LDAP Paged search

Posted: Tue Nov 02, 2021 7:27 am
by moealiassaad
Hello,

We have an AD with more than 5000 users, and when we sync it with OpenKM we only get the first 1000 due to pagination limits in the AD.

How can we configure OpenKM.xml so that we perform a paged search and get all users?

We are using OpenKM CE 6.3.

Best

Re: LDAP Paged search

Posted: Fri Nov 05, 2021 7:04 pm
by jllort
That is a restriction that comes from the AD configuration, which does not allow retrieving more than 1000 elements. Check your AD configuration, because it is on its side.

Re: LDAP Paged search

Posted: Mon Nov 08, 2021 8:51 am
by moealiassaad
Thanks for your reply.

I understand that. For now our AD management does not wish to change this limit from their side and want us to find a solution on our side.

I found a way to do a paged search in plain Java, which returns all the results, but in the case of OpenKM the configuration is in an XML file, and I couldn't find online a configuration to perform a paged search on AD via XML.

Isn't there any other solution but changing the AD configuration?

Re: LDAP Paged search

Posted: Sat Nov 13, 2021 9:12 am
by jllort
I suggest creating your own LdapPrincipalAdapter.java class and doing the pagination there. Anyway, from my point of view this is a bad approach: do all the users in the AD have access to OpenKM? Because only members of ROLE_ADMIN and ROLE_USER should have access to OpenKM -> then the list of users from AD should be only those that are members of these two groups (I don't know whether you have more than 1000 users who are members of these roles or not?). For example, take a look here https://docs.openkm.com/kcenter/view/ok ... roles.html at the configuration parameter named principal.ldap.user.search.filter

Re: LDAP Paged search

Posted: Mon Nov 22, 2021 4:07 pm
by moealiassaad
No, not all employees have the OKM_USER role in AD, you're right.
So here is my understanding: there are two places where LDAP is configured -> in Administration Configuration (to get the full list of users), and in OpenKM.xml (for AD login).

When I use these values in Administration Configuration:
  • For principal.ldap.mail.search.base: ou=XXX,dc=YYYYYYY,dc=net
  • For principal.ldap.role.search.base: ou=XXX,dc=YYYYYYY,dc=net
  • For principal.ldap.roles.by.user.search.base: ou=XXX,dc=YYYYYYY,dc=net
  • For principal.ldap.user.search.base: ou=XXX,dc=YYYYYYY,dc=net
  • For principal.ldap.username.search.base: ou=XXX,dc=YYYYYYY,dc=net
I get only the people from the OU, some of whom have the role OKM_USER.

However, I don't see any user from outside of OU=XXX.
If I remove the OU and use only dc=YYYYYYY,dc=net, I don't see any user in our OU, as I only get the first 1000.

Is there a way to get only users from AD who have OKM_USERS / OKM_ADMIN roles regardless of the OU? (our company has many entities and OU=XXX contains the list of employees from our own entities only).

I hope my explanation was clear.
Thanks for your support

Re: LDAP Paged search

Posted: Sat Nov 27, 2021 12:18 pm
by jllort
You should use the base and not the OU. Here there's a sample about this matter https://docs.openkm.com/kcenter/view/ok ... roles.html

Re: LDAP Paged search

Posted: Thu Dec 02, 2021 2:00 pm
by moealiassaad
Dear jllort,

Just to give you feedback on this issue: we managed to filter users by group by using the following syntax
(|(memberOf=CN=OpenKM_Users,OU=Administration,OU=Security,OU=Groups,OU=xxx,DC=yyyy,DC=net)(memberOf=CN=OpenKM_Admins,OU=Administration,OU=Security,OU=Groups,OU=xxx,DC=yyyy,DC=net))
in the field principal.ldap.user.search.filter,
and by setting the search base for all items to DC=yyyy,DC=net.

Now we only see users that are in these security groups. I still did not try the login filter, but I guess that, following the link you sent me, it is a straightforward action.

Thank you for your support
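
As an added illustration of what this thread ends up combining (the paged search jllort suggested doing inside a custom LdapPrincipalAdapter, and the memberOf filter posted above), here is a stand-alone JNDI example; it is not OpenKM's code and not from any poster. The LDAP URL, bind DN and the LDAP_BIND_PASSWORD environment variable are placeholders, and the filter reuses the thread's own placeholder DNs.

```java
import java.util.*;
import javax.naming.*;
import javax.naming.directory.*;
import javax.naming.ldap.*;

public class PagedAdUserSearch {
    // Search base and memberOf filter as posted in the thread (placeholder DNs kept as-is)
    static final String BASE = "DC=yyyy,DC=net";
    static final String FILTER =
        "(|(memberOf=CN=OpenKM_Users,OU=Administration,OU=Security,OU=Groups,OU=xxx,DC=yyyy,DC=net)"
        + "(memberOf=CN=OpenKM_Admins,OU=Administration,OU=Security,OU=Groups,OU=xxx,DC=yyyy,DC=net))";
    static final int PAGE_SIZE = 500; // keep at or below AD's MaxPageSize (1000 by default)

    public static List<String> searchAll(LdapContext ctx) throws Exception {
        List<String> names = new ArrayList<>();
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"sAMAccountName"});
        byte[] cookie = null;
        do {
            // Simple Paged Results control (RFC 2696); the cookie is null on the first round trip
            ctx.setRequestControls(new Control[] {new PagedResultsControl(PAGE_SIZE, cookie, Control.CRITICAL)});
            NamingEnumeration<SearchResult> results = ctx.search(BASE, FILTER, sc);
            while (results.hasMore()) {
                Attribute a = results.next().getAttributes().get("sAMAccountName");
                if (a != null) names.add((String) a.get()); // objects without the attribute are skipped
            }
            // The response control carries the cookie for the next page; an empty cookie means the last page
            cookie = null;
            Control[] resp = ctx.getResponseControls();
            for (int i = 0; resp != null && i < resp.length; i++) {
                if (resp[i] instanceof PagedResultsResponseControl) {
                    cookie = ((PagedResultsResponseControl) resp[i]).getCookie();
                }
            }
        } while (cookie != null && cookie.length > 0);
        return names;
    }

    public static void main(String[] args) throws Exception {
        // Usage (placeholders): java PagedAdUserSearch ldaps://dc.example.net:636 "CN=okm-sync,OU=Service,DC=yyyy,DC=net"
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, args[0]);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, args[1]);
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD")); // never hard-code the bind password
        LdapContext ctx = new InitialLdapContext(env, null);
        try { System.out.println(searchAll(ctx).size() + " users matched"); } finally { ctx.close(); }
    }
}
```

Each page is a separate search request with the same base, filter and scope, so the bind account only needs read access to the group membership attributes; use ldaps:// (or StartTLS) so the simple bind does not send the password in clear.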

Re: LDAP Paged search

Posted: Sat Dec 04, 2021 9:23 am
by jllort
You should create security groups named ROLE_USER and ROLE_ADMIN; your OpenKM_Users should be ROLE_USER, and the same idea applies to the other one.

ROLE_USER and ROLE_ADMIN are the security group names expected by default in OpenKM; changing them is possible, but I do not suggest it.