• Ldap login

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #29964  by kylep84
 
Hello, we have just started testing the OpenKM 6.4.14 Pro trial to see if this is what we are looking for. So far everything is working well, except that I cannot get LDAP logins to work. OpenKM LDAP integration is set up and working, and I can see populated users and roles from Active Directory.

It seems like my problem is configuring OpenKM.xml; all the documentation says this file should be in $TOMCAT_HOME. I did find the file under tomcat/webapps/OpenKM/WEB-INF/classes/OpenKM.xml.

Now my question is: do I create a new OpenKM.xml in $TOMCAT_HOME, or do I modify the one I found under the webapps folder? It doesn't seem to matter what I do; it's not even trying the LDAP login, it's always using the same old database method.

Any help or ideas would be great; this is the one little thing we need to get working. Thanks
 #29984  by pldemon
 
Hi,

We saw the same behavior during our LDAP tests, so we changed webapps/OpenKM/WEB-INF/applicationContext.xml directly. Please find included a simple Perl script which we used:
Code:
        # pass 1: copy applicationContext.xml, dropping the existing <security:authentication-manager> block and leaving a %%REPLACE%% marker line in its place
        perl -ne '$t=1 if /security:authentication-manager/;print if !$t;if (/\/security:authentication-manager/) {$t=0; print "%%REPLACE%%\n"}' < $directory/webapps/OpenKM/WEB-INF/applicationContext.xml > /tmp/applicationContext.xml
        # pass 2: replace the marker line with the LDAP beans ($directory is assumed to be the Tomcat directory; the XX...XX values must be replaced with your own)
        sed -i 's|%%REPLACE%%|   <!-- Changed by pldemon -->\
           <security:authentication-manager alias="authenticationManager">\
                  <security:authentication-provider ref="ldapAuthProvider" />\
           </security:authentication-manager>\
        \
           <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">\
                  <beans:constructor-arg value="ldap://localhost:389/"/>\
                  <beans:property name="userDn" value="cn=ldapadmin,ou=People,dc=XXcompanyXX,dc=XXourXX"/>\
                  <beans:property name="password" value="XXourpassXX"/>\
           </beans:bean>\
        \
           <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">\
                  <beans:constructor-arg>\
                         <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">\
                                <beans:constructor-arg ref="contextSource"/>\
                                <beans:property name="userSearch" ref="userSearch"></beans:property>\
                         </beans:bean>\
                  </beans:constructor-arg>\
                  <beans:constructor-arg>\
                         <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">\
                                <beans:constructor-arg ref="contextSource"/>\
                                <beans:constructor-arg value="ou=OKMRoles,dc=XXcompanyXX,dc=XXourXX"/>\
                                <beans:property name="groupSearchFilter" value="(memberUid={1})"/>\
                                <beans:property name="groupRoleAttribute" value="cn"/>\
                                <beans:property name="searchSubtree" value="true" />\
                                <beans:property name="convertToUpperCase" value="true" />\
                                <beans:property name="rolePrefix" value="" />\
                         </beans:bean>\
                  </beans:constructor-arg>\
           </beans:bean>\
        \
           <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">\
                  <beans:constructor-arg index="0" value="ou=People,dc=XXcompanyXX,dc=XXourXX" />\
                  <beans:constructor-arg index="1" value="(uid={0})" />\
                  <beans:constructor-arg index="2" ref="contextSource" />\
                  <beans:property name="searchSubtree" value="true" />\
          </beans:bean>|' /tmp/applicationContext.xml
Cheers!
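Before copying /tmp/applicationContext.xml back over the original, it is worth checking the result for the mistakes that stop the webapp from starting: XML that no longer parses, the same bean id declared twice (the sed step run a second time), a ref="" pointing at a bean that does not exist, a missing or doubled security:authentication-manager, and XX...XX placeholders never filled in. The following script is an added example, not OpenKM's or the poster's code; it uses only the Python standard library, models its constructed sample XML on the bean names from the post (contextSource, ldapAuthProvider, userSearch), and assumes placeholders follow the XXcompanyXX style shown above.

```python
"""Consistency check for a hand-edited Spring Security applicationContext.xml.

Added example, not OpenKM's or the poster's code. It catches the mistakes that
typically stop the webapp from starting after a sed/perl edit: XML that no
longer parses, duplicate bean ids (the edit applied twice), ref="" attributes
with no matching bean, a missing or doubled security:authentication-manager,
and XX...XX placeholders that were never filled in.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: placeholders follow the XXcompanyXX / XXourpassXX style used in the post.
PLACEHOLDER = re.compile(r"XX\w*XX")


def local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def check_context(xml_text):
    """Return a list of (kind, detail) problems; an empty list means nothing was found."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]

    problems = []
    declared = set()      # bean ids and aliases seen so far
    refs = []             # (element name, referenced bean id)
    managers = 0
    for el in root.iter():
        name = local(el.tag)
        if name == "authentication-manager":
            managers += 1
        for attr in ("id", "alias"):
            bean_id = el.get(attr)
            if bean_id is None:
                continue
            if bean_id in declared:
                problems.append(("duplicate-id", f"bean '{bean_id}' is declared twice"))
            declared.add(bean_id)
        if el.get("ref") is not None:
            refs.append((name, el.get("ref")))
        for attr, value in el.attrib.items():
            for marker in PLACEHOLDER.findall(value):
                problems.append(("placeholder", f"<{name} {attr}> still contains {marker}"))

    for name, target in refs:
        if target not in declared:
            problems.append(("unresolved-ref", f'<{name} ref="{target}"> matches no bean id'))
    if managers != 1:
        problems.append(("authentication-manager", f"expected exactly one, found {managers}"))
    return problems


SPRING_HEADER = (
    '<beans:beans xmlns:beans="http://www.springframework.org/schema/beans" '
    'xmlns:security="http://www.springframework.org/schema/security">'
)

# Constructed LDAP section modelled on the beans in the post (simplified); the
# {base}, {password} and {user_search_ref} slots are filled per sample below.
LDAP_BEANS = """
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://localhost:389/"/>
    <beans:property name="userDn" value="cn=ldapadmin,ou=People,{base}"/>
    <beans:property name="password" value="{password}"/>
  </beans:bean>
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="{user_search_ref}"/>
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=People,{base}" />
    <beans:constructor-arg index="1" value="(uid={{0}})" />
    <beans:constructor-arg index="2" ref="contextSource" />
  </beans:bean>
"""


def sample(base, password, user_search_ref, extra=""):
    body = LDAP_BEANS.format(base=base, password=password, user_search_ref=user_search_ref)
    return SPRING_HEADER + body + extra + "</beans:beans>"


# Placeholders filled in, every ref resolvable: should pass.
GOOD_XML = sample("dc=example,dc=com", "constructed-bind-password", "userSearch")
# Placeholders left in, a ref typo, and a second contextSource bean as if the
# sed step had been run twice: should fail on three counts.
BAD_XML = sample("dc=XXcompanyXX,dc=XXourXX", "XXourpassXX", "userSearh",
                 extra='<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource"/>')

if __name__ == "__main__":
    # Usage: python check_context.py /tmp/applicationContext.xml (defaults to BAD_XML)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BAD_XML
    for kind, detail in check_context(text) or [("ok", "no problems found")]:
        print(f"{kind}: {detail}")
```

Run it as `python check_context.py /tmp/applicationContext.xml`; it only checks the file's internal consistency, not that the directory actually answers. Two points the check cannot see: the bind password for cn=ldapadmin sits in clear text in applicationContext.xml, so that account should be a read-only service account and the file should not be world-readable; and with rolePrefix="" and convertToUpperCase="true" in DefaultLdapAuthoritiesPopulator, the group cn values under ou=OKMRoles must already carry the full role names OpenKM expects (ROLE_ADMIN, ROLE_OPENKM and the like), which is the roles question raised later in the thread.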
 #29988  by kylep84
 
Thank you very much. I had to use a different config, but as soon as I added it into the applicationContext file everything works great.

Kyle P
 #30005  by jllort
 
It is not necessary to change applicationContext.xml directly; only in a few cases (when the main roles are changed) is it necessary to patch this internal file. I suggest reading this example carefully: http://wiki.openkm.com/index.php/Ldap-example3. Keep in mind that integration with LDAP is not an easy task; I have more than 20 installations integrated with LDAP behind me and I still need about 1-2 hours to do it. LDAP integration is part of the services we offer during installation, so I suggest not spending a lot of time on it, because if you finally decide on us, this is done by us.

However, if you want to try, I suggest applying the changes in OpenKM.xml at the end, and starting first with the Administration integration (the configuration parameters that allow you to see users and roles in the OpenKM administration lists).
 #30007  by kylep84
 
I see, I did change the default roles, so I guess that's why I had to change that file. I have LDAP working completely and everything is running smoothly now.

It's not that hard to set up; as you said, it just takes a bit of time.
 #30048  by jllort
 
The first time I configured an LDAP integration, I needed about 2-3 days to understand it. Now, after more than 20 LDAP installations, it is obviously faster, but it still takes about 1-2 hours. It is quite difficult to explain in the documentation how to integrate with LDAP, because each setup can be quite different. In the documentation we have tried to give a clear explanation with 2-3 examples to inspire the LDAP administrator. However, it is mandatory for them to have some previous LDAP skills. I'm open to any suggestions about how to improve this documentation section.
 #30834  by bonniebm
 
I'm testing OpenKM Pro with the intention of buying the software, but after following the Active Directory guide http://wiki.openkm.com/index.php/Active ... OpenKM_6.2 it seems like there is a missing step in the documentation.

I have managed to follow it step by step, and all the users on my AD server are now visible in OpenKM; all the groups are also visible, but they cannot authenticate, like what was happening for the user in the first post.

Trying to use the Perl script and editing applicationContext.xml directly resulted in the application failing to start, so I had to revert back to the original applicationContext.xml. What can I do to solve the authentication issues?

What can I do to enable the users that I see in OpenKM to log in?

regards

bonnie
 #30844  by jllort
 
The applicationContext.xml has changed from the 6.2 to the 6.4 version. Did you get roles other than ROLE_ADMIN and ROLE_OPENKM in your AD (you cannot create them; otherwise it is not necessary to modify applicationContext.xml)?
LDAP integration is part of the OpenKM installation service, so do not worry about it.
