• Integration of OpenKM with Active Directory

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #31485  by bolasutra
 
Hi guys, I am very new to OpenKM. I have set up a Domain Controller (Win2012R2) called WSUSDX. My domain is googoo.local. All my users are in an OU called AllUsers. OpenKM is installed on WSUSDX. I have already created ROLE_ADMIN and my member is Administrator.

I just can't seem to log in to OpenKM after I edited OpenKM.xml. The error is an authentication error. I just need a little guidance to get me going. Here are my contents:
Code: Select all
<security:ldap-server id="ldapServer"
    url="ldap://10.0.2.15:389/DC=ldap,dc=googoo,dc=local"
    manager-dn="CN=Administrator,cn=AllUsers,dc=googoo,dc=local"
    manager-password="Yaoxiong1976"/>
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="cn=Users"
      user-search-filter="(sAMAccountName={0})"
      group-search-base="cn=Users"
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>
</beans:beans>
 #31486  by bolasutra
 
Isn't the AD integration to be done first, before editing the openkm.xml?

How do I back up the settings before I restart the Tomcat service?

So far, I have tried it for the past 2 nights and failed. Uninstalled three times...
 #31503  by bolasutra
 
Still stuck for the past 4 days... I am unable to log in. I am running on Debian7 x64. My OpenKM.xml is shown below:

Can anyone help?
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
 
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://10.1.1.1:389/dc=googoo,dc=local"/>
  <beans:property name="userDn" value="CN=Administrator,cn=users,dc=googoo,dc=local"/>
  <beans:property name="password" value="Yaoxiong1976"/>
</beans:bean>
 
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" value="memberOf={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" /> 
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>
 
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
 #31519  by jllort
 
Take a look here http://wiki.openkm.com/index.php/Ldap-example3

You've started from OpenKM.xml; my suggestion is that you start with Configuration / Parameters -> the goal is to get users and roles etc., and it is easier to get it configured and to check / test for errors there than in OpenKM.xml (which needs a Tomcat restart for each change).

Sometimes the problem is with DNS resolution; read here http://wiki.openkm.com/index.php/Troubl ... _with_LDAP which solves slow connections or, sometimes, errors while trying to connect.

My suggestion: start from the Administration -> using the database connection, and at the end go for the OpenKM.xml file.

This is not a trivial task. I've got a lot of AD integrations behind me, but the first time I needed more than 3 days to complete one.
 #39848  by skemi90
 
Hi,
My name is Milos and I am also trying to integrate Active Directory with OpenKM (OpenKM Community 6.3.0). I have installed Windows Server 2008 R2 on VirtualBox, where Active Directory is configured. I saw instructions for integrating OpenKM 6.2 with Active Directory and I would appreciate some help.

OpenKM.cfg
Code: Select all
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 
principal.ldap.server=ldap://192.168.0.21
principal.ldap.security.principal=CN=Administrator,cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.security.credentials=Infomana321#
 
principal.ldap.user.search.base=cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName
 
principal.ldap.role.search.base=cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
 
principal.ldap.mail.search.base=cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail
 
principal.ldap.username.search.base=cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn
 
principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
 
principal.ldap.roles.by.user.search.base=cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf
OpenKM.xml
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
  
  <!-- Security configuration -->
<!-- 
 <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="md5"/>
      <security:jdbc-user-service 
        data-source-ref="dataSource"
        users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
        authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>
-->  

<security:ldap-server id="ldapServer"
    url="ldap://192.168.0.37:389/DC=ldap,dc=test,dc=infoamanagement.co.rs"
    manager-dn="CN=Administrator,cn=users,dc=test,dc=infoamanagement.co.rs"
    manager-password="password"/>
 
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="cn=Users"
      user-search-filter="(sAMAccountName={0})"
      group-search-base="cn=Users"
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>
  
</beans:beans>

I can't log on to OpenKM at localhost:8080/OpenKM/; the error is 'Authentication error'.
Any help is appreciated.
Thanks in advance and sorry for my English.
Greetings from Serbia :)
 #39861  by jllort
 
First you must start with Administration / Configuration parameters and only at the end work with OpenKM.xml (remove the changes and go back to the initial database version of the XML file). When you have the users and roles lists integration complete, then it will be time to work with the XML file.

Is your Administration / Configuration LDAP parameters integration going right?
 #39870  by skemi90
 
My administration/configuration parameters are correct as far as I know. I need to ask you the following because I am not sure that these parameters are correct:

My domain on a virtual machine is test.infomanagement.co.rs
Administrator profile: username: Administrator, password: Infomana321#

In code
Code: Select all
principal.ldap.server=ldap://192.168.x.xx
principal.ldap.security.principal=CN=Administrator, cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.security.credentials=Infomana321#
CN=Administrator - Administrator from Active Directory?
cn=users - Is this the parameter for Users in Active Directory?
dc=test from - test.infomanagement.co.rs?
dc=infomanagement.co.rs - also from test.infomanagement.co.rs?

Other code follows the logic from these parameters. If the slightest mistake is made here the integration will fail. I am new to Active Directory but I will try my best.
I have to congratulate you and your team for making OpenKM, for me one of the easiest DMS software to use.
Thanks in advance for your help.
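An added example, not part of the original posts and not OpenKM code: a small check of the `principal.ldap.*` lines against the DNS domain named above, assuming default Active Directory naming (each DNS label becomes its own `DC=` component). The sample is constructed from the non-secret lines quoted in the thread, and the finding names (`dc-mismatch`, `cleartext-bind`, `privileged-bind-account`) are hypothetical labels chosen for this sketch.

```python
import re

# Constructed sample: the non-secret OpenKM.cfg lines quoted in the thread.
SAMPLE_CFG = """\
principal.ldap.server=ldap://192.168.0.21
principal.ldap.security.principal=CN=Administrator,cn=users,dc=test,dc=infomanagement.co.rs
principal.ldap.user.search.base=cn=users,dc=test,dc=infomanagement.co.rs
"""

def domain_to_base_dn(domain):
    """Default AD naming: every DNS label becomes its own DC component."""
    return ",".join("DC=" + label for label in domain.strip(".").split("."))

def split_dn(dn):
    """Split a DN on unescaped commas into (ATTR, value) pairs."""
    pairs = []
    for rdn in re.split(r"(?<!\\),", dn):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip().upper(), value.strip().lower()))
    return pairs

def parse_cfg(text):
    """Parse key=value lines; only the first '=' separates key from value."""
    props = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and not key.startswith("#"):
            props[key.strip()] = value.strip()
    return props

def lint(props, domain):
    """Return (key, finding) pairs for the principal.ldap.* settings."""
    expected = split_dn(domain_to_base_dn(domain))
    findings = []
    for key, value in sorted(props.items()):
        if key == "principal.ldap.server" and value.lower().startswith("ldap://"):
            # Simple bind over ldap:// is unencrypted unless StartTLS is used.
            findings.append((key, "cleartext-bind"))
        if key.endswith((".search.base", ".security.principal")):
            pairs = split_dn(value)
            if [p for p in pairs if p[0] == "DC"] != expected:
                findings.append((key, "dc-mismatch"))
            if key.endswith(".security.principal") and pairs[0] == ("CN", "administrator"):
                # A read-only service account is enough for directory lookups.
                findings.append((key, "privileged-bind-account"))
    return findings

if __name__ == "__main__":
    print("expected base DN:", domain_to_base_dn("test.infomanagement.co.rs"))
    for key, finding in lint(parse_cfg(SAMPLE_CFG), "test.infomanagement.co.rs"):
        print(finding, key)
```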
 #39885  by jllort
 
Did you use http://technet.microsoft.com/en-us/sysi ... 63907.aspx to retrieve these data? Or a similar tool?

Also, here http://wiki.openkm.com/index.php/Applic ... figuration you have a workaround for LDAP; look for the LDAP issue (add it to your hosts file). Is the OpenKM server running a Windows OS?
