• Configuration of Active Directory from OpenKM

 #42533  by jllort
 
Please do not merge distinct topics in the same post, otherwise the focus is lost ( https://wiki.openkm.com/index.php/SQL_S ... OpenKM_6.2 )

About the error ( if you really are using database authentication, which seems to be set in the OpenKM.xml file ) I do not know the reason why you are getting it. Did you log in successfully? Does it happen with the okmAdmin user or only with other ones?
 #43039  by vinodhsatyam
 
Hi jllort,

We have been trying to implement this LDAP integration for the last two months, but without success. Could you please help us in order to integrate this successfully at the earliest. We followed all the steps suggested by you but still no luck. Please find the attached files for the configuration parameters and AD structure. Also we have created ROLE_ADMIN and ROLE_USER roles in our Active Directory. Please suggest how we can achieve this successfully at the earliest.
 #43056  by jllort
 
Where DC=company,DC=com appears in your configuration, I suppose you are using your own values? Otherwise it's wrong.

Ensure your connection parameters are right ( ip, credentials ). You can check the same queries with this tool https://technet.microsoft.com/en-us/sys ... lorer.aspx

Did you restart the OpenKM application after changing the principal.adapter value? Restarting is mandatory for it to take effect.

From my initial check, your configuration seems fine ( except the DC=company,DC=com ). Start with the three attributes that start with principal.ldap.user.* ( this is what retrieves the user list; usually I start with it, and when you get these three parameters running you can continue with the others ).

Take a look at catalina.log to see if some error appears.

Sometimes I needed to apply some host resolution in the hosts file. Take a look here: https://wiki.openkm.com/index.php/Troub ... _with_LDAP ( only if you see some errors like is not able to resolve DC=company,DC=com etc... or similar )
 #43067  by vinodhsatyam
 
Hi jllort,

Thank you for the response.

I am using my own values at DC=company,DC=com. I am able to successfully fetch the users from Active Directory now.
I am unable to see the list of users under Administration users list tab but able to login into OpenKM with the users after modifying the OpenKM.xml file. I am having two groups of users Mumbai and Bangalore. In OpenKM.xml, I mentioned user-search-base="ou=Mumbai" and was able to successfully login with all the Mumbai users. Could you please let me know how to add the Bangalore group also in user-search-base so that I can login with both Mumbai and Bangalore users. Also let me know whether I can see the entire list of users in OpenKM or not.
The users are able to just login but unable to do any of the operations except the user with ROLE_ADMIN. The user with ROLE_ADMIN is able to do all the operations. Please let me know if anything else needs to be configured. Please be informed that I changed the default role "ROLE_USER" to my custom role name "Domain Users" by modifying the default.user.role configuration parameter. I haven't modified the default ROLE_ADMIN role. Please find attached the sample AD structure.
 #43078  by jllort
 
You must set your main base DC=company,DC=com rather than an OU.
Then you can add a filter based on users being members of some role, something like:
Code:
(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))
The same can be added in OpenKM.xml
Code:
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=company,DC=com" />
  <!-- '&' must be written as '&amp;' inside an XML attribute value -->
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
 #43089  by vinodhsatyam
 
Hi jllort,

Thank you for the reply.
I am able to successfully login into OpenKM with the users from all the groups now. But I am unable to see the list of users under Administration Users tab. So I am unable to assign my custom roles to the users. Could you please let me know how to get the list of users in the Users tab under Administration.
 #43102  by jllort
 
The user list, like the other integration features, is based on querying the AD server. For listing users you must concentrate on these parameters:
https://wiki.openkm.com/index.php/LDAP_examples
Code:
 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))
Ensure your connection to LDAP is correctly configured in your configuration parameters.
Ensure you have changed the principal.adapter and have restarted the application: principal.adapter=com.openkm.principal.LdapPrincipalAdapter

At the beginning you can start with a less restrictive query:
Code:
 principal.ldap.user.attribute=sAMAccountName
 principal.ldap.user.search.base=DC=company,DC=com
 principal.ldap.user.search.filter=(objectclass=user)
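
Added example, not part of the posts above and not OpenKM or Spring Security code: the helper names are hypothetical and the group DNs are the placeholder values from this thread. It builds the listing filter for principal.ldap.user.search.filter and the login filter for the userSearch bean from one group list, escapes filter values per RFC 4515, and XML-escapes the `&` when rendering the OpenKM.xml attribute.

```python
# Added example (hypothetical helper names); not OpenKM or Spring Security code.
from xml.sax.saxutils import quoteattr

# Group DNs as written in the thread (placeholder domain DC=company,DC=com).
GROUPS = [
    "CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com",
    "CN=ROLE_USER,OU=OpenKM,DC=company,DC=com",
]

# RFC 4515: characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def group_clause(group_dns):
    """OR of memberOf tests, one per allowed group."""
    tests = "".join(f"(memberOf={escape_filter_value(dn)})" for dn in group_dns)
    return f"(|{tests})"


def listing_filter(group_dns):
    """Value for principal.ldap.user.search.filter (plain text, no XML escaping)."""
    return f"(&(objectclass=user){group_clause(group_dns)})"


def login_filter(group_dns, attr="sAMAccountName"):
    """Filter for the userSearch bean; {0} is left in place for the login name."""
    return f"(&({attr}={{0}}){group_clause(group_dns)})"


def xml_constructor_arg(index, value):
    """Render the bean argument; quoteattr turns '&' into '&amp;' for OpenKM.xml."""
    return f'<beans:constructor-arg index="{index}" value={quoteattr(value)} />'


def manual_test_filter(group_dns, login_name):
    """Filter to paste into an LDAP browser, with the login name escaped."""
    return login_filter(group_dns).replace("{0}", escape_filter_value(login_name))


if __name__ == "__main__":
    print(listing_filter(GROUPS))
    print(xml_constructor_arg(1, login_filter(GROUPS)))
    print(manual_test_filter(GROUPS, "j*doe"))  # constructed login name
```
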
 
 #43122  by vinodhsatyam
 
Hi jllort,

Thank you for the reply.

I am able to login with the users from AD but still unable to get the list of users under Administration. Attaching the values provided in OpenKM.xml and Configuration parameters. Could you please compare these and let me know how to achieve this.


Thanks,
Vinodh
 #43151  by vinodhsatyam
 
Hi jllort,

Thank you for the reply.
I installed OpenKM on some other machine and was able to successfully fetch the users from AD. There might be some connection issue from my account. I want the AD users to be used in jbpm workflow. I need to send a task to a group of users but unable to add the AD users to particular roles in OpenKM. Could you please let me know how to achieve this with AD users.
 #43399  by AdamChen
 
Hi jllort! I'm Adam.
I can't log in with the LDAP setting; there is always an authentication error!
This is my company's LDAP tree:
DIT --
| Root DSE
| ---- CN=Partition1,DC=moss, DC=com
| ---- ---- cn=Groups
| ---- ---- cn=ron
| ---- ---- cn=Users
| ---- ---- ---- cn=shanghai
| ---- ---- ---- cn=taiwan
| ---- ---- ---- ---- cn=taipei
| ---- ---- ---- ---- cn=taichung

and this is tomcat -> openkm.xml
Code:
	<!-- LDAP server connection (element self-closed so the file is well-formed) -->
	<security:ldap-server id="ldapServer"
		url="ldap://10.0.0.XX:XXX/cn=Partition1,dc=moss,dc=com"
		manager-dn="cn=Partition1,dc=moss,dc=com"
		manager-password="xxxx" />

	<!-- User and group lookup used at login -->
	<security:authentication-manager alias="authenticationManager">
		<security:ldap-authentication-provider
			server-ref="ldapServer"
			user-search-base="cn=Users"
			user-search-filter="(sAMAccountName={0})"
			group-search-base="cn=Users"
			group-search-filter="(member={0})"
			group-role-attribute="cn"
			role-prefix="none">
		</security:ldap-authentication-provider>
	</security:authentication-manager>
I just set this; am I right?

I don't know where I need to write for " OpenKM integration "

thank you for your help!!
 #43414  by AdamChen
 
Hi jllort, thank you very much for help!

I have already set it up with LDAP!

But now I have a new problem with too many users.

My company's LDAP has almost over 10,000 users,

and I found that if the user list is over 1,000 you get error code 4, Sizelimit Exceeded.

How can I solve this problem?
