• Configuration of Active Directory from OpenKM

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #42353  by vinodhsatyam
 
Hi,

I am pretty new to OpenKM. I downloaded OpenKM Portable Development Environment 6.3. I am trying to configure Active Directory from this environment by following the documentation but I am unable to do so. I tried modifying the OpenKM.xml file as well as the suggested configuration parameters. Could anyone help me out in successfully configuring Active Directory so that I can fetch the users into OpenKM? Please explain what needs to be done on the AD side as well as on the OpenKM side. Please share the step-by-step process or your contact so that we can have a chat and implement this successfully.



Satyam V Vinodh
Email: mail removed
 #42356  by vinodhsatyam
 
Hi jllort,

Thank you very much for the reply.

I have gone through the link you have provided. Please let me know from where we need to import the users from OpenKM. I don't see any button to import the users from OpenKM after modifying the configuration parameters. Also most of the buttons including LDAP Search are missing from the Utilities section under Administration. I only see the following.
1) Check Email
2) Rebuild indexes
3) Repository checker
4) Repository view
5) List indexes
6) Check text extraction
7) System properties
8) LogCat
9) CSS

Also we don't want the roles ROLE_USER and ROLE_ADMIN to be created in AD.



Thanks,
Satyam V Vinodh
 #42361  by jllort
 
There's no button for importing; first you must configure the "configuration parameters" (and restart OpenKM). When you see users and roles in Administration (after correctly configuring the configuration parameters), then you can work with OpenKM.xml.

Read the link I provided with patience; this is not a trivial task, especially if you have never seen AD at a low level. I also suggest installing Active Directory Explorer (take a look for the link here: https://wiki.openkm.com/index.php/Active_Directory).
 #42376  by vinodhsatyam
 
Hi jllort,

Thank you very much for the reply.
I configured the configuration parameters and restarted OpenKM but no luck. As suggested, I installed Active directory explorer also to see the AD structure. All the configuration parameters are correct to my knowledge. I tried in all the ways but the users are not getting fetched. Could you please provide me your contact and let me know the convenient time so that I can have a discussion with you and implement this successfully.


Thanks,
Satyam V Vinodh
 #42378  by jllort
 
You have missed some parameter or written something wrong. If you share the OpenKM internal configuration here I will take a look at it. Hide any parameters in your configuration that you consider must not be shown in the public forum.
 #42379  by vinodhsatyam
 
Hi jllort,

Thank you for the quick response. I am replacing the company name, ip address, username and password with the respective values.
Could you please look into the attached file and help me out? Also please be informed that neither of the roles ROLE_USER and ROLE_ADMIN has been created in AD, as we don't want them to be created in AD.


Thanks,
Satyam V Vinodh
Attachments
parameters.jpg
 #42383  by jllort
 
Did you change ldap.principal.adapter and then restart the application?
Keep in mind that if you do not want to use ROLE_USER and ROLE_ADMIN, other roles should be used in their place and you must also modify the applicationContext.xml file in the OpenKM folder (the moment will arrive when you configure login in OpenKM.xml; I suggest creating ROLE_ADMIN and ROLE_USER, everything will be easier for you).
 #42385  by vinodhsatyam
 
Hi,

I have changed principal.adapter to com.openkm.principal.LdapPrincipalAdapter and restarted the application but still no luck.
For the first step of configuring parameters, do the roles need to be created for getting the users? Only once the users are in the application do the roles come into the picture for login, right? Correct me if I am wrong. Also, in OpenKM.xml, does the default security configuration need to be commented out or not? If it is commented out, how will the okmAdmin user log in to the application?
Please provide me your contact so that I can sort out this configuration. It's been more than a week that I have been stuck on this without any progress.
I need to finish this as early as possible as I need to do a POC by this weekend.

Thanks,
Satyam V Vinodh
 #42394  by jllort
 
As a community user, the only support we can provide is in this forum; there are some rules that cannot be broken (as a customer, there is direct support on a specific website for supported users). The first time we did an AD integration we needed about 1 week to succeed; now we need 1-2 hours for it (after doing a lot of them; basically it is not a trivial task).

I recommend forgetting OpenKM.xml and concentrating on the configuration parameters, especially these:
Code:
principal.adapter=com.openkm.principal.LdapPrincipalAdapter ( need restarting once )
principal.ldap.server=ldap://192.168.xxx.xxx:389
principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
principal.ldap.username.attribute=cn
principal.ldap.username.search.base=DC=company,DC=com
principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=DC=company,DC=com
principal.ldap.user.search.filter=(objectclass=user)
Obviously the parameter values like DC=company.com,DC=com etc. depend on your AD configuration.
Take a look at your $TOMCAT_HOME/logs/catalina.log file for errors.

If you are not retrieving the user list, then surely you have some mistake in the parameters, or access is denied for the user you are trying to connect with, or a firewall is blocking the AD connection, or a similar problem.
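
The "mistake in parameters" case from the post above can be checked offline before restarting OpenKM. This is an added example, not part of the thread and not OpenKM code: a small Python linter over the parameter list from post #42394. The check names and messages are this example's own, and 192.0.2.10 is a constructed placeholder for the masked IP.

```python
from urllib.parse import urlparse

# Constructed sample: the parameters from the post, masked IP -> 192.0.2.10.
SAMPLE = """\
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://192.0.2.10:389
principal.ldap.security.principal=CN=Administrator,OU=OPENKM,DC=company,DC=com
principal.ldap.username.attribute=cn
principal.ldap.username.search.base=DC=company,DC=com
principal.ldap.username.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=DC=company,DC=com
principal.ldap.user.search.filter=(objectclass=user)
"""

def parse(text):
    """Split key=value lines on the first '=' only (DNs and filters contain '=')."""
    pairs = (l.split("=", 1) for l in text.splitlines() if "=" in l)
    return {k.strip(): v.strip() for k, v in pairs}

def dc_suffix(dn):
    """Lower-cased DC= components of a DN, in order."""
    parts = [p.strip().lower() for p in dn.split(",")]
    return [p for p in parts if p.startswith("dc=")]

def balanced(flt):
    depth = 0
    for ch in flt:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and flt.startswith("(")

def lint(cfg):
    """Return a list of findings; an empty list means no static problem found."""
    out = []
    url = urlparse(cfg.get("principal.ldap.server", ""))
    if url.scheme not in ("ldap", "ldaps") or not url.hostname:
        out.append("server: not an ldap:// or ldaps:// URL")
    elif url.scheme == "ldap":
        out.append("server: ldap:// without TLS exposes the bind password on the wire")
    bind_dc = dc_suffix(cfg.get("principal.ldap.security.principal", ""))
    for key, val in cfg.items():
        if key.endswith(".search.base") and dc_suffix(val) != bind_dc:
            out.append(f"{key}: DC components differ from the bind principal")
        if key.endswith(".search.filter") and not balanced(val):
            out.append(f"{key}: unbalanced parentheses")
    if "{0}" not in cfg.get("principal.ldap.username.search.filter", ""):
        out.append("username.search.filter: missing {0} placeholder")
    return out
```

Run against the sample as posted, the only finding is the unencrypted `ldap://` bind; a search base written as `DC=company.com,DC=com` is reported as not matching the bind principal's domain.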
 #42399  by vinodhsatyam
 
Hi,

Thank you for the reply.
I am seeing the below error in catalina.log. Could you please let me know if this is causing any issue?
Code:
DEBUG org.springframework.security.web.access.ExceptionTranslationFilter- Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:501)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:408)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1040)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:607)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:315)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:745)

Thanks.
Satyam V Vinodh
 #42407  by jllort
 
Did you change OpenKM.xml or are you only working with the internal configuration parameters? Is OpenKM.xml still using database auth? Keep in mind any change in this file needs an application restart.
 #42419  by vinodhsatyam
 
Hi,

I am working only with internal configuration parameters. I haven't changed anything in OpenKM.xml file. Using the default one only.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
  
  <!-- Security configuration -->
 <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="md5"/>
      <security:jdbc-user-service 
        data-source-ref="dataSource"
        users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
        authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>

</beans:beans>
Thanks,
Satyam V Vinodh
 #42426  by jllort
 
It seems security goes through the database; restart Tomcat to ensure you are really logging in from the database. About the previous error, I do not understand the reason (it seems there's some problem accessing the translation). Is the error shown from the login screen?
Anyway, I think it has no relation to the AD integration.
 #42527  by vinodhsatyam
 
Hi,

I restarted the Tomcat but still no luck.
Could you please let me know whether I can make use of a SQL Server database from the Portable Development Environment instead of the default database, and if so, how I need to configure it?


Thanks & Regards,
Vinodh Satyam
