
LDAP Integration with custom AD Groups

Posted: Thu Aug 29, 2019 1:01 pm
by tvsuhail
I would appreciate it if someone could provide a solution for the below, as I am not able to reach my goal even after going through all the documents available for OpenKM.

I have three AD groups as IT Admins, HR, Accounts.

1. I need to allow only these group members to log on to OpenKM.
2. Restrict access to the folders created under okm:root for each department based on the groups.

Apart from the above, a few other clarifications.

1. Is the LDAP configuration under Administration-Configuration purely to list AD users and roles on the Administration-Users screen? And is OpenKM.xml for authentication?
2. Why am I not able to get other attributes on the screen such as Mail and Roles, whereas I am able to see Name and ID (ID is also not as expected)?

I am attaching a screenshot of my user screen and the configuration under Administration, as below.
principal.ldap.mail.attribute	:	userPrincipalName
principal.ldap.mail.search.base	:	DC=mydom,DC=ae
principal.ldap.mail.search.filter	:	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.referral	:	
principal.ldap.role.attribute	:	cn
principal.ldap.role.search.base	List	DC=mydom,DC=ae
principal.ldap.role.search.filter	:	(&(objectclass=group)(memberOf=CN=OpenKM,OU=Groups,OU=Infra-team,DC=mydom,DC=ae))
principal.ldap.roles.by.user.attribute	:	memberOf
principal.ldap.roles.by.user.search.base	:	DC=mydom,DC=ae
principal.ldap.roles.by.user.search.filter	:	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.security.credentials	:	*********
principal.ldap.security.principal	:	CN=ad admin,OU=IT,OU=Infra-team,DC=mydom,DC=ae
principal.ldap.server	:	ldap://10.20.20.1:389
principal.ldap.user.attribute	:	sAMAccountName
principal.ldap.user.search.base	List	DC=mydom,DC=ae
principal.ldap.user.search.filter	:	(&(objectclass=person)(memberOf=CN=OpenKM,OU=Groups,OU=Infra-team,DC=mydom,DC=ae))
principal.ldap.username.attribute	:	displayName
principal.ldap.username.search.base	:	DC=mydom,DC=ae
principal.ldap.username.search.filter	:	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	:	member
principal.ldap.users.by.role.search.base	:	DC=mydom,DC=ae
principal.ldap.users.by.role.search.filter	:	(&(objectClass=group)(cn={0}))

Re: LDAP Integration with custom AD Groups

Posted: Sat Aug 31, 2019 9:43 am
by jllort
About users:
principal.ldap.user.search.filter	:	(&(objectclass=person)(memberOf=CN=OpenKM,OU=Groups,OU=Infra-team,DC=mydom,DC=ae))
You should correct it; they should be members of ROLE_USER and ROLE_OPENKM:
principal.ldap.user.search.filter	:	(&(objectclass=person)(|(memberOf=CN=ROLE_USER,OU=Groups,OU=Infra-team,DC=mydom,DC=ae)(memberOf=CN=ROLE_ADMIN,OU=Groups,OU=Infra-team,DC=mydom,DC=ae)))
About role list:
principal.ldap.role.search.filter	:	(&(objectclass=group)(memberOf=CN=OpenKM,OU=Groups,OU=Infra-team,DC=mydom,DC=ae))
It means ROLE_USER and ROLE_ADMIN are members of ROLE_OPENKM.

About email:
principal.ldap.mail.attribute	:	userPrincipalName
Usually, the attribute in AD that contains the email is named mail (I suggest navigating at a low level with Microsoft Active Directory Explorer: https://docs.openkm.com/kcenter/view/ok ... ation.html ).

Finally, remember that inheritance between roles is not allowed. That means the user okmAdmin is a member of ROLE_ADMIN (ROLE_ADMIN is a member of ROLE_OPENKM, but do not expect that when the user okmAdmin is a member of ROLE_OPENKM it will also inherit ROLE_ADMIN; that will not happen). The relation between users and roles must be a direct relation (not inherited).

ROLE_OPENKM is used for filtering roles among all the groups you have in your AD (you might not be interested in showing all groups like Administrators etc., so this is used for filtering purposes, only showing groups that are a member of ROLE_OPENKM).

In general I see a good configuration; I do not see mistakes or observations in other sections. Remember, after applying any change, go to Administration > Tools > Cache stats and reset all (the AD list is cached and that might be lying to you after a change).
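The following is an added example, not code from OpenKM or from either poster, that evaluates the filters discussed in this thread offline so their behaviour can be checked before touching the real directory. It builds a small constructed AD-like directory (users alice, bob and eve; groups ROLE_USER, ROLE_ADMIN, ROLE_OPENKM and Administrators under the OU from the thread, plus an assumed OU=Users container) and a minimal RFC 4515 filter evaluator supporting `&`, `|` and equality, then runs the user, role, roles-by-user and users-by-role filters with OpenKM's `{0}` substitution. It assumes the container group is named ROLE_OPENKM as in the reply (the original post used CN=OpenKM). It shows why a single memberOf on the container group lists only users placed directly in it, why the `|` form lists ROLE_USER and ROLE_ADMIN members, that the role filter hides ordinary groups such as Administrators, that group membership is not inherited through nesting, and that `mail` and `userPrincipalName` are different attributes.

```python
"""Added example (not OpenKM code): evaluate the thread's LDAP filters against a
constructed AD-like directory with a tiny RFC 4515 evaluator ((&...), (|...), attr=value)."""
from typing import Dict, List, Tuple

GROUPS = "OU=Groups,OU=Infra-team,DC=mydom,DC=ae"   # group OU from the thread
USERS = "OU=Users,DC=mydom,DC=ae"                    # assumed user OU (constructed)


def _user(name: str, *groups: str) -> Dict[str, List[str]]:
    # Constructed person entry; userPrincipalName deliberately differs from mail
    return {"objectClass": ["person"], "sAMAccountName": [name],
            "mail": [f"{name}@mydom.ae"], "userPrincipalName": [f"{name}@mydom.local"],
            "memberOf": [f"CN={g},{GROUPS}" for g in groups]}


def _group(name: str, members: List[str], *parents: str) -> Dict[str, List[str]]:
    return {"objectClass": ["group"], "cn": [name], "member": members,
            "memberOf": [f"CN={p},{GROUPS}" for p in parents]}


# Constructed sample directory (not a real domain)
DIRECTORY = [
    _user("alice", "ROLE_USER"),
    _user("bob", "ROLE_ADMIN"),
    _user("eve", "ROLE_OPENKM"),   # placed directly in the container group
    _group("ROLE_USER", [f"CN=alice,{USERS}"], "ROLE_OPENKM"),
    _group("ROLE_ADMIN", [f"CN=bob,{USERS}"], "ROLE_OPENKM"),
    _group("ROLE_OPENKM", [f"CN=ROLE_USER,{GROUPS}", f"CN=ROLE_ADMIN,{GROUPS}", f"CN=eve,{USERS}"]),
    _group("Administrators", []),  # ordinary AD group that should stay hidden
]


def _parse(s: str, i: int) -> Tuple[tuple, int]:
    """Parse one parenthesised filter node starting at s[i]; return (node, next index)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = _parse(s, i)
            kids.append(node)
        if s[i] != ")":
            raise ValueError(f"expected ')' at {i}")
        return (op, kids), i + 1
    eq = s.index("=", i)      # first '=' separates attribute from value (DN values keep theirs)
    end = s.index(")", eq)    # DN values contain no ')' in this example
    return ("=", s[i:eq], s[eq + 1:end]), end + 1


def _match(node: tuple, entry: Dict[str, List[str]]) -> bool:
    if node[0] == "&":
        return all(_match(k, entry) for k in node[1])
    if node[0] == "|":
        return any(_match(k, entry) for k in node[1])
    _, attr, value = node
    # AD attribute names and DN comparisons are case-insensitive
    vals = next((v for a, v in entry.items() if a.lower() == attr.lower()), [])
    return any(v.lower() == value.lower() for v in vals)


def search(filter_template: str, arg: str = "") -> List[Dict[str, List[str]]]:
    """Substitute {0} the way OpenKM does, then return matching entries."""
    flt = filter_template.replace("{0}", arg)
    node, end = _parse(flt, 0)
    if end != len(flt):
        raise ValueError("trailing characters in filter")
    return [e for e in DIRECTORY if _match(node, e)]


def _rdn(dn: str) -> str:
    return dn.split(",")[0].split("=", 1)[1]


# Single memberOf on the container group (shape of the original post) vs. the corrected OR form
ORIGINAL_USER_FILTER = f"(&(objectclass=person)(memberOf=CN=ROLE_OPENKM,{GROUPS}))"
CORRECTED_USER_FILTER = (f"(&(objectclass=person)(|(memberOf=CN=ROLE_USER,{GROUPS})"
                         f"(memberOf=CN=ROLE_ADMIN,{GROUPS})))")
ROLE_FILTER = f"(&(objectclass=group)(memberOf=CN=ROLE_OPENKM,{GROUPS}))"
ROLES_BY_USER_FILTER = "(&(objectClass=person)(sAMAccountName={0}))"
USERS_BY_ROLE_FILTER = "(&(objectClass=group)(cn={0}))"


def list_users(user_filter: str) -> List[str]:          # principal.ldap.user.attribute = sAMAccountName
    return sorted(e["sAMAccountName"][0] for e in search(user_filter))


def list_roles() -> List[str]:                          # principal.ldap.role.attribute = cn
    return sorted(e["cn"][0] for e in search(ROLE_FILTER))


def roles_by_user(user: str) -> List[str]:              # roles.by.user.attribute = memberOf (direct only)
    return sorted(_rdn(dn) for e in search(ROLES_BY_USER_FILTER, user) for dn in e["memberOf"])


def users_by_role(role: str) -> List[str]:              # users.by.role.attribute = member
    return sorted(_rdn(dn) for e in search(USERS_BY_ROLE_FILTER, role) for dn in e["member"])


def mail_of(user: str, attribute: str) -> str:          # principal.ldap.mail.attribute
    return search(ROLES_BY_USER_FILTER, user)[0][attribute][0]


if __name__ == "__main__":
    print(list_users(ORIGINAL_USER_FILTER))   # ['eve']  only direct members of the container
    print(list_users(CORRECTED_USER_FILTER))  # ['alice', 'bob']
    print(list_roles())                       # ['ROLE_ADMIN', 'ROLE_USER']  Administrators hidden
    print(roles_by_user("eve"))               # ['ROLE_OPENKM']  no ROLE_ADMIN inherited
    print(mail_of("alice", "mail"), mail_of("alice", "userPrincipalName"))
```

Running the script reproduces the reply's points: `roles_by_user("bob")` yields only ROLE_ADMIN (not ROLE_OPENKM) and `roles_by_user("eve")` yields only ROLE_OPENKM, because `memberOf` reflects direct membership and nothing walks the nesting. Real AD is only consulted through the configured service account and the evaluator here is deliberately minimal (no substring, presence or escaped-value syntax), so treat it as a way to reason about filter shape, not as a replacement for checking the live directory with AD Explorer.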