Hi,
Sorry in advance for my english.
I have successfully install openkm community edition (Version 6.3.6, Tomcat-8.5.24) with MS AD using advanced configuration and best practices in docs : https://docs.openkm.com/kcenter/view/ok ... ation.html
https://docs.openkm.com/kcenter/view/ok ... roles.html
But with these docs, I had two problems the user ID was a trigram (sAMAccountName) and the user ID in Role was a First Name and Last Name (CN).
With the option Principal.ldap.users.from.roles on True, i could see openKm creates users with ID First Name and Last Name (CN).
For one user, i had two accounts : ID = MLE Name= Mi** Lenormand Mail= *** Roles = ROLE_USER ROLE_TEST
ID = Mi** Lenormand Name=Mi** Lenormand Mail = (empty) Roles = (empty)
The second account have Roles empty but present in the role (ex: ROLE_USER) when i filter.
I think the problem comes from :
principal.ldap.users.by.role.attribute member
principal.ldap.users.by.role.search.base OU=IT,OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.users.by.role.search.filter (&(objectClass=group)(cn={0}))
we can't filter by sAMAccountName because in member there is no sAMAccountName :
The second problems is role does not work when i logging with MLE. ( in Log, i can't logging with ID = Mi** Lenormand)
After many manipulation i have solve the first problem, i am logging with CN and password. But the second problem is always present.
In administration TAB
In [Tomcat-8.5.24]/OpenKM.xml
Here are the results that make me think that I'm on the right track :
Do you have any idea for this problem ?
Best Regards,
Mi Lenormand
Sorry in advance for my english.
I have successfully install openkm community edition (Version 6.3.6, Tomcat-8.5.24) with MS AD using advanced configuration and best practices in docs : https://docs.openkm.com/kcenter/view/ok ... ation.html
https://docs.openkm.com/kcenter/view/ok ... roles.html
But with these docs, I had two problems the user ID was a trigram (sAMAccountName) and the user ID in Role was a First Name and Last Name (CN).
With the option Principal.ldap.users.from.roles on True, i could see openKm creates users with ID First Name and Last Name (CN).
For one user, i had two accounts : ID = MLE Name= Mi** Lenormand Mail= *** Roles = ROLE_USER ROLE_TEST
ID = Mi** Lenormand Name=Mi** Lenormand Mail = (empty) Roles = (empty)
The second account have Roles empty but present in the role (ex: ROLE_USER) when i filter.
I think the problem comes from :
principal.ldap.users.by.role.attribute member
principal.ldap.users.by.role.search.base OU=IT,OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.users.by.role.search.filter (&(objectClass=group)(cn={0}))
we can't filter by sAMAccountName because in member there is no sAMAccountName :
The second problems is role does not work when i logging with MLE. ( in Log, i can't logging with ID = Mi** Lenormand)
After many manipulation i have solve the first problem, i am logging with CN and password. But the second problem is always present.
In administration TAB
Code: Select all
system.login.lowercase=true
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://sd01cdg***:389
principal.ldap.security.principal=CN=OpenKm,OU=Compte de Service,OU=SDA,DC=***,DC=***
principal.ldap.security.credentials=*******************
principal.ldap.user.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.user.search.filter=objectclass=person
principal.ldap.user.attribute=CN
principal.ldap.role.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=cn=OpenKM_ROLE,ou=cdg,ou=sda,dc=**,dc=**))
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.mail.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.mail.attribute=mail
principal.ldap.username.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.username.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.username.attribute=cn
principal.ldap.users.by.role.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member
principal.ldap.users.from.roles=true
principal.ldap.roles.by.user.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.referral=follow
In [Tomcat-8.5.24]/OpenKM.xml
Code: Select all
If i don't use <beans:property name="defaultRole" value="ROLE_ADMIN" />, i can't logging in ROLE_ADMIN<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xmlns:amq="http://activemq.apache.org/schema/core"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task.xsd">
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://sd01cdgdc:389"/>
<beans:property name="userDn" value="CN=OpenKm,OU=Compte de Service,OU=SDA,DC=***,DC=***"/>
<beans:property name="password" value="******************"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="OU=IT,OU=CDG,OU=SDA,DC=*****,DC=***"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="false" />
<!-- <beans:property name="rolePrefix" value="ROLE_" /> -->
<beans:property name="rolePrefix" value="" />
<beans:property name="defaultRole" value="ROLE_ADMIN" />
<!-- <beans:property name="defaultRole" value="ROLE_USER" /> -->
</beans:bean>
</beans:constructor-arg>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="OU=CDG,OU=SDA,DC=*****,DC=**" />
<beans:constructor-arg index="2" ref="contextSource" />
<!-- <beans:constructor-arg index="1" value="sAMAccountName={0}" /> -->
<beans:constructor-arg index="1" value="CN={0}" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>
Here are the results that make me think that I'm on the right track :
Do you have any idea for this problem ?
Best Regards,
Mi Lenormand
Last edited by milenormand on Thu Jun 28, 2018 8:25 am, edited 3 times in total.