• LDAP authentication

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #28297  by jjirik
 
Hi all -- I have Samba4 running as AD and have joined 2 Samba3 servers as my file servers, which successfully authenticate against the AD, and now I am trying to do the same (authentication) for the openKM that I just installed. I followed http://wiki.openkm.com/index.php/LDAP_a ... r_examples, but when I restart my openKM it automatically logs in (doesn't ask me for authentication), and in Administration I cannot see any users (except okmAdmin in the logged users list).

Here is my openKM.xml

Code:
<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
         <module-option name="java.naming.provider.url">ldap://name.company.com:389</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">cn=admin,dc=company,dc=com</module-option>
         <module-option name="bindCredential">******</module-option>
         <module-option name="baseCtxDN">ou==users,dc=company,dc=com</module-option>
         <module-option name="baseFilter">(uid={0})</module-option>
         <module-option name="rolesCtxDN">ou=groups,dc=company,dc=com</module-option>
         <module-option name="roleFilter">(memberUid={0})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
         <module-option name="roleRecursion">-1</module-option>
         <module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
    <!-- <module-option name="defaultRole">UserRole</module-option> -->
    </login-module>
    </authentication>
</application-policy>
and here are the Administration settings from openKM:
Code:
Property                                     Type     Value
principal.adapter                            String   com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users     Boolean  Active
principal.hide.connection.roles              Boolean  Inactive
principal.ldap.mail.attribute                String   mail
principal.ldap.mail.search.base              String   OU=Users,DC=company,DC=com
principal.ldap.mail.search.filter            String   (&(objectClass=inetOrgPerson)(cn={0}))
principal.ldap.referral                      String   follow
principal.ldap.role.attribute                String   CN
principal.ldap.role.search.base              List     OU=Users,DC=company,DC=com
principal.ldap.role.search.filter            String   (objectClass=posixGroup)
principal.ldap.roles.by.user.attribute       String   CN
principal.ldap.roles.by.user.search.base     String   OU=Users,DC=company,DC=com
principal.ldap.roles.by.user.search.filter   String   (memberUid={0})
principal.ldap.security.credentials          String   xxxxxx
principal.ldap.security.principal            String   CN=admin,DC=company,DC=com
principal.ldap.server                        String   ldap://name.company.com:389
principal.ldap.user.attribute                String   CN
principal.ldap.user.search.base              List     OU=Safety,OU=Users,DC=company,DC=com
principal.ldap.user.search.filter            String   (&(objectClass=inetOrgPerson)(cn={0}))
principal.ldap.username.attribute            String   CN
principal.ldap.username.search.base          String   DC=company,DC=com
principal.ldap.username.search.filter        String   (&(objectClass=person)(userPrincipalName={0}))
principal.ldap.users.by.role.attribute       String   memberUid
principal.ldap.users.by.role.search.base     String   OU=Users,DC=company,DC=com
principal.ldap.users.by.role.search.filter   String   (&(objectClass=posixGroup)(cn={0}))
I have read lot of posts and they are somewhat confusing so I would appreciate any help :-)
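A static check of the kind a reviewer would run over the two configurations above before touching the directory. This is an added example, not OpenKM code and not from the wiki page: it parses the application-policy XML, validates every DN as a comma-separated list of single `attr=value` RDNs (values with escaped commas or `=` are not handled, a simplification), checks the `{0}` placeholder and parenthesis balance in the filters, and compares the attribute the JBoss login module matches users on with the one the OpenKM principal adapter uses. Run against the posted policy it flags the `ou==users` baseCtxDN, the plain `ldap://` simple bind, and the `uid` versus `cn` mismatch between the login module and the adapter. The embedded policy and settings are a constructed copy of the post with the password redacted.

```python
import re
import xml.etree.ElementTree as ET

# Constructed copy of the application-policy posted above (password redacted).
POSTED_POLICY = """<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://name.company.com:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">cn=admin,dc=company,dc=com</module-option>
      <module-option name="bindCredential">REDACTED</module-option>
      <module-option name="baseCtxDN">ou==users,dc=company,dc=com</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=groups,dc=company,dc=com</module-option>
      <module-option name="roleFilter">(memberUid={0})</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>"""

# Constructed subset of the Administration settings posted above.
POSTED_ADMIN = {
    "principal.ldap.user.attribute": "CN",
    "principal.ldap.user.search.filter": "(&(objectClass=inetOrgPerson)(cn={0}))",
}

# One RDN: attribute name, exactly one '=', non-empty value (escaping not handled).
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=]+$")


def module_options(policy_xml):
    """Map module-option name -> value for the login module in the policy."""
    root = ET.fromstring(policy_xml)
    return {o.get("name"): (o.text or "").strip() for o in root.iter("module-option")}


def check_dn(name, dn):
    """Return a finding for a malformed DN, or None when every RDN parses."""
    bad = [rdn for rdn in dn.split(",") if not RDN_RE.match(rdn.strip())]
    return f"{name}: malformed RDN {bad[0]!r} in {dn!r}" if bad else None


def filter_attribute(ldap_filter):
    """Attribute compared against the {0} placeholder, e.g. 'uid' for '(uid={0})'."""
    m = re.search(r"\(([A-Za-z][A-Za-z0-9-]*)=\{0\}\)", ldap_filter)
    return m.group(1).lower() if m else None


def audit_policy(policy_xml, admin_settings):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    opts = module_options(policy_xml)
    findings = []
    for key in ("bindDN", "baseCtxDN", "rolesCtxDN"):
        finding = check_dn(key, opts.get(key, ""))
        if finding:
            findings.append(finding)
    for key in ("baseFilter", "roleFilter"):
        flt = opts.get(key, "")
        if "{0}" not in flt or flt.count("(") != flt.count(")"):
            findings.append(f"{key}: filter {flt!r} lacks {{0}} or has unbalanced parentheses")
    url = opts.get("java.naming.provider.url", "")
    if url.startswith("ldap://") and opts.get("java.naming.security.authentication") == "simple":
        findings.append("provider.url: simple bind over plain ldap:// sends bindCredential and "
                        "user passwords in cleartext; use ldaps:// or StartTLS")
    if opts.get("allowEmptyPasswords", "false").lower() != "false":
        findings.append("allowEmptyPasswords: an empty password becomes an anonymous bind, "
                        "which some servers accept as success")
    login_attr = filter_attribute(opts.get("baseFilter", ""))
    adapter_attr = filter_attribute(admin_settings.get("principal.ldap.user.search.filter", ""))
    if login_attr and adapter_attr and login_attr != adapter_attr:
        findings.append(f"login module matches users by {login_attr!r} but the principal adapter "
                        f"by {adapter_attr!r}; pick one attribute the directory actually populates")
    return findings


if __name__ == "__main__":
    for line in audit_policy(POSTED_POLICY, POSTED_ADMIN):
        print("-", line)
```

The attribute comparison is the check most worth keeping: the login module and the principal adapter each run their own search, and when they disagree on the naming attribute a user can authenticate yet never appear in Administration. Extend `POSTED_ADMIN` with the remaining `principal.ldap.*` keys to check the role searches the same way.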
 #28319  by jllort
 
What OpenKM version are you talking about? Seems 5.x?
 #28325  by jjirik
 
I am fairly new to Linux systems, but in the last 2 months I set up a small network running Ubuntu 12.04 and Samba. The file server (Samba3) authenticates against the AD as expected, and I have Kerberos working on both Samba3 and Samba4, so I can kinit a username from both and get the ticket without a problem. Now I would like to set up OpenKM (and eventually the Zimbra email service) to authenticate against my AD for simple Single Sign-On.

So far I have installed the 6.2.5-community version via the ./openkm-6.2.5-community-linux-x64-installer.run command. I can access OpenKM as administrator using my IP, so I know the server is up and running. Where I am confused is the authentication of the web service. I was following http://wiki.openkm.com/index.php/Kerberos but I am lost on steps 2 and 3. How do you compile your Spring Security and create the keytab that will be readable by Tomcat? I did some research about both, but frankly it confused me.

Any pointer in the right direction will be greatly appreciated.
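For the keytab part of the question, an added Python check (not OpenKM code, not from the wiki page) that a practitioner can run after creating the keytab: it reads the MIT keytab layout (version bytes 0x05 0x02, then length-prefixed entries of realm, principal components, name type, timestamp, kvno and keyblock), lists the principals without exposing key material, and verifies that the HTTP service principal is present and that the file is readable only by its owner. The principal `HTTP/openkm.company.com@COMPANY.COM` and the sample entry are constructed placeholders; `build_keytab` exists only to fabricate test input, since a real keytab is produced by the KDC tooling (on Samba4, `samba-tool domain exportkeytab`).

```python
import os
import stat
import struct
import tempfile

# Constructed placeholder for the SPNEGO service principal of the OpenKM host.
EXPECTED_PRINCIPAL = "HTTP/openkm.company.com@COMPANY.COM"


def _octets(b):
    """counted_octet_string: uint16 big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Build a version-2 (0x0502) keytab from (realm, components, kvno, enctype, key) tuples.
    Only used here to construct sample input."""
    out = bytearray(b"\x05\x02")
    for realm, comps, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps)) + _octets(realm.encode())
        for c in comps:
            body += _octets(c.encode())
        body += struct.pack(">I", 1)            # name_type: KRB5_NT_PRINCIPAL
        body += struct.pack(">I", 0)            # timestamp (constructed)
        body += struct.pack(">B", kvno & 0xFF)  # 8-bit vno
        body += struct.pack(">H", enctype) + _octets(key)
        body += struct.pack(">I", kvno)         # optional 32-bit vno
        out += struct.pack(">i", len(body)) + body
    return bytes(out)


def parse_keytab(data):
    """Return [{'principal', 'kvno', 'enctype'}] for each live entry; key bytes are skipped."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack(">i", data[pos:pos + 4])
        pos += 4
        if size <= 0:                 # a negative size marks a deleted slot
            pos += -size
            continue
        end = pos + size
        (ncomp,) = struct.unpack(">H", data[pos:pos + 2])
        pos += 2
        fields = []
        for _ in range(ncomp + 1):    # realm first, then the name components
            (n,) = struct.unpack(">H", data[pos:pos + 2])
            pos += 2
            fields.append(data[pos:pos + n].decode())
            pos += n
        realm, comps = fields[0], fields[1:]
        _name_type, _timestamp, vno8 = struct.unpack(">IIB", data[pos:pos + 9])
        pos += 9
        enctype, klen = struct.unpack(">HH", data[pos:pos + 4])
        pos += 4 + klen               # skip the key itself
        kvno = vno8
        if end - pos >= 4:            # 32-bit vno present after the keyblock
            (vno32,) = struct.unpack(">I", data[pos:pos + 4])
            kvno = vno32 or vno8
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
        pos = end
    return entries


def audit_keytab(path, expected_principal=EXPECTED_PRINCIPAL):
    """Findings for a keytab file: permissive mode, or the service principal missing."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("mode %04o grants group/other access; chown it to the Tomcat user "
                        "and chmod 0400" % mode)
    with open(path, "rb") as fh:
        entries = parse_keytab(fh.read())
    if not any(e["principal"] == expected_principal for e in entries):
        found = [e["principal"] for e in entries]
        findings.append(f"{expected_principal} not in keytab (found: {found})")
    return findings


def demo():
    """Write a constructed keytab with mode 0400 and 0644; returns (findings_0400, findings_0644)."""
    data = build_keytab([("COMPANY.COM", ["HTTP", "openkm.company.com"], 3, 18, bytes(32))])
    results = []
    for mode in (0o400, 0o644):
        with tempfile.NamedTemporaryFile(delete=False) as tmp:
            tmp.write(data)
        os.chmod(tmp.name, mode)
        results.append(audit_keytab(tmp.name))
        os.unlink(tmp.name)
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

Point `audit_keytab` at the real file and the principal your SPNEGO filter is configured with; an empty list means the file is owner-only and carries the expected entry. The mode check matters because the keytab is a long-term credential equivalent to the service account's password.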
