
[Solved] OpenLDAP problem

Posted: Fri Mar 16, 2012 4:32 pm
by lineac
Hi,

We are currently installing OpenKM as a DMS for our society, but we are encountering a problem configuring it for LDAP authentication.

Here are our LDAP entries:
-fr
--soc
---groups
--------AdminRole (memberUid = user1, memberUid = user2)
--------UserRole (memberUid = user2)
---users
----intern
--------user1 
--------user2
However, we don't have any memberOf attribute in our user entries, so here is how we worked around it:

OpenKM.cfg:
principal.adapter					 com.openkm.principal.LdapPrincipalAdapter	    		    
principal.ldap.mail.attribute			 mail	    
principal.ldap.mail.search.base			 ou=intern,ou=users,dc=soc,dc=fr	    
principal.ldap.mail.search.filter			 (&(objectClass=inetOrgPerson)(cn={0}))	    
principal.ldap.referral				 	    
principal.ldap.role.attribute			 cn	    
principal.ldap.role.search.base			 ou=groups,dc=soc,dc=fr	    
principal.ldap.role.search.filter			 (objectClass=posixGroup)	    
principal.ldap.roles.by.user.attribute		 cn	    
principal.ldap.roles.by.user.search.base		 ou=groups,dc=soc,dc=fr	    
principal.ldap.roles.by.user.search.filter		(memberUid={0})	    
principal.ldap.security.credentials		****
principal.ldap.security.principal			cn=admin,dc=soc,dc=fr	    
principal.ldap.server				 ldap://192.168.0.xxx:389	    
principal.ldap.user.attribute			cn	    
principal.ldap.user.search.base			ou=intern,ou=users,dc=soc,dc=fr	    
principal.ldap.user.search.filter			(objectClass=inetOrgPerson)	    
principal.ldap.users.by.role.attribute		memberUid	    
principal.ldap.users.by.role.search.base		ou=groups,dc=soc,dc=fr	    
principal.ldap.users.by.role.search.filter		(&(objectClass=posixGroup)(memberUid={0}))
login-config.xml:
        <application-policy name="OpenKM">
          <authentication>
           <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
             <module-option name="java.naming.provider.url">ldap://192.168.0.xxx:389</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="bindDN">cn=admin,dc=soc,dc=fr</module-option>
             <module-option name="bindCredential">****</module-option>
             <module-option name="baseCtxDN">ou=intern,ou=users,dc=soc,dc=fr</module-option>
             <module-option name="baseFilter">(uid={0})</module-option>
             <module-option name="rolesCtxDN">dc=soc,dc=fr</module-option>
             <module-option name="roleFilter">(memberUid={0})</module-option>
             <module-option name="roleAttributeID">cn</module-option>
             <module-option name="roleAttributeIsDN">false</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             <module-option name="allowEmptyPasswords">false</module-option>
             <module-option name="defaultRole">UserRole</module-option>
           </login-module>
          </authentication>
        </application-policy>

We can log in using LDAP, and when we look at the users, everything is correctly imported: roles, mails, etc. However, when we log in with a user who has AdminRole, like user2, we don't have access to the Administration Panel. Actually, we discovered that the defaultRole is applied. Our guess is that the problem comes from login-config.xml, but we couldn't fix it and we're running out of ideas.

Any help will be appreciated.

Re: OpenLDAP problem

Posted: Mon Mar 19, 2012 12:44 pm
by jllort
Remove <module-option name="defaultRole">UserRole</module-option>; this line forces all users to have UserRole.

Re: OpenLDAP problem

Posted: Thu Mar 22, 2012 9:49 am
by lineac
After deleting that line, when we try to log in with an LDAP account:

HTTP Status 403 - Access to the requested resource has been denied

It looks like OpenKM can't find any roles from LDAP for a given user, yet it's still able to correctly import them (we checked in the admin panel, roles/user section).

Any other idea?

Re: OpenLDAP problem

Posted: Fri Mar 23, 2012 6:35 pm
by jllort
Concentrate first on your login-config.xml, then on the administration configuration.

1- Ensure every user has UserRole.
2- I think your roleFilter is incorrect. With Active Directory it should be <module-option name="roleFilter">(member={1})</module-option>. I don't know which LDAP you use; I supposed Active Directory.

I suggest you browse across your repository to understand the LDAP properties better; try http://directory.apache.org/studio/ or http://technet.microsoft.com/en-us/sysi ... 63907.aspx

Re: OpenLDAP problem

Posted: Wed Mar 28, 2012 10:40 pm
by lineac
Okay, I think I'm getting close to fully understanding the authentication process, but I need to know one thing: in principal.ldap.users.by.role.search.filter, what does the {0} stand for? Will it be replaced by the user's login name (uid of the user) or by the role's name (the role's cn)?

Re: OpenLDAP problem

Posted: Fri Mar 30, 2012 10:05 am
by jllort
principal.ldap.users.by.role.search.filter      (&(objectClass=posixGroup)(memberUid={0}))

I do not know if the parameter is correct, but in Active Directory it is posixGroup=group. The idea is getting all groups and filtering to some one: {0} = the name of the user group (in Active Directory cn=groupname, etc., then cn={0} = some group name).

Re: OpenLDAP problem

Posted: Fri Mar 30, 2012 11:01 am
by lineac
Okay, we solved our problem. We are using OpenLDAP and not Active Directory, btw ;P (look at the thread title).

The problem was case: the login must be in lowercase... In any case, we modified our login-config.xml and OpenKM.cfg to be more accurate. Here is our config, to help any future user encountering the same problems:

LDAP Structure:
dc=fr
	dc=soc
		ou=groups
			cn=UserRole, objectClass=posixGroup, memberUid = jack, memberUid = joe
			cn=AdminRole, objectClass=posixGroup, memberUid = jack
		ou=people
			ou=intern
				cn = jack, objectClass=inetOrgperson, uid = jack
				cn = joe, objectClass=inetOrgperson, uid = joe
Our OpenKM.cfg:
principal.adapter				com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users	Active
principal.ldap.mail.attribute			mail
principal.ldap.mail.search.base			ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.mail.search.filter		(&(objectClass=inetOrgPerson)(cn={0}))
principal.ldap.referral				follow
principal.ldap.role.attribute			cn
principal.ldap.role.search.base			ou=groups,dc=soc,dc=fr
principal.ldap.role.search.filter		(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute		cn
principal.ldap.roles.by.user.search.base	ou=groups,dc=soc,dc=fr
principal.ldap.roles.by.user.search.filter	(memberUid={0})
principal.ldap.security.credentials		xxxxxx
principal.ldap.security.principal		cn=admin,dc=soc,dc=fr
principal.ldap.server				ldap://192.168.xxx.xxx:389
principal.ldap.user.attribute			cn
principal.ldap.user.search.base			ou=intern,ou=users,dc=soc,dc=fr
principal.ldap.user.search.filter		(objectClass=inetOrgPerson)
principal.ldap.users.by.role.attribute		memberUid
principal.ldap.users.by.role.search.base	ou=groups,dc=soc,dc=fr
principal.ldap.users.by.role.search.filter	(&(objectClass=posixGroup)(cn={0}))

system.login.lowercase				Active
That last line is what we were looking for: it makes the login lowercase (though it's possible to cheat and post an uppercase username), but for users' use, it's sufficient.

login-config.xml:
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://192.168.xxx.xxx:389</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">cn=admin,dc=soc,dc=fr</module-option>
      <module-option name="bindCredential">******</module-option>
      <module-option name="baseCtxDN">ou=intern,ou=users,dc=soc,dc=fr</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">ou=groups,dc=soc,dc=fr</module-option>
      <module-option name="roleFilter">(memberUid={0})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
      <!-- <module-option name="defaultRole">UserRole</module-option> -->
    </login-module>
  </authentication>
</application-policy>
Thanks for having answered our questions; it is greatly appreciated =)
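Added example (editor's code, not from the thread or from the OpenKM project): a small in-memory model of the two role lookups configured above, answering the earlier question about what {0} stands for in each filter and showing why the login had to be lowercased. In principal.ldap.roles.by.user.search.filter, {0} is the user's login; in principal.ldap.users.by.role.search.filter, {0} is the role name. The directory contents are constructed to mirror the poster's tree (using the ou=users base from the config). The matching rules come from the standard schemas: uid and cn use caseIgnoreMatch, while memberUid in the RFC 2307 nis schema uses caseExactIA5Match, so a login typed as "Jack" binds with (uid={0}) but matches no group with (memberUid={0}), which is exactly the empty-role 403 seen in the thread. The helper names (search, roles_for_user, users_for_role) are this example's own, not OpenKM API.

```python
import re

# Constructed directory entries mirroring the poster's tree.
DIRECTORY = {
    "cn=UserRole,ou=groups,dc=soc,dc=fr": {
        "objectClass": ["posixGroup"], "cn": ["UserRole"], "memberUid": ["jack", "joe"]},
    "cn=AdminRole,ou=groups,dc=soc,dc=fr": {
        "objectClass": ["posixGroup"], "cn": ["AdminRole"], "memberUid": ["jack"]},
    "cn=jack,ou=intern,ou=users,dc=soc,dc=fr": {
        "objectClass": ["inetOrgPerson"], "cn": ["jack"], "uid": ["jack"]},
    "cn=joe,ou=intern,ou=users,dc=soc,dc=fr": {
        "objectClass": ["inetOrgPerson"], "cn": ["joe"], "uid": ["joe"]},
}

# memberUid (RFC 2307 nis schema) uses caseExactIA5Match; uid/cn use caseIgnoreMatch.
CASE_EXACT_ATTRS = {"memberUid"}


def attr_equals(attr, stored, wanted):
    if attr in CASE_EXACT_ATTRS:
        return stored == wanted
    return stored.lower() == wanted.lower()


def entry_matches(entry, filt):
    """Evaluate the subset of RFC 4515 filters used in the thread:
    (attr=value) and (&(f1)(f2)...)."""
    filt = filt.strip()
    if filt.startswith("(&"):
        inner = filt[2:-1]
        parts, depth, start = [], 0, 0
        for i, ch in enumerate(inner):          # split top-level sub-filters
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    parts.append(inner[start:i + 1])
        return all(entry_matches(entry, p) for p in parts)
    m = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    attr, value = m.group(1), m.group(2)
    return any(attr_equals(attr, v, value) for v in entry.get(attr, []))


def search(base, filt):
    """Return entries in the subtree under base that match filt."""
    return {dn: e for dn, e in DIRECTORY.items()
            if dn.endswith(base) and entry_matches(e, filt)}


# Filters and base from the poster's final OpenKM.cfg.
ROLES_BY_USER_FILTER = "(memberUid={0})"                      # {0} = user login
USERS_BY_ROLE_FILTER = "(&(objectClass=posixGroup)(cn={0}))"  # {0} = role name
GROUPS_BASE = "ou=groups,dc=soc,dc=fr"


def roles_for_user(login, lowercase_login=False):
    """Role names for a login; lowercase_login models system.login.lowercase."""
    if lowercase_login:
        login = login.lower()
    hits = search(GROUPS_BASE, ROLES_BY_USER_FILTER.replace("{0}", login))
    return sorted(e["cn"][0] for e in hits.values())


def users_for_role(role):
    """Logins that are memberUid of the group whose cn is role."""
    hits = search(GROUPS_BASE, USERS_BY_ROLE_FILTER.replace("{0}", role))
    return sorted(u for e in hits.values() for u in e["memberUid"])


if __name__ == "__main__":
    print(roles_for_user("jack"))                        # both roles
    print(roles_for_user("Jack"))                        # [] : memberUid is case-exact
    print(roles_for_user("Jack", lowercase_login=True))  # both roles again
    print(users_for_role("UserRole"))
```

Two things this model leaves out that a production deployment must not: the substituted value is dropped into the filter string verbatim here, whereas a real client must escape it per RFC 4515 (or rely on the LDAP library to do so) so that a login containing parentheses or asterisks cannot alter the filter; and the lowercasing happens on the client, so a directory whose memberUid values are not all lowercase still needs the group entries themselves normalised.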

Re: [Solved] OpenLDAP problem

Posted: Sat Mar 31, 2012 7:15 am
by pavila
You are welcome :)

Re: [Solved] OpenLDAP problem

Posted: Sun Apr 01, 2012 8:58 pm
by jllort
I will create an LDAP configuration example section with your configuration in the online documentation.

Re: [Solved] OpenLDAP problem

Posted: Mon Apr 02, 2012 3:05 pm
by jllort