
AD integration openkm 6.3 community edition issue

Posted: Tue Apr 26, 2022 1:13 pm
by sanojs
Hi,

I am getting an "Authentication error" while logging in to OpenKM after AD integration.

I followed the link below to configure it:

https://docs.openkm.com/kcenter/view/ok ... ation.html

The configuration parameters are done and I am able to see the AD users in the User list screen of OpenKM. I updated the OpenKM.xml file, but I still get an Authentication error at login.

OpenKM.xml file

--------------------
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/b ... -beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/s ... curity.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/t ... g-task.xsd">

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <security:ldap-server id="ldapServer"
                        url="ldap://192.168.*.*:389/DC=users,dc=saturn,dc=local"
                        manager-dn="CN=Administrator,cn=users,dc=**,dc=local"
                        manager-password="****"/>

  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
        server-ref="ldapServer"
        user-search-base="cn=Users"
        user-search-filter="(sAMAccountName={0})"
        group-search-base="cn=Users"
        group-search-filter="(member={0})"
        group-role-attribute="cn"
        role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>

</beans:beans>
--------------------

Thanks

Re: AD integration openkm 6.3 community edition issue

Posted: Sat Apr 30, 2022 5:52 pm
by jllort
Before playing with the authentication, the best option is to get the user and role list from the administration. I suggest following this section of the documentation to integrate OpenKM with AD: https://docs.openkm.com/kcenter/view/ok ... roles.html

The first step should be playing with the configuration parameters and successfully retrieving users and roles from the AD in the administration. Did you succeed at it?

Re: AD integration openkm 6.3 community edition issue

Posted: Mon May 09, 2022 1:32 pm
by sanojs
Hi,

The first step should be playing with configuration parameters and success retrieving users and roles from the AD in the administration. Did you succeed on it?

>>> Yes, it succeeded; I am able to see all users from AD in OpenKM.

OpenKM.xml file
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.0.197"/>
  <beans:property name="userDn" value="CN=Administrator,OU=Users,DC=***,DC=local"/>
  <beans:property name="password" value="****"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=saturn,DC=local"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=****,DC=local" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=Administrator,OU=Users,DC=****,DC=local)(memberOf=CN=Administrator,OU=Users,DC=****,DC=local)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>
Logs
Code:
192.168.0.141 - - [09/May/2022:17:25:15 +0400] "GET /OpenKM/logo/login HTTP/1.1" 200 11261
192.168.0.141 - - [09/May/2022:17:25:22 +0400] "POST /OpenKM/j_spring_security_check HTTP/1.1" 302 -
192.168.0.141 - - [09/May/2022:17:25:23 +0400] "GET /OpenKM/login.jsp?error=1 HTTP/1.1" 200 9084

Re: AD integration openkm 6.3 community edition issue

Posted: Sat May 14, 2022 3:46 pm
by jllort
Users must be members of ROLE_USER or ROLE_ADMIN; this is mandatory, otherwise you do not have enough grants to log in to OpenKM. You must create two groups in your AD named ROLE_USER and ROLE_ADMIN and assign them to your users.

The following filter is wrong; it should filter for users who are members of ROLE_USER and ROLE_ADMIN:
Code:
(&amp;(sAMAccountName={0})(|(memberOf=CN=Administrator,OU=Users,DC=****,DC=local)(memberOf=CN=Administrator,OU=Users,DC=****,DC=local)))
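A rewritten userSearch bean that applies the requirement from the reply above, as an added example that is not code from the thread or from the OpenKM documentation. DC=example,DC=local and the CN=Users container are assumed placeholders; the memberOf values must be the real DNs of the two AD groups, which differ depending on whether they sit in the default Users container or in an OU.

```xml
<!-- Added example (not from the thread). Assumed domain: DC=example,DC=local;
     assumed group location: the default CN=Users container. -->
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <!-- search base is the whole domain; searchSubtree=true lets users live in any OU -->
  <beans:constructor-arg index="0" value="DC=example,DC=local" />
  <!-- bind only users that are direct members of ROLE_USER or ROLE_ADMIN.
       {0} is replaced by the login name; '&' must stay written as '&amp;' in XML. -->
  <beans:constructor-arg index="1"
    value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_USER,CN=Users,DC=example,DC=local)(memberOf=CN=ROLE_ADMIN,CN=Users,DC=example,DC=local)))" />
  <!-- Alternative if membership is granted through nested groups: AD's
       LDAP_MATCHING_RULE_IN_CHAIN extensible match walks the group chain, e.g.
       (memberOf:1.2.840.113556.1.4.1941:=CN=ROLE_USER,CN=Users,DC=example,DC=local) -->
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

<!-- The populator bean posted above is kept as-is: groupRoleAttribute="cn",
     rolePrefix="" and convertToUpperCase="false" mean the granted authority is
     exactly the group's cn, so the AD groups must be named ROLE_USER and
     ROLE_ADMIN verbatim (no prefix is added and the case is not normalised). -->
```

Both parts must agree: the userSearch filter decides who may bind at all, and the populator decides which authorities OpenKM sees afterwards, so a user passing the filter but whose group cn differs from ROLE_USER/ROLE_ADMIN still ends up at login.jsp?error=1.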