• LDAP roles by user

 #21354  by Lorderich
 
I am trying OpenKM 6.2.2 and am struggling with the LDAP configuration.

Some main things are done:
1. All users can log in via their LDAP credentials on OpenKM.
2. All available roles are listed in the "RoleSearch" list.

But I have the problem that the roles per user are not listed in the users area. Could you please review my configuration? I have migrated this configuration 1:1 from an existing OpenKM 5.1 installation, and in the old system it worked.

Administration -> Config:
Code:
principal.adapter                            String   com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users     Boolean  Active
principal.ldap.mail.attribute                String   mail
principal.ldap.mail.search.base              String   OU=BU;O=Company.CORP
principal.ldap.mail.search.filter            String   (&(objectclass=dominoperson)(cn={0}))
principal.ldap.referral                      String   follow
principal.ldap.role.attribute                String   CN
principal.ldap.role.search.base              List     C=DE
principal.ldap.role.search.filter            String   (objectClass=dominogroup)
principal.ldap.roles.by.user.attribute       String   CN
principal.ldap.roles.by.user.search.base     String   C=DE
principal.ldap.roles.by.user.search.filter   String   (member={0})
principal.ldap.security.credentials          String   secretpassword
principal.ldap.security.principal            String   CN=Account,OU=Test,O=Company.CORP
principal.ldap.server                        String   ldap://ldap.company.corp:389
principal.ldap.user.attribute                String   CN
principal.ldap.user.search.base              List     OU=Test;O=Company.CORP
principal.ldap.user.search.filter            String   (objectclass=person)
principal.ldap.username.attribute            String   CN
principal.ldap.username.search.base          String
principal.ldap.username.search.filter        String   (&(objectclass=person)(CN={0}))
principal.ldap.users.by.role.attribute       String   member
principal.ldap.users.by.role.search.base     String   C=DE
principal.ldap.users.by.role.search.filter   String   (&(objectClass=dominogroup)(CN={0}))
I think there is a little failure in my configuration, but I did not see it.

Kind regards

Lorderich
 #21384  by dejanfc
 
Try (member=cn={0},cn=yourgroup,dc=your,dc=company)

Part of my ldapsearch result for 'dejanfc' user, for reference

memberOf: CN=ROLE_USER,CN=Users,DC=my,DC=company

And for 'ROLE_USER' role:

member: CN=dejanfc,CN=Users,DC=my,DC=company
Code:
principal.ldap.roles.by.user.attribute       cn
principal.ldap.roles.by.user.search.base     cn=Users,dc=my,dc=company
principal.ldap.roles.by.user.search.filter   (&(objectClass=group)(member=cn={0},cn=Users,dc=my,dc=company))

principal.ldap.users.by.role.attribute       member
principal.ldap.users.by.role.search.base     cn=Users,dc=my,dc=company
principal.ldap.users.by.role.search.filter   (&(objectClass=posixGroup)(cn={0}))
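
Added example (not part of the original posts and not OpenKM code): a small Python model of the roles-by-user lookup, showing why a member attribute that holds full DNs is not matched by (member={0}) but is matched by the full-DN template from the post above. It assumes {0} is replaced with the bare login name, runs against a constructed in-memory directory, and escapes the substituted name per RFC 4515 as the example's own choice; roles_by_user, expand, matches and the other helper names are hypothetical.

```python
import re

# Constructed in-memory directory; ROLE_USER and its member DN are the values
# quoted in the post above, ROLE_ADMIN and "alice" are made up for contrast.
DIRECTORY = [
    {"objectClass": ["group"], "cn": ["ROLE_USER"],
     "member": ["CN=dejanfc,CN=Users,DC=my,DC=company"]},
    {"objectClass": ["group"], "cn": ["ROLE_ADMIN"],
     "member": ["CN=alice,CN=Users,DC=my,DC=company"]},
    {"objectClass": ["person"], "cn": ["dejanfc"]},
]

def escape_filter_value(value):
    """Escape RFC 4515 special characters so a login name stays a literal value."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def expand(template, login):
    """Assumption: {0} in the template is replaced with the bare login name."""
    return template.replace("{0}", escape_filter_value(login))

def unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(entry, flt):
    """Evaluate equality terms, optionally wrapped in one (&...) conjunction.
    Simplification: values compare case-insensitively as whole strings, so a
    bare name never equals a DN-valued attribute."""
    inner = flt[2:-1] if flt.startswith("(&") else flt
    terms = re.findall(r"\(([^=()]+)=([^()]*)\)", inner)
    attrs = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    return bool(terms) and all(
        unescape(val).lower() in attrs.get(attr.lower(), []) for attr, val in terms)

def roles_by_user(template, login, role_attribute="cn"):
    """Return role_attribute of every entry matched by the expanded filter."""
    flt = expand(template, login)
    return [e[role_attribute][0] for e in DIRECTORY if matches(e, flt)]

BARE = "(member={0})"
FULL_DN = "(&(objectClass=group)(member=cn={0},cn=Users,dc=my,dc=company))"

if __name__ == "__main__":
    print(roles_by_user(BARE, "dejanfc"))
    print(roles_by_user(FULL_DN, "dejanfc"))
    print(expand(FULL_DN, "*)(objectClass=*"))
```
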
 #21387  by Lorderich
 
Hello,

I have checked the search filter.

In our LDAP server we are getting the correct values for the groups per user with this filter. But they are not displayed in OpenKM.

Is it possible to debug the "com.openkm.principal.LdapPrincipalAdapter" to see a full log of the ldap handling?

In the logging.properties I have included com.openkm.principal.LdapPrincipalAdapter = FINE, but this doesn't log any information about the LDAP connection and filtering.

Kind regards

Lorderich
 #21424  by jllort
 
For debugging, take a look at the conf/log4j.properties file and place the package there
