Ldap login

Posted: Wed Sep 17, 2014 2:54 pm
by kylep84
Hello, we have just started testing the OpenKM 6.4.14 Pro trial to see if this is what we are looking for. So far everything is working well except I cannot get LDAP logins to work. OpenKM LDAP integration is set up and working and I can see populated users and roles from Active Directory.

It seems like my problem is configuring OpenKM.xml; all documentation says this file should be in $TOMCAT_HOME. I did find the file under tomcat/webapps/OpenKM/WEB-INF/classes/OpenKM.xml.

Now my question is: do I create a new OpenKM.xml in $TOMCAT_HOME, or do I modify the one I found under the webapps folder? It doesn't seem to matter what I do; it's not even trying LDAP login, it's always using the same old database method.

Any help or ideas would be great, this is the one little thing we need to get working. Thanks

Re: Ldap login

Posted: Fri Sep 19, 2014 12:01 pm
by pldemon
Hi,

We saw the same behavior during our LDAP tests, so we changed webapps/OpenKM/WEB-INF/applicationContext.xml directly. Please find included the simple Perl script we used:
Code:
# Cut out the existing <security:authentication-manager> block and leave a
# %%REPLACE%% marker in its place ($directory is the OpenKM/Tomcat root).
perl -ne '$t=1 if /security:authentication-manager/;print if !$t;if (/\/security:authentication-manager/) {$t=0; print "\%\%REPLACE\%\%\n"}' < $directory/webapps/OpenKM/WEB-INF/applicationContext.xml > /tmp/applicationContext.xml
# Substitute the marker with the LDAP authentication beans; the result in
# /tmp/applicationContext.xml then replaces WEB-INF/applicationContext.xml.
sed -i 's|%%REPLACE%%|   <!-- Changed by pldemon -->\
   <security:authentication-manager alias="authenticationManager">\
          <security:authentication-provider ref="ldapAuthProvider" />\
   </security:authentication-manager>\
\
   <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">\
          <beans:constructor-arg value="ldap://localhost:389/"/>\
          <beans:property name="userDn" value="cn=ldapadmin,ou=People,dc=XXcompanyXX,dc=XXourXX"/>\
          <beans:property name="password" value="XXourpassXX"/>\
   </beans:bean>\
\
   <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">\
          <beans:constructor-arg>\
                 <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">\
                        <beans:constructor-arg ref="contextSource"/>\
                        <beans:property name="userSearch" ref="userSearch"></beans:property>\
                 </beans:bean>\
          </beans:constructor-arg>\
          <beans:constructor-arg>\
                 <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">\
                        <beans:constructor-arg ref="contextSource"/>\
                        <beans:constructor-arg value="ou=OKMRoles,dc=XXcompanyXX,dc=XXourXX"/>\
                        <beans:property name="groupSearchFilter" value="(memberUid={1})"/>\
                        <beans:property name="groupRoleAttribute" value="cn"/>\
                        <beans:property name="searchSubtree" value="true" />\
                        <beans:property name="convertToUpperCase" value="true" />\
                        <beans:property name="rolePrefix" value="" />\
                 </beans:bean>\
          </beans:constructor-arg>\
   </beans:bean>\
\
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">\
          <beans:constructor-arg index="0" value="ou=People,dc=XXcompanyXX,dc=XXourXX" />\
          <beans:constructor-arg index="1" value="(uid={0})" />\
          <beans:constructor-arg index="2" ref="contextSource" />\
          <beans:property name="searchSubtree" value="true" />\
  </beans:bean>|' /tmp/applicationContext.xml
Cheers!
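The perl/sed replacement above is line-oriented: if the file's layout differs from what the regexes expect, the output can be a context file the webapp cannot load. The following Python script is an added example, not OpenKM's code and not the poster's script, that performs the same swap with an XML parser and checks the result (well-formed XML, exactly one authentication-manager, every ref= resolving to a defined bean) before it is copied over the real file. It also lists which beans carry the bind password as a literal, since that credential sits in clear text in applicationContext.xml. The Spring namespace URIs are the real ones; the sample context, host, DNs and the bind password are constructed placeholders.

```python
# Added example (not OpenKM code, not the posters' script): do the same edit as
# the perl/sed one-liner above with an XML parser and check the result before
# deploying it. Spring namespace URIs are real; the sample context, host, DNs
# and the bind password are constructed placeholders.
import xml.etree.ElementTree as ET

NS = {"beans": "http://www.springframework.org/schema/beans",
      "security": "http://www.springframework.org/schema/security"}
for _p, _u in NS.items():
    ET.register_namespace(_p, _u)   # keep beans:/security: prefixes on output
BEAN = "{%s}bean" % NS["beans"]
AUTH_MANAGER = "{%s}authentication-manager" % NS["security"]

# Constructed stand-in for WEB-INF/applicationContext.xml (the real file has
# many more beans around the authentication-manager).
SAMPLE_CONTEXT = """<beans:beans xmlns:beans="%s" xmlns:security="%s">
  <beans:bean id="userDetailsService" class="com.example.PlaceholderUserService"/>
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider user-service-ref="userDetailsService"/>
  </security:authentication-manager>
</beans:beans>
""" % (NS["beans"], NS["security"])

# Replacement block of the same shape as the post's; placeholder values throughout.
LDAP_FRAGMENT = """
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider"/>
  </security:authentication-manager>
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://ldap.example.invalid:389/"/>
    <beans:property name="userDn" value="cn=ldapreader,ou=People,dc=example,dc=invalid"/>
    <beans:property name="password" value="CHANGE-ME-bind-password"/>
  </beans:bean>
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="ou=OKMRoles,dc=example,dc=invalid"/>
        <beans:property name="groupSearchFilter" value="(memberUid={1})"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=People,dc=example,dc=invalid"/>
    <beans:constructor-arg index="1" value="(uid={0})"/>
    <beans:constructor-arg index="2" ref="contextSource"/>
  </beans:bean>
"""

def _fragment_elements(fragment):
    """Parse a beans/security fragment into a list of top-level elements."""
    wrapper = '<beans:beans xmlns:beans="%s" xmlns:security="%s">%s</beans:beans>'
    return list(ET.fromstring(wrapper % (NS["beans"], NS["security"], fragment)))

def replace_authentication_manager(xml_text, fragment=LDAP_FRAGMENT):
    """Swap the single top-level authentication-manager for the fragment's beans."""
    root = ET.fromstring(xml_text)
    pos = [i for i, el in enumerate(root) if el.tag == AUTH_MANAGER]
    if len(pos) != 1:
        raise ValueError("expected one authentication-manager, found %d" % len(pos))
    root.remove(root[pos[0]])
    for offset, el in enumerate(_fragment_elements(fragment)):
        root.insert(pos[0] + offset, el)
    return ET.tostring(root, encoding="unicode")

def check_context(xml_text):
    """Problems that stop the webapp from starting: malformed XML, not exactly
    one authentication-manager, or a ref= pointing at a bean that is not defined."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        return ["not well-formed XML: %s" % exc]
    errors = []
    bean_ids = {b.get("id") for b in root.iter(BEAN) if b.get("id")}
    managers = [el for el in root if el.tag == AUTH_MANAGER]
    if len(managers) != 1:
        errors.append("expected one authentication-manager, found %d" % len(managers))
    for el in root.iter():
        ref = el.get("ref")
        if ref is not None and ref not in bean_ids:
            errors.append("%s refers to undefined bean '%s'" % (el.tag.rpartition("}")[2], ref))
    return errors

def plaintext_bind_passwords(xml_text):
    """Ids of beans holding a literal 'password' property. That bind credential
    is readable by anyone who can read the file: keep its permissions tight and
    use a least-privilege, read-only directory account for it."""
    root = ET.fromstring(xml_text)
    return [b.get("id") for b in root.iter(BEAN)
            if any(p.get("name") == "password" and p.get("value")
                   for p in b.findall("beans:property", NS))]
```

Run `replace_authentication_manager(open(path).read())` on a copy of the real file, and only copy the output over WEB-INF/applicationContext.xml when `check_context()` returns an empty list; `plaintext_bind_passwords()` tells you which bean (here `contextSource`) carries the directory credential that the file's permissions must protect.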

Re: Ldap login

Posted: Fri Sep 19, 2014 4:04 pm
by kylep84
Thank you very much. I had to use a different config, but as soon as I added it into the applicationContext file everything works great.

Kyle P

Re: Ldap login

Posted: Sun Sep 21, 2014 6:46 am
by jllort
It is not necessary to change applicationContext.xml directly. Only in a few cases (when changing the main roles) is it necessary to patch this internal file. I suggest reading this example with care: http://wiki.openkm.com/index.php/Ldap-example3. Take in mind that integration with LDAP is not an easy task; I've got more than 20 installations behind me integrated with LDAP and I need about 1-2 hours to do it. LDAP integration is part of the services offered by us during installation, so I suggest you do not spend a lot of time on it, because if you finally decide for us, this is done by us.

However, if you want to try, I suggest applying the changes in OpenKM.xml at the end, and starting first with the Administration integration (the configuration parameters that allow seeing users and roles in the OpenKM administration lists).

Re: Ldap login

Posted: Sun Sep 21, 2014 7:44 am
by kylep84
I see, I did change the default roles, so I guess that's why I had to change that file. I have LDAP working completely and everything is running smoothly now.

It's not that hard to set up; as you said, it just takes a bit of time.

Re: Ldap login

Posted: Wed Sep 24, 2014 7:19 am
by jllort
The first time I configured an LDAP integration, I needed about 2-3 days to understand it. Now, after more than 20 LDAP installations, it's obviously faster, but it still needs about 1-2 hours. It is quite difficult to explain in the documentation how to integrate with LDAP, because each one can be quite different. In the documentation we've tried to give a clear explanation with 2-3 examples to inspire the LDAP administrator. However, it is mandatory for them to have some previous skills in LDAP. I'm open to any suggestions about how to improve this documentation section.

Re: Ldap login

Posted: Tue Jan 06, 2015 2:11 pm
by bonniebm
I'm testing OpenKM Pro with the intention of buying the software, but after following the Active Directory http://wiki.openkm.com/index.php/Active ... OpenKM_6.2 it seems like there is a missing step in the documentation.

I have managed to follow it step by step and all the users on my AD server are now visible in OpenKM; all the groups are also visible, but they cannot authenticate, like what was happening for the user in the first post.

Trying to use the Perl script and editing applicationContext.xml directly resulted in the application failing to start, so I had to revert back to the original applicationContext.xml. What can I do to solve the authentication issues?

What can I do to enable the users that I see in OpenKM to log in?

regards

bonnie

Re: Ldap login

Posted: Wed Jan 07, 2015 4:43 pm
by jllort
The applicationContext.xml has changed from version 6.2 to 6.4. Did you get other roles than ROLE_ADMIN and ROLE_OPENKM in your AD (you cannot create them; otherwise it is not necessary to modify applicationContext.xml)?
About LDAP integration: it is part of the OpenKM installation service, so do not worry about it.