Configuring openkm.xml
By default OpenKM does not use an openkm.xml from the file system; it uses the openkm.xml file bundled inside openkm.war.
By default OpenKM comes with three authentication providers:
- Superuser in memory.
- Database.
- Active Directory (LDAP).
The configuration in the openkm.xml file is loaded only when all of OpenKM's internal security providers are disabled.
Disable the internal authentication providers in openkm.properties:
#Authentication
okm.authentication.database=false
okm.authentication.supervisor=false
okm.authentication.ldap=false
Default openkm.xml configuration:
<?xml version="1.0" encoding="UTF-8"?>
<!-- Default openkm.xml as shipped inside openkm.war. It only declares the Spring
     beans and security namespaces; no authentication-manager or provider is
     defined, so on its own it authenticates nobody. With the internal providers
     disabled in openkm.properties, one of the provider configurations shown in
     the samples below has to be added before anyone can log in. -->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
</beans:beans>
Enable external openkm.xml
To enable an external openkm.xml file, change the configuration parameter named okm.authentication.config in the openkm.properties file. The value of the okm.authentication.config parameter should be the file system path to the openkm.xml file.
Example:
okm.authentication.config=file:/home/openkm/tomcat-8.5.69/openkm.xml
Memory sample
Although a user is created in memory, the user must also be defined within the OpenKM database. Otherwise, the authentication process will throw an error because the application will not be able to establish the user's tenant.
The password must be stored as a bcrypt hash.
<?xml version="1.0" encoding="UTF-8"?>
<!-- Memory sample: a single administrator account held in memory.
     The same user must also exist in the OpenKM database (see the note above);
     otherwise the login fails when the application tries to establish the
     user's tenant. -->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Security delegated to classes -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<!-- Submitted passwords are compared against bcrypt hashes; the user-service
     below therefore holds a hash, never a clear-text password. -->
<security:password-encoder hash="bcrypt"/>
<security:user-service>
<!-- okmAdmin with ROLE_ADMIN. The password attribute is a bcrypt hash: generate
     a fresh hash for your own password before deploying, because the value shown
     here is published with this documentation and offers no secrecy. -->
<security:user name="okmAdmin" password="$2a$10$Z5R69bZZgX9z3tU9zjSYyuwE4iAA8Tk58xCnZ8t86Rb3WEg48dNoC" authorities="ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
Database authentication sample
<?xml version="1.0" encoding="UTF-8"?>
<!-- Database sample: users and roles are read from OpenKM's own tables
     (OKM_USER, OKM_USER_ROLE) through the bean named "dataSource". That bean is
     not defined in this file; presumably the application provides it, confirm
     before relying on it. The task namespace is declared but not used here. -->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task.xsd">
<!-- Security delegated to classes -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider>
<!-- usr_password is compared as a bcrypt hash, so OKM_USER must hold hashes,
     not clear-text passwords. -->
<security:password-encoder hash="bcrypt"/>
<!-- Both queries bind the submitted username through a JDBC "?" placeholder,
     so it is never concatenated into the SQL text. The users query returns
     username, password and the enabled flag expected by jdbc-user-service; the
     constant 1 marks every returned row as enabled, so usr_active='T' is the
     only condition that keeps a deactivated account from logging in. -->
<security:jdbc-user-service
data-source-ref="dataSource"
users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>
LDAP authentication sample
<?xml version="1.0" encoding="UTF-8"?>
<!-- LDAP / Active Directory sample. Users are authenticated by binding to the
     directory with their own credentials, and their group memberships become
     their OpenKM roles. Replace the host, base DN, bind account and bind
     password with values for your own directory. -->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd">
<!-- Security delegated to classes -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<!-- Connection to the directory server.
     ldap:// is an unencrypted connection: the bind password below and every
     user password checked by the BindAuthenticator cross the network in clear
     text. Use ldaps:// against a host name whose certificate the JVM trusts,
     rather than a bare IP address, before using this outside a test network. -->
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.1.40"/>
<!-- Service account used to search for user entries and groups.
     The sample binds as the domain Administrator; a dedicated account that can
     merely read the user and group subtrees should be enough for the searches
     below and limits the impact if this file is exposed. -->
<beans:property name="userDn" value="CN=Administrator,CN=Users,DC=openkm,DC=local"/>
<!-- Clear-text bind password. Replace the sample value, make openkm.xml readable
     only by the account that runs Tomcat, and keep the file out of shared
     backups, tickets and version control. -->
<beans:property name="password" value="Darkman2017i"/>
<!-- Extra JNDI environment: java.naming.referral=follow tells the JNDI provider
     to chase referrals returned by the directory, which Active Directory
     commonly returns for searches from the domain root. -->
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<!-- Authentication provider: BindAuthenticator locates the entry with userSearch
     and binds to the directory as that user with the submitted password; on
     success the authorities populator loads the user's groups. -->
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg name="authoritiesPopulator" ref="defaultLdapAuthoritiesPopulator"/>
</beans:bean>
<!-- Locates the user entry: {0} is replaced by the submitted login name and
     matched against sAMAccountName anywhere below DC=openkm,DC=local
     (searchSubtree="true"). -->
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="DC=openkm,DC=local" />
<beans:constructor-arg index="1" value="(sAMAccountName={0})" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
<!-- Maps directory groups to roles: searches the whole subtree for groups whose
     member attribute holds the user's DN and uses each group's cn verbatim as
     the role name (convertToUpperCase="false", empty rolePrefix), so OpenKM
     role names are expected to match the group names exactly as stored. -->
<beans:bean id="defaultLdapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="DC=openkm,DC=local"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="false" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
<!-- Loads a user's details (entry plus groups) by name. Nothing in this file
     references this bean; presumably OpenKM looks it up by id, confirm before
     removing it. -->
<beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg ref="userSearch"/>
<beans:constructor-arg ref="defaultLdapAuthoritiesPopulator"/>
</beans:bean>
</beans:beans>
Multiple providers sample
Although a user is created in memory, the user must also be defined within the OpenKM database. Otherwise, the authentication process will throw an error because the application will not be able to establish the user's tenant.
The password must be stored as a bcrypt hash.
<?xml version="1.0" encoding="UTF-8"?>
<!-- Multiple providers sample: an in-memory administrator plus the OpenKM
     database users under one authentication-manager. The providers are listed
     in-memory first, JDBC second; presumably they are consulted in that order
     and a login the first one rejects is passed on to the next, confirm against
     the provider-manager semantics of your Spring Security version. The
     in-memory user must still exist in the OpenKM database (see the note above).
     The task namespace is declared but not used here. -->
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task.xsd">
<!-- Security delegated to classes -->
<security:authentication-manager alias="authenticationManager">
<!-- In-memory provider: okmAdmin with ROLE_ADMIN. Generate your own bcrypt hash
     instead of deploying the sample hash shown here, which is published with
     this documentation and offers no secrecy. -->
<security:authentication-provider>
<security:password-encoder hash="bcrypt"/>
<security:user-service>
<security:user name="okmAdmin" password="$2a$10$Z5R69bZZgX9z3tU9zjSYyuwE4iAA8Tk58xCnZ8t86Rb3WEg48dNoC" authorities="ROLE_ADMIN" />
</security:user-service>
</security:authentication-provider>
<!-- JDBC provider: same queries as the database sample. The username is bound
     as a "?" parameter rather than concatenated into the SQL, and only rows
     with usr_active='T' can log in. The "dataSource" bean is not defined in
     this file; presumably the application provides it. -->
<security:authentication-provider>
<security:password-encoder hash="bcrypt"/>
<security:jdbc-user-service
data-source-ref="dataSource"
users-by-username-query="select usr_id, usr_password, 1 from OKM_USER where usr_id=? and usr_active='T'"
authorities-by-username-query="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
</security:authentication-provider>
</security:authentication-manager>
</beans:beans>