system user

[samkaya]

I\'m logged in as with the admin account, but i can\'t see the administration menu item like this image .

Is there another admin then the admin acccount, like the system user account. If so, what are the credentials of the system account? This system user has been stated in the administration guide

[jllort]

It has been changed on OpenKM 3.0. System user now is called okmAdmin and we\'ve replaced the admin menu options to new tab on (desktop | search | dashboard | administration ). But you only see this new tab if you\'re loged as administrator.

[pito]

Hello,

according to this I changed my system user to okmAdmin user but I still cannot see Administration tab. I use LDAP. okmAdmin is in group AdminRole. I have set up storage to be in database (postgresql). Apart from not displaying administration tab everything works fine. What could be wrong?

Thank you for any help and have a nice day.

[jllort]

Really the problem is not on user is on role sure. Since openkm 4.0 can be more than one user as administrators, now we control by role not by name. You might ensure AdminRole is assigned to this user, and is well typewriten ( case sensitive ).

[pito]

Just to make it clear: you are saying that in case the user is in group/role AdminRole than what concerns version 4.0 he is admin with access to all admin tools just like user "system" in previous versions. Is that right or do you have to explicitly mention list of admin users somewhere?

Thank you.

[jllort]

Is right, since version 4.0 any user with AdminRole have full privileges, in older version there was only one user who had this grants.

[pito]

Thank you.

There is maybe some bug or confusion in this mechanism. AdminRole is not visible along other groups in "update Security" interface. When I change name of the group to something different it appears there instantly (after reopening "update Security"). When I change it back to "AdminRole" it disapears (neither previous name nor AdminRole is shown in Groups view). This I believe is correct since you probably redesigned it the way that AdminRole has rights for everything by default and cannot be changed, which is great. But Administration tab is still not appearing for users in AdminRole group. Not even after logout/login or restarting the server. Any Ideas what to check next?

Thanks a lot

(Just a reminder: I am using LDAP for users and groups)

[jllort]

If you're integrated with ldap, really users in administration tab has no effect. Anything you see, or put there has no effect with OpenKM Authentication.

Try accessing directly to OpenKM/es.git.openkm.backend.Main/ if it's showed a js popup alert it means user has no AdminRole, sure, the estrange is that you can accessing, that means has UserRole ( if you've got it, means ldap assignation is right ). It's really strange.

Other question, you're integrating active directory or other ldap ?

If nothing runs we could try to compile some LDapPrincipalAdapter with logs to see what's happening.

[pito]

If you're integrated with ldap, really users in administration tab has no effect. Anything you see, or put there has no effect with OpenKM Authentication.

Yes I am aware of that. Thank you. I want admin tab for other things.

Try accessing directly to OpenKM/es.git.openkm.backend.Main/ if it's showed a js popup alert it means user has no AdminRole, sure, the estrange is that you can accessing, that means has UserRole ( if you've got it, means ldap assignation is right ). It's really strange.

Yes I got popup that only administrator user can log in to administration.

Other question, you're integrating active directory or other ldap ?

We are using OpenLDAP (v. 2.4.11 Debian Lenny).

If nothing runs we could try to compile some LDapPrincipalAdapter with logs to see what's happening.

Maybe we could try this because I am out of ideas what else to try.

[jllort]

Try replacing in OpenKM.war the

classes.zip

(5.12 KiB) Downloaded 395 times

ldapPrincipalAdapter class it has some log info ( Please make a backup of OpenKM.war file before doing anything, and make changes with jboss stopped ).

But I think your problems are on OpenKM.cfg and login-config.xml

Try in some jsp to put this code ( for example into OpenKM.war place test.jsp ) and try this jsp page after you have loged with the user.

Code: Select all

System.out.println("has roles" + request.isUserInRole("AdminRole"));

With it you'll be sure that authenticated user has this role.

[pito]

Thank you very much. I tested it and found out that no other than UserRole is being assigned. The issue is probably (as you foretold) in login-config.xml. I had:
<module-option name="defaultRole">UserRole</module-option>
so UserRole was asigned by default (forced - thus the confusion)
I commented it out and I am no longer able to log in so the role assignment does not work correctly.

Could you help me with what could be wrong here?

from login-config.xml

Code: Select all

   <application-policy name="OpenKM">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
        <module-option name="java.naming.provider.url">ldap://ldap.example.org</module-option>
        <module-option name="bindDN">cn=admin,dc=example,dc=org</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">password</module-option>
        <module-option name="baseCtxDN">ou=example,ou=People,dc=example,dc=org</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="rolesCtxDN">ou=example,ou=Groups,dc=example,dc=org</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleRecursion">1</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        <!--module-option name="defaultRole">UserRole</module-option-->
      </login-module>
     </authentication>
   </application-policy>

I tryied to change scope to subtree (even it should not matter because there is no deeper level) and I also tried to change roleRecursion to 0,1,2 (not sure what does this one do) and no effect so far.

[jllort]

That is ok sure, but tested on windows:

192.168.0.6, Administrador, password and weyler values must be changed

Code: Select all

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
</application-policy>

You might search in jboss forum if in your ldap must be applied other configuration

[pito]

The config you posted did not work either. I searched jboss formu as you suggested and found a configuration with a little bit different approach and it worked out:

code directly from http://community.jboss.org/thread/124487:

Code: Select all

<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
 <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
 <module-option name="java.naming.provider.url">ldap://localhost:10389/</module-option>
 <module-option name="java.naming.security.authentication">simple</module-option>
 <module-option name="principalDNPrefix">uid=</module-option>
 <module-option name="principalDNSuffix">,ou=People,o=test,dc=portal,dc=example,dc=com</module-option>
 <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=example,dc=com</module-option>
 <module-option name="uidAttributeID">member</module-option>
 <module-option name="matchOnUserDN">true</module-option>
 <module-option name="roleAttributeID">cn</module-option>
 <module-option name="roleAttributeIsDN">false</module-option>
 <module-option name="searchTimeLimit">5000</module-option>
 <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
 </login-module>

I still do not understand where the big difference is.

Thank you for your help.

Have a nice day,

Pito

[jllort]

The configuration you posted run in your system. As I written in last post, last configuration is for active directory ( that's a ldap structure too ), but I can not sure that same configuration is running on windows be the same that your ldap is in linux ( openldap or similar ), probably some parameters are the same but others not.

If you finally can connect, it'll be interesting to see the diferences. Try looking in google for "ldap jboss and your os or your ldap version" probably you'll find better information.