• Local vs LDAP Users

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #52995  by teera_w
 
I have some questions about local vs LDAP users.

In case we configure OpenKM 6.3 to integrate with LDAP for authentication, can we still use local users together with LDAP users? Our requirements may have mixed types of users (both local and LDAP users).

Thank you.
TW.
 #53006  by jllort
 
You can have several sources working together, but it is not easy to manage them. Most of the difficulties are in the administration screen where the user list is shown. When using LDAP and database resources, it is not possible to use this screen (because AD users cannot be modified but database users can be). In this scenario a small customization is necessary to manage users from another screen.

The problem is not in login, the problem comes from managing users and getting the unified user list required by OpenKM. In the case of the professional edition we have done some configuration in this manner.
 #53029  by teera_w
 
jllort wrote: Sat Nov 13, 2021 9:16 am You can have several sources working together, but it is not easy to manage them. Most of the difficulties are in the administration screen where the user list is shown. When using LDAP and database resources, it is not possible to use this screen (because AD users cannot be modified but database users can be). In this scenario a small customization is necessary to manage users from another screen.

The problem is not in login, the problem comes from managing users and getting the unified user list required by OpenKM. In the case of the professional edition we have done some configuration in this manner.
Thanks, jllort.

I have more questions:
1) I found OpenKM.xml in 2 locations: at Tomcat's root, and under the OpenKM war folder. Which file should I update the LDAP config in?
2) If we configure both local and LDAP authentication together, can we put XML tags like below in OpenKM.xml, both local (DB) and LDAP?

As sample:

OpenKM.xml:
.....
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="md5"/>
      <security:jdbc-user-service
        data-source-ref="dataSource"
        users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
        authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>
  <security:ldap-server id="ldapServer"
    url="ldap://192.168.0.6:389/DC=ldap,dc=company,dc=local"
    manager-dn="CN=Administrator,cn=users,dc=company,dc=local"
    manager-password="password"/>
  
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="cn=Users"
      user-search-filter="(sAMAccountName={0})"
      group-search-base="cn=Users"
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>
.....
 #53034  by jllort
 
It seems I did not succeed in explaining that having both together is not a good idea. You must apply changes to the OpenKM.xml in the Tomcat folder (forget the file in the war).

First you should focus on getting LDAP integrated; obviously, the XML you have written is incomplete. I suggest taking a look here https://docs.openkm.com/kcenter/view/ok ... roles.html

We do not have a multiple providers sample for the CE, but I think the sample for professional might be used as a guide https://docs.openkm.com/kcenter/view/ok ... derssample
 #53052  by teera_w
 
Hi Jllort,

I understand your concern about managing local and AD users together.

If we configure both local and AD users, local users will disappear from the user list screen.
Local users can still log on to OpenKM, but we cannot manage local users anymore (add/update/delete).

Could you share how OpenKM professional manages users when both local and AD are turned on in the same admin UI?
 #53058  by jllort
 
In the case of the professional edition, we have two screens. The default user list shows AD users, and in a secondary tab (customization) we manage database users. Basically, we use the default OpenKM configuration to show AD in the standard way and an extra tab with database user management (that is the customization).
