Add user to group with LDAP

 #9528  by michel-openkm
 
Hi,

I have a question.
We have the LDAP connection working now, but is it possible to add users to a group?
Now all users have adminrole or userrole depending on the login config settings.
We have made a group (Adminrole) in the AD and added a user to this group. But it doesn't work. We can see the Adminrole group from the AD in OpenKM.
I hope you can advise us on this.
 #9552  by jllort
 
Be careful, roles might be case sensitive: don't write Adminrole, use the correct group names AdminRole and UserRole.

Can you post login-config.xml? I'm interested in taking a look at it, because it's possible you have UserRole there as the default role, and I want to be sure you're really authenticating by some role, not one set by default in login-config.xml.
 #9558  by michel-openkm
 
Here is our login-config.xml
Code:
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://IP adres</module-option>
      <module-option name="bindDN">CN=Login,OU=Or OU,DC=domain,DC=org</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">Password</module-option>
      <module-option name="baseCtxDN">OU=or OU,DC=Domain,DC=org</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">OU=OR OU,DC=Domain,DC=org</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">AdminRole</module-option>
    </login-module>
  </authentication>
</application-policy>
We have changed the values for privacy reasons.
As you can see, we have AdminRole in the login-config, and also in the AD.
 #9585  by jllort
 
Remove it
Code:
<module-option name="defaultRole">AdminRole</module-option>
Because with it all users have AdminRole by default. Tell me if you are connecting to LDAP after removing it (you must restart JBoss after changing it).
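
The two points raised in the replies above (a `defaultRole` that hands every authenticated user AdminRole, and group names that differ from the expected role names only by case) can be checked mechanically. The following is an added example, not part of the thread and not OpenKM code; `audit_login_config`, the sample policy and the group list passed to it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Role names come from the thread; per the replies they might be case sensitive.
EXPECTED_ROLES = {"AdminRole", "UserRole"}
PRIVILEGED_ROLES = {"AdminRole"}

# Constructed sample modeled on the posted login-config.xml (placeholder values).
SAMPLE_CONFIG = """
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="defaultRole">AdminRole</module-option>
    </login-module>
  </authentication>
</application-policy>
"""


def audit_login_config(xml_text, directory_groups=()):
    """Return (severity, message) findings for one login-config.xml policy."""
    findings = []
    root = ET.fromstring(xml_text)
    for module in root.iter("login-module"):
        options = {o.get("name"): (o.text or "").strip()
                   for o in module.iter("module-option")}
        default = options.get("defaultRole")
        if default in PRIVILEGED_ROLES:
            findings.append(("HIGH", f"defaultRole={default}: every user who "
                             "authenticates gets it, whatever their groups"))
        elif default:
            findings.append(("WARN", f"defaultRole={default}: role is granted "
                             "without any group membership"))
    # Flag directory group names that equal an expected role only when case
    # is ignored (the Adminrole vs AdminRole mismatch from the thread).
    by_lower = {r.lower(): r for r in EXPECTED_ROLES}
    for group in directory_groups:
        wanted = by_lower.get(group.lower())
        if wanted and group != wanted:
            findings.append(("WARN", f"group '{group}' should be named '{wanted}'"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_login_config(SAMPLE_CONFIG, ["Adminrole"]):
        print(severity, message)
```
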
 #9589  by michel-openkm
 
Thanks, it works.
But is it possible to use more than one OU? We have more users in different OUs in the AD.
And is it possible to add profiles to users? That doesn't work with LDAP.
 #9599  by jllort
 
In the case you expose there's no query for doing it directly (I've not found any; if you find one, tell me). In these special cases a PrincipalLdapAdapter class must be written that covers all your cases with program logic. Really, it's easy to do, but to do it yourself you must install a development environment and write this simple program (for example, you can take a look at the actual LdapPrincipalAdapter at http://openkm.svn.sourceforge.net/viewv ... iew=markup ).

If you're interested in our support program, contact us at www.openkm.com/Contact
