system user
PostPosted:Sun Mar 22, 2009 9:42 am
by samkaya
I'm logged in with the admin account, but I can't see the administration menu item shown in this image.
Is there another admin besides the admin account, like the system user account? If so, what are the credentials of the system account? This system user is mentioned in the administration guide.
Re:system user
PostPosted:Mon Mar 23, 2009 7:34 am
by jllort
It has been changed in OpenKM 3.0. The system user is now called okmAdmin and we've replaced the admin menu options with a new tab on (desktop | search | dashboard | administration). But you only see this new tab if you're logged in as administrator.
Re: system user
PostPosted:Mon Feb 15, 2010 12:49 pm
by pito
Hello,
According to this I changed my system user to the okmAdmin user but I still cannot see the Administration tab. I use LDAP. okmAdmin is in group AdminRole. I have set up storage to be in the database (PostgreSQL). Apart from not displaying the administration tab everything works fine. What could be wrong?
Thank you for any help and have a nice day.
Re: system user
PostPosted:Mon Feb 15, 2010 4:21 pm
by jllort
Really the problem is not in the user, it is in the role for sure. Since OpenKM 4.0 there can be more than one user as administrator, so now we control by role, not by name. You should ensure AdminRole is assigned to this user and is correctly typed (case sensitive).
Re: system user
PostPosted:Mon Feb 15, 2010 4:37 pm
by pito
Just to make it clear: you are saying that if the user is in group/role AdminRole then, as far as version 4.0 is concerned, he is an admin with access to all admin tools just like user "system" in previous versions. Is that right, or do you have to explicitly list the admin users somewhere?
Thank you.
Re: system user
PostPosted:Tue Feb 16, 2010 9:05 am
by jllort
That is right: since version 4.0 any user with AdminRole has full privileges; in older versions there was only one user who had these grants.
Re: system user
PostPosted:Tue Feb 16, 2010 2:17 pm
by pito
Thank you.
There is maybe some bug or confusion in this mechanism. AdminRole is not visible among the other groups in the "update Security" interface. When I change the name of the group to something different it appears there instantly (after reopening "update Security"). When I change it back to "AdminRole" it disappears (neither the previous name nor AdminRole is shown in the Groups view). This I believe is correct, since you probably redesigned it so that AdminRole has rights for everything by default and cannot be changed, which is great. But the Administration tab is still not appearing for users in the AdminRole group. Not even after logout/login or restarting the server. Any ideas what to check next?
Thanks a lot
(Just a reminder: I am using LDAP for users and groups)
Re: system user
PostPosted:Wed Feb 17, 2010 8:05 am
by jllort
If you're integrated with LDAP, the users in the administration tab really have no effect. Anything you see or put there has no effect on OpenKM authentication.
Try accessing OpenKM/es.git.openkm.backend.Main/ directly; if a JS popup alert is shown it means the user has no AdminRole, for sure. The strange thing is that you can access it, which means it has UserRole (if you've got it, the LDAP assignment is right). It's really strange.
Another question: are you integrating Active Directory or another LDAP?
If nothing works we could try to compile some LDapPrincipalAdapter with logs to see what's happening.
Re: system user
PostPosted:Wed Feb 17, 2010 10:18 am
by pito
jllort wrote: If you're integrated with LDAP, the users in the administration tab really have no effect. Anything you see or put there has no effect on OpenKM authentication.
Yes, I am aware of that. Thank you. I want the admin tab for other things.
jllort wrote: Try accessing OpenKM/es.git.openkm.backend.Main/ directly; if a JS popup alert is shown it means the user has no AdminRole, for sure. The strange thing is that you can access it, which means it has UserRole (if you've got it, the LDAP assignment is right). It's really strange.
Yes, I got a popup saying that only the administrator user can log in to administration.
jllort wrote: Another question: are you integrating Active Directory or another LDAP?
We are using OpenLDAP (v. 2.4.11, Debian Lenny).
jllort wrote: If nothing works we could try to compile some LDapPrincipalAdapter with logs to see what's happening.
Maybe we could try this, because I am out of ideas what else to try.
Re: system user
PostPosted:Wed Feb 17, 2010 10:20 pm
by jllort
Try replacing in OpenKM.war the ldapPrincipalAdapter class (attachment); it has some log info (please make a backup of the OpenKM.war file before doing anything, and make changes with JBoss stopped).
But I think your problems are in OpenKM.cfg and login-config.xml.
Try putting this code in some JSP (for example, place test.jsp into OpenKM.war) and open that JSP page after you have logged in with the user.
<% System.out.println("has roles " + request.isUserInRole("AdminRole")); %>
With it you'll be sure whether the authenticated user has this role.
Re: system user
PostPosted:Thu Feb 18, 2010 5:04 pm
by pito
Thank you very much. I tested it and found out that no role other than UserRole is being assigned. The issue is probably (as you foretold) in login-config.xml. I had:
<module-option name="defaultRole">UserRole</module-option>
so UserRole was assigned by default (forced, thus the confusion).
I commented it out and I am no longer able to log in, so the role assignment does not work correctly.
Could you help me with what could be wrong here?
From login-config.xml:
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://ldap.example.org</module-option>
      <module-option name="bindDN">cn=admin,dc=example,dc=org</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">ou=example,ou=People,dc=example,dc=org</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=example,ou=Groups,dc=example,dc=org</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleRecursion">1</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <!--module-option name="defaultRole">UserRole</module-option-->
    </login-module>
  </authentication>
</application-policy>
I tried to change the scope to subtree (even though it should not matter because there is no deeper level) and I also tried to change roleRecursion to 0, 1, 2 (not sure what this one does), with no effect so far.
Re: system user
PostPosted:Thu Feb 18, 2010 6:04 pm
by jllort
That is ok for sure, but tested on Windows:
192.168.0.6, Administrador, password and weyler values must be changed
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://192.168.0.6</module-option>
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
  </authentication>
</application-policy>
You might search in the JBoss forum whether another configuration must be applied for your LDAP.
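The two login-module configurations above differ in how the role attribute is interpreted. The script below is an added example, not code from the thread, OpenKM or JBoss: it models how an LdapExtLoginModule-style module resolves roles from those options (placeholder substitution in baseFilter and roleFilter, searchScope, roleAttributeIsDN, defaultRole) over a constructed in-memory directory shaped like the OpenLDAP configuration posted earlier. The option semantics are reproduced as understood here and simplified (single equality filters, no roleRecursion, assumed default for roleNameAttributeID), so treat the model as an illustration of the mechanism rather than the module's own code.

```python
"""Model of LdapExtLoginModule-style role resolution over an in-memory directory.

Added example; the directory is constructed and the option semantics follow
org.jboss.security.auth.spi.LdapExtLoginModule as understood here (assumption),
simplified to single equality filters and no roleRecursion.
"""
import re

USER_DN = "uid=pito,ou=example,ou=People,dc=example,dc=org"

# Constructed directory: DN -> attributes, each attribute a list of values.
DIRECTORY = {
    USER_DN: {"uid": ["pito"], "objectClass": ["inetOrgPerson"]},
    "uid=bob,ou=example,ou=People,dc=example,dc=org": {"uid": ["bob"]},
    "cn=AdminRole,ou=example,ou=Groups,dc=example,dc=org": {
        "cn": ["AdminRole"], "objectClass": ["groupOfNames"], "member": [USER_DN]},
    "cn=UserRole,ou=example,ou=Groups,dc=example,dc=org": {
        "cn": ["UserRole"], "objectClass": ["groupOfNames"],
        "member": [USER_DN, "uid=bob,ou=example,ou=People,dc=example,dc=org"]},
}

# The OpenLDAP module options posted in the thread (defaultRole commented out).
PITO_CONFIG = {
    "baseCtxDN": "ou=example,ou=People,dc=example,dc=org",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "ou=example,ou=Groups,dc=example,dc=org",
    "roleFilter": "(member={1})",
    "roleAttributeID": "cn",
    "roleAttributeIsDN": "true",
    "searchScope": "ONELEVEL_SCOPE",
}


def _norm(dn):
    """Normalise a DN for comparison: lower-case, no spaces around commas."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def _in_scope(dn, base, scope):
    """ONELEVEL: direct children of base only; SUBTREE: any descendant."""
    if scope == "ONELEVEL_SCOPE":
        return _norm(dn).partition(",")[2] == _norm(base)
    if scope == "SUBTREE_SCOPE":
        return _norm(dn).endswith("," + _norm(base))
    raise ValueError(f"unsupported searchScope: {scope}")


def _lookup(dn, directory):
    """Fetch an entry by DN, tolerating case/whitespace differences."""
    wanted = _norm(dn)
    return next((e for d, e in directory.items() if _norm(d) == wanted), None)


_EQUALITY = re.compile(r"^\((\w+)=([^)]*)\)$")


def search(base, scope, filt, directory):
    """Return the DNs under `base` whose entry matches a single equality filter."""
    match = _EQUALITY.match(filt)
    if not match:
        raise ValueError(f"unsupported filter: {filt}")
    attr, value = match.groups()
    hits = []
    for dn, attrs in directory.items():
        if not _in_scope(dn, base, scope):
            continue
        values = attrs.get(attr, [])
        # DN-valued attributes (e.g. member) compare case-insensitively, others exactly.
        if value in values or any(_norm(v) == _norm(value) for v in values):
            hits.append(dn)
    return hits


def resolve_roles(opts, username, directory=DIRECTORY):
    """Return the set of role names the module would assign, or None if no unique user."""
    # Step 1: locate the user entry; {0} is the login name.
    users = search(opts["baseCtxDN"], opts["searchScope"],
                   opts["baseFilter"].replace("{0}", username), directory)
    if len(users) != 1:
        return None
    user_dn = users[0]
    roles = set()
    # Step 2: find role entries; {1} is the user DN found in step 1.
    role_filter = opts["roleFilter"].replace("{0}", username).replace("{1}", user_dn)
    for role_dn in search(opts["rolesCtxDN"], opts["searchScope"], role_filter, directory):
        for value in directory[role_dn].get(opts["roleAttributeID"], []):
            if opts.get("roleAttributeIsDN", "false") == "true":
                # The value is treated as the DN of a role entry and the role name is
                # read from roleNameAttributeID there ("name" assumed as the default).
                # A plain cn such as "AdminRole" is not a DN, so nothing resolves.
                entry = _lookup(value, directory) if "=" in value else None
                if entry is not None:
                    roles.update(entry.get(opts.get("roleNameAttributeID", "name"), []))
            else:
                roles.add(value)
    if "defaultRole" in opts:
        roles.add(opts["defaultRole"])  # always granted, which can mask a broken lookup
    return roles


if __name__ == "__main__":
    print("roleAttributeIsDN=true :", resolve_roles(PITO_CONFIG, "pito"))
    print("roleAttributeIsDN=false:", resolve_roles({**PITO_CONFIG, "roleAttributeIsDN": "false"}, "pito"))
```

Run stand-alone, the script resolves no roles for the posted options and AdminRole plus UserRole once roleAttributeIsDN is false, which is also the setting the Active Directory configuration above uses. Adding a defaultRole back yields exactly UserRole, matching the observation that only UserRole was ever assigned.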
Re: system user
PostPosted:Fri Feb 19, 2010 9:55 am
by pito
The config you posted did not work either. I searched the JBoss forum as you suggested and found a configuration with a slightly different approach, and it worked out:
code directly from
http://community.jboss.org/thread/124487:
<login-module code="org.jboss.security.auth.spi.LdapLoginModule" flag="required">
  <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
  <module-option name="java.naming.provider.url">ldap://localhost:10389/</module-option>
  <module-option name="java.naming.security.authentication">simple</module-option>
  <module-option name="principalDNPrefix">uid=</module-option>
  <module-option name="principalDNSuffix">,ou=People,o=test,dc=portal,dc=example,dc=com</module-option>
  <module-option name="rolesCtxDN">ou=Roles,o=test,dc=portal,dc=example,dc=com</module-option>
  <module-option name="uidAttributeID">member</module-option>
  <module-option name="matchOnUserDN">true</module-option>
  <module-option name="roleAttributeID">cn</module-option>
  <module-option name="roleAttributeIsDN">false</module-option>
  <module-option name="searchTimeLimit">5000</module-option>
  <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
</login-module>
I still do not understand where the big difference is.
Thank you for your help.
Have a nice day,
Pito
Re: system user
PostPosted:Fri Feb 19, 2010 5:37 pm
by jllort
The configuration you posted runs on your system. As I wrote in my last post, the last configuration is for Active Directory (that's an LDAP structure too), but I cannot be sure that the same configuration running on Windows is the same as for your LDAP on Linux (OpenLDAP or similar); probably some parameters are the same but others are not.
If you finally can connect, it'll be interesting to see the differences. Try looking in Google for "ldap jboss" together with your OS or your LDAP version; probably you'll find better information.