Online demo
Download
Contact

Because information matters

  • No User/Groups in OpenKM with Active Directory Login

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
It is currently Tue Jun 17, 2025 3:09 pm

No User/Groups in OpenKM with Active Directory Login

OpenKM has many interesting features, but requires some configuration process to show its full potential.
Forum rules: Please, before asking something see the documentation wiki or use the search feature of the forum. And remember we don't have a crystal ball or mental readers, so if you post about an issue tell us which OpenKM are you using and also the browser and operating system version. For more info read How to Report Bugs Effectively.
 Reply

No User/Groups in OpenKM with Active Directory Login

 #5614  by Dan
 
Hello,

I am trying to setup OpenKM for Active Directory Authentication with some success. I can login using active directory as both a user and administrator with problems. My problem is when trying to update the security settings on folders in OpenKM there are no groups or users displayed except for the user who created the folder.

Setup:
1. In Active Directory created the groups AdminRole, UserRole, and OpenKm
2. Added all desired admins to the AdminRole group
3. Added all desired users to the UserRole group
4. Added all desired Active Directory groups to the OpenKM group

OpenKM.cfg
Code: Select all
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://ad.mydomain.net
principal.ldap.security.principal=cd=myADAdmin,cn=Users,dc=mydomain,dc=net
principal.ldap.security.credentials=myPasswd
principal.ldap.user.search.base=cn=Users,dc=mydomain,dc=net
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,CN=Users,DC=mydomain,DC=net))
principal.ldap.user.atribute=cn
principal.ldap.role.search.base=cn=users,dc=mydomain,dc=net
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,CN=Users,DC=mydomain,DC=net))
principal.ldap.role.atribute=cn
principal.ldap.mail.search.base=cn={0},cn=Users,dc=mydomain,dc=net
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.atribute=mail
system.login.lowercase=on
login-config.xml
Code: Select all
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://ad.mydomain.net</module-option>
      <module-option name="bindDN">CN=Administrator,cn=Users,dc=mydomain,dc=net</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">myPasswd</module-option>
      <module-option name="baseCtxDN">cn=Users,dc=mydomain,dc=net</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=Users,dc=mydomain,dc=net</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="baseFilter">(&(sAMAccountName={0})(memberOf=CN=UserRole,CN=Users,DC=mydomain,DC=net))</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy
All of my users and groups are under CN=Users,DC=mydomain,DC=net

Any help would be appreciated.

Thanks,

-Dan

Re: No User/Groups in OpenKM with Active Directory Login

 #5615  by strandgeck
 
I'm having the same problem. I've been looking through the LDAP traffic to see what is going on, it looks like OpenKM does a search request and gets the names of the roles back from "principal.ldap.role.search.base" but then tries to do a search request on the name of the role it self, i.e. "AdminRole", and the LDAP server returns invaliddnsyntax since "AdminRole" is indeed an invalid DN.

Re: No User/Groups in OpenKM with Active Directory Login

 #5638  by Dan
 
I tracked down the issue. There were two problems related to the OpenKM.cfg

1. I had a '#" in the password that caused issues with the principal.ldap.security.credentials
2. Changed
Code: Select all
principal.ldap.security.principal=cn=myADAdmin,cn=Users,dc=mydomain,dc=net


to
Code: Select all
principal.ldap.security.principal=myADAdmin@mydomain.net
After this I was was able to get all the users and groups from Active Directory.

Thanks,

-Dan

Re: No User/Groups in OpenKM with Active Directory Login

 #5753  by pavila
 
The properties principal.ldap.security.principal and principal.ldap.security.credentials are needed if the LDAP database access is protected by user and password.
 Reply
 Return to “Configuration”

Favorites

About Us

OpenKM is part of the management software. A management software is a program that facilitates the accomplishment of administrative tasks. OpenKM is a document management system that allows you to manage business content and workflow in a more efficient way. Document managers guarantee data protection by establishing information security for business content.

Powered By phpBB -
 ©OpenKM 2021
 - All times are UTC -