• OpenLDAP authentication

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #5393  by flekschas
 
Hi,

I've recently configured OpenKM to use OpenLDAP for authentication. Everything works fine except the assignment of the AdminRole.
Even though people are members of the AdminRole group, they have no admin rights.
(I know there are already topics about LDAP, but I haven't found anything that helps me solve my problem.)

So here are my configs:
First of all, the OpenKM.cfg:
Code:
restrict.file.mime=off
restrict.file.extension=*~,*.bak,._*
max.file.size=25
system.antivir=/usr/bin/clamscan
system.pdf2swf=/usr/bin/pdf2swf
system.openoffice=on
application.url=http://msc.charite.de:8080/OpenKM/es.git.openkm.frontend.Main/index.jsp
repository.home=/data/application/openkm

principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://localhost:389
principal.ldap.security.principal=cn=admin,dc=***,dc=***
principal.ldap.security.credentials=***
principal.ldap.user.search.base=ou=bcrt,dc=***,dc=***
principal.ldap.user.search.filter=(objectclass=inetOrgPerson)
principal.ldap.user.attribute=uid
principal.ldap.role.search.base=ou=openkm,ou=application,dc=***,dc=***
principal.ldap.role.search.filter=(objectclass=groupOfNames)
principal.ldap.role.attribute=memberOf
system.login.lowercase=on
The login-config.xml:
Code:
<application-policy name="OpenKM">
  <authentication>
	<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
	  <module-option name="java.naming.provider.url">ldap://localhost:389</module-option>
	  <module-option name="java.naming.security.authentication">simple</module-option>
	  <module-option name="bindDN">cn=admin,dc=***,dc=***</module-option>
	  <module-option name="bindCredential">***</module-option>
	  <module-option name="baseCtxDN">ou=bcrt,dc=***,dc=***</module-option>
	  <module-option name="baseFilter">(uid={0})</module-option>
	  <module-option name="rolesCtxDN">ou=openkm,ou=applications,dc=***,dc=***</module-option>
	  <module-option name="roleFilter">(member={1})</module-option>
	  <module-option name="roleAttributeID">memberOf</module-option>
	  <module-option name="roleAttributeIsDN">true</module-option>
	  <module-option name="roleNameAttributeID">cn</module-option>
	  <module-option name="roleRecursion">-1</module-option>
	  <module-option name="searchScope">SUBTREE_SCOPE</module-option>
	  <module-option name="allowEmptyPasswords">False</module-option>
	  <module-option name="defaultRole">UserRole</module-option>
	</login-module>
  </authentication>
</application-policy>
And finally my LDAP looks like this:
Code:
dn: dc=***,dc=***
objectclass: dcObject
objectclass: organization
dc: ***
o: ***

dn: ou=people,dc=***,dc=***
objectclass: top
objectclass: organizationalUnit
ou: people

dn: uid=maxm,ou=people,dc=***,dc=***
objectclass: top
objectclass: person
objectclass: iNetOrgPerson
objectclass: organizationalPerson
uid: maxm
cn: maxm
sn: max
userPassword: ***
displayName: Max Mustermann
givenName: max
mail: ***@gmail.com

dn: ou=applications,dc=***,dc=***
objectclass: top
objectclass: organizationalUnit
ou: applications

dn: ou=openkm,ou=applications,dc=***,dc=***
objectclass: top
objectclass: organizationalUnit
ou: openkm

dn: cn=UserRole,ou=openkm,ou=applications,dc=***,dc=***
objectClass: top
objectClass: groupOfNames
cn: UserRole
description: OpenKM User
member: uid=maxm,ou=people,dc=***,dc=***

dn: cn=AdminRole,ou=openkm,ou=applications,dc=***,dc=***
objectClass: groupOfNames
objectClass: top
cn: AdminRole
description: OpenKM Administrators
member: uid=maxm,ou=people,dc=***,dc=***
(I tried it with being a member of both groupOfNames entries and with being in only one of the groups, but it makes no difference.)

Has anyone an idea how I can achieve the assignment of the AdminRole?

Thanks for your help.
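One thing worth checking in the configuration above: in JBoss's LdapExtLoginModule the roleFilter is evaluated under rolesCtxDN, and roleAttributeID is then read from every entry that matches. With roleFilter=(member={1}) the matching entries are the groupOfNames groups themselves, which carry a cn but no memberOf attribute (memberOf only exists on user entries, and only when the OpenLDAP memberof overlay is loaded), so unless roleAttributeID is cn with roleAttributeIsDN=false the module finds no roles and only the defaultRole survives. The pairing of principal.ldap.role.search.filter=(objectclass=groupOfNames) with principal.ldap.role.attribute=memberOf in OpenKM.cfg deserves the same scrutiny, and that file spells the role search base ou=application while the LDIF and login-config.xml use ou=applications. The simulation below is an added example, not OpenKM or JBoss code: it re-implements just those two lookups over the posted LDIF (re-typed as constructed data with the assumed suffix dc=example,dc=org, and with the user branch ou=people from the LDIF rather than the ou=bcrt of the posted configs) and compares the posted role settings with the corrected ones and with the mistyped search base. Filter evaluation is limited to single equality filters and roleRecursion is not simulated.

```python
import re

# Constructed sample directory: the user and the two groupOfNames entries from the
# posted LDIF, re-typed with the assumed suffix dc=example,dc=org (the real one is masked).
SAMPLE_LDIF = """\
dn: uid=maxm,ou=people,dc=example,dc=org
objectclass: inetOrgPerson
uid: maxm
cn: maxm

dn: cn=UserRole,ou=openkm,ou=applications,dc=example,dc=org
objectClass: groupOfNames
cn: UserRole
member: uid=maxm,ou=people,dc=example,dc=org

dn: cn=AdminRole,ou=openkm,ou=applications,dc=example,dc=org
objectClass: groupOfNames
cn: AdminRole
member: uid=maxm,ou=people,dc=example,dc=org
"""

def norm_dn(dn):
    """Lower-case a DN and drop whitespace around ',' and '=' so DNs compare by value."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()

def parse_ldif(text):
    """Parse 'attr: value' LDIF into {normalised DN: {attribute (lower-cased): [values]}}."""
    directory = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        directory[norm_dn(entry["dn"][0])] = entry
    return directory

def in_scope(dn, base):
    """SUBTREE_SCOPE: the entry is the search base itself or lies anywhere beneath it."""
    dn, base = norm_dn(dn), norm_dn(base)
    return dn == base or dn.endswith("," + base)

def matches(entry, ldap_filter):
    """Evaluate one equality filter, e.g. (uid=maxm) or (member=uid=maxm,ou=people,...).
    Only this shape is implemented; it is all the posted configuration uses."""
    m = re.fullmatch(r"\((\w+)=(.+)\)", ldap_filter.strip())
    if not m:
        raise ValueError("unsupported filter: " + ldap_filter)
    attr, wanted = m.group(1).lower(), m.group(2)
    values = entry.get(attr, [])
    if attr in ("member", "memberof"):  # DN-valued attributes: compare as DNs
        return any(norm_dn(v) == norm_dn(wanted) for v in values)
    return any(v.lower() == wanted.lower() for v in values)

def search(directory, base, ldap_filter):
    return [dn for dn, e in directory.items() if in_scope(dn, base) and matches(e, ldap_filter)]

def resolve_roles(directory, cfg, username):
    """Mimic LdapExtLoginModule's role lookup: find the user under baseCtxDN, then read
    roleAttributeID from every entry under rolesCtxDN that matches roleFilter.
    roleRecursion is not simulated. Returns None when the user entry is not found."""
    users = search(directory, cfg["baseCtxDN"], cfg["baseFilter"].replace("{0}", username))
    if not users:
        return None
    user_dn = users[0]
    role_filter = cfg["roleFilter"].replace("{0}", username).replace("{1}", user_dn)
    roles = set()
    for dn in search(directory, cfg["rolesCtxDN"], role_filter):
        for value in directory[dn].get(cfg["roleAttributeID"].lower(), []):
            if cfg["roleAttributeIsDN"]:  # value is a DN: role name is that entry's roleNameAttributeID
                target = directory.get(norm_dn(value), {})
                roles.update(target.get(cfg["roleNameAttributeID"].lower(), []))
            else:
                roles.add(value)
    if not roles and cfg.get("defaultRole"):  # defaultRole masks an empty role search
        roles.add(cfg["defaultRole"])
    return roles

# The posted login-config.xml role settings. baseCtxDN is the ou=people branch of the
# LDIF so the user lookup succeeds (the posted configs used ou=bcrt there).
POSTED = {
    "baseCtxDN": "ou=people,dc=example,dc=org", "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=openkm,ou=applications,dc=example,dc=org", "roleFilter": "(member={1})",
    "roleAttributeID": "memberOf", "roleAttributeIsDN": True, "roleNameAttributeID": "cn",
    "defaultRole": "UserRole",
}
# Read the matched group's own cn as the role name, and drop the masking default role.
CORRECTED = dict(POSTED, roleAttributeID="cn", roleAttributeIsDN=False, defaultRole=None)
# The corrected settings, but with the search base spelt as in OpenKM.cfg (ou=application).
TYPO_BASE = dict(CORRECTED, rolesCtxDN="ou=openkm,ou=application,dc=example,dc=org")

DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    for label, cfg in (("posted", POSTED), ("posted, no defaultRole", dict(POSTED, defaultRole=None)),
                       ("corrected", CORRECTED), ("corrected, mistyped base", TYPO_BASE)):
        print(f"{label:26s} -> {sorted(resolve_roles(DIRECTORY, cfg, 'maxm'))}")
```

Run stand-alone it prints the posted settings yielding only UserRole (the default), an empty role set once defaultRole is removed, both roles with cn as the role attribute, and nothing again when the search base is mistyped. Against the real server the same two lookups can be reproduced with ldapsearch: bind as the configured admin, search the user base with the baseFilter, then search rolesCtxDN with (member=<the user DN>) and request the cn attribute; if the second search returns nothing, the login module will not either.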
 #5405  by jllort
 
Try removing this in login-config.xml (it removes the default role assignment):
Code:
<module-option name="defaultRole">UserRole</module-option>
It could be a problem getting roles in login-config.xml (it's the only reason I have in mind).
 #5431  by flekschas
 
jllort wrote: Try removing this in login-config.xml (it removes the default role assignment):
Code:
<module-option name="defaultRole">UserRole</module-option>
It could be a problem getting roles in login-config.xml (it's the only reason I have in mind).
When I leave that option out I get a 403 error for bad authentication. I've tried several other configurations, but nothing has worked.
Does anyone have another idea what's wrong?
 #5436  by jllort
 
Enable debug for the login in log4j to see better what happens ... surely there's something wrong in your login-config.xml connection parameters.
 #5484  by flekschas
 
Okay, I've turned on debug logging, and I'm getting the following information (after trying to log in and facing a 403 page):
Code:
2010-06-17 13:44:02,368 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@680af281
2010-06-17 13:44:02,373 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@150abd60
2010-06-17 13:44:02,373 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CachePolicy set to: org.jboss.util.TimedCachePolicy@7416f46a
2010-06-17 13:44:02,373 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@7416f46a
2010-06-17 13:44:02,374 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added OpenKM, org.jboss.security.plugins.SecurityDomainContext@232a32bf to map
The strange thing is that I got LDAP working with the same user but using another groupOfNames entry I created when I was testing things. Both groupOfNames entries are exactly the same; the only difference between them is their location in the LDAP directory.
To be sure that this actually leads to the error, I copied the original groupOfNames to another location, et voilà, everything works fine again. It seems as if my original configuration leads to a bug or something.

Thanks for the support though
