How can I log in to KM with Windows AD?

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #25453  by Charles.Hung
 
Open.xml
Code:
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg ref="ldapBindAuthenticator"/>
  <beans:constructor-arg ref="ldapAuthoritiesPopulator"/>
</beans:bean>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <!-- MS Active Directory -->
  <beans:constructor-arg value="ldap://AD IP:389"/>
  <beans:property name="userDn" value="cn=AD account,cn=Users,dc=domain"/>
  <beans:property name="password" value="AD PWD"/>
  <beans:property name="baseEnvironmentProperties">
    <beans:map>
      <beans:entry>
        <beans:key>
          <beans:value>java.naming.referral</beans:value>
        </beans:key>
        <beans:value>follow</beans:value>
      </beans:entry>
    </beans:map>
  </beans:property>
</beans:bean>

<beans:bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:property name="userSearch" ref="userSearch"/>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <!-- MS Active Directory -->
  <!-- user-search-base; relative to base of configured context source -->
  <beans:constructor-arg index="0" value="dc=domain"/>
  <!-- user-search-filter -->
  <beans:constructor-arg index="1" value="(sAMAccountName={0})"/>
  <beans:constructor-arg index="2" ref="contextSource"/>
</beans:bean>

<beans:bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource" />
  <beans:constructor-arg value="dc=domain" />
  <beans:property name="groupSearchFilter" value="(member={0})"/>
  <beans:property name="groupRoleAttribute" value="CN" />
  <beans:property name="rolePrefix" value=""/>
  <beans:property name="searchSubtree" value="true"/>
  <beans:property name="convertToUpperCase" value="false"/>
  <beans:property name="ignorePartialResultException" value="true"/>
</beans:bean>
Configuration
Code:
system.login.lowercase=true
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users=true
principal.hide.connection.roles=false
principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=dc=domain
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.referral=follow
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=dc=domain
principal.ldap.role.search.filter=(cn=*)
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.roles.by.user.search.base=dc=domain
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.security.credentials=AD PWD
principal.ldap.security.principal=CN=AD account,cn=Users,dc=domain
principal.ldap.server=ldap://192.168.99.11:389
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=dc=domain
principal.ldap.user.search.filter=(&(objectClass=user)(objectCategory=person))
principal.ldap.username.attribute=cn
principal.ldap.username.search.base=dc=domain
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute=member
principal.ldap.users.by.role.search.base=dc=domain
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.from.roles=false
Another question: in KM, do I have to create an account which is used in AD?

Please help, thanks.
 #25458  by Charles.Hung
 
dejanfc wrote: OpenKM will automatically generate a user if the AD authentication is successful.
Thanks!

I think my code has an error, so I cannot log in to KM with AD...

I do not know how to solve this problem...
 #25459  by dejanfc
 
Try using the AD auth provider that's built into spring security:

http://docs.spring.io/spring-security/s ... /ldap.html

I also wrote a small tutorial on how to get Kerberos working for SSO - http://wiki.openkm.com/index.php/Kerberos

Since it's an integral part of AD you could also use this method (although, if you don't require single sign on I'd personally go with AD auth provider since it's easier to configure).

And please paste any errors you get, it's possible that it's something trivial like wrong role retrieval.
 #25460  by Charles.Hung
 
dejanfc wrote: Try using the AD auth provider that's built into spring security:

http://docs.spring.io/spring-security/s ... /ldap.html

I also wrote a small tutorial on how to get Kerberos working for SSO - http://wiki.openkm.com/index.php/Kerberos

Since it's an integral part of AD you could also use this method (although, if you don't require single sign on I'd personally go with AD auth provider since it's easier to configure).

And please paste any errors you get, it's possible that it's something trivial like wrong role retrieval.
After I used your method, I can log in.

But...
Attachment: 1.png
 #25461  by dejanfc
 
That means that you're not getting the correct roles. OpenKM uses ROLE_USER and ROLE_ADMIN by default, if you have the option simply create these two groups in your AD, add a test user to each and then try again. Otherwise you'll have to change the default roles in OpenKM configuration and remove the role_prefix bean from applicationContext.xml.
 #25467  by Charles.Hung
 
dejanfc wrote: That means that you're not getting the correct roles. OpenKM uses ROLE_USER and ROLE_ADMIN by default, if you have the option simply create these two groups in your AD, add a test user to each and then try again. Otherwise you'll have to change the default roles in OpenKM configuration and remove the role_prefix bean from applicationContext.xml.
Ok.....I think I should give you my AD.....

KM is 6.2.4

In the attachment, you will see OUs. I want to see all users by using OU=HQ_IFT,DC=infortrend

My admin role is "MIS"; other people's role is "Domain Users"

Please see the attachment
 #25504  by jllort
 
It is mandatory that all users have ROLE_USER (exactly as I've written it, in uppercase etc.); that's needed to pass the login page. After that you should have enough roles (by user) to read the main nodes okm:root, okm:categories and okm:templates.

Here you can see complete examples with a full description: http://wiki.openkm.com/index.php/LDAP_examples
 #26035  by chasedream285
 
It's easy.
Just modify the following source code 'openkm\src\main\java\com\openkm\module\db\stuff\DbSimpleAccessManager.java' and add some code lines:
Code:
                    // If the LDAP lookup returned no roles, grant ROLE_USER so the
                    // user can pass the login page. (The original posted loop called
                    // it.hasNext() without it.next() and so never terminated for a
                    // non-empty set; isEmpty() gives the intended check directly.)
                    if (roles.isEmpty()) {
                        log.info("Role set is empty, adding ROLE_USER manually");
                        roles.add("ROLE_USER");
                    } else {
                        log.info("Roles found for user: " + roles);
                    }

after the code below:
Code:
                if (roles.contains(Config.DEFAULT_ADMIN_ROLE)) {
                    // A user with AdminRole has total access
                    access = true;
                } else {

It will grant 'ROLE_USER' to the AD user manually whether you get a ROLE or not with your original AD configuration :D
Also I think it's a realistic way to define your own KM group organizations, excluding the AD group organization.
 #26046  by jllort
 
There's another way in the LDAP configuration to set a role by default without modifying the source code: add <beans:property name="defaultRole" value="ROLE_USER" />

Code:
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:constructor-arg value="DC=localhost,DC=local"/>
  <beans:property name="groupSearchFilter" value="member={0}"/>
  <beans:property name="groupRoleAttribute" value="cn"/>
  <beans:property name="searchSubtree" value="true" />
  <beans:property name="convertToUpperCase" value="false" />
  <beans:property name="rolePrefix" value="" />
  <beans:property name="defaultRole" value="ROLE_USER" />
</beans:bean>
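The two approaches above (chasedream285's source patch, which adds ROLE_USER only when the populator returned nothing, and jllort's defaultRole property) differ in a detail that is easy to miss, so here is an added Python model, not OpenKM or Spring Security code, of how DefaultLdapAuthoritiesPopulator turns AD group membership into role names. The directory, DNs and account names are constructed; the role derivation follows Spring's documented behaviour (group search by member DN, rolePrefix, optional uppercasing, and a defaultRole that Spring assigns to every user, not just to users without groups). It also shows why dejanfc's advice to drop the role prefix matters: with Spring's defaults an AD group named ROLE_USER comes out as ROLE_ROLE_USER.

```python
# Added example, not code from OpenKM or Spring Security: a stand-alone model of
# how Spring's DefaultLdapAuthoritiesPopulator derives role names from AD group
# membership, so the effect of rolePrefix, convertToUpperCase and defaultRole can
# be checked without a directory server. All DNs and accounts are constructed.
from typing import Dict, List, Optional, Set

# Constructed sample directory (DN -> attributes). Groups list their members by
# DN, as AD does; users carry sAMAccountName, which the thread's user filter keys on.
BASE = "DC=example,DC=local"
USERS_OU = "OU=HQ_IFT," + BASE
ALICE = "CN=alice," + USERS_OU
BOB = "CN=bob," + USERS_OU
CAROL = "CN=carol," + USERS_OU

DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    ALICE: {"objectClass": ["user"], "sAMAccountName": ["alice"]},
    BOB: {"objectClass": ["user"], "sAMAccountName": ["bob"]},
    CAROL: {"objectClass": ["user"], "sAMAccountName": ["carol"]},
    "CN=MIS,CN=Users," + BASE: {
        "objectClass": ["group"], "cn": ["MIS"], "member": [ALICE]},
    "CN=ROLE_USER,CN=Users," + BASE: {
        "objectClass": ["group"], "cn": ["ROLE_USER"], "member": [ALICE, BOB]},
    "CN=Domain Users,CN=Users," + BASE: {
        "objectClass": ["group"], "cn": ["Domain Users"], "member": [ALICE, BOB, CAROL]},
}


def in_subtree(dn: str, search_base: str) -> bool:
    """True if dn lies under search_base (case-insensitive DN suffix match)."""
    return dn.lower().endswith(search_base.lower())


def find_user_dn(sam_account_name: str, search_base: str = BASE) -> Optional[str]:
    """Model of FilterBasedLdapUserSearch with filter (sAMAccountName={0})."""
    for dn, attrs in DIRECTORY.items():
        if in_subtree(dn, search_base) and sam_account_name in attrs.get("sAMAccountName", []):
            return dn
    return None


def populate_roles(user_dn: str, group_search_base: str = BASE,
                   group_role_attribute: str = "cn", role_prefix: str = "ROLE_",
                   convert_to_upper_case: bool = True,
                   default_role: Optional[str] = None) -> Set[str]:
    """Model of DefaultLdapAuthoritiesPopulator.getGrantedAuthorities.

    Parameter defaults are Spring Security's defaults (prefix 'ROLE_', uppercase on);
    the thread's beans switch both off. The (member={0}) group filter is modelled as an
    exact match of the user's DN against each group's 'member' values. Spring adds
    defaultRole to every user, not only to users that matched no group.
    """
    roles: Set[str] = set()
    for dn, attrs in DIRECTORY.items():
        if not in_subtree(dn, group_search_base) or user_dn not in attrs.get("member", []):
            continue
        for value in attrs.get(group_role_attribute, []):
            roles.add(role_prefix + (value.upper() if convert_to_upper_case else value))
    if default_role is not None:
        roles.add(default_role)
    return roles


def roles_for_login(sam_account_name: str, **populator_settings) -> Set[str]:
    """User search followed by role population, as the authentication provider chains them."""
    user_dn = find_user_dn(sam_account_name)
    if user_dn is None:
        return set()
    return populate_roles(user_dn, **populator_settings)


# Thread settings: rolePrefix="" and convertToUpperCase=false, so an AD group
# named ROLE_USER maps to exactly "ROLE_USER", which OpenKM requires at login.
THREAD_SETTINGS = dict(role_prefix="", convert_to_upper_case=False)

if __name__ == "__main__":
    for who in ("alice", "bob", "carol"):
        print(who, sorted(roles_for_login(who, **THREAD_SETTINGS)))
    # carol is only in "Domain Users"; with defaultRole she still receives ROLE_USER.
    print("carol+defaultRole", sorted(roles_for_login("carol", default_role="ROLE_USER", **THREAD_SETTINGS)))
    # Spring's defaults turn the group name into ROLE_ROLE_USER.
    print("alice, Spring defaults", sorted(roles_for_login("alice")))
```

Running the module prints the role set each constructed account would hand to OpenKM under the thread's settings; the carol case is the one both workarounds target, and the last line is the prefix problem dejanfc describes.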
 #26281  by chasedream285
 
jllort wrote: There's another way in the LDAP configuration to set a role by default without modifying the source code: add <beans:property name="defaultRole" value="ROLE_USER" />

Code:
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:constructor-arg value="DC=localhost,DC=local"/>
  <beans:property name="groupSearchFilter" value="member={0}"/>
  <beans:property name="groupRoleAttribute" value="cn"/>
  <beans:property name="searchSubtree" value="true" />
  <beans:property name="convertToUpperCase" value="false" />
  <beans:property name="rolePrefix" value="" />
  <beans:property name="defaultRole" value="ROLE_USER" />
</beans:bean>
Hi, jllort,
I adopted your way to add 'defaultRole' in 'OpenKM.xml',
1) if I set 'defaultRole' = 'ROLE_ADMIN', everything is OK.
2) if I set 'defaultRole' = 'ROLE_USER', I found I can log in to OpenKM, but the screen halts somehow; it seems the LDAP user lacks the privilege to read 'okm_root'.... I don't know how to resolve this, please help.
 #26289  by jllort
 
Your users should have enough privileges to see okm:root, okm:categories and okm:templates, based on the roles they have and the roles assigned to these nodes. There's no other mystery to it.
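To make jllort's point concrete, here is an added Python model (not OpenKM code) of the two checks an AD user has to pass: the ROLE_USER requirement at the login page, and per-node role permissions on okm:root, okm:categories and okm:templates, with the admin-role bypass quoted from DbSimpleAccessManager earlier in the thread. The permission bit values and both node ACL tables are constructed. It reproduces the three outcomes reported above: no ROLE_USER (login rejected), ROLE_USER but no grant on the main nodes (chasedream285's halted screen), and defaultRole=ROLE_ADMIN (everything works, because the admin role bypasses the node ACLs, which also means every authenticated AD account gets full access).

```python
# Added example, not OpenKM code: a model of the two checks an AD user must pass
# (ROLE_USER at the login page, then READ on the main nodes), with the admin-role
# bypass quoted from DbSimpleAccessManager. Bit values and ACLs are constructed.
from typing import Dict, Iterable, List

READ, WRITE, DELETE, SECURITY = 1, 2, 4, 8   # assumed bit layout for this model
LOGIN_ROLE = "ROLE_USER"    # role the thread says is required to pass the login page
ADMIN_ROLE = "ROLE_ADMIN"   # stands in for Config.DEFAULT_ADMIN_ROLE in the quoted code
MAIN_NODES = ("/okm:root", "/okm:categories", "/okm:templates")

Acl = Dict[str, Dict[str, int]]  # node path -> {role name: permission bits}

# Constructed ACLs. ACL_DEFAULT keeps grants for ROLE_USER on the main nodes;
# ACL_AD_GROUPS_ONLY is an instance whose grants name AD groups only, so a user
# who reaches the UI with just ROLE_USER cannot read anything.
ACL_DEFAULT: Acl = {
    "/okm:root": {LOGIN_ROLE: READ | WRITE, ADMIN_ROLE: READ | WRITE | DELETE | SECURITY},
    "/okm:categories": {LOGIN_ROLE: READ | WRITE},
    "/okm:templates": {LOGIN_ROLE: READ},
}
ACL_AD_GROUPS_ONLY: Acl = {
    "/okm:root": {"MIS": READ | WRITE | DELETE | SECURITY},
    "/okm:categories": {"MIS": READ | WRITE},
    "/okm:templates": {"MIS": READ | WRITE},
}


def is_granted(roles: Iterable[str], acl: Acl, node: str, permission: int) -> bool:
    """Role branch of the access check: the admin role gets total access, anyone
    else needs the requested bit on at least one role granted on the node."""
    roles = set(roles)
    if ADMIN_ROLE in roles:
        return True
    node_acl = acl.get(node, {})
    return any(node_acl.get(role, 0) & permission for role in roles)


def readable_main_nodes(roles: Iterable[str], acl: Acl) -> List[str]:
    """The main nodes the UI can load for this role set."""
    roles = set(roles)
    return [n for n in MAIN_NODES if is_granted(roles, acl, n, READ)]


def diagnose(roles: Iterable[str], acl: Acl) -> str:
    """Classify a login attempt into the outcomes the thread reports."""
    roles = set(roles)
    if ADMIN_ROLE in roles:
        return "ok: admin role bypasses node ACLs entirely"
    if LOGIN_ROLE not in roles:
        return "login rejected: ROLE_USER missing"
    missing = [n for n in MAIN_NODES if n not in readable_main_nodes(roles, acl)]
    if missing:
        return "login ok but UI cannot load: no READ on " + ", ".join(missing)
    return "ok"


if __name__ == "__main__":
    print(diagnose({"Domain Users"}, ACL_DEFAULT))
    print(diagnose({"Domain Users", "ROLE_USER"}, ACL_AD_GROUPS_ONLY))
    print(diagnose({"MIS", "ROLE_USER"}, ACL_AD_GROUPS_ONLY))
    print(diagnose({"Domain Users", "ROLE_ADMIN"}, ACL_AD_GROUPS_ONLY))
```

The fix for the halted screen is therefore on the node side, not the LDAP side: either grant READ on the three main nodes to ROLE_USER (as in ACL_DEFAULT) or map the AD group names that the populator returns onto those nodes, as jllort describes.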
