Local vs LDAP Users

Posted: Tue Nov 09, 2021 4:50 am
by teera_w
I have some questions about Local vs LDAP Users.

In case we configure OpenKM 6.3 to integrate with LDAP for authentication,
can we still use Local Users together with LDAP users? Our requirements may include mixed types of users (both Local & LDAP users).

Thank you.
TW.

Re: Local vs LDAP Users

Posted: Sat Nov 13, 2021 9:16 am
by jllort
You can have several sources working together, but it is not easy to manage them. Most of the difficulties are in the administration screen where the user list is shown. When using LDAP and Database resources, it is not possible to use this screen (because AD users cannot be modified but Database users can be). In this scenario a small customization is necessary to manage users from another screen.

The problem is not in login, the problem comes from managing users and getting the unified user list required by OpenKM. In the case of the professional edition we have done some configuration in this manner.

Re: Local vs LDAP Users

Posted: Fri Nov 19, 2021 10:13 am
by teera_w
jllort wrote: Sat Nov 13, 2021 9:16 am You can have several sources working together, but it is not easy to manage them. Most of the difficulties are in the administration screen where the user list is shown. When using LDAP and Database resources, it is not possible to use this screen (because AD users cannot be modified but Database users can be). In this scenario a small customization is necessary to manage users from another screen.

The problem is not in login, the problem comes from managing users and getting the unified user list required by OpenKM. In the case of the professional edition we have done some configuration in this manner.
Thanks, jllort.

I have more questions:
1) I found OpenKM.xml in 2 locations: at Tomcat's root, and under the OpenKM war folder. Which file should I update the LDAP config in?
2) If we configure both Local & LDAP authentication together, can we put XML tags like the ones below in OpenKM.xml -- both Local (DB) & LDAP?

As a sample:

OpenKM.xml:
.....
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider>
      <security:password-encoder hash="md5"/>
      <security:jdbc-user-service
        data-source-ref="dataSource"
        users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
        authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
    </security:authentication-provider>
  </security:authentication-manager>
  <security:ldap-server id="ldapServer"
    url="ldap://192.168.0.6:389/DC=ldap,dc=company,dc=local"
    manager-dn="CN=Administrator,cn=users,dc=company,dc=local"
    manager-password="password"/>
  
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="cn=Users"
      user-search-filter="(sAMAccountName={0})"
      group-search-base="cn=Users"
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>
.....

Re: Local vs LDAP Users

Posted: Sun Nov 21, 2021 9:23 am
by jllort
It seems I did not succeed in explaining that having both together is not a good idea. You must apply the changes to the OpenKM.xml in the Tomcat folder (forget the file in the war).

First you should focus on getting LDAP integrated. Obviously, the XML you have written is incomplete; I suggest taking a look here https://docs.openkm.com/kcenter/view/ok ... roles.html

We do not have a multiple providers sample for the CE, but I think the sample for professional might be used as a guide https://docs.openkm.com/kcenter/view/ok ... derssample
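
Added example, not part of the thread and not OpenKM's own sample: Spring Security's XML namespace lets one authentication-manager element hold several providers, consulted in the order they are declared, rather than two elements sharing the same alias as in the posted snippet. The fragment assumes it sits inside the existing beans element of OpenKM.xml, where the security prefix and the dataSource bean are already defined; all values are the ones posted above.

```xml
<!-- Added example (not OpenKM's own sample). Values are copied from the snippet
     posted in this thread; manager-password is a placeholder. -->

<!-- Directory connection. ldap:// on port 389 carries the manager bind and the
     users' passwords unencrypted; use an ldaps:// URL if the directory offers
     one. A dedicated read-only bind account is preferable to Administrator. -->
<security:ldap-server id="ldapServer"
  url="ldap://192.168.0.6:389/DC=ldap,dc=company,dc=local"
  manager-dn="CN=Administrator,cn=users,dc=company,dc=local"
  manager-password="password"/>

<!-- One manager, two providers: a login succeeds as soon as one of them
     accepts the credentials. -->
<security:authentication-manager alias="authenticationManager">

  <!-- Provider 1: local users stored in the OpenKM database -->
  <security:authentication-provider>
    <security:password-encoder hash="md5"/>
    <security:jdbc-user-service
      data-source-ref="dataSource"
      users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
      authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
  </security:authentication-provider>

  <!-- Provider 2: directory users, looked up by sAMAccountName -->
  <security:ldap-authentication-provider
    server-ref="ldapServer"
    user-search-base="cn=Users"
    user-search-filter="(sAMAccountName={0})"
    group-search-base="cn=Users"
    group-search-filter="(member={0})"
    group-role-attribute="cn"
    role-prefix="none"/>

</security:authentication-manager>
```

This covers login only; as the replies in this thread point out, the administration screen's user list still has to be handled separately when two sources are active.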

Re: Local vs LDAP Users

Posted: Fri Nov 26, 2021 9:42 am
by teera_w
Hi Jllort,

I understand your concern about managing Local & AD users together.

If we configure both Local & AD users, local users will disappear from the User list screen.
Local users can still log on to OpenKM, but local users cannot be managed anymore (add/update/delete).

Could you share how OpenKM professional manages users when both Local & AD are turned on in the same Admin UI?

Re: Local vs LDAP Users

Posted: Sat Nov 27, 2021 12:24 pm
by jllort
In the case of the professional edition, we have two screens. The default user list shows AD users, and in a secondary tab (customization) we manage database users. Basically, we use the default OpenKM configuration to show AD in the standard way and an extra tab with database user management (that is the customization).