AD integration openkm 6.3 community edition issue

OpenKM has many interesting features, but requires some configuration process to show its full potential.
#53449 by sanojs

Hi,

I am getting an "Authentication error" while logging in to OpenKM after AD integration.

I followed the link below to configure it:

https://docs.openkm.com/kcenter/view/ok ... ation.html

The configuration parameters are done and I am able to see the AD users in the User list screen of OpenKM. I updated the OpenKM.xml file, but I am still getting an Authentication error on login.

OpenKM.xml file:

--------------------
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/b ... -beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/s ... curity.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/t ... g-task.xsd">

<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

<security:ldap-server id="ldapServer"
url="ldap://192.168.*.*:389/DC=users,dc=saturn,dc=local"
manager-dn="CN=Administrator,cn=users,dc=**,dc=local"
manager-password="****"/>

<security:authentication-manager alias="authenticationManager">
<security:ldap-authentication-provider
server-ref="ldapServer"
user-search-base="cn=Users"
user-search-filter="(sAMAccountName={0})"
group-search-base="cn=Users"
group-search-filter="(member={0})"
group-role-attribute="cn"
role-prefix="none">
</security:ldap-authentication-provider>
</security:authentication-manager>

</beans:beans>
--------------------

Thanks
Attachment: OpenKM error.PNG
#53458 by jllort

Before playing with the authentication, the best option is to get the user and role list from the administration. I suggest following this section of the documentation to integrate OpenKM with AD: https://docs.openkm.com/kcenter/view/ok ... roles.html

The first step should be playing with the configuration parameters and successfully retrieving users and roles from the AD in the administration. Did you succeed on it?
#53473 by sanojs

Hi,

The first step should be playing with the configuration parameters and successfully retrieving users and roles from the AD in the administration. Did you succeed on it?

>>> Yes, it succeeded; I am able to see all users from AD in OpenKM.

OpenKM.xml file:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.0.197"/>
  <beans:property name="userDn" value="CN=Administrator,OU=Users,DC=***,DC=local"/>
  <beans:property name="password" value="****"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=saturn,DC=local"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=****,DC=local" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=Administrator,OU=Users,DC=****,DC=local)(memberOf=CN=Administrator,OU=Users,DC=****,DC=local)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>
Logs:
Code:
192.168.0.141 - - [09/May/2022:17:25:15 +0400] "GET /OpenKM/logo/login HTTP/1.1" 200 11261
192.168.0.141 - - [09/May/2022:17:25:22 +0400] "POST /OpenKM/j_spring_security_check HTTP/1.1" 302 -
192.168.0.141 - - [09/May/2022:17:25:23 +0400] "GET /OpenKM/login.jsp?error=1 HTTP/1.1" 200 9084
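The access-log lines in the post above show what a failed OpenKM login looks like on the wire: a POST to /OpenKM/j_spring_security_check answered with a 302, then a GET of /OpenKM/login.jsp?error=1. That signature is enough to spot password guessing against the login form, so here is an added example (editor's code, not OpenKM's or anything from this thread's posters) that parses Tomcat access-log lines and flags any source exceeding a number of failed logins inside a sliding window. The three lines from the post are the only real data; every 10.0.0.9 line is constructed so the detection has something to fire on.

```python
"""Flag sources hammering the OpenKM login form, from Tomcat access-log lines.

Added example for this thread, not OpenKM code. The three THREAD_LOG lines are
copied from the post above; the 10.0.0.9 lines are constructed. The signature
is the one visible in the post: a 302 from /OpenKM/j_spring_security_check
followed by a GET of /OpenKM/login.jsp?error=1.
"""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, Iterator, List, Optional, Tuple

# Common/combined access-log line as written by Tomcat's AccessLogValve.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)
FAILED_LOGIN_PATH = "/OpenKM/login.jsp?error=1"

THREAD_LOG = [  # copied from the post above
    '192.168.0.141 - - [09/May/2022:17:25:15 +0400] "GET /OpenKM/logo/login HTTP/1.1" 200 11261',
    '192.168.0.141 - - [09/May/2022:17:25:22 +0400] "POST /OpenKM/j_spring_security_check HTTP/1.1" 302 -',
    '192.168.0.141 - - [09/May/2022:17:25:23 +0400] "GET /OpenKM/login.jsp?error=1 HTTP/1.1" 200 9084',
]


def constructed_attempts(ip: str, first_second: int, count: int) -> List[str]:
    """Constructed (not real) POST/redirect pairs for `ip`, one second apart."""
    lines = []
    for i in range(count):
        sec = first_second + i
        lines.append('%s - - [09/May/2022:17:30:%02d +0400] '
                     '"POST /OpenKM/j_spring_security_check HTTP/1.1" 302 -' % (ip, sec))
        lines.append('%s - - [09/May/2022:17:30:%02d +0400] '
                     '"GET /OpenKM/login.jsp?error=1 HTTP/1.1" 200 9084' % (ip, sec))
    return lines


SAMPLE_LOG = THREAD_LOG + constructed_attempts("10.0.0.9", 1, 6)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one access-log line; None for lines that do not match the format."""
    m = ACCESS_LINE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(str(rec["status"]))
    return rec


def failed_logins(lines: Iterable[str]) -> Iterator[Tuple[str, datetime]]:
    """Yield (source ip, time) for every hit on the failed-login redirect target."""
    for rec in map(parse_line, lines):
        if rec and rec["method"] == "GET" and rec["path"] == FAILED_LOGIN_PATH \
                and rec["status"] == 200:
            yield str(rec["ip"]), rec["ts"]  # type: ignore[misc]


def sources_over_threshold(lines: Iterable[str], limit: int = 5,
                           window_seconds: int = 300) -> Dict[str, int]:
    """Return {ip: peak failures} for sources with more than `limit` failed
    logins inside any sliding window of `window_seconds`."""
    by_ip: Dict[str, List[datetime]] = defaultdict(list)
    for ip, ts in failed_logins(lines):
        by_ip[ip].append(ts)
    flagged: Dict[str, int] = {}
    for ip, stamps in by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it is within window_seconds of ts.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            in_window = end - start + 1
            if in_window > limit:
                flagged[ip] = max(flagged.get(ip, 0), in_window)
    return flagged


if __name__ == "__main__":
    for ip, n in sources_over_threshold(SAMPLE_LOG, limit=5, window_seconds=60).items():
        print("%s: %d failed OpenKM logins within 60s" % (ip, n))
```

The redirect to login.jsp?error=1 is used as the signal rather than the 302 from j_spring_security_check because a successful login also answers 302 (to the application), so the POST alone does not distinguish the two. The poster's own 192.168.0.141 produces a single failure and is not flagged at any sensible threshold.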
#53492 by jllort

Users must be members of ROLE_USER or ROLE_ADMIN; this is mandatory, otherwise you do not have enough grants to log in to OpenKM. You must create two groups in your AD named ROLE_USER and ROLE_ADMIN and assign them to your users.

The following filter is wrong; it should filter for users who are members of ROLE_USER and ROLE_ADMIN:
Code:
(&amp;(sAMAccountName={0})(|(memberOf=CN=Administrator,OU=Users,DC=****,DC=local)(memberOf=CN=Administrator,OU=Users,DC=****,DC=local)))
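Added example by the editor, not OpenKM's or Spring Security's code and not part of jllort's reply: it builds the user-search filter the reply asks for (account name match AND membership in ROLE_USER or ROLE_ADMIN), renders it as the `index="1"` constructor-arg of the `userSearch` bean with the `&` XML-escaped the way the posted config already writes it, and replays the lookup against a constructed directory so you can see that a valid AD account outside both groups is rejected before any bind is attempted. The domain saturn.local and the placement of the two groups directly under CN=Users are assumptions taken from the masked DNs in the thread; adjust them to your forest.

```python
"""Build the OpenKM user-search filter for AD and replay it against sample entries.

Added example for this thread; not OpenKM or Spring Security code.
Assumed (the thread masks the real DNs): domain saturn.local, and the two groups
jllort asks for, ROLE_USER and ROLE_ADMIN, created directly under CN=Users.
"""
from typing import Dict, Iterable, List, Optional
from xml.sax.saxutils import escape

ROLE_USER_DN = "CN=ROLE_USER,CN=Users,DC=saturn,DC=local"    # assumed DN
ROLE_ADMIN_DN = "CN=ROLE_ADMIN,CN=Users,DC=saturn,DC=local"  # assumed DN
REQUIRED_GROUPS = (ROLE_USER_DN, ROLE_ADMIN_DN)


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a search filter.

    Anything spliced into a filter must be escaped this way, or a login name
    such as 'x)(sAMAccountName=*' rewrites the query."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_search_filter(group_dns: Iterable[str] = REQUIRED_GROUPS) -> str:
    """Filter template for FilterBasedLdapUserSearch; Spring fills in {0} itself,
    so the placeholder stays literal here."""
    member_terms = "".join("(memberOf=%s)" % ldap_escape(dn) for dn in group_dns)
    return "(&(sAMAccountName={0})(|%s))" % member_terms


def constructor_arg_xml(filter_template: str) -> str:
    """The index=1 constructor-arg line of the userSearch bean.

    Inside an XML attribute '&' has to be written '&amp;', as in the post above."""
    return '<beans:constructor-arg index="1" value="%s" />' % escape(
        filter_template, {'"': "&quot;"})


# Constructed sample directory standing in for what the domain controller returns.
SAMPLE_DIRECTORY: List[Dict[str, object]] = [
    {"sAMAccountName": "alice",
     "memberOf": [ROLE_ADMIN_DN, "CN=Domain Users,CN=Users,DC=saturn,DC=local"]},
    {"sAMAccountName": "bob",
     "memberOf": [ROLE_USER_DN]},
    {"sAMAccountName": "carol",  # valid AD account, in neither OpenKM group
     "memberOf": ["CN=Domain Users,CN=Users,DC=saturn,DC=local"]},
]


def find_user(username: str, directory: List[Dict[str, object]] = SAMPLE_DIRECTORY,
              group_dns: Iterable[str] = REQUIRED_GROUPS) -> Optional[Dict[str, object]]:
    """Replay the corrected filter: exact account name (case-insensitive, as AD
    compares) AND membership in at least one required group. None means the
    search returns nothing, so the bind never happens and the login fails."""
    wanted = {dn.lower() for dn in group_dns}
    for entry in directory:
        if str(entry["sAMAccountName"]).lower() != username.lower():
            continue
        if wanted & {str(dn).lower() for dn in entry["memberOf"]}:  # type: ignore[union-attr]
            return entry
    return None


def openkm_roles(entry: Dict[str, object]) -> List[str]:
    """Roles as the DefaultLdapAuthoritiesPopulator settings in the post produce
    them (groupRoleAttribute=cn, rolePrefix empty, no upper-casing): the CN of
    each group the user belongs to."""
    roles = []
    for dn in entry["memberOf"]:  # type: ignore[union-attr]
        attr, _, value = str(dn).split(",", 1)[0].partition("=")
        if attr.strip().lower() == "cn":
            roles.append(value)
    return roles


if __name__ == "__main__":
    print(constructor_arg_xml(user_search_filter()))
    for name in ("alice", "bob", "carol", "alice)(sAMAccountName=*"):
        entry = find_user(name)
        print(name, "->", openkm_roles(entry) if entry else "no match, login denied")
```

Two things the posted config also deserves a look at, independent of the filter: the manager bind goes over plain `ldap://` on port 389, so the Administrator password crosses the network in the clear on every lookup (use `ldaps://` or a dedicated low-privilege bind account, or both), and that password sits in OpenKM.xml, so the file needs the same access controls as the account it contains.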
