Open Source Document Management System | OpenKM

Because information matters
https://forum.openkm.com/

OPenKM 5.1.10 - LDAP Configuration

https://forum.openkm.com/viewtopic.php?t=8278

Page 1 of 1

OPenKM 5.1.10 - LDAP Configuration

PostPosted:Thu Oct 04, 2012 3:30 pm
by Lorderich
Hello,

i am trying to implement a ldap authentification against our Lotus Domino Server.

After searching around i found this wiki article from openkm: http://wiki.openkm.com/index.php/LDAP_a ... r_examples

With this information i have configured the login.xml and out in the necessary information into the administration area from OpenKM. In the userlist i can see the user, so the connection to the ldap server is established. I can also see the roles, which i have created in our ldap directory.

I didn´t have find any information, about the necessary configuration requirement for the openkm.cfg file.

No user is able to login with an account from the ldap directory. All ldap users get the error message: "Authentication Error". In the Userlist no user, which was imported from the ldap directory have in the column "Roles" a role included.

I have configured the login.xml with the following information:
-----------------
Code: Select all
<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.provider.url">ldap://10.10.20.10:9091</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">CN=bind ldap,O=organization</module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">ou=organizationunit,O=organization</module-option>
<module-option name="baseFilter">(uid={0})</module-option>
<module-option name="rolesCtxDN">""</module-option>
<module-option name="roleFilter">(member={0})</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
    <!-- <module-option name="defaultRole">GroupName</module-option> -->
    </login-module>
    </authentication>
</application-policy>
--------------------------------------------------

The following information are included in the administration tab:
--------------------------------------------------
Code: Select all
principal.adapter String com.openkm.principal.LdapPrincipalAdapter       
principal.database.filter.inactive.users Boolean        
principal.ldap.mail.attribute String mail       
principal.ldap.mail.search.base String OU=organizationunit;O=organization       
principal.ldap.mail.search.filter String (&(objectClass=dominoperson)(cn={0}))       
principal.ldap.referral String follow       
principal.ldap.role.attribute String CN       
principal.ldap.role.search.base String       
principal.ldap.role.search.filter String (objectClass=dominogroup)       
principal.ldap.roles.by.user.attribute String CN       
principal.ldap.roles.by.user.search.base String       
principal.ldap.roles.by.user.search.filter String (member={0})       
principal.ldap.security.credentials String secret  
principal.ldap.security.principal String bindCN       
principal.ldap.server String ldap://server:9091 -> I am using another ldap port, so that is okay       
principal.ldap.user.attribute String CN       
principal.ldap.user.search.base String OU=organizationalunit;O=organization   
principal.ldap.user.search.filter String (objectclass=person)       
principal.ldap.username.attribute String CN       
principal.ldap.username.search.base String       
principal.ldap.username.search.filter String (&(objectclass=person)(CN={0}))       
principal.ldap.users.by.role.attribute String member       
principal.ldap.users.by.role.search.base String       
principal.ldap.users.by.role.search.filter String (&(objectClass=dominogroup)(CN={0}))
-----------------------------------------------------------

Could you please have a look on the configuration. I think i didn´t see the misconfiguration.

Kind regards

René alias Lorderich

Re: OPenKM 5.1.10 - LDAP Configuration

PostPosted:Fri Oct 05, 2012 9:58 am
by Lorderich
Hello,

can it have something to do with the usernames that openkm imports from LDAP?

Because OpenKM get the username with the Format Firstname Surname. Is the space between Firstname und Surname the problem, so that nobody can login?

Kind regards

René alias Lorderich

Re: OPenKM 5.1.10 - LDAP Configuration

PostPosted:Sat Oct 06, 2012 7:38 pm
by jllort
Go by phases ldap integration is not trivial. Which openkm version do you have installed ?
This example you have seen in wiki is for openldap, with active directory should be made some changes
And finally first concentrate in login, meanwhile login is not correctly do not work in other parameters. If you get error 403 permission denied you're on right direction you login but users have not UserRole or AdminRole ( consider all users should have one of this ).

Re: OPenKM 5.1.10 - LDAP Configuration

PostPosted:Mon Oct 08, 2012 8:26 am
by Lorderich
Hello,

after playing a while around i get it worked.

So the user is able to login, but only with the configuration <module-option name="defaultRole">UserRole</module-option>. Is there an option to change the default user Role to 1 one Role which are available in our ldap environment?

For example, all users which will be able to login to the OpenKM System get the Role "=KM_Role". All admins will be get the Role "=KM_Admin_Role".

My actual login-config logs like this:
Code: Select all
<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
         <module-option name="java.naming.provider.url">ldap://ldap.emphasys.corp:9091</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindDN">CN=login ,O=Organization/module-option>
<module-option name="bindCredential">secret</module-option>
<module-option name="baseCtxDN">ou=emp,o=EMPHASYS.CORP</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="baseFilter">(CN={0})</module-option>
<module-option name="rolesCtxDN">O=EMPHASYS.CORP</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="defaultRole">UserRole</module-option>
    </login-module>
    </authentication>
</application-policy>
Thank for your help in advance.

René alias Lorderich

PS: Installed Version is 5.1.10.

Re: OPenKM 5.1.10 - LDAP Configuration

PostPosted:Wed Oct 10, 2012 5:38 am
by jllort
Basically indicates you got problem getting roles with actual configuration and should continue working on it.

This is sure wrong ( seems in your ldap you do not need login credential otherside with this bind I do no know how you're login :
Code: Select all
<module-option name="bindDN">CN=login ,O=Organization/module-option>
This is very strange too:
Code: Select all
<module-option name="rolesCtxDN">O=EMPHASYS.CORP</module-option>
It's a microsoft active directory or other kind of ldap ?
You have not inspired in our wiki documentation for this configuration no ?
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited