
How can I login KM with windows AD?

PostPosted:Mon Sep 16, 2013 5:16 am
by Charles.Hung
Open.xml
Code:
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg ref="ldapBindAuthenticator"/>
  <beans:constructor-arg ref="ldapAuthoritiesPopulator"/>
</beans:bean>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <!-- MS Active Directory -->
  <beans:constructor-arg value="ldap://AD IP:389"/>
  <beans:property name="userDn" value="cn=AD account,cn=Users,dc=domain"/>
  <beans:property name="password" value="AD PWD"/>
  <beans:property name="baseEnvironmentProperties">
    <beans:map>
      <beans:entry>
        <beans:key>
          <beans:value>java.naming.referral</beans:value>
        </beans:key>
        <beans:value>follow</beans:value>
      </beans:entry>
    </beans:map>
  </beans:property>
</beans:bean>

<beans:bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:property name="userSearch" ref="userSearch"/>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <!-- MS Active Directory -->
  <!-- user-search-base; relative to base of configured context source -->
  <beans:constructor-arg index="0" value="dc=domain"/>
  <!-- user-search-filter -->
  <beans:constructor-arg index="1" value="(sAMAccountName={0})"/>
  <beans:constructor-arg index="2" ref="contextSource"/>
</beans:bean>

<beans:bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource" />
  <beans:constructor-arg value="dc=domain" />
  <beans:property name="groupSearchFilter" value="(member={0})"/>
  <beans:property name="groupRoleAttribute" value="CN" />
  <beans:property name="rolePrefix" value=""/>
  <beans:property name="searchSubtree" value="true"/>
  <beans:property name="convertToUpperCase" value="false"/>
  <beans:property name="ignorePartialResultException" value="true"/>
</beans:bean>
Configuration
Code:
system.login.lowercase=true
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users=true
principal.hide.connection.roles=false
principal.ldap.mail.attribute=mail
principal.ldap.mail.search.base=dc=domain
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.referral=follow
principal.ldap.role.attribute=cn
principal.ldap.role.search.base=dc=domain
principal.ldap.role.search.filter=(cn=*)
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.roles.by.user.search.base=dc=domain
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.security.credentials=AD PWD
principal.ldap.security.principal=CN=AD account,cn=Users,dc=domain
principal.ldap.server=ldap://192.168.99.11:389
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.search.base=dc=domain
principal.ldap.user.search.filter=(&(objectClass=user)(objectCategory=person))
principal.ldap.username.attribute=cn
principal.ldap.username.search.base=dc=domain
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute=member
principal.ldap.users.by.role.search.base=dc=domain
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.from.roles=false
Another question: in KM, do I have to create an account that is also used in AD?

Please help, thanks.

Re: How can I login KM with windows AD?

PostPosted:Mon Sep 16, 2013 8:23 am
by dejanfc
OpenKM will automatically generate a user if the AD authentication is successful.

Re: How can I login KM with windows AD?

PostPosted:Mon Sep 16, 2013 8:34 am
by Charles.Hung
dejanfc wrote:OpenKM will automatically generate a user if the AD authentication is successful.
Thanks!

I think my code is wrong, so I cannot log in to KM with AD...

I do not know how to solve this problem...

Re: How can I login KM with windows AD?

PostPosted:Mon Sep 16, 2013 9:14 am
by dejanfc
Try using the AD auth provider that's built into spring security:

http://docs.spring.io/spring-security/s ... /ldap.html

I also wrote a small tutorial on how to get Kerberos working for SSO - http://wiki.openkm.com/index.php/Kerberos

Since it's an integral part of AD you could also use this method (although, if you don't require single sign-on I'd personally go with the AD auth provider since it's easier to configure).

And please paste any errors you get, it's possible that it's something trivial like wrong role retrieval.

Re: How can I login KM with windows AD?

PostPosted:Mon Sep 16, 2013 10:03 am
by Charles.Hung
dejanfc wrote:Try using the AD auth provider that's built into spring security:

http://docs.spring.io/spring-security/s ... /ldap.html

I also wrote a small tutorial on how to get Kerberos working for SSO - http://wiki.openkm.com/index.php/Kerberos

Since it's an integral part of AD you could also use this method (although, if you don't require single sign-on I'd personally go with the AD auth provider since it's easier to configure).

And please paste any errors you get, it's possible that it's something trivial like wrong role retrieval.
After using your method, I can log in.

But...

Re: How can I login KM with windows AD?

PostPosted:Mon Sep 16, 2013 11:01 am
by dejanfc
That means that you're not getting the correct roles. OpenKM uses ROLE_USER and ROLE_ADMIN by default, if you have the option simply create these two groups in your AD, add a test user to each and then try again. Otherwise you'll have to change the default roles in OpenKM configuration and remove the role_prefix bean from applicationContext.xml.

Re: How can I login KM with windows AD?

PostPosted:Tue Sep 17, 2013 2:09 am
by Charles.Hung
dejanfc wrote:That means that you're not getting the correct roles. OpenKM uses ROLE_USER and ROLE_ADMIN by default, if you have the option simply create these two groups in your AD, add a test user to each and then try again. Otherwise you'll have to change the default roles in OpenKM configuration and remove the role_prefix bean from applicationContext.xml.
Ok.....I think I should give you my AD.....

KM is 6.2.4

In the attachment, you will see the OUs. I want to see all users by using OU=HQ_IFT,DC=infortrend

My admin role is "MIS"; other people's role is "Domain Users".

Please see the attachment.

Re: How can I login KM with windows AD?

PostPosted:Wed Sep 18, 2013 5:46 pm
by jllort
It is mandatory that all users have ROLE_USER (written exactly as I have it, in uppercase etc.); that's needed to pass the login page. After that you should have enough roles (per user) to read the main nodes okm:root, okm:categories and okm:templates.

here you can see complete examples with full description http://wiki.openkm.com/index.php/LDAP_examples

Re: How can I login KM with windows AD?

PostPosted:Mon Oct 21, 2013 11:14 am
by chasedream285
It's easy.
Just modify the following source file, 'openkm\src\main\java\com\openkm\module\db\stuff\DbSimpleAccessManager.java', and add these lines:
Code:
					// If AD returned no roles at all, grant ROLE_USER so the user can pass the login page.
					// roles is a Collection, so isEmpty() is the direct check; looping on it.hasNext()
					// without calling it.next() would never terminate once the user has any role.
					if (roles.isEmpty()) {
						log.info("*****AAAAABBBBB************ role is empty, adding ROLE_USER manually!");
						roles.add("ROLE_USER");
					} else {
						log.info("*****AAAAABBBBB******************* roles: " + roles);
					}

after these lines:
Code:
				if (roles.contains(Config.DEFAULT_ADMIN_ROLE)) {
					// An user with AdminRole has total access
					access = true;
				} else {

It will grant 'ROLE_USER' to the AD user manually, whether or not you get a ROLE with your original AD configuration :D
Also I think it's a realistic way to define your own KM group organization, separate from the AD group organization.

Re: How can I login KM with windows AD?

PostPosted:Tue Oct 22, 2013 6:50 am
by jllort
There's another way in the LDAP configuration to set a default role without modifying the source code: add <beans:property name="defaultRole" value="ROLE_USER" />

Code:
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:constructor-arg value="DC=localhost,DC=local"/>
  <beans:property name="groupSearchFilter" value="member={0}"/>
  <beans:property name="groupRoleAttribute" value="cn"/>
  <beans:property name="searchSubtree" value="true" />
  <beans:property name="convertToUpperCase" value="false" />
  <beans:property name="rolePrefix" value="" />
  <beans:property name="defaultRole" value="ROLE_USER" />
</beans:bean>
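
The following is an added example, not code from this thread, from OpenKM or from Spring Security. It models in Python what the DefaultLdapAuthoritiesPopulator bean in the first post (and jllort's defaultRole variant just above) does with a user's AD group membership, and then applies the two checks jllort describes: ROLE_USER to pass the login page, and a role that the node grants read on to open okm:root. The directory snapshot, the user names alice and bob and their DNs are constructed for the example; only the group names MIS and Domain Users, the OU HQ_IFT and the domain infortrend come from the thread.

```python
"""Added model (not OpenKM or Spring code) of how the thread's
DefaultLdapAuthoritiesPopulator settings turn AD group membership into
OpenKM roles, followed by the two gates OpenKM applies: ROLE_USER to pass
the login page, then a role the node grants read on to open okm:root."""

from dataclasses import dataclass

# Constructed AD snapshot: DN -> attributes (multi-valued, as in LDAP).
# Group names MIS and Domain Users and the OU HQ_IFT come from the thread;
# the user names and DNs are assumptions for the example.
DIRECTORY = {
    "CN=alice,OU=HQ_IFT,DC=infortrend": {
        "objectClass": ["person", "user"], "sAMAccountName": ["alice"]},
    "CN=bob,OU=HQ_IFT,DC=infortrend": {
        "objectClass": ["person", "user"], "sAMAccountName": ["bob"]},
    "CN=MIS,CN=Users,DC=infortrend": {
        "objectClass": ["group"], "cn": ["MIS"],
        "member": ["CN=alice,OU=HQ_IFT,DC=infortrend"]},
    "CN=Domain Users,CN=Users,DC=infortrend": {
        "objectClass": ["group"], "cn": ["Domain Users"],
        "member": ["CN=alice,OU=HQ_IFT,DC=infortrend",
                   "CN=bob,OU=HQ_IFT,DC=infortrend"]},
}


@dataclass
class PopulatorConfig:
    """The bean properties used in the thread, with its values as defaults."""
    group_search_base: str = "DC=infortrend"   # second constructor-arg
    group_role_attribute: str = "cn"
    role_prefix: str = ""
    convert_to_upper_case: bool = False
    search_subtree: bool = True
    default_role: str = ""                     # empty = property not set


def _in_scope(dn, base, subtree):
    """SUBTREE matches anything below base; ONELEVEL only direct children."""
    dn_l, base_l = dn.lower(), base.lower()
    if not dn_l.endswith("," + base_l):
        return False
    return subtree or "," not in dn_l[: -len(base_l) - 1]


def find_user_dn(sam_account_name):
    """userSearch: (sAMAccountName={0}) under dc=domain."""
    for dn, attrs in DIRECTORY.items():
        if sam_account_name in attrs.get("sAMAccountName", []):
            return dn
    return None


def granted_authorities(user_dn, cfg):
    """groupSearchFilter (member={0}) is run with the user's full DN; each
    matching group contributes rolePrefix + groupRoleAttribute value.  The
    group name is never translated, so an AD group MIS yields the role MIS.
    defaultRole, when set, is added to every user, not just roleless ones
    (that is Spring's behaviour, and why it works as a blanket ROLE_USER)."""
    roles = set()
    for dn, attrs in DIRECTORY.items():
        if "group" not in attrs.get("objectClass", []):
            continue
        if not _in_scope(dn, cfg.group_search_base, cfg.search_subtree):
            continue
        if user_dn not in attrs.get("member", []):
            continue
        for value in attrs.get(cfg.group_role_attribute, []):
            role = value.upper() if cfg.convert_to_upper_case else value
            roles.add(cfg.role_prefix + role)
    if cfg.default_role:
        roles.add(cfg.default_role)
    return roles


def can_pass_login(roles):
    """OpenKM's login page needs ROLE_USER, spelled exactly so (uppercase)."""
    return "ROLE_USER" in roles


def can_read_node(roles, node_read_roles, admin_role="ROLE_ADMIN"):
    """The admin role sees everything; anyone else needs a role that the
    node grants read permission to."""
    return admin_role in roles or bool(roles & set(node_read_roles))


def login_outcome(username, cfg, root_read_roles=("ROLE_USER",)):
    """End-to-end: user lookup, role population, login gate, okm:root gate."""
    dn = find_user_dn(username)
    if dn is None:
        return "unknown user"
    roles = granted_authorities(dn, cfg)
    if not can_pass_login(roles):
        return f"login refused, roles={sorted(roles)}"
    if not can_read_node(roles, root_read_roles):
        return f"login ok but cannot read okm:root, roles={sorted(roles)}"
    return f"ok, roles={sorted(roles)}"


if __name__ == "__main__":
    for cfg in (PopulatorConfig(), PopulatorConfig(default_role="ROLE_USER")):
        for user in ("alice", "bob"):
            print(f"defaultRole={cfg.default_role!r} {user}: {login_outcome(user, cfg)}")
```

Running it shows the thread's two symptoms side by side: with the posted configuration (rolePrefix empty, no defaultRole) both users get their AD group names as roles, none of which is ROLE_USER, so neither passes the login page; with defaultRole=ROLE_USER both log in, and a user then stalls on okm:root only if that node grants read to none of their roles. Two further cases worth trying: narrowing the group search base to OU=HQ_IFT,DC=infortrend (as in Charles.Hung's wish) returns no roles at all when the groups live under CN=Users, and rolePrefix="ROLE_" with convertToUpperCase=true turns Domain Users into ROLE_DOMAIN USERS, which OpenKM will not recognise either.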

Re: How can I login KM with windows AD?

PostPosted:Wed Nov 20, 2013 9:39 am
by chasedream285
jllort wrote:There's another way in the LDAP configuration to set a default role without modifying the source code: add <beans:property name="defaultRole" value="ROLE_USER" />

Code:
<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <beans:constructor-arg ref="contextSource"/>
  <beans:constructor-arg value="DC=localhost,DC=local"/>
  <beans:property name="groupSearchFilter" value="member={0}"/>
  <beans:property name="groupRoleAttribute" value="cn"/>
  <beans:property name="searchSubtree" value="true" />
  <beans:property name="convertToUpperCase" value="false" />
  <beans:property name="rolePrefix" value="" />
  <beans:property name="defaultRole" value="ROLE_USER" />
</beans:bean>
Hi , jllort,
I adopted your way and added 'defaultRole' in 'OpenKM.xml':
1) If I set 'defaultRole' = 'ROLE_ADMIN', everything is OK.
2) If I set 'defaultRole' = 'ROLE_USER', I find I can log in to OpenKM, but the screen is halted somehow; it seems the LDAP user lacks the privilege to read 'okm_root'.... I don't know how to resolve this, please help.

Re: How can I login KM with windows AD?

PostPosted:Wed Nov 20, 2013 5:28 pm
by jllort
Your users should have enough privileges to see okm:root, okm:categories and okm:templates, based on the roles they have and the roles assigned to these nodes. There's no other mystery to it.