Role notification not working

[kabtx]

I am using OpenKM 6.3.12 CE. I have it configured using ldap (active directory). Users and groups are imported fine. No problem with logins or security. The issue I have is that while I can send email to users, I cannot send to roles. If I try to send an email to a role exclusively, the Accept button does not become enabled when I move the role to the right pane as it does when I add a user.

When viewing the user list, it shows the email addresses. However, when I filter the user list on a role, the email column is blank. I don't know if this is the issue.

Thanks,
Keith

[jllort]

Please share some screenshots for better understanding

[kabtx]

The Accept button is not enabled after selecting a role to receive the email

Accept not enabled when role selected
Email 1.png (11.87 KiB) Viewed 13016 times

When showing all users, the email addresses are shown.

Email when filtering by all
Email 3.png (365.92 KiB) Viewed 13016 times

When filtering by a role, no email addresses are shown.

No email when filtering by role
Email 2.png (22.93 KiB) Viewed 13016 times

I wonder if the fact that ne email addresses are shown when filtering by role has something to do with not being able to send email/notifications to roles.

Keith

[jllort]

Could you share the LDAP configuration parameters ( do not share credentials and or host )

[kabtx]

My redacted LDAP config is below.

Code: Select all

<security:ldap-server id="ldapServer"
  url="ldap://ad3/dc=detex,dc=com"
  manager-dn="cn=ldap query,ou=service accounts,ou=detex users,DC=detex,DC=com"
  manager-password="XXXX"/>

<security:authentication-manager alias="authenticationManager">
  <security:ldap-authentication-provider
    server-ref="XXXX"
    user-search-base="ou=Detex Users"
    user-search-filter="(sAMAccountName={0})"
    group-search-base="ou=Detex Users"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="none">
  </security:ldap-authentication-provider>
</security:authentication-manager>

[kabtx]

As a quick test, try manually adding a mail attribute to one of your Roles in the Administration panel (if CE allows it in your setup) just to see if the button lights up. That'll tell you for sure if it's a mapping issue or a UI glitch.

Unfortunately, it seems the CE version doesn't allow this.

[jllort]

I suggest using this aproach for LDAP login configuration ( do a backup of the current one ):
https://docs.openkm.com/kcenter/view/ok ... roles.html

[kabtx]

I'll give that a try and let you know how it goes. Thanks.

[kabtx]

Unfortunately, using the new configuration did not help with the group notifications. Here is the config.

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">
 
<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
 
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.1.15"/>
  <beans:property name="userDn" value="cn=ldap query,ou=service accounts,ou=detex users,DC=detex,DC=com"/>
  <beans:property name="password" value="XXXX"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>
 
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=detex,DC=com"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=detex,DC=com" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OPENKM,OU=PermissionGroups,OU=Detex Users,DC=detex,DC=com)(memberOf=CN=ROLE_USER,OU=OPENKM,OU=PermissionGroups,OU=Detex Users,DC=detex,DC=com)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
 
</beans:beans>