Re: Role does not work with (LDAP) Active directory

Posted: Fri Jun 22, 2018 11:58 am
by jllort
1- This section is wrong for sure:
<beans:constructor-arg value="OU=IT,OU=CDG,OU=SDA,DC=*****,DC=***"/>
Should be only:
<beans:constructor-arg value="DC=*****,DC=***"/>
You have it wrong in two sections of the XML.

2- The section below is also wrong:
<beans:constructor-arg index="1" value="CN={0}" />
should be
<beans:constructor-arg index="1" value="sAMAccountName={0}" />
3- Try accessing the IP directly rather than ldap://sd01cdgdc:389 (maybe you have a balanced domain server etc. and there's some issue there). But I think the issue is not here; it is in point 1.

I suggest reviewing the sample from here https://docs.openkm.com/kcenter/view/ok ... roles.html and considering that the issue was a much too restrictive base; you should use "DC=*****,DC=***" as the base for filtering. I suspect the roles are outside the base you have set, and that is the reason why they are not applied.

If it goes right at the end, I suggest applying some restriction like what is shown below:
(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=company,DC=com)))
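The two points in the reply above (a search base that is too narrow, and a user filter restricted by memberOf) can be checked without a real domain controller. The following is an added example, not code from the thread or from OpenKM: a small in-memory model of an AD tree with constructed entries under DC=company,DC=com. It shows why group entries under OU=OpenKM are invisible when the base is OU=IT,OU=CDG,OU=SDA,DC=company,DC=com, and why the login substituted for {0} must be escaped per RFC 4515 before it reaches the filter (Spring's FilterBasedLdapUserSearch does this escaping; the functions and entry names here are assumptions for illustration).

```python
"""Added example (not from the forum thread or OpenKM): an in-memory model of an
Active Directory subtree used to show (1) why the search base must be the domain
root rather than a narrow OU, and (2) how the {0} placeholder is escaped before
substitution into an LDAP filter. All entries below are constructed."""

from typing import Dict, List

# Constructed sample directory, keyed by DN. Attribute values are lists, as in LDAP.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "CN=alice,OU=IT,OU=CDG,OU=SDA,DC=company,DC=com": {
        "sAMAccountName": ["alice"],
        "memberOf": ["CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com"],
    },
    "CN=bob,OU=Sales,DC=company,DC=com": {
        "sAMAccountName": ["bob"],
        "memberOf": ["CN=ROLE_USER,OU=OpenKM,DC=company,DC=com"],
    },
    "CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=alice,OU=IT,OU=CDG,OU=SDA,DC=company,DC=com"],
    },
    "CN=ROLE_USER,OU=OpenKM,DC=company,DC=com": {
        "objectClass": ["group"],
        "member": ["CN=bob,OU=Sales,DC=company,DC=com"],
    },
}

# The two OpenKM roles from the post, as the group DNs a filter would name.
OPENKM_ROLES = [
    "CN=ROLE_ADMIN,OU=OpenKM,DC=company,DC=com",
    "CN=ROLE_USER,OU=OpenKM,DC=company,DC=com",
]


def normalize_dn(dn: str) -> str:
    """Toy DN normalisation: case-insensitive, spaces around commas ignored."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def is_under_base(dn: str, base: str) -> bool:
    """True if dn is the base itself or lies somewhere below it in the tree."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return d == b or d.endswith("," + b)


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a search filter.
    Without it, a login such as 'x)(a=*' would change the filter's structure."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def build_filter(login: str, allowed_groups: List[str]) -> str:
    """Wire form of the filter from the post, with the login escaped for {0}."""
    member_clauses = "".join("(memberOf=%s)" % g for g in allowed_groups)
    return "(&(sAMAccountName=%s)(|%s))" % (escape_filter_value(login), member_clauses)


def find_user(base: str, login: str, allowed_groups: List[str]) -> List[str]:
    """Server-side evaluation of that filter over entries under `base`.
    The server compares the decoded assertion value (the login as typed) literally,
    so a crafted login matches nothing instead of widening the search."""
    hits = []
    for dn, attrs in DIRECTORY.items():
        if not is_under_base(dn, base):
            continue  # entries outside the base are never examined
        if login not in attrs.get("sAMAccountName", []):
            continue
        if not set(attrs.get("memberOf", [])) & set(allowed_groups):
            continue  # user exists but holds none of the allowed roles
        hits.append(dn)
    return hits


def find_groups(base: str) -> List[str]:
    """Group entries visible under `base`: what a role search can ever return."""
    return [dn for dn, attrs in DIRECTORY.items()
            if is_under_base(dn, base) and "group" in attrs.get("objectClass", [])]


if __name__ == "__main__":
    narrow = "OU=IT,OU=CDG,OU=SDA,DC=company,DC=com"
    root = "DC=company,DC=com"
    print("groups under narrow base:", find_groups(narrow))  # none: roles invisible
    print("groups under domain root:", find_groups(root))
    print("bob under narrow base:", find_user(narrow, "bob", OPENKM_ROLES))
    print("bob under domain root:", find_user(root, "bob", OPENKM_ROLES))
    print("filter on the wire:", build_filter("x)(a=*", OPENKM_ROLES))
```

With the narrow OU as base, both ROLE_ groups and any user outside that OU are simply never seen by the server, which is the symptom the post describes; widening the base to the domain root and keeping the memberOf restriction in the filter is what limits logins to the intended roles.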

Re: Role does not work with (LDAP) Active directory

Posted: Thu Jun 28, 2018 8:11 am
by milenormand
Hi jllort,

Thank you for the reply.
1- This section is wrong for sure:
<beans:constructor-arg value="OU=IT,OU=CDG,OU=SDA,DC=*****,DC=***"/>
Should be only:
<beans:constructor-arg value="DC=*****,DC=***"/>
You have it wrong in two sections of the XML.

You are right on this point; to help other people, I have changed this too:

in [tomcat]/OpenKM.xml :
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=*****,DC=**" />

in [tomcat]/webapps/openKM/WEB-INF/appContext.xml and [unzip_OpenKM.war]/OpenKM/WEB-INF/appContext.xml :
<!-- Remove prefix to be able to use custom roles -->
<beans:bean id="roleVoter" class="org.springframework.security.access.vote.RoleVoter">
  <beans:property name="rolePrefix" value=""/>
</beans:bean>
to remove the rolePrefix "ROLE_".


After many tests:
If your users have a role, the role must be assigned to the root of taxonomy, metadata, thesaurus, and templates to work.


Best Regards,
Mi Lenormand
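The rolePrefix change in the post above matters because of how Spring Security's RoleVoter decides: it only considers configuration attributes that start with its prefix and abstains when none do, so with the default "ROLE_" prefix a group named without that prefix is never voted on. The following is an added example, not from the thread or from Spring's code base: a Python model of that voting rule, with constructed role names, to show the difference the empty prefix makes.

```python
"""Added example (not from the thread or Spring Security): a model of
RoleVoter.vote() showing why rolePrefix="" is needed for custom AD group names.
Role names below are constructed."""

ACCESS_GRANTED, ACCESS_ABSTAIN, ACCESS_DENIED = 1, 0, -1


def role_voter(role_prefix: str, granted_authorities, config_attributes) -> int:
    """Model of Spring's RoleVoter: attributes that do not start with the prefix
    are not supported (ABSTAIN if none are); otherwise GRANTED if the user holds
    any supported attribute, else DENIED."""
    supported = [a for a in config_attributes if a.startswith(role_prefix)]
    if not supported:
        return ACCESS_ABSTAIN
    held = set(granted_authorities)
    return ACCESS_GRANTED if any(a in held for a in supported) else ACCESS_DENIED


if __name__ == "__main__":
    # Constructed AD group names used directly as OpenKM roles, without "ROLE_".
    user_groups = ["OpenKM-Admins"]
    print(role_voter("ROLE_", user_groups, ["OpenKM-Admins"]))  # abstains: never voted on
    print(role_voter("", user_groups, ["OpenKM-Admins"]))       # granted
    print(role_voter("", ["OpenKM-Users"], ["OpenKM-Admins"]))  # denied
```

Note that with an empty prefix every attribute is "supported", so the voter no longer abstains on anything; if other voters relied on that abstention, their decisions now combine differently, which is worth checking after the change.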