• Configure ROLE_ADMIN for specific LDAP users, without modification of LDAP entries

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
OpenKM has many interesting features, but requires some configuration process to show its full potential.
Forum rules: Please, before asking something see the documentation wiki or use the search feature of the forum. And remember we don't have a crystal ball or mental readers, so if you post about an issue tell us which OpenKM are you using and also the browser and operating system version. For more info read How to Report Bugs Effectively.
 #45298  by ulinuha
 
Hello...

I have successfully configured authentication through LDAP by setting OpenKM.xml and the settings in the admin page.
I have set DefaultRole parameter in OpenKM.xml to ROLE_USER because i have only "read only" mode access to LDAP server.

In this case, is there any easy way to enter the OpenKM with Admin Role beside switching from LDAP to database adapter or switching DefaultRole from ROLE_USER to ADMIN_USER?
 #45312  by ulinuha
 
Yes I wanna set all the users to be as ROLE_USER, and it works by setting the defaultrole parameter. However when i wanna configure something in admin page i have a difficulty to enter the admin page. It is because i have to switch the defaultrole parameter to ROLE_ADMIN again and then after finishing doing the admin stuff, i have to swtich back again the defaultrole to ROLE_USER again. In this case I'm not the admin of the LDAP server, so i can't modify it (make specific role: admin & user role in it).
 #45339  by ulinuha
 
Yes i can't set ROLE_ADMIN via LDAP (I'm not the administrator, so i only have "read onl"y access). Is there any way to set ROLE_ADMIN via OPENKM admin page instead?

Here's the code:
Code: Select all
<?xml version="1.0" encoding="UTF-8"?> <beans:beans 
xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">
  
<security:authentication-manager 
alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" 
/> </security:authentication-manager>
  
<beans:bean id="contextSource" 
class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg 
value="ldap://xxxx:389"/>
  <beans:property name="userDn" value="xxxx"/>
  <beans:property name="password" value="xxxx"/> 
</beans:bean> <beans:bean id="ldapAuthProvider" 
class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean 
class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean 
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" 
value="division=IT"/>
      <beans:property name="groupRoleAttribute" 
value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" 
value="false" />
      <beans:property name="rolePrefix" value="" />
	  <beans:property name="defaultRole" 
value="ROLE_USER" />
    </beans:bean>
  </beans:constructor-arg> </beans:bean> <beans:bean 
id="userSearch" 
class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="O=MyOrg" />
  <beans:constructor-arg index="1" value="uid={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" /> 
</beans:bean>
</beans:beans>
 #45347  by jllort
 
In professional version we have mixed configuration where users comes from AD and roles are into OpenKM database, but in community this feature has not been released.

Watching your configuration seems you are using openldap, for each role you should create and attribute memberUid with the value of each user into.

The problem is in this section of the xml:
Code: Select all
<beans:bean 
class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" 
value="division=IT"/>
      <beans:property name="groupRoleAttribute" 
value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" 
value="false" />
      <beans:property name="rolePrefix" value="" />
	  <beans:property name="defaultRole" 
value="ROLE_USER" />
    </beans:bean>
Where you should have something like:
Code: Select all
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=roles"/>
                <beans:property name="groupSearchFilter" value="memberUid={1}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="true" />
 
        <beans:property name="rolePrefix" value="" /> 
 
            </beans:bean>
Take a look at this section of the documentation https://docs.openkm.com/kcenter/view/ok ... login.html

The problem with openldap is for setting the relation between roles and user. You must declare attribute into roles and also attribute into user for bidirectional relation ( the second relation is not mandatory , will only take effect from UI when you are getting roles by user, but the first is mandatory you must add an attribute into each role to set the relation between users and roles ).

About Us

OpenKM is part of the management software. A management software is a program that facilitates the accomplishment of administrative tasks. OpenKM is a document management system that allows you to manage business content and workflow in a more efficient way. Document managers guarantee data protection by establishing information security for business content.