• Exception while login related to GetPersonalFolder

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #41568  by danielam
 
Hi,

My testing environment is Professional Trial version 6.4.22 (build 25661).

1. It is not able to use Active Directory authentication after updating the file /tomcat/OpenKM.xml. It is strange that I need to update the file /tomcat/webapps/OpenKM/WEB-INF/appContext.xml to successfully use Active Directory authentication.

2. After importing users and authentication from Active Directory, however, an exception occurs when users log in, about GetPersonalFolder, GetMailFolder, GetTrashFolder: no personal folder, trash... is created after login. Please kindly help.

Thanks,
daniel lam
 #41588  by jllort
 
Changing appContext.xml is only needed if you do not use ROLE_USER and ROLE_ADMIN (we suggest you create them in your AD and use them; it is the easiest way to get AD running).

The error is caused because the users do not have enough grants to these roles (at least read). If you have decided to use non-default roles, keep in mind there are two parameters, default.admin.role and default.user.role (table okm_config, which is accessed from the UI under Administration, configuration parameters; if you do not revert to database login you will not be able to change them). My suggestion is that you create ROLE_ADMIN and ROLE_USER (a non-default configuration is possible, but other changes must be made, like replacing the previous role names in the database, etc. I think it is too complex for simple testing). We have done a lot of AD integrations; keep in mind it can be done, but if you decide on non-standard group names, then it is quite complex, and quite difficult to explain all the changes that must be made to get it working.
 #41672  by danielam
 
Thanks jllort,

1. The same configuration for importing users and authentication from Active Directory works fine in community version 6.3.1. It is strange that the Professional Trial version needs an update to the file "appContext.xml" and that the behavior is different in roles configuration and permissions assigned during login.

2. We have "<beans:property name="defaultRole" value="ROLE_USER" />" in both files OpenKM.xml and appContext.xml, which should set the role "ROLE_USER" for every user unless they are a member of the group "ROLE_ADMIN" in Active Directory. Right?

3. We have created the groups "ROLE_USER" and "ROLE_ADMIN" in Active Directory. Do these groups support nested groups? We don't want to add every staff member to "ROLE_USER" manually. Instead we would like to put existing groups as members of the group "ROLE_USER".

Thanks,
daniel lam
 #41699  by jllort
 
1- About the first point, the configuration is similar and the behavior is the same. Keep in mind the trial comes with some restrictions; anyway, did you take a look at docs.openkm.com for the specific LDAP configuration in OpenKM 6.4.x?

2,3- Inheritance between groups will not work right (the problem is in the LDAP search for getting the roles based on inheritance; if you can suggest an LDAP query for it we will be happy, because we have had no success with it). You can use a property in your OpenKM.xml in the org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator section.
Code:
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
...
<beans:property name="defaultRole" value="ROLE_USER" />
</beans:bean>
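
An added example, not part of the posts above and not OpenKM's own configuration: one way to have Spring Security's DefaultLdapAuthoritiesPopulator resolve the nested groups discussed in this thread, using Active Directory's in-chain matching rule as the group search filter. The "contextSource" bean name and the group search base DN are assumptions; the property names are those of DefaultLdapAuthoritiesPopulator.

```xml
<!-- Added example. Values marked "assumed" are placeholders, not taken from this thread. -->
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <!-- assumed: an LDAP context source bean named "contextSource" defined elsewhere in the file -->
  <beans:constructor-arg ref="contextSource" />
  <!-- assumed: base DN under which the ROLE_USER and ROLE_ADMIN groups live -->
  <beans:constructor-arg value="OU=Groups,DC=example,DC=com" />

  <!-- The populator's default filter is (member={0}), which matches direct members only.
       1.2.840.113556.1.4.1941 is Active Directory's LDAP_MATCHING_RULE_IN_CHAIN: it walks
       the member chain, so a user inside a group nested in ROLE_USER also matches.
       {0} is replaced with the DN of the authenticated user. -->
  <beans:property name="groupSearchFilter" value="(member:1.2.840.113556.1.4.1941:={0})" />
  <!-- Attribute of the matched group entry that becomes the role name -->
  <beans:property name="groupRoleAttribute" value="cn" />
  <!-- Search below the base DN as well, not just its immediate children -->
  <beans:property name="searchSubtree" value="true" />

  <!-- The groups are already named ROLE_USER and ROLE_ADMIN; the populator's default
       prefix "ROLE_" would otherwise yield ROLE_ROLE_USER and ROLE_ROLE_ADMIN. -->
  <beans:property name="rolePrefix" value="" />
  <beans:property name="convertToUpperCase" value="true" />

  <!-- Granted to every account that authenticates, whatever its group membership,
       so any directory account able to bind receives ROLE_USER. -->
  <beans:property name="defaultRole" value="ROLE_USER" />
</beans:bean>
```

The in-chain matching rule is specific to Active Directory and can be slow on large directories, so scope the group search base as narrowly as the deployment allows.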
