm:categories, etc.) to that role (okmusers). Try to log in as admin (can view the entire repository, even without specific read permissions); if you're still getting that error then it means that your LDAP configuration isn't getting the roles correctly from the server. Try to turn on debugging for catalina and paste your LDAP configuration (from OpenKM.xml) here.
 #20708  by averma
 
Hi dejanfc,

Thanks for all your help and advice.

I have finally managed to login using LDAP credentials.
As you have mentioned, the resolution was: I replaced all instances of "ROLE_USER" with "OPENKM_USER" in all the insert statements in the repository/okmdb.script file.

Thanks again.

Now that I can login there is another problem. I cannot see the Administration tab.
To overcome this I have changed:
INSERT INTO OKM_CONFIG VALUES('default.admin.role','string','ROLE_ADMIN')
to
INSERT INTO OKM_CONFIG VALUES('default.admin.role','string','OPENKM_ADMIN')
in repository/okmdb.script file

After this change I can see the Administration tab, but when I click on it, it says: "Unauthorized access".

Any suggestions?
 #20709  by dejanfc
 
First make sure that the user you're connecting as is in the OPENKM_ADMIN group in ldap :). After that, go into your applicationContext.xml and check if the /admin/** protected url is set to "ROLE_ADMIN". If yes, try changing to 'IS_FULLY_AUTHENTICATED' (I don't remember the exact attribute value and I can't check at the moment unfortunately, but you can just copy it from one of the other protected urls).
 #20728  by jllort
 
Important: if your changes to the repository/okmdb.script file have taken some effect, it is because you're logging in with the database, not with your LDAP.

Have you changed it in Administration? (This change can only be done when creating the repository, not after.) You should re-create the repository and place these configuration parameters in OpenKM.cfg:
default.admin.role=ROLE_ADMIN
default.user.role=ROLE_USER
After that you should change the role values in the database (repository/okmdb.script file), because the default OpenKM script comes with ROLE_USER.

This change is not a trivial operation.
 #20972  by averma
 
Thanks a lot jllort and dejanfc. Very much appreciate your help.
I have finally got it working.

* Created a fresh repo.
* Used the database query wizard to update LDAP-specific values in the OKM_CONFIG table (I guess updating the values from the admin panel will also have the same effect)
* Through the admin panel changed "default.user.role" to "OPENKM_USER"
* Through the admin panel changed "default.admin.role" to "OPENKM_ADMIN". This must be the last change from the admin panel, because after that the okmAdmin user can not access the admin panel any more.
* Make changes in "OpenKM.xml" file to work with LDAP
* In "applicationContext.xml" file changed rolePrefix to empty string "" and replaced line:
<security:intercept-url pattern="/admin/**" access="ROLE_ADMIN" />
with
<security:intercept-url pattern="/admin/**" access="IS_AUTHENTICATED_FULLY" />


Thanks for all your help and advice.
 #20998  by pavila
 
But after this modification every authenticated user can access Administration (/admin), and this may be dangerous.
 #21255  by averma
 
Hi jllort,

In that case could you please let me know step by step how I can implement LDAP integration with LDAP groups say: OPENKM_USER and OPENKM_ADMIN instead of ROLE_USER and ROLE_ADMIN.

It will be a big-big help

Regards,
Adi
 #21271  by jllort
 
In applicationContext.xml you should change ROLE_ADMIN to your new role name.
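As an added check (example code, not OpenKM's own and not from any poster here), the script below parses an applicationContext.xml in the shape of the snippets posted in this thread and flags the two configuration mistakes the thread walks through: an admin role that does not carry the RoleVoter's prefix (the "Unauthorized access" in #20708), and an /admin/** rule opened to IS_AUTHENTICATED_FULLY (pavila's warning in #20998). The XML it audits is constructed inline; the bean id roleVoter, the /frontend/** pattern and the helper names are assumptions.

```python
"""Audit an OpenKM applicationContext.xml for the two role mistakes in this
thread.  Added example, not OpenKM's own code.  The XML it builds is a
constructed sample in the shape of the snippets posted above; the bean id,
the /frontend/** pattern and the helper names are assumptions."""
import xml.etree.ElementTree as ET
from typing import List, Optional

NS = {
    "beans": "http://www.springframework.org/schema/beans",
    "security": "http://www.springframework.org/schema/security",
}


def build_config(admin_access: str, role_prefix: Optional[str]) -> str:
    """Constructed applicationContext.xml fragment (not a real install's file).

    role_prefix=None leaves the rolePrefix property out, so Spring Security's
    default "ROLE_" applies, which is the state the original poster started in.
    """
    prefix_prop = ("" if role_prefix is None
                   else f'<beans:property name="rolePrefix" value="{role_prefix}"/>')
    return f"""<beans:beans xmlns="http://www.springframework.org/schema/security"
             xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security">
  <security:http auto-config="true">
    <security:intercept-url pattern="/admin/**" access="{admin_access}"/>
    <security:intercept-url pattern="/frontend/**" access="OPENKM_USER"/>
  </security:http>
  <beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
    {prefix_prop}
  </beans:bean>
</beans:beans>
"""


def audit(config_xml: str, admin_role: str) -> List[str]:
    """Return findings for config_xml; an empty list means it passes.

    Checks: (1) the admin role carries the RoleVoter prefix, otherwise the
    voter abstains on it and /admin/** can never be granted by that role;
    (2) /admin/** is restricted to exactly the admin role, otherwise (e.g.
    IS_AUTHENTICATED_FULLY) every logged-in user reaches Administration.
    """
    root = ET.fromstring(config_xml)
    findings = []

    prefix = "ROLE_"  # Spring Security's default when rolePrefix is not set
    for bean in root.iter(f"{{{NS['beans']}}}bean"):
        if bean.get("class", "").endswith(".RoleVoter"):
            for prop in bean.findall("beans:property", NS):
                if prop.get("name") == "rolePrefix":
                    prefix = prop.get("value", "")
    if not admin_role.startswith(prefix):
        findings.append(
            f"admin role {admin_role!r} lacks RoleVoter prefix {prefix!r}: "
            f"set rolePrefix to '' or rename the LDAP group")

    admin_rules = [u for u in root.iter(f"{{{NS['security']}}}intercept-url")
                   if u.get("pattern") == "/admin/**"]
    if not admin_rules:
        findings.append("no intercept-url rule protects /admin/**")
    for rule in admin_rules:
        access = rule.get("access", "")
        attrs = {a.strip() for a in access.split(",") if a.strip()}
        if attrs != {admin_role}:
            findings.append(
                f"/admin/** has access={access!r}: every user satisfying it "
                f"reaches Administration; use access={admin_role!r}")
    return findings


# Constructed configs covering the three states the thread passes through.
UNPREFIXED = build_config("OPENKM_ADMIN", role_prefix=None)          # #20708: Unauthorized access
OPEN_ADMIN = build_config("IS_AUTHENTICATED_FULLY", role_prefix="")  # #20972: works, but #20998 warns
FIXED = build_config("OPENKM_ADMIN", role_prefix="")                 # #21271: the intended end state

if __name__ == "__main__":
    for name, cfg in (("UNPREFIXED", UNPREFIXED), ("OPEN_ADMIN", OPEN_ADMIN), ("FIXED", FIXED)):
        print(name, audit(cfg, "OPENKM_ADMIN") or "OK")
```

Running it prints a finding for the first two states and OK for the last. One caveat on the empty prefix: a RoleVoter supports every attribute that starts with its prefix, so with rolePrefix="" it also votes on IS_AUTHENTICATED_FULLY; that attribute is still granted by the AuthenticatedVoter, but the final outcome depends on the access decision manager's strategy. The script only inspects the configuration text and does not model the voters.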
