
[Resolved] Role does not work with (LDAP) Active directory

Posted: Tue Jun 05, 2018 8:20 am
by milenormand
Hi,

Sorry in advance for my English.

I have successfully installed OpenKM Community Edition (version 6.3.6, Tomcat 8.5.24) with MS AD using the advanced configuration and best practices in the docs: https://docs.openkm.com/kcenter/view/ok ... ation.html
https://docs.openkm.com/kcenter/view/ok ... roles.html

But with these docs I had two problems: the user ID was a trigram (sAMAccountName) and the user ID in the role was first name and last name (CN).
With the option principal.ldap.users.from.roles set to true, I could see OpenKM creates users with ID first name and last name (CN).

For one user, I had two accounts:
ID = MLE, Name = Mi** Lenormand, Mail = ***, Roles = ROLE_USER ROLE_TEST
ID = Mi** Lenormand, Name = Mi** Lenormand, Mail = (empty), Roles = (empty)

The second account has empty roles but is present in the role (e.g. ROLE_USER) when I filter.

I think the problem comes from:
principal.ldap.users.by.role.attribute member
principal.ldap.users.by.role.search.base OU=IT,OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.users.by.role.search.filter (&(objectClass=group)(cn={0}))

We can't filter by sAMAccountName because there is no sAMAccountName in member:

[screenshot]

The second problem is that roles do not work when I log in with MLE. (In the log, I can't log in with ID = Mi** Lenormand.)

After many manipulations I have solved the first problem; I am logging in with CN and password. But the second problem is still present.

In the Administration tab:
Code:
system.login.lowercase=true
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://sd01cdg***:389
principal.ldap.security.principal=CN=OpenKm,OU=Compte de Service,OU=SDA,DC=***,DC=***
principal.ldap.security.credentials=*******************

principal.ldap.user.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.user.search.filter=objectclass=person
principal.ldap.user.attribute=CN

principal.ldap.role.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=cn=OpenKM_ROLE,ou=cdg,ou=sda,dc=**,dc=**))
principal.ldap.role.attribute=cn

principal.ldap.mail.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.mail.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.mail.attribute=mail

principal.ldap.username.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.username.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.username.attribute=cn

principal.ldap.users.by.role.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.users.by.role.attribute=member

principal.ldap.users.from.roles=true 

principal.ldap.roles.by.user.search.base=OU=CDG,OU=SDA,DC=**,DC=**
principal.ldap.roles.by.user.search.filter=(&(objectClass=person)(cn={0}))
principal.ldap.roles.by.user.attribute=memberOf

principal.ldap.referral=follow

In [Tomcat-8.5.24]/OpenKM.xml:
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xmlns:amq="http://activemq.apache.org/schema/core"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <!-- Service account used to search the directory; referrals are followed -->
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://sd01cdgdc:389"/>
    <beans:property name="userDn" value="CN=OpenKm,OU=Compte de Service,OU=SDA,DC=***,DC=***"/>
    <beans:property name="password" value="******************"/>
    <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <!-- Authentication: locate the user's DN with userSearch, then bind with the supplied password -->
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <!-- Authorities: groups under the search base whose "member" contains the user's DN ({0}) become roles -->
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="OU=IT,OU=CDG,OU=SDA,DC=*****,DC=***"/>
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <!-- <beans:property name="rolePrefix" value="ROLE_" /> -->
        <beans:property name="rolePrefix" value="" />
        <beans:property name="defaultRole" value="ROLE_ADMIN" />
        <!-- <beans:property name="defaultRole" value="ROLE_USER" /> -->
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>

  <!-- User lookup: search base, filter ({0} = login name), context source -->
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="OU=CDG,OU=SDA,DC=*****,DC=**" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <!-- <beans:constructor-arg index="1" value="sAMAccountName={0}" /> -->
    <beans:constructor-arg index="1" value="CN={0}" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

</beans:beans>

If I don't use <beans:property name="defaultRole" value="ROLE_ADMIN" />, I can't log in with ROLE_ADMIN.

Here are the results that make me think that I'm on the right track:

[screenshots]

Do you have any idea about this problem?

Best Regards,
Mi Lenormand
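To make the two lookups behind the post's duplicate-account problem concrete, here is an added example (not OpenKM's or Spring's code) that models them against a constructed AD fragment: the DNs, the DC=example,DC=local suffix, the directory contents and the function names are assumptions.

```python
DIRECTORY = {  # constructed sample AD fragment with placeholder DNs (added example, not the post's data)
    "CN=Mi Lenormand,OU=IT,OU=CDG,OU=SDA,DC=example,DC=local": {
        "objectClass": ["person"], "cn": ["Mi Lenormand"], "sAMAccountName": ["MLE"],
        "memberOf": ["CN=ROLE_USER,OU=CDG,OU=SDA,DC=example,DC=local"]},
    "CN=ROLE_USER,OU=CDG,OU=SDA,DC=example,DC=local": {
        "objectClass": ["group"], "cn": ["ROLE_USER"],
        "member": ["CN=Mi Lenormand,OU=IT,OU=CDG,OU=SDA,DC=example,DC=local"]},
}

def get_attr(entry, name):  # LDAP attribute names are case-insensitive
    return next((v for k, v in entry.items() if k.lower() == name.lower()), [])

def parse_filter(s, i=0):
    """Parse an RFC 4515 filter subset: (&..), (|..), (!..) and (attr=value)."""
    i += 1  # skip '('
    if s[i] in "&|!":
        op, i, children = s[i], i + 1, []
        while s[i] != ")":
            child, i = parse_filter(s, i)
            children.append(child)
        return (op, children), i + 1
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")  # split on first '=' only; DNs in values keep theirs
    return ("=", attr, value), j + 1

def matches(entry, node):
    if node[0] == "=":
        return any(v.lower() == node[2].lower() for v in get_attr(entry, node[1]))
    op, children = node
    results = [matches(entry, c) for c in children]
    return all(results) if op == "&" else any(results) if op == "|" else not results[0]

def search(base, filter_template, attribute, *params):
    """Subtree search with {n} placeholders substituted the way the OpenKM filters use {0}."""
    filt = filter_template
    for n, p in enumerate(params):
        filt = filt.replace("{%d}" % n, p)
    node, _ = parse_filter(filt)
    return [v for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(e, node)
            for v in get_attr(e, attribute)]

def users_by_role(role, base="OU=CDG,OU=SDA,DC=example,DC=local"):
    """users.by.role: 'member' holds DNs, so map each to its sAMAccountName instead of using the CN."""
    dns = search(base, "(&(objectClass=group)(cn={0}))", "member", role)
    return [get_attr(DIRECTORY[dn], "sAMAccountName")[0] for dn in dns if dn in DIRECTORY]

def roles_by_user(user_dn, group_base):
    """Spring populator style: {0} is the user's full DN; only groups under group_base are found."""
    return search(group_base, "(member={0})", "cn", user_dn)
```

With the sample user's DN, roles_by_user finds ROLE_USER only when the group search base contains the group entry; a base scoped to an OU that holds users but not groups returns no roles.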

Re: Role does not work with (LDAP) Active directory

Posted: Tue Jun 05, 2018 2:48 pm
by i.m.ashish
Can you please upload a video of how to integrate AD in OpenKM?

Re: Role does not work with (LDAP) Active directory

Posted: Wed Jun 06, 2018 6:09 am
by milenormand
Hi i.m.ashish,

Sorry, I am not a video maker, but if you need help follow this step by step:

1) Go to Administration > Configuration parameters:

principal.adapter (String) = com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users (Boolean) = True
principal.hide.connection.roles (Boolean) = False
principal.identifier.validation (String) = ^[a-zA-Z0-9_]+$

principal.ldap.mail.attribute (String) = mail
principal.ldap.mail.search.base (String) = OU=**,OU=**,OU=**,DC=**,DC=***
principal.ldap.mail.search.filter (String) = (&(objectClass=person)(sAMAccountName={0}))

principal.ldap.referral (String) = follow

principal.ldap.role.attribute (String) = cn
principal.ldap.role.search.base (List) = OU=**,OU=**,OU=**,DC=**,DC=***
principal.ldap.role.search.filter (String) = (objectclass=group)

principal.ldap.roles.by.user.attribute (String) = memberOf
principal.ldap.roles.by.user.search.base (String) = DC=sid,DC=afi
principal.ldap.roles.by.user.search.filter (String) = (&(objectClass=person)(sAMAccountName={0}))

principal.ldap.security.credentials (String) = Password of Mi** LENORMAND
principal.ldap.security.principal (String) = CN=Mi** LENORMAND,OU=**,OU=**,OU=**,DC=**,DC=***

principal.ldap.server (String) = ldap://NameServer:389

principal.ldap.user.attribute (String) = sAMAccountName
principal.ldap.user.search.base (List) = DC=**,DC=**
principal.ldap.user.search.filter (String) = (objectclass=person)

principal.ldap.username.attribute (String) = cn
principal.ldap.username.search.base (String) = DC=**,DC=**
principal.ldap.username.search.filter (String) = (&(objectClass=person)(sAMAccountName={0}))

principal.ldap.users.by.role.attribute (String) = member
principal.ldap.users.by.role.search.base (String) = CN={0},OU=**,OU=**,OU=**,DC=**,DC=***

Be careful with system.login.lowercase at the beginning.

After that go to Administration > Utilities > Cache stats: click "reset all".

2) Restart Tomcat.

Check your users; after that go to OpenKM.xml for the filter result.

https://docs.openkm.com/kcenter/view/ok ... ation.html
https://docs.openkm.com/kcenter/view/ok ... roles.html
https://docs.openkm.com/kcenter/view/ok ... oting.html


Best Regards,
Mi Lenormand

Re: Role does not work with (LDAP) Active directory

Posted: Wed Jun 06, 2018 10:12 am
by i.m.ashish
Will this work for OpenKM 6.3.4?

Re: Role does not work with (LDAP) Active directory

Posted: Wed Jun 06, 2018 12:28 pm
by milenormand
Hi i.m.ashish,

Are your roles effective (do they work)? Without the default role, are you able to log in as administrator?


Best Regards,
Mi LENORMAND

Re: Role does not work with (LDAP) Active directory

Posted: Wed Jun 06, 2018 12:58 pm
by i.m.ashish
Do I need to create ROLE_ADMIN & ROLE_USER in AD for AD user login in OpenKM?

Re: Role does not work with (LDAP) Active directory

Posted: Wed Jun 06, 2018 3:30 pm
by i.m.ashish
Hi Lenormand,

I have attached my OpenKM logs, please help.

Re: Role does not work with (LDAP) Active directory

Posted: Thu Jun 07, 2018 5:40 am
by milenormand
Hi i.m.ashish,

I think this is an error: sAMAccountName=okAdmin. Follow the previous message.
Have you got users?
And follow: https://docs.openkm.com/kcenter/view/ok ... ation.html

In the OpenKM.xml file don't forget "<beans:property name="defaultRole" value="ROLE_ADMIN" />" for troubleshooting.
Can you log in with your account (AD)?
After that I can't help you, I am blocked here.


Best regards,
Mi LENORMAND

Re: Role does not work with (LDAP) Active directory

Posted: Sat Jun 09, 2018 6:54 am
by i.m.ashish
Hi Lenormand,

My AD has connected, but right now I'm facing a problem with an LDAPS SSL error.
So where do I apply the SSL certificate?

Re: Role does not work with (LDAP) Active directory

Posted: Sun Jun 10, 2018 5:40 pm
by jllort
If your users are not able to see the Administration tab, it is because they are not members of ROLE_ADMIN (a group which must be created in your AD and assigned to the users).

I suggest you concentrate first on the integration without SSL and later, when you have everything right, start a new topic with the SSL authentication issue, including the complete log file stack trace so we can understand the issue in depth.

Re: Role does not work with (LDAP) Active directory

Posted: Tue Jun 12, 2018 5:40 am
by i.m.ashish
I have successfully logged in to OpenKM with an AD user without SSL. Now I want to do it with SSL, so please guide me.

Re: Role does not work with (LDAP) Active directory

Posted: Thu Jun 14, 2018 6:54 pm
by jllort
Share with us the connection URL or port changes you are using for SSL authentication.
Also we need to take a look at the catalina.log file for the error raised while trying to log in (we only need the stack trace error section, not the whole catalina.log file) -> you can upload the error section as a file in this post.

Re: Role does not work with (LDAP) Active directory

Posted: Mon Jun 18, 2018 6:38 am
by milenormand
Hi jllort,

Thank you for your reply.
jllort wrote: Sun Jun 10, 2018 5:40 pm If your users are not able to see the Administration tab, it is because they are not members of ROLE_ADMIN (a group which must be created in your AD and assigned to the users).
My users are not able to see the Administration tab, but the users are members of ROLE_ADMIN:
[screenshot]

I can see the users in the group ROLE_ADMIN:
[screenshot]

Without <beans:property name="defaultRole" value="ROLE_ADMIN" />, I can't log in with admin rights (ROLE_ADMIN).

For more information, I think without <beans:property name="defaultRole" value="ROLE_ADMIN" />, all users have no authorization on any folders and files (no rights).

Best Regards,
Mi Lenormand

Re: Role does not work with (LDAP) Active directory

Posted: Wed Jun 20, 2018 4:15 pm
by jllort
If you are not seeing administration, it is because your logged-in users do not inherit ROLE_ADMIN (I hope you have not changed the configuration parameter default.admin.role=ROLE_ADMIN; you can check it in the OKM_CONFIG database table by looking for CFG_KEY='default.admin.role').

I do not understand how you are able to take administration screenshots if you are not logging in with ROLE_ADMIN users.

Re: Role does not work with (LDAP) Active directory

Posted: Thu Jun 21, 2018 1:22 pm
by milenormand
Hi jllort,
jllort wrote: If you are not seeing administration, it is because your logged-in users do not inherit ROLE_ADMIN (I hope you have not changed the configuration parameter default.admin.role=ROLE_ADMIN; you can check it in the OKM_CONFIG database table by looking for CFG_KEY='default.admin.role').
Thank you for your reply.

How do I check the inherited roles? (I think my problem is here.)

I haven't changed the configuration of the default roles:
[screenshot]

In the table OKM_CONFIG:
[screenshot]

jllort wrote: I do not understand how you are able to take administration screenshots if you are not logging in with ROLE_ADMIN users.
For troubleshooting I use the example "Force all users to be members of ROLE_USER" https://docs.openkm.com/kcenter/view/ok ... oting.html

but with ROLE_ADMIN: <beans:property name="defaultRole" value="ROLE_ADMIN" />.



thanks in advance,
Best Regards,
Mi Lenormand