OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Tue Apr 24, 2012 1:42 pm
by rasha123
Hey all,
I am new to OpenKM. I'm using OpenKM 5.1.9 and tried for a while to configure OpenKM with Active Directory. In the end it was successfully done, but I am facing a problem and I don't know where I missed the configuration.
When I log in with any user, the user is not stored, and even the user group ("role") that I created in Active Directory is not retrieved. When I log in as the admin user I can't get a log of the users logged in to OpenKM.
This is my login-config file:
<application-policy name="OpenKM">
  <authentication>
    <login-module flag="required" code="org.jboss.security.auth.spi.LdapExtLoginModule">
      <module-option name="java.naming.factory.initial">com.sun.jndi.ldap.LdapCtxFactory</module-option>
      <module-option name="java.naming.provider.url">ldap://10.100.x.x:389/</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">xxxx\Administrator</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">ou=user,dc=xxx,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">ou=user,dc=xxxx,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="java.naming.referral">follow</module-option>
    </login-module>
  </authentication>
</application-policy>
and this is OpenKM.cfg:
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://10.100.200.91:389/
principal.ldap.security.principal=CN=Administrator,ou=user,dc=xx,dc=local
principal.ldap.security.credentials=password
principal.ldap.user.search.base=ou=user,dc=xxx,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName
principal.ldap.role.search.base=ou=xxx,dc=xxx,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn={0},ou=xxx,dc=xxx,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail
principal.ldap.users.by.role.search.base=ou=xxxx,dc=xxx,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
principal.ldap.roles.by.user.search.base=ou=xxxx,dc=xxx,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf
I created users under UserRole and AdminRole. When I log in as the admin user I can't see the users logged in under the other roles.
Please, if anyone can help me with the configuration.
Thanks.
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Wed Apr 25, 2012 2:03 pm
by rasha123
Any help?

Why don't logged-in users appear in the user list? Also the roles are not imported from Active Directory.
Should I add any configuration anywhere else?
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Fri Apr 27, 2012 7:24 am
by pavila
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Sun Apr 29, 2012 6:09 am
by rasha123
Hi,
I read the article and made every change to login-config.xml and OpenKM.cfg; still users and roles are not imported from Active Directory to OpenKM. Did I miss something? I also made changes to OKM_APP.
INSERT INTO OKM_CONFIG VALUES('principal.adapter','string','com.sun.jndi.ldap.LdapCtxFactory')
INSERT INTO OKM_CONFIG VALUES('principal.database.filter.inactive.users','boolean','true')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.mail.attribute','string','mail')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.mail.search.base','string','ou=Rejectionfile,dc=xxx,dc=local')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.mail.search.filter','string','(objectclass=person)')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.role.attribute','string','name')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.role.search.base','string','ou=Rejectionfile,dc=xxx,dc=local')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.role.search.filter','string','(objectclass=group)')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.roles.by.user.attribute','string','memberOf')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.roles.by.user.search.base','string','ou=Rejectionfile,dc=xxxx,dc=local')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.roles.by.user.search.filter','string','(&(objectClass=person)(cn={0}))')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.security.credentials','string','Aministrator')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.security.principal','string','CN=Aministrator,ou=Rejectionfile,dc=xxxx,dc=local')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.server','string','ldap://10.xx.xx.xx:389/')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.user.attribute','string','sAMAccountName')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.user.search.base','string','ou=Rejectionfile,dc=xxxx,dc=local')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.user.search.filter','string','(objectclass=person)')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.users.by.role.attribute','string','member')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.users.by.role.search.base','string','ou=Rejectionfile,dc=xxxx,dc=local')
INSERT INTO OKM_CONFIG VALUES('principal.ldap.users.by.role.search.filter','string','(&(objectClass=group)(cn={0}))')
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Sun Apr 29, 2012 10:40 am
by jllort
You have not changed the Database class to the LDAP class (why are you inserting rows instead of using the OpenKM administration view?). These configuration parameters need you to reload the application.
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Mon Apr 30, 2012 5:52 am
by rasha123
Hi,
I made the changes in the OpenKM administration view, but the problem is that every time I reload and run JBoss again all the configuration I made is deleted!!
Where exactly can I change the database class to the LDAP class???
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Tue May 01, 2012 4:22 pm
by jllort
Have you changed the OpenKM.cfg parameter so that it does not reset the configuration? Read it with care:
http://wiki.openkm.com/index.php/Quick_ ... m2ddl=none
And the parameter in administration should be principal.adapter=com.openkm.principal.LdapPrincipalAdapter
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Wed May 02, 2012 9:35 am
by rasha123
Hi,
I changed
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
Now I can make changes in the administration and it accepts them, but still users and roles are not imported from Active Directory.
This is the DN from Active Directory:
"cn= user1, CN=group1,OU=xxx,DC=xxxx,DC=local"
"cn= user2,CN=group2,OU=xxx,DC=xxxx,DC=local"
"cn= user3,CN=group3,OU=xxx,DC=xxxx,DC=local"
where users and roles (groups) are under the OU.
I'm not sure whether my mistake is in the configuration of roles and users?!
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Sat May 05, 2012 8:21 am
by jllort
Take a look at the advanced configuration in our online wiki documentation, because your users are in several Active Directory nodes, and ensure principal.ldap.referral=follow.
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Sat May 05, 2012 2:11 pm
by rasha123
Hi,
Thanks for replying.
I did read the advanced configuration and applied it to mine, but it still did not work.
I used an LDAP browser to figure out the structure of my Active Directory and the list of DNs,
and this is the structure:
dc=mydomain.local
.. ou=users (DN: OU=users,DC=mydomain,DC=local)
......cn=user1 (DN: CN=user1,OU=users,DC=mashfa,DC=local) CN=person
..... cn=user2
......cn=department1 <<<group (DN: CN=deparment1,OU=users,DC=mashfa,DC=local) CN=group
......cn=deprtment2<<<<< group
I am really confused. I can log in, and I can see in the trace the login user and the memberOf, but it is still not imported to OpenKM.
Principal: administrator
Principal: Roles(members:AdminRole)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@1f5a0bbc{principal=administrator,subject=2103521203}
17:10:45,814 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
17:10:45,814 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
17:10:46,819 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
17:10:46,820 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
Principal: administrator
Principal: Roles(members:AdminRole)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@50b873b8{principal=administrator,subject=2103521203}
17:10:46,820 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
17:10:46,821
I would really appreciate it if someone could tell me whether I am missing something here.

Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Sun May 06, 2012 9:37 am
by jllort
Login is only one part of the configuration and is an independent XML configuration file. You should configure the parameters correctly from the administration tab. You should revise it. Concentrate on getting the users parameters and the LDAP server configuration right, and copy your configuration parameters here.
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Sun May 06, 2012 1:00 pm
by rasha123
These are my configuration parameters in administration:
# Since OpenKM 5.1 this file is only used for Hibernate configuration.
# To change configuration parameters, use Administration -> Configuration
#
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=create
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://10.100.XX.XX:389/
principal.ldap.security.principal=CN=Administrator,ou=users,dc=xxx,dc=local
principal.ldap.security.credentials=PASSWORD
principal.ldap.user.search.base=ou=users,dc=xxx,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName
principal.ldap.role.search.base=ou=users,dc=xxx,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn={0},ou=users,dc=xxx,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail
principal.ldap.users.by.role.search.base=cn={0},ou=users,dc=xxx,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
principal.ldap.roles.by.user.search.base=ou=users,dc=xxx,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Mon May 07, 2012 5:32 pm
by jllort
I cannot see.
Let's concentrate on it:
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://10.100.XX.XX:389/
principal.ldap.security.principal=CN=Administrator,ou=users,dc=xxx,dc=local
principal.ldap.security.credentials=PASSWORD
principal.ldap.user.search.base=ou=users,dc=xxx,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName
Seems correct; ensure the credentials and the server are right and that you have principal.ldap.referral=follow. Remember that when you change principal.adapter=com.openkm.principal.LdapPrincipalAdapter you should restart the server!!! If you have not done so, do it.
Another observation: you have posted OpenKM.cfg. From version 5.1, after the first time you run OpenKM the parameters must be set from administration; OpenKM.cfg is only for the initial load of parameters.
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Tue May 08, 2012 6:05 am
by rasha123
Hi,
Thanks again for replying and trying to solve my problem.
As you mentioned, I set principal.ldap.referral=follow
and I restarted the server after changing principal.adapter=com.openkm.principal.LdapPrincipalAdapter.
The file OpenKM.cfg is empty; I only changed
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
and all the other changes I made from administration. I'm not sure which credentials I have to make sure of :s please clarify.
Also, I really don't understand what cn={0} means here?
Re: OPENKM WITH ACTIVE DIRECTORY, CAN'T FIND USERS
Posted: Thu May 10, 2012 8:05 am
by rasha123
Hi,
Thanks again for helping me all the way.
Finally, I solved my problem,
and this is the correct configuration in the administration:
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://10.xxx.xx.xx:381/
principal.ldap.security.principal=domain\Administrator
principal.ldap.security.credentials=password
principal.ldap.user.search.base=ou=user,dc=xxx,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName
principal.ldap.role.search.base=ou=xxx,dc=xxx,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn={0},ou=xxx,dc=xxx,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail
principal.ldap.users.by.role.search.base=ou=xxxx,dc=xxx,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
principal.ldap.roles.by.user.search.base=ou=xxxx,dc=xxx,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf
principal.ldap.referral=follow
It appeared that there was a mistake in the credentials.

In my case it took domain\administrator.
It worked just fine; users and roles were correctly imported. I just needed minor changes in some attribute names to get the correct values.

In OpenKM.cfg I added
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
Now all is working fine.
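As an added example (not from the thread and not OpenKM's own code), a small Python linter for the principal.ldap.* settings posted above: it flags the mistakes this thread ran into (hibernate.hbm2ddl=create wiping the Administration settings, principal.adapter set to the JNDI factory class, the jectcoblass typo, a per-principal lookup with no {0}, a missing referral setting) and shows what the {0} placeholder asked about earlier means, substituting the login name into the filter template. The RFC 4515 escaping and the KNOWN_ATTRS allowlist are this example's own choices, not a statement about how OpenKM substitutes {0}; the sample config is constructed from the thread with values masked.

```python
import re

# Constructed sample: settings posted in this thread (values masked), one per mistake.
SAMPLE_CFG = """
hibernate.hbm2ddl=create
principal.adapter=com.sun.jndi.ldap.LdapCtxFactory
principal.ldap.role.search.filter=(jectcoblass=group)
principal.ldap.mail.search.base=ou=Rejectionfile,dc=xxx,dc=local
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
"""
# Attribute names the thread's filters legitimately use (compared case-insensitively).
KNOWN_ATTRS = {"objectclass", "samaccountname", "cn", "member", "memberof", "mail", "name"}
FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def parse_properties(text):
    """Parse key=value lines (the .properties subset OpenKM.cfg uses) into a dict."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def render_filter(template, login):
    """What {0} means: the login name replaces {0} in the template, RFC 4515-escaped first."""
    escaped = "".join(FILTER_ESCAPES.get(ch, ch) for ch in login)
    return template.replace("{0}", escaped)

def lint(props):
    """Return findings for the configuration mistakes this thread ran into."""
    findings = []
    if props.get("hibernate.hbm2ddl") == "create":
        findings.append("hibernate.hbm2ddl=create rebuilds the schema on every start and wipes Administration settings; use none")
    if props.get("principal.adapter", "").endswith("LdapCtxFactory"):
        findings.append("principal.adapter names the JNDI context factory, not com.openkm.principal.LdapPrincipalAdapter")
    if "principal.ldap.referral" not in props:
        findings.append("principal.ldap.referral is unset; Active Directory usually needs follow")
    for key, value in props.items():
        if key.endswith(".search.filter"):
            if value.count("(") != value.count(")"):
                findings.append(f"{key}: unbalanced parentheses")
            for attr in re.findall(r"\(([A-Za-z][A-Za-z0-9-]*)=", value):
                if attr.lower() not in KNOWN_ATTRS:
                    findings.append(f"{key}: unknown attribute '{attr}' (typo?)")
    for prefix in ("principal.ldap.mail", "principal.ldap.users.by.role", "principal.ldap.roles.by.user"):
        scoped = props.get(prefix + ".search.base", "") + props.get(prefix + ".search.filter", "")
        if scoped and "{0}" not in scoped:  # lookup would not be scoped to the principal
            findings.append(f"{prefix}.*: neither search.base nor search.filter contains {{0}}")
    return findings
```

Running lint(parse_properties(SAMPLE_CFG)) yields five findings, one per mistake in the sample, and none for the roles.by.user filter, which is the form that worked at the end of the thread.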
