LDAP Login with UID and MAIL

Posted: Mon May 04, 2015 2:44 pm
by Catscratch
Hi,

I want all users to be able to log in either with their login name (uid) or with their mail address (mail).

Therefore, I modified the Spring Security bean configuration to enable both ways.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:...">

    <security:authentication-manager alias="authenticationManager">
      <security:authentication-provider ref="ldapAuthProvider" />
    </security:authentication-manager>

    <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
      <beans:constructor-arg value="MY SERVER URL"/>
      <beans:property name="userDn" value="cn=ldap"/>
      <beans:property name="password" value="MY PWD"/>
    </beans:bean>

    <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">

      <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
          <beans:constructor-arg ref="contextSource"/>
          <beans:property name="userSearch" ref="userSearch"/>
        </beans:bean>
      </beans:constructor-arg>

      <beans:constructor-arg>
        <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
          <beans:constructor-arg ref="contextSource"/>
          <beans:constructor-arg value="ou=groups,dc=myrealm"/>
          <beans:property name="groupSearchFilter" value="uniqueMember={0}"/>
          <beans:property name="groupRoleAttribute" value="uid"/>
          <beans:property name="searchSubtree" value="true" />
          <beans:property name="convertToUpperCase" value="false" />
          <beans:property name="rolePrefix" value="" />
          <beans:property name="defaultRole" value="ROLE_USER" />
        </beans:bean>
      </beans:constructor-arg>

    </beans:bean>

    <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
      <beans:constructor-arg index="0" value="ou=people,dc=myrealm" />
      <beans:constructor-arg index="1" value="(|(uid={0})(mail={0}))" />
      <beans:constructor-arg index="2" ref="contextSource" />
      <beans:property name="searchSubtree" value="true" />
    </beans:bean>

</beans:beans>
This is working great! The magic happens here:
<beans:constructor-arg index="1" value="(|(uid={0})(mail={0}))" />
OK, but now the problem.

Once the user is logged in, his permissions are only available when he used his UID to log in. When he uses his MAIL attribute, no permissions are applied. This means the user can't see, e.g., the folders he has read permission on. So it seems that somewhere the attribute used for login is used to match the LDAP user specified in the permissions, and when he uses MAIL no match is found.

For completeness, the LDAP configuration inside OpenKM:
principal.ldap.mail.attribute:              mail
principal.ldap.mail.search.base:            ou=people,dc=myrealm
principal.ldap.mail.search.filter:          (&(objectClass=person)(uid={0}))
principal.ldap.role.attribute:              cn
principal.ldap.role.search.base:            ou=groups,dc=myrealm
principal.ldap.role.search.filter:          (objectClass=groupOfUniqueNames)
principal.ldap.roles.by.user.attribute:     memberOf
principal.ldap.roles.by.user.search.base:   ou=people,dc=myrealm
principal.ldap.roles.by.user.search.filter: (&(objectClass=person)(uid={0}))
principal.ldap.security.credentials:        MY PWD
principal.ldap.security.principal:          cn=ldap
principal.ldap.server:                      ldaps://myrealm.myserver.net:389
principal.ldap.user.attribute:              uid
principal.ldap.user.search.base:            ou=people,dc=myrealm
principal.ldap.user.search.filter:          (objectClass=person)
principal.ldap.username.attribute:          cn
principal.ldap.username.search.base:        ou=people,dc=myrealm
principal.ldap.username.search.filter:      (uid={0})
principal.ldap.users.by.role.attribute:     uniqueMember
principal.ldap.users.by.role.search.base:   cn={0},ou=groups,dc=myrealm
principal.ldap.users.by.role.search.filter: (objectClass=groupOfUniqueNames)
principal.ldap.users.from.roles:            Inactive
Thanks for any hints.

I don't know if it is a Spring Security related problem, a configuration problem inside OpenKM, or if it is simply not possible to use both login methods at the same time.

Regards!

Re: LDAP Login with UID and MAIL

Posted: Tue May 05, 2015 10:51 am
by jllort
This kind of configuration will be conflicting, because for the application you get two logged-in IDs; for example, user XXX with mail XXXX@mail. The problem arises in the application because, for it, the session is set to either XXX or XXXX@mail, and these IDs are distinct. Somewhere in Spring you should change XXXX@mail to the XXX user, otherwise you get the mail ID in the session instead of the user ID.

I suspect you should try to solve it with a new Spring Security class and not in LdapPrincipalAdapter. It is also possible to modify the OpenKM LDAP adapter; it should receive the userId and not the mailId, although the mail has been used for login purposes.

Re: LDAP Login with UID and MAIL

Posted: Tue May 05, 2015 12:02 pm
by Catscratch
OK, thanks for clarifying. I might have known it.

Do you have any idea how to start configuring Spring Security in this way, so that it replaces the mail address with the user's identifier and the OpenKM LdapAdapter works again?

Re: LDAP Login with UID and MAIL

Posted: Fri May 08, 2015 10:10 pm
by jllort
I think a good starting point could be writing your own FilterBasedLdapUserSearch class:
https://github.com/spring-projects/spri ... earch.java
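The thread ends with the suggestion of a custom user search. As an added example that is not part of the thread, OpenKM or Spring Security, the class below attacks the symptom described in the first post at a different point: in LdapAuthenticationProvider the user search only locates the entry to bind to; the name that ends up on the UserDetails (and therefore in the session) is the value the person typed, which the provider hands to its UserDetailsContextMapper together with the bound entry. Overriding that mapper lets you replace a typed mail address with the entry's uid, so permissions keyed on uid match again regardless of which attribute was used to log in. Assumptions: Spring Security 3.1 or later (the Collection-based mapUserFromContext signature), that the application keys its permissions on the principal name it receives from Spring, and a hypothetical package name com.example.

```java
package com.example;

import java.util.Collection;

import org.springframework.ldap.core.DirContextOperations;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.ldap.userdetails.LdapUserDetailsMapper;

/**
 * Added example (not OpenKM or Spring Security code).
 *
 * Maps the authenticated LDAP entry to a UserDetails whose username is always
 * the entry's uid (or another configured attribute), no matter whether the
 * person typed the uid or the mail address in the login form.
 */
public class UidUserDetailsContextMapper extends LdapUserDetailsMapper {

    /** Attribute holding the login name the application expects, e.g. "uid". */
    private final String usernameAttribute;

    public UidUserDetailsContextMapper(String usernameAttribute) {
        if (usernameAttribute == null || usernameAttribute.trim().isEmpty()) {
            throw new IllegalArgumentException("usernameAttribute must not be empty");
        }
        this.usernameAttribute = usernameAttribute;
    }

    @Override
    public UserDetails mapUserFromContext(DirContextOperations ctx, String username,
            Collection<? extends GrantedAuthority> authorities) {
        // 'ctx' is the entry the user search found and the BindAuthenticator
        // successfully bound to with the supplied password, so its attributes are
        // authoritative. 'username' is only what was typed (uid or mail).
        String canonical = ctx.getStringAttribute(usernameAttribute);

        if (canonical == null || canonical.trim().isEmpty()) {
            // Entry without the attribute: keep the typed value rather than
            // produce a principal with an empty name.
            canonical = username;
        }

        // Let the stock mapper build the UserDetails (DN, password, authorities);
        // only the username passed to it differs from what the provider supplied.
        return super.mapUserFromContext(ctx, canonical, authorities);
    }
}
```

To use it, add a `userDetailsContextMapper` property to the `ldapAuthProvider` bean from the first post, pointing at a bean of this class with a single constructor-arg value of `uid`. The `(|(uid={0})(mail={0}))` search filter stays as it is; note that FilterBasedLdapUserSearch requires exactly one match, so a mail value that also equals another entry's uid makes the login fail rather than bind the wrong account, which is the safe outcome.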