
Authenticating with AD

Posted: Wed Sep 05, 2018 5:57 pm
by DrydenK
Hi,
I'm trying to authenticate users with my AD, but it's not working.

I followed https://docs.openkm.com/kcenter/view/ok ... ation.html. After entering all the required information in the administration panel, OpenKM has successfully retrieved the users and roles from my domain. Then, after setting the principal.adapter property to com.openkm.principal.LdapPrincipalAdapter and replacing Openkm.xml with the one suggested in the web page (and updating the url, manager-dn and manager-password), I restarted Tomcat to enable those settings.

Following catalina.out, after some time, I got the following error:
Code:
05-Sep-2018 10:46:14.222 SEVERE [localhost-startStop-1] org.springframework.web.context.ContextLoader.initWebApplicationContext Context initialization failed
 org.springframework.beans.factory.xml.XmlBeanDefinitionStoreException: Line 1 in XML document from URL [file:/home/openkm/tomcat-8.5.24/OpenKM.xml] is invalid; nested exception
 is org.xml.sax.SAXParseException; lineNumber: 1; columnNumber: 64; The prefix "security" for element "security:authentication-manager" is not bound.
I've tried some variations in the OpenKM.xml, without success. Do special characters ($, @, % and other) need to be escaped? Do I have to install some OS library to make it work? Does it make any difference to use FQDN or IP in the url?

I'm using OpenKM 6.3.6, build 787d181f
OS is Ubuntu 18.4 x64

tks,

Roberto

Re: Authenticating with AD

Posted: Thu Sep 06, 2018 6:02 pm
by jllort
Something is wrong in the XML.

1- Take care with passwords with strange characters, which might need to be escaped in the XML.
2- Ensure you have commented out the database XML configuration section.

What OpenKM version are you using?

Can you share your OpenKM.xml, masking private information, so we can take a look at it?

Re: Authenticating with AD

Posted: Mon Sep 10, 2018 2:01 pm
by DrydenK
As mentioned in the first post, I'm using version 6.3.6, build 87d181f.

My Openkm.xml file is the following:
Code:
<security:ldap-server id="ldapServer"
  url="ldap://ad.fdn.fundunesp.unesp.br:389/DC=<domain>"
  manager-dn="<admin_user, copied from Apache Directory>"
  manager-password="<my_admin_user_pass>"/>

<security:authentication-manager alias="authenticationManager">
  <security:ldap-authentication-provider
    server-ref="ldapServer"
    user-search-base="cn=Users"
    user-search-filter="(sAMAccountName={0})"
    group-search-base="cn=Users"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="none">
  </security:ldap-authentication-provider>
</security:authentication-manager>
Roberto

Re: Authenticating with AD

Posted: Thu Sep 13, 2018 6:25 am
by jllort
I do not like this minimalist configuration. I suggest going in the direction explained in this documentation section; you will have more control over what really happens with the integration: https://docs.openkm.com/kcenter/view/ok ... roles.html

First, start with the OpenKM administration configuration (OpenKM LDAP parameters) and, when you succeed there, go on to authentication. This is the easiest way of doing it, and you will restart the server fewer times (which is usually where a lot of time is spent).

[Solved] Re: Authenticating with AD

Posted: Thu Sep 13, 2018 1:30 pm
by DrydenK
GREAT!!!!!

This version works nicely. There was only one hiccup: The documentation in that page is outdated and needs to be fixed. In the XML, where it reads
Code:
xsi:schemaLocation="http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
     http://www.springframework.org/schema/security
     http://www.springframework.org/schema/security/spring-security-3.1.xsd
     http://www.springframework.org/schema/task
     http://www.springframework.org/schema/task/spring-task-3.1.xsd">
It should be
Code:
xsi:schemaLocation="http://www.springframework.org/schema/beans
     http://www.springframework.org/schema/beans/spring-beans-3.2.xsd
     http://www.springframework.org/schema/security
     http://www.springframework.org/schema/security/spring-security-3.2.xsd
     http://www.springframework.org/schema/task
     http://www.springframework.org/schema/task/spring-task-3.2.xsd">
If you don't replace the '3.1' entries with '3.2', Tomcat fails with the following message:
Code:
13-Sep-2018 10:04:22.970 INFO [localhost-startStop-1] org.springframework.beans.factory.xml.XmlBeanDefinitionReader.loadBeanDefinitions Loading XML bean definitions from URL [file:/home/openkm/tomcat-8.5.24/OpenKM.xml]
13-Sep-2018 10:04:23.020 SEVERE [localhost-startStop-1] org.springframework.web.context.ContextLoader.initWebApplicationContext Context initialization failed
 org.springframework.beans.factory.parsing.BeanDefinitionParsingException: Configuration problem: You cannot use a spring-security-2.0.xsd or spring-security-3.0.xsd or spring-security-3.1.xsd schema with Spring Security 3.2. Please update your schema declarations to the 3.2 schema.
Anyway, tks for the help.

Roberto

PS: Where do I report the above problem with the documentation?

Re: Authenticating with AD

Posted: Fri Sep 14, 2018 6:18 pm
by jllort
Also, you can remove the numbers and it should work. In newer versions of the OpenKM.xml file we have removed them.
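
Added example (not part of the thread and not OpenKM's own code): a pre-restart check for the two startup failures reported above, the unbound "security" prefix and the version-pinned schema locations, plus XML-safe escaping of the manager password. The host, DN, password and function names are constructed, and "remove the numbers" is taken here to mean the version-less xsd file names.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import quoteattr

XSI = "http://www.w3.org/2001/XMLSchema-instance"
SEC = "http://www.springframework.org/schema/security"
PINNED = re.compile(r"(/spring-[a-z]+)-\d+\.\d+(\.xsd)")

def preflight(xml_text):
    """Return findings to resolve before restarting Tomcat."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # An undeclared "security:" prefix surfaces here as "unbound prefix".
        return [f"not well-formed: {exc}"]
    # xsi:schemaLocation is a whitespace-separated list of (namespace, xsd) pairs.
    pairs = root.get(f"{{{XSI}}}schemaLocation", "").split()
    return [f"version-pinned schema (must match the bundled Spring version): {x}"
            for x in pairs[1::2] if PINNED.search(x)]

def unpin(xml_text):
    """Drop the version numbers from the Spring xsd file names."""
    return PINNED.sub(r"\1\2", xml_text)

def build(version, password):
    """Constructed minimal OpenKM.xml; host, DN and password are placeholders."""
    base = "http://www.springframework.org/schema"
    return f"""<beans xmlns="{base}/beans" xmlns:security="{base}/security"
  xmlns:xsi="{XSI}"
  xsi:schemaLocation="{base}/beans {base}/beans/spring-beans-{version}.xsd
    {base}/security {base}/security/spring-security-{version}.xsd">
  <security:ldap-server id="ldapServer" url="ldap://ad.example.test:389/DC=example"
    manager-dn="CN=svc,CN=Users,DC=example" manager-password={quoteattr(password)}/>
</beans>"""

def manager_password(xml_text):
    """Read back manager-password as the XML parser sees it."""
    return ET.fromstring(xml_text).find(f"{{{SEC}}}ldap-server").get("manager-password")

# Constructed fragment with no <beans> root, so "security:" is never declared.
FRAGMENT = '<security:authentication-manager alias="authenticationManager"/>'
# Constructed password: & and < (and the chosen quote) need escaping; $ @ % do not.
PASSWORD = 'p&ss<w"rd$@%'

if __name__ == "__main__":
    doc = build("3.1", PASSWORD)
    for label, text in (("fragment", FRAGMENT), ("3.1", doc), ("unpinned", unpin(doc))):
        print(label, preflight(text) or "ok")
    print("password round-trips:", manager_password(doc) == PASSWORD)
```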

Re: Authenticating with AD

Posted: Fri Sep 14, 2018 6:25 pm
by DrydenK
Ok. It would be nice to update the documentation with that information. Who would be responsible for that?

Re: Authenticating with AD

Posted: Sat Sep 15, 2018 8:12 am
by jllort
OpenKM staff are the ones who manage the documentation. Add the issue at https://github.com/openkm/document-mana ... tem/issues and we will change OpenKM.xml and also the documentation.

Re: Authenticating with AD

Posted: Fri Sep 21, 2018 12:37 pm
by ColH
Sorry if this is a dumb question, but is it necessary to change both the OpenKM.xml file and to set the principal.ldap.* settings in the Admin web page? They seem to be the same kind of values etc in many cases, and I'm not sure what the relationship is between the two.

Re: Authenticating with AD

Posted: Sat Sep 22, 2018 8:23 am
by jllort
They are the same, but the parameters from the administration are used by OpenKM to retrieve the user and role lists. The OpenKM.xml is used for authentication. I suggest first working with the administration parameters and, when you succeed with that, then working with OpenKM.xml; this is usually the quick way to succeed.