LDAP Paged search

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #52974  by moealiassaad
 
Hello,

we have an AD with more than 5000 users, and when we sync it with OpenKM, we only get the first 1000 due to pagination limits in the AD.

How can we configure OpenKM.xml so that we perform a paged search and get all users?

We are using OpenKM CE 6.3.

Best
 #52985  by jllort
 
That is a restriction that comes from the AD configuration, which does not allow retrieving more than 1000 elements. Check your AD configuration, because it is on its side.
 #52994  by moealiassaad
 
Thanks for your reply.

I understand that. For now our AD management does not wish to change this limit from their side and want us to find a solution on our side.

I found a way to do a paged search in plain Java, which returns all the results, but in the case of OpenKM the configuration is in an XML file, and I couldn't find online a configuration to perform a paged search on AD via XML.

Isn't there any other solution but changing the AD configuration?
 #53005  by jllort
 
I suggest creating your own LdapPrincipalAdapter.java class and doing the pagination there. Anyway, from my point of view this is a bad approach. Do all the users in the AD have access to OpenKM? Only members of ROLE_ADMIN and ROLE_USER should have access to OpenKM, so the list of users from AD should contain only those that are members of these two groups (I don't know whether you have more than 1000 users who are members of these roles or not). For example, take a look here https://docs.openkm.com/kcenter/view/ok ... roles.html at the configuration parameter named principal.ldap.user.search.filter
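The approach jllort suggests above, a paged search done in a custom adapter, as an added example that is not OpenKM's code (OpenKM's real LdapPrincipalAdapter is not reproduced here): a plain JNDI search that attaches the RFC 2696 PagedResultsControl, asks for pages smaller than AD's MaxPageSize (1000 by default) and follows the server cookie until it is empty. The class and method names, the page size of 500, the ldaps:// URL, bind DN, search base and attribute given in main are assumptions for illustration.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;

import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;
import javax.naming.ldap.PagedResultsControl;
import javax.naming.ldap.PagedResultsResponseControl;

/** Illustrative paged user search against AD; not OpenKM's LdapPrincipalAdapter. */
public class PagedLdapUserSearch {

    // Must stay below the server's MaxPageSize (AD default 1000); assumed value.
    private static final int PAGE_SIZE = 500;

    public static List<String> searchAll(String url, String bindDn, String bindPassword,
                                         String searchBase, String filter, String attribute)
            throws NamingException, IOException {
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);           // use ldaps://, a simple bind sends the password
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindDn);
        env.put(Context.SECURITY_CREDENTIALS, bindPassword);

        List<String> results = new ArrayList<>();
        LdapContext ctx = new InitialLdapContext(env, null);
        try {
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            sc.setReturningAttributes(new String[] { attribute });

            byte[] cookie = null;
            do {
                // CRITICAL: a server that ignores paging rejects the request instead of
                // silently handing back only the first 1000 entries.
                ctx.setRequestControls(new Control[] {
                    new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL) });

                NamingEnumeration<SearchResult> answer = ctx.search(searchBase, filter, sc);
                // The enumeration must be fully consumed before the response controls are valid.
                while (answer.hasMore()) {
                    Attribute a = answer.next().getAttributes().get(attribute);
                    if (a != null) {
                        results.add(a.get().toString());
                    }
                }
                answer.close();

                // The cookie must be sent back unchanged on this same connection; an empty
                // cookie means the last page has been delivered.
                cookie = null;
                Control[] responseControls = ctx.getResponseControls();
                if (responseControls != null) {
                    for (Control c : responseControls) {
                        if (c instanceof PagedResultsResponseControl) {
                            cookie = ((PagedResultsResponseControl) c).getCookie();
                        }
                    }
                }
            } while (cookie != null && cookie.length > 0);
        } finally {
            ctx.close();
        }
        return results;
    }

    // Illustrative entry point; all connection details are assumptions, not OpenKM configuration.
    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: PagedLdapUserSearch <ldaps-url> <bind-dn> <search-base> <filter>");
            return;
        }
        // Read the bind password from the environment so it stays out of shell history
        // and process listings.
        String password = System.getenv("LDAP_BIND_PASSWORD");
        List<String> users = searchAll(args[0], args[1], password, args[2], args[3], "sAMAccountName");
        System.out.println(users.size() + " users found");
    }
}
```

Two checks worth keeping when adapting this: the control is marked critical so an LDAP server without paging support fails the search loudly rather than truncating it, and the loop re-sends the control on every round trip, since AD forgets the paged cookie if a request arrives without it.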
 #53042  by moealiassaad
 
No, not all employees have the OKM_USER role in AD, you're right.
So here is my understanding: there are two places where LDAP is configured -> in Administration > Configuration (to get the full list of users), and in OpenKM.xml (for AD login).

When I use these values in Administration Configuration:
  • For principal.ldap.mail.search.base: ou=XXX,dc=YYYYYYY,dc=net
  • For principal.ldap.role.search.base: ou=XXX,dc=YYYYYYY,dc=net
  • For principal.ldap.roles.by.user.search.base: ou=XXX,dc=YYYYYYY,dc=net
  • For principal.ldap.user.search.base: ou=XXX,dc=YYYYYYY,dc=net
  • For principal.ldap.username.search.base: ou=XXX,dc=YYYYYYY,dc=net
I get only the people from the OU, some of whom have the role OKM_USER.

However, I don't see any user from outside of OU=XXX.
If I remove the OU and use only dc=YYYYYYY,dc=net, I don't see any user in our OU, as I only get the first 1000.

Is there a way to get only users from AD who have OKM_USERS / OKM_ADMIN roles regardless of the OU? (our company has many entities and OU=XXX contains the list of employees from our own entities only).

I hope my explanation was clear.
Thanks for your support
 #53069  by moealiassaad
 
Dear jllort,

Just to give you a feedback on this issue, we managed to filter users by group by using the following syntax
(|(memberOf=CN=OpenKM_Users,OU=Administration,OU=Security,OU=Groups,OU=xxx,DC=yyyy,DC=net)(memberOf=CN=OpenKM_Admins,OU=Administration,OU=Security,OU=Groups,OU=xxx,DC=yyyy,DC=net))
in the field principal.ldap.user.search.filter
and by setting the search base for all items to DC=yyyy,DC=net.

Now we only see users that are in these security groups. I still did not try the login filter, but I guess, following the link you sent me, it is a straightforward action.

Thank you for your support
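The memberOf filter posted above, generalized as an added example that is neither OpenKM's code nor part of the post: a small Java helper that builds the principal.ldap.user.search.filter value from a list of group DNs, escaping each DN per RFC 4515 so a CN containing '(', ')', '*' or '\' cannot break the filter, plus two optional AD-specific clauses a practitioner usually wants. Plain memberOf only matches direct members, so users who are in a group nested inside OpenKM_Users would be missed; AD's LDAP_MATCHING_RULE_IN_CHAIN extensible match resolves nesting server-side. A disabled account still carries its memberOf values, so a LDAP_MATCHING_RULE_BIT_AND test on userAccountControl bit 2 (ACCOUNTDISABLE) keeps it out of the user list. The class and method names and the sample DNs are assumptions; the thread's real DNs are redacted.

```java
import java.util.Arrays;
import java.util.List;

/** Builds an AD user-search filter from group DNs; illustrative, not OpenKM code. */
public final class OpenKmUserSearchFilter {

    /** Escapes a value for use inside an LDAP search filter (RFC 4515, section 3). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length());
        for (char ch : value.toCharArray()) {
            switch (ch) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(ch);
            }
        }
        return sb.toString();
    }

    /**
     * Matches users that belong to any of the given groups.
     * nested=true uses LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) so members
     * of groups nested inside the listed groups match too.
     * excludeDisabled=true adds a LDAP_MATCHING_RULE_BIT_AND (OID 1.2.840.113556.1.4.803)
     * test on userAccountControl bit 2, ACCOUNTDISABLE. Both OIDs are AD-specific.
     */
    static String build(List<String> groupDns, boolean nested, boolean excludeDisabled) {
        if (groupDns.isEmpty()) {
            throw new IllegalArgumentException("at least one group DN is required");
        }
        String attribute = nested ? "memberOf:1.2.840.113556.1.4.1941:" : "memberOf";
        StringBuilder membership = new StringBuilder("(|");
        for (String dn : groupDns) {
            membership.append('(').append(attribute).append('=')
                      .append(escapeFilterValue(dn)).append(')');
        }
        membership.append(')');
        if (!excludeDisabled) {
            return membership.toString();
        }
        return "(&(!(userAccountControl:1.2.840.113556.1.4.803:=2))" + membership + ")";
    }

    public static void main(String[] args) {
        // Sample group DNs constructed for this example.
        List<String> groups = Arrays.asList(
            "CN=OpenKM_Users,OU=Groups,DC=example,DC=net",
            "CN=OpenKM_Admins,OU=Groups,DC=example,DC=net");
        // Same shape as the filter posted above: direct membership only.
        System.out.println(build(groups, false, false));
        // Hardened variant: nested membership resolved by AD, disabled accounts skipped.
        System.out.println(build(groups, true, true));
    }
}
```

Paste the printed string into principal.ldap.user.search.filter. The two extensible-match clauses only work against Active Directory; against OpenLDAP leave both flags false and handle nesting and account status some other way.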
 #53082  by jllort
 
You should create security groups named ROLE_USER and ROLE_ADMIN; your OpenKM_Users should be ROLE_USER, and the same idea for the other group.

ROLE_USER and ROLE_ADMIN are the security group names expected by default in OpenKM; changing them is possible, but I do not suggest it.
