• Authenticating with AD

 #46724  by DrydenK
 
Hi,
I'm trying to authenticate users with my AD, but it's not working.

I followed https://docs.openkm.com/kcenter/view/ok ... ation.html. After entering all the required information in the administration panel, OpenKM has successfully retrieved the users and roles from my domain. Then, after setting the principal.adapter property to com.openkm.principal.LdapPrincipalAdapter and replacing Openkm.xml with the one suggested in the web page (and updating the url, manager-dn and manager-password), I restarted Tomcat to enable those settings.

Following catalina.out, after some time, I got the following error:
Code:
05-Sep-2018 10:46:14.222 SEVERE [localhost-startStop-1] org.springframework.web.context.ContextLoader.initWebApplicationContext Context initialization failed
 org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document from URL [file:/home/openkm/tomcat-8.5.24/OpenKM.xml] is invalid; nested exception
 is org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 64; The prefix "security" for element "security:authentication-manager" is not bound.

I've tried some variations in the OpenKM.xml, without success. Do special characters ($, @, % and other) need to be escaped? Do I have to install some OS library to make it work? Does it make any difference to use FQDN or IP in the url?

I'm using OpenKM 6.3.6, build 787d181f
OS is Ubuntu 18.4 x64

tks,

Roberto
 #46737  by jllort
 
Something is wrong in the XML.

1- Take care with passwords with strange characters, which might need to be escaped in the XML.
2- Ensure you have commented out the database XML configuration section.

What OpenKM version are you using?

Can you share your OpenKM.xml, with private information commented out, so we can take a look at it?
 #46759  by DrydenK
 
As mentioned in the first post, I'm using version 6.3.6, build 87d181f.

My Openkm.xml file is the following:
Code:
<security:ldap-server id="ldapServer"
  url="ldap://ad.fdn.fundunesp.unesp.br:389/DC=<domain>"
  manager-dn="<admin_user, copied from Apache Directory>"
  manager-password="<my_admin_user_pass>"/>

<security:authentication-manager alias="authenticationManager">
  <security:ldap-authentication-provider
    server-ref="ldapServer"
    user-search-base="cn=Users"
    user-search-filter="(sAMAccountName={0})"
    group-search-base="cn=Users"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="none">
  </security:ldap-authentication-provider>
</security:authentication-manager>

Roberto
 #46773  by jllort
 
I do not like this minimalist configuration. I suggest going in the direction explained in this documentation section; you will have more control of what really happens with the integration: https://docs.openkm.com/kcenter/view/ok ... roles.html

First, start with the OpenKM administration configuration (OpenKM LDAP parameters) and, when you succeed there, go on with authentication. This is the easiest way of doing it and you will restart the server fewer times (which is usually where a lot of time is spent).
 #46777  by DrydenK
 
GREAT!!!!!

This version works nicely. There was only one hiccup: The documentation in that page is outdated and needs to be fixed. In the XML, where it reads
Code:
xsi:schemaLocation="http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
     http://www.springframework.org/schema/security
     http://www.springframework.org/schema/security/spring-security-3.1.xsd
     http://www.springframework.org/schema/task
     http://www.springframework.org/schema/task/spring-task-3.1.xsd">

It should be
Code:
xsi:schemaLocation="http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
     http://www.springframework.org/schema/security
     http://www.springframework.org/schema/security/spring-security-3.2.xsd
     http://www.springframework.org/schema/task
     http://www.springframework.org/schema/task/spring-task-3.2.xsd">

If you don't replace the '3.1' entries with '3.2', Tomcat fails with the following message:
Code:
13-Sep-2018 10:04:22.970 INFO [localhost-startStop-1] org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions Loading XML bean definitions from URL [file:/home/openkm/tomcat-8.5.24/OpenKM.xml]
13-Sep-2018 10:04:23.020 SEVERE [localhost-startStop-1] org.springframework.web.context.ContextLoader.initWebApplicationContext Context initialization failed
 org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema with Spring Security 3.2. Please update your schema declarations to the 3.2 schema.

Anyway, tks for the help.

Roberto

PS: Where do I report the above problem with the documentation?
 #46787  by jllort
 
Also, you can remove the numbers and it should work. In newer versions of the OpenKM.xml file we have removed them.
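
A pre-flight check for the two startup failures reported in this thread (the unbound "security" prefix and the versioned 3.1 schema locations) and for the password-escaping question, as an added example that is not code from the posts or from OpenKM. The host name, DNs, password and function names are constructed for illustration; the check also flags plain ldap:// URLs, which goes beyond what the thread discusses.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

SEC_NS = "http://www.springframework.org/schema/security"
XSI_LOC = "{http://www.w3.org/2001/XMLSchema-instance}schemaLocation"
VERSIONED_XSD = re.compile(r"\S+-\d+\.\d+\.xsd")

def check_openkm_xml(text):
    """Return a list of findings for a Spring Security config such as OpenKM.xml."""
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        # An unbound prefix and a raw & or < in an attribute value both land here.
        return [f"parse error: {exc}"]
    findings = [f"versioned schema: {xsd}"
                for xsd in VERSIONED_XSD.findall(root.get(XSI_LOC, ""))]
    for server in root.iter(f"{{{SEC_NS}}}ldap-server"):
        if server.get("url", "").lower().startswith("ldap://"):
            findings.append("ldap:// URL: simple binds are sent unencrypted")
    return findings

def sample_config(xsd_version, password_attr):
    """Constructed sample; host, DNs and password are made up for this example."""
    v = f"-{xsd_version}" if xsd_version else ""
    return f'''<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:security="{SEC_NS}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xsi:schemaLocation="http://www.springframework.org/schema/beans
    http://www.springframework.org/schema/beans/spring-beans{v}.xsd
    {SEC_NS} {SEC_NS}/spring-security{v}.xsd">
  <security:ldap-server id="ldapServer"
    url="ldap://ad.example.test:389/DC=example,DC=test"
    manager-dn="CN=svc-openkm,CN=Users,DC=example,DC=test"
    manager-password={password_attr}/>
</beans>'''

PASSWORD = "P@$$%w&rd<1"  # constructed; of these only & and < must be escaped
FRAGMENT = '<security:ldap-server id="ldapServer" url="ldap://ad.example.test"/>'
CASES = {
    "fragment without <beans> root": FRAGMENT,
    "3.1 schema locations": sample_config("3.1", quoteattr(PASSWORD)),
    "versionless schema locations": sample_config("", quoteattr(PASSWORD)),
    "raw password in attribute": sample_config("", f'"{PASSWORD}"'),
}

if __name__ == "__main__":
    for label, doc in CASES.items():
        print(label, "->", check_openkm_xml(doc))
```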
 #46790  by DrydenK
 
Ok. It would be nice to update the documentation with that information. Who would be responsible for that?
 #46819  by ColH
 
Sorry if this is a dumb question, but is it necessary to change both the OpenKM.xml file and to set the principal.ldap.* settings in the Admin web page? They seem to be the same kind of values etc in many cases, and I'm not sure what the relationship is between the two.
 #46830  by jllort
 
They are the same, but the parameters from the administration are used by OpenKM to retrieve the user and role lists. The OpenKM.xml is used for authentication. I suggest first working with the administration parameters and, when you succeed with them, then working with OpenKM.xml; that is usually the quick way to succeed.
