Administration tab is not showing (AD)

Posted: Sun Mar 18, 2018 8:35 am
by saleem55
I have successfully installed openkm-dev integrated with MS AD using example3,

but I have a problem: when I log in with okmadmin I cannot see the Administration tab.

I have created two roles in AD, ROLE_ADMIN and ROLE_USER, and I put okmAdmin as a member of ROLE_ADMIN, but still the administration tab is not working.
I don't want to assign admins to all users:
<beans:property name="defaultRole" value="ROLE_ADMIN" />
I want only okmAdmin to be administrator.

- I am using the default profile and administration is enabled

I am hiding the IP and domain (XXXX).

Please help me to trace out the issue.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

<!-- Security configuration -->
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
  
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://172.XX.XXXXX:389/dc=XXXX,dc=com,dc=om"/>
  <beans:property name="userDn" value="CN=XXXXXX,OU=Users,OU=IT,OU=Departments,DC=XXXXXX,DC=com,DC=om"/>
  <beans:property name="password" value="XXXXXXX"/>
  
   <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" value="memberOf={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" /> 
	  <!--<beans:property name="defaultRole" value="ROLE_ADMIN" />-->
	  
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=OPENKM,DC=XXXX,DC=com,dc=om)(memberOf=CN=ROLE_USER,OU=OPENKM,DC=XXXX,DC=com,dc=om)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>
</beans:beans>
Thanks
Saleem

Re: Administration tab is not showing (AD)

Posted: Sun Mar 18, 2018 7:08 pm
by jllort
I think the issue occurs because you have used memberOf={1}, while you should use:
Code:
<beans:property name="groupSearchFilter" value="member={0}"/>
Also, I suggest removing "dc=XXXX,dc=com,dc=om" from the end of ldap://172.XX.XXXXX:389/dc=XXXX,dc=com,dc=om and setting it in each bean definition. You can take a look at https://docs.openkm.com/kcenter/view/ok ... roles.html, where it is shown (basically it is the same; you can filter the base from the LDAP connection or from each bean).

Re: Administration tab is not showing (AD)

Posted: Sun Mar 18, 2018 8:15 pm
by saleem55
jllort wrote: Sun Mar 18, 2018 7:08 pm
I think the issue occurs because you have used memberOf={1}, while you should use:
Code:
<beans:property name="groupSearchFilter" value="member={0}"/>
Also, I suggest removing "dc=XXXX,dc=com,dc=om" from the end of ldap://172.XX.XXXXX:389/dc=XXXX,dc=com,dc=om and setting it in each bean definition. You can take a look at https://docs.openkm.com/kcenter/view/ok ... roles.html, where it is shown (basically it is the same; you can filter the base from the LDAP connection or from each bean).

Thanks jllort,
You are right, it is working now and I am able to get the administration tab.

But when I remove "dc=XXXX,dc=com,dc=om" from the end of ldap://172.XX.XXXXX:389/dc=XXXX,dc=com,dc=om and set it in each bean definition,
I am not able to log in.
Thanks
Saleem

Re: Administration tab is not showing (AD)

Posted: Mon Mar 19, 2018 7:22 pm
by jllort
You must set it in the two beans; take a look at the sample, you might have missed one. Look for DC=company,DC=com in the XML sample.

Check your "dc=XXXX,dc=com,dc=om": are you sure it ends with dc=om? You might have added something extra.

Re: Administration tab is not showing (AD)

Posted: Tue Mar 20, 2018 12:51 pm
by saleem55
jllort wrote: Mon Mar 19, 2018 7:22 pm
You must set it in the two beans; take a look at the sample, you might have missed one. Look for DC=company,DC=com in the XML sample.

Check your "dc=XXXX,dc=com,dc=om": are you sure it ends with dc=om? You might have added something extra.

Yes, our domain ends with om.
I will retry and I will let you know.

Thanks

Re: Administration tab is not showing (AD)

Posted: Fri Mar 23, 2018 6:18 pm
by jllort
If it ends with dc=om then it is right. The underlying issue here is that the roles cannot be retrieved for the logged-in user (otherwise it would work), or you missed assigning the role to the user.

Re: Administration tab is not showing (AD)

Posted: Sun May 27, 2018 8:18 am
by saleem55
It is working.
Thanks