• Apply profile by Active Directory Integration

 #28446  by jhades2014
 
Hello,

I have successfully installed and configured OpenKM to integrate with Active Directory.
For now, I have two groups in my AD : ROLE_USER and ROLE_ADMIN. If I add some users to one of these groups, they appear in the user list and they can connect to OpenKM.

I have also created 4 different profiles in OpenKM (let's say COMMON, A, B and C), and I wonder if I can link a user to a profile using the AD, instead of having to do it manually using the admin interface.
For instance I want users A1 and A2 to have profile A, users B1 and B2 to have profile B, and all of them to have also profile COMMON.

Is it possible to do it with OpenKM ?

I'm using version: 6.2.5 (build: 8109), and I used this website for the AD integration https://www.nosam.com/node/8


Thanks!
 #28455  by jllort
 
Actually it is not possible to set profiles from AD. The property and code for doing it have not been considered for integration. Extending the actual code could be done, but I do not know if it is really a good idea?
 #28456  by jhades2014
 
Hi jllort, thanks for your reply.

Too bad it's not possible, I think this feature may be extremely useful.

I have another question. I have plenty of users in my AD in different groups (A, B, C for instance). Do they need to be member of ROLE_USER group in my AD to connect to OpenKM?
Even if I add these groups to my ROLE_USER group, they cannot connect, but if I add all the users directly in the group, they can connect.



Thanks,
 #28464  by jllort
 
Another solution is to automatically assign ROLE_USER to any connected user:
add
Code:
<beans:property name="defaultRole" value="ROLE_USER" />
you'll get something like
Code:
<beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="DC=openkm,DC=local"/>
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <beans:property name="rolePrefix" value="" />
        <beans:property name="defaultRole" value="ROLE_USER" />
      </beans:bean>
    </beans:constructor-arg>
About setting a default profile, we can continue talking about it. But the main reason why I still think setting profiles from AD is not a good idea is that this property is not defined by default in any AD. You have users, roles and mail attributes, but you would have to create a new attribute to store the profile info. That, from my point of view, is not a good idea for most AD users. I can understand that in your case it is interesting, but not 100% of AD integrations would want to be forced into it. I can only think of it as something optional. There could be some way of doing it without modifying the OpenKM source code, with a minimal synchronization script (executed daily from crontab, for example).
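
Added example (not part of the posts above and not OpenKM or Spring code): a small Python model of how the populator settings shown in the configuration derive roles. It shows why a user who is only in a nested group gets no ROLE_USER with member={0}, and that defaultRole gives ROLE_USER to every account that can authenticate. The directory contents, user names and helper names are constructed for illustration.

```python
# Constructed sample directory: group cn -> DNs listed in its "member" attribute.
BASE = "DC=openkm,DC=local"
GROUPS = {
    "ROLE_ADMIN": {f"CN=alice,{BASE}"},
    "ROLE_USER": {f"CN=bob,{BASE}", f"CN=A,{BASE}"},  # group A nested in ROLE_USER
    "A": {f"CN=carol,{BASE}"},
    "B": {f"CN=dave,{BASE}"},                         # group with no OpenKM role
}
USERS = ["alice", "bob", "carol", "dave"]

def dn(cn):
    """Distinguished name of a user or group in the sample directory."""
    return f"CN={cn},{BASE}"

def direct_groups(entry_dn):
    """What groupSearchFilter member={0} matches: groups listing the DN directly."""
    return {cn for cn, members in GROUPS.items() if entry_dn in members}

def transitive_groups(entry_dn):
    """Groups reached when group-in-group membership is followed as well."""
    found, todo = set(), [entry_dn]
    while todo:
        for cn in direct_groups(todo.pop()):
            if cn not in found:
                found.add(cn)
                todo.append(dn(cn))
    return found

def authorities(user_dn, default_role=None, nested=False,
                role_prefix="", to_upper=False):
    """Roles granted to a user who has already authenticated against AD."""
    cns = transitive_groups(user_dn) if nested else direct_groups(user_dn)
    roles = {role_prefix + (cn.upper() if to_upper else cn) for cn in cns}
    if default_role:
        roles.add(default_role)  # added regardless of group membership
    return roles

def users_with(role, **settings):
    """Sample users who end up holding `role` under the given settings."""
    return sorted(u for u in USERS if role in authorities(dn(u), **settings))

if __name__ == "__main__":
    print("member={0} only:    ", users_with("ROLE_USER"))
    print("nested lookup:      ", users_with("ROLE_USER", nested=True))
    print("defaultRole set:    ", users_with("ROLE_USER", default_role="ROLE_USER"))
```

With defaultRole set, dave (a member of no OpenKM group) also holds ROLE_USER, so access to OpenKM is then limited only by who can authenticate against the directory.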
 #28986  by kumar4004
 
Hi

I have a question regarding Active Directory integration in OpenKM. I configured Active Directory in OpenKM as provided in the documentation. As per the documentation, I need to create two groups (ROLE_ADMIN, ROLE_USER) and add the users to either of these groups in Active Directory. But I can't create/modify any of the roles in Active Directory. But I want to use Active Directory for login authentication instead of creating new users. Without creating the ROLES in Active Directory, users are unable to log in to OpenKM, as OpenKM verifies the ROLE of the user as well. So I kindly request you to guide me through the steps for configuring OpenKM for Active Directory authentication.

Below is the exception I am getting if I don't create the role groups in Active Directory.

Applicatin error

class: org.springframework.ldap.PartialResultException
Message: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(); remaining name "

Return



Thanks
Kumar
 #28993  by jllort
 
The first step is getting the lists in administration, the second is logging (change OpenKM.xml). Have you completed the first?

I suggest you do not try the second if you have not completed the first. Take into consideration that AD takes control and OpenKM only acts as an AD reader, nothing else (you cannot add users from OpenKM, remove them, change roles, etc. OpenKM is only an AD reader).
 #29029  by kumar4004
 
Hi Jllort,

This is the first time I am playing around with configuring OpenKM with Active Directory. So can you explain in brief about the steps below?

1) First step is getting lists in administration, the second is logging ( change OpenKM.xml ). Have you completed the first ? ---> What do you mean by this?

2) I suggest do not try second if you have not completed the first. Take in consideration AD take the control of OpenKM what only acts as a AD reader , nothing else ( you can not add users from openkm, remove, change roles etc... OpenKM is only an AD reader ). --> Can I use active directory users to authenticate with OpenKM. How would you identify normal users with that administrators if we are not adding roles, users in OpenKM???


Thanks
Kumar
 #29103  by rpachouli12
 
Hello experts,
I created two groups, ROLE_ADMIN and ROLE_USER, and declared users inside those groups.
I want the users who are registered in AD to log in and use the OpenKM DMS system.
But those users are not authenticated when they log in.
When I log in as okmAdmin, it is authenticated and all the users are available in the USER tag,
but those users are not authenticated in the OpenKM admin panel. Please resolve my problem.

thanks
Rohit
 #29119  by jllort
 
Hi rpachouli12, please do not merge different questions in the same post. Please add another post for your specific problem, which has no relation to applying profiles with AD.
