Open Source Document Management System | OpenKM

Because information matters
https://forum.openkm.com/

OpenKM LDAP auth against ClearOS

https://forum.openkm.com/viewtopic.php?t=9959

Page 1 of 1

OpenKM LDAP auth against ClearOS

PostPosted:Wed Jun 05, 2013 3:50 pm
by DavidYerger
Been working at this for a while, hope this helps somebody...

Tested with OpenKM Community 6.2.3, ClearOS Community 6.4.0

Need to install the Certificate Manager and Directory Server modules.

* Create an okmAdmin user in ClearOS.
* Create role_admin, role_users groups in ClearOS, populate.

Note: ClearOS crunches upper case in group names, convert to upper case in OpenKM.xml.

OpenKM.xml:
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

 
  <!-- Security configuration -->
  <security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
  	   
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    	<beans:constructor-arg value="ldaps://ldap.mydomain.local:636/dc=mydomain,dc=local"/>
  		<beans:property name="userDn" value="cn=Manager,ou=Internal,dc=mydomain,dc=local"/>
    	<beans:property name="password" value="pass1234"/>
  </beans:bean>
    			  	   
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
	<beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
			<beans:constructor-arg ref="contextSource"/>
			<beans:property name="userSearch" ref="userSearch"></beans:property>
  		</beans:bean>
	</beans:constructor-arg>
	<beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
			<beans:constructor-arg ref="contextSource"/>
			<beans:constructor-arg value="ou=groups,ou=Accounts"/>
			<beans:property name="groupSearchFilter" value="member={0}"/>
			<beans:property name="groupRoleAttribute" value="cn"/>
			<beans:property name="searchSubtree" value="true" />
			<beans:property name="convertToUpperCase" value="true" />
			<beans:property name="rolePrefix" value="" /> 
         
		</beans:bean>
	</beans:constructor-arg>
  </beans:bean>
					   
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
       <beans:constructor-arg index="0" value="ou=Users,ou=Accounts" />
       <beans:constructor-arg index="1" value="uid={0}" />
       <beans:constructor-arg index="2" ref="contextSource" />
       <beans:property name="searchSubtree" value="true" />
   </beans:bean>
                      
</beans:beans>
Configuration:
Code: Select all
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.adapter', 'string', 'com.openkm.principal.LdapPrincipalAdapter');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.database.filter.inactive.users', 'boolean', 'true');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.hide.connection.roles', 'boolean', 'false');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.mail.attribute', 'string', 'mail');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.mail.search.base', 'string', 'dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.mail.search.filter', 'string', '(&(objectclass=inetOrgPerson)(uid={0}))');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.referral', 'string', '');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.role.attribute', 'string', 'cn');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.role.search.base', 'list', 'ou=Groups,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.role.search.filter', 'string', '(objectClass=posixGroup)');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.roles.by.user.attribute', 'string', 'memberOf');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.roles.by.user.search.base', 'string', 'ou=Users,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.roles.by.user.search.filter', 'string', '(&(objectClass=person)(uid={0}))');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.security.credentials', 'string', 'pass1234');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.security.principal', 'string', 'cn=Manager,ou=Internal,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.server', 'string', 'ldaps://ldap.mydomain.local:636');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.user.attribute', 'string', 'uid');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.user.search.base', 'list', 'ou=Users,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.user.search.filter', 'string', '(objectClass=inetOrgPerson)');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.username.attribute', 'string', 'cn');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.username.search.base', 'string', 'ou=Users,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.username.search.filter', 'string', '(&(objectclass=inetOrgPerson)(uid={0}))');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.users.by.role.attribute', 'string', 'member');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.users.by.role.search.base', 'string', 'ou=Groups,ou=Accounts,dc=mydomain,dc=local');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.users.by.role.search.filter', 'string', '(&(objectClass=posixGroup)(cn={0}))');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('principal.ldap.users.from.roles', 'boolean', 'false');
INSERT INTO OKM_CONFIG (CFG_KEY, CFG_TYPE, CFG_VALUE) VALUES ('system.login.lowercase', 'boolean', 'true');
ClearOS by default only allows LDAPS. You should create a certificate on ClearOS with the leftmost RDN of the Subject being the common name (FQDN) of your ClearOS server. Easy way is to only specify the common name, and when signing use a policy that is permissive.

You can create an alias (CNAME) called ldap if you wish.
Code: Select all
# openssl req -out ldap.csr -key private/sys-0-key.pem -new
# openssl ca -policy policy_anything -days 3650 -out /etc/pki/CA/certs/ldap.mydomain.local.crt -infiles ldap.csr
Add the CA cert to the nssdb:
Code: Select all
# certutil -A -d /etc/pki/nssdb/ -n "CA certificate" -t "CT,," -a -i /etc/pki/CA/ca-cert.pem
The LDAP server certificate needs to be saved in the nssdb with the name of Server-Cert.
Code: Select all
# openssl pkcs12 -export -inkey /etc/pki/CA/private/sys-0-key.pem -in /etc/pki/CA/certs/ldap.mydomain.local.crt -out /root/Server-Cert.p12 -nodes -name 'Server-Cert'
# pk12util -i /root/Server-Cert.p12 -d /etc/pki/nssdb/
In /etc/openldap/slapd.conf:
Code: Select all
TLSCACertificatePath    /etc/pki/nssdb 
TLSCertificateFile      Server-Cert
TLSVerifyClient			never
Allow LDAP in ClearOS to be queried by OpenKM - edit the end of slapd.conf thusly:
Code: Select all
access to *
    by self write
    by peername.ip=127.0.0.1 read
	...
    by peername.ip=<OpenKM's IP address> read
Copy ClearOS' public CA certificate to the OpenKM server and add it to OpenKM's keystore:
Code: Select all
# keytool -import -trustcacerts -keystore /opt/openkm-6.2.3-community/java/jre/lib/security/cacerts -alias myca -file /etc/pki/tls/certs/myca.pem

Re: OpenKM LDAP auth against ClearOS

PostPosted:Fri Jun 07, 2013 9:39 am
by pavila
Seems quite interesting. Thanks for sharing.

BTW, I would like to add this info to the documentation wiki (http://wiki.openkm.com/index.php/ClearOS_LDAP).

Re: OpenKM LDAP auth against ClearOS

PostPosted:Mon Jun 10, 2013 12:11 pm
by DavidYerger
I looked at the wiki entry you created, thank you!

One suggestion: where I suggested
Note: ClearOS crunches upper case in group names, convert to upper case in OpenKM.xml.

I should have made explicit that in the configuration in OpenKM.xml immediately following, it is the property
Code: Select all
<beans:property name="convertToUpperCase" value="true" />
that implements this for you. Maybe text to this effect, and/or highlighting that line would be helpful.

Thanks again

Re: OpenKM LDAP auth against ClearOS

PostPosted:Tue Jun 11, 2013 10:45 am
by jllort
That can create a problem DavidYerger because in principal context you will got roles upper case but when you get by quering ldap ( configuration parameters ) you will get in lowercase and that can cause inconsistences. I think always is better do not force uppercase.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited