• Issue with AD global groups

 #29385  by sagar
 
Hi,


I am facing this issue: when giving access to a group (from AD), if the group scope (in AD) is "universal" it will work OK, but if the group scope is "global" the group will be added but its members won't get the access as they should.


Regards,
Sagar
 #29410  by jllort
 
Could you give a clearer example of what happens? Is the problem with users? Also, some screenshots would be welcome to understand what's happening.
 #29425  by sagar
 
Hi,

I have configured a new installation (6.3) with AD for authentication and it is working fine. After that I exported the repository from the old (5.1.11) installation and imported it into the new installation.

I am facing the below issue:
When granting access (read, for example) to group x, then:
1. if the group scope in AD is universal, the members of this group will be able to see the file.
2. if the group scope in AD is global, the members won't be able to see the file.

I hope this clears it.

Thanks and Regards,
Sagar
 #29435  by jllort
 
Add ROLE_ADMIN to one of the users who has these problems.

Then go to Administration -> Scripting and execute:
Code:
import com.openkm.spring.*;

// Print the roles assigned to the currently logged-in user
print(PrincipalUtils.getRoles());

Are you seeing the global AD roles assigned to that user?
 #29439  by sagar
 
Hi,
I don't have access right now as we are on holiday; next week I will try it.


Regards,
Sagar
 #29470  by sagar
 
Hi,

I have executed the script and it is showing the global groups for the user.

Regards,
Sagar
 #29515  by sagar
 
Hello,

Even if the user goes to Tools -> Preferences -> User Configuration, the global groups will show there.

This issue is stopping the upgrade; the other issues are all solved.


Appreciate your help.

Regards,
Sagar
 #29551  by jllort
 
The script shows you the real roles inherited from authentication. The roles in the user popup view are based on the LDAP configuration parameters from Administration, but seeing them there does not mean they are being used, because everything depends on what you get on authentication. The Administration configuration is only used to fill the users and roles lists and to get some info, like the mail address, from the user id.
 #29567  by sagar
 
Do you mean it might be a problem with the OpenKM.xml authentication configuration? I have double-checked and enabled debugging of the authentication; from the logs I can see all the groups are showing in "Granted Authorities: "

Is there somewhere else to check in the logs?


Regards,
Sagar
 #29571  by jllort
 
The minimal script I provided here simply shows the roles assigned to the logged-in user. These are what really take effect for the application. A problem in AD could arise in several ways (a typical mistake is thinking groups inherit from other groups; this kind of configuration will not work). I cannot imagine what you're doing; it is quite complex to explain, in a forum post or in documentation, all the checkpoints you should consider to get AD configured well. There are a lot of cases and it is not possible to cover everything. What I can confirm to you is that from OpenKM there is no problem, for sure; if you have some problem authenticating users, etc., the problem comes from the way you're trying to do it.

If you post here a more complete example, the LDAP structure of the user who has the problem and some configuration parameters, we can try to find some clue.
 #29583  by sagar
 
I have done more investigation and tests and I can see the issue is with the case of the role (group) name.

I have created one test group with the mixed-case name "Test" and assigned it to a user, but the same issue happened (the user can't access the files or folders).
Then I renamed the group to "TEST", and the user was able to see the files.
Then I tried to use the lower-case name "test"; the same issue happened as with mixed case.
When I changed it back to "TEST" the user was able to see the files again with no issue.


"system.login.lowercase" is already enabled; is there another configuration property that may cause this issue?
 #29598  by jllort
 
The system.login.lowercase property is only for the userid; it has no effect on roles. It must be enabled with AD, because AD is not case sensitive and you could log in with a user called "user" or "User" or "uSer". But for OpenKM these user IDs are not the same. To prevent this problem we force all users to be logged in in lowercase.
 #29606  by jllort
 
Roles should not be a problem, because they are obtained directly from AD, not written by the user, who can write upper and lower case characters.
 #29607  by sagar
 
But in my case I am facing an issue with the roles' names: it won't work if the role name contains any small letter.

Regards,
Sagar
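
A way to check for the case difference reported in this thread, as an added example (not from the original posts and not OpenKM code): it takes the role names from a "Granted Authorities: " debug line and compares them with the role names set on a node's permissions, flagging names that differ only in letter case. The log line layout, the user name and all role names below are constructed assumptions.

```python
import re

# Constructed sample of an authentication debug line; user and roles are made up.
SAMPLE_LOG = (
    "DEBUG Authentication success: Principal: jdoe; "
    "Granted Authorities: ROLE_USER, TEST, FINANCE"
)

def granted_authorities(log_line):
    """Return the role names listed after 'Granted Authorities: '."""
    m = re.search(r"Granted Authorities:\s*(.*)$", log_line)
    if not m:
        return []
    return [r.strip() for r in m.group(1).split(",") if r.strip()]

def classify_acl_roles(acl_roles, granted):
    """Compare role names used in permissions with the roles granted at login.

    Returns {acl_role: (status, granted_name_or_None)} where status is
    'exact', 'case-mismatch' (same name, different letter case) or 'absent'.
    """
    granted_set = set(granted)
    by_folded = {}
    for g in granted:
        # Keep the first granted spelling seen for each case-folded name.
        by_folded.setdefault(g.casefold(), g)
    result = {}
    for role in acl_roles:
        if role in granted_set:
            result[role] = ("exact", role)
        elif role.casefold() in by_folded:
            result[role] = ("case-mismatch", by_folded[role.casefold()])
        else:
            result[role] = ("absent", None)
    return result

if __name__ == "__main__":
    granted = granted_authorities(SAMPLE_LOG)
    # Role names as they might be set on a folder's permissions (constructed).
    acl = ["Test", "FINANCE", "Legal"]
    for role, (status, match) in classify_acl_roles(acl, granted).items():
        print(f"{role}: {status} (granted as: {match})")
```

A "case-mismatch" entry means the same group reaches the application with a different spelling than the one stored in the permission, which matches the "Test" versus "TEST" behaviour described above.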
