OpenLDAP example with URL base at login
LDAP Structure
dc=com
dc=some
ou=organization
cn=ROLE_ADMIN
memberUid=okmAdmin
memberUid=user1
memberUid=user2
cn=ROLE_USER
memberUid=user3
memberUid=user4
...
ou=organization
uid=user1
mail=user@mail.com
cn=User Name 1
uid=user2
mail=user2@mail.com
cn=User Name 3
uid=user3
mail=user3@mail.com
cn=User Name 3
uid=user4
mail=user4@mail.com
cn=User Name 4
Valid roles:
- cn=ROLE_X,ou=roles,dc=some,dc=com
- cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
- cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com
Invalid roles:
- cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com )
Valid users:
- uid=USER_X,ou=organization,dc=some,dc=com
- uid=USER_Y,ou=dept id,ou=organization,dc=some,dc=com
- uid=USER_Z,ou=dept administrator,ou=organization,dc=some,dc=com
Invalid users:
- uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )
The OpenKM integration with LDAP has two steps. In the first step, configure OpenKM to retrieve the list of users and roles from the LDAP. This list is cached during 30-45 minutes by OpenKM to prevent overloading the LDAP server. You can clean the cache from Administration > Tools > Cache stats. In the second step configure login, this configuration works always in real time.
Step 1 - configuration parameters
We suggest login in OpenKM with the admin URL ( for example http://localhost:8080/openkm/admin/index ) because in the next steps will be necessary to restart OpenKM service and you do not want to lose administration access.
The first action should be to modify principal.adapter parameter value and restart OpenKM service. Because session ID is kept in the browser you should not lose the login after the service restarted and can continue working in the administration. After this change, the users and roles list will be empty from the administration. Until success configuring the next parameters these lists will be empty.
Go to Administration > Configuration parameters:
| Field / Property | Type | Description |
|---|---|---|
| principal.adapter | String |
com.openkm.principal.LdapPrincipalAdapter |
| system.login.lowercase | String |
false |
| principal.ldap.server | String |
ldap://192.168.xxx.xxx:389 |
| principal.ldap.security.principal | String |
cn=Manager,dc=some,dc=com |
| principal.ldap.security.credentials | String |
password |
| principal.ldap.referral | String |
|
| principal.ldap.users.from.roles | Boolean |
false |
| principal.ldap.user.attribute | String |
uid |
|
principal.ldap.user.search.base |
List |
ou=users,dc=some,dc=com |
|
principal.ldap.user.search.filter |
String |
(objectClass=inetOrgPerson) |
|
principal.ldap.username.attribute |
String |
cn |
|
principal.ldap.username.search.base |
String |
ou=users,dc=some,dc=com |
|
principal.ldap.username.search.filter |
String |
(uid={0}) |
| principal.ldap.mail.attribute | String |
|
| principal.ldap.mail.search.base | String |
dc=some,dc=com |
| principal.ldap.mail.search.filter | String |
(uid={0}) |
|
principal.ldap.role.attribute |
String |
cn |
|
principal.ldap.role.search.base |
List |
ou=roles,dc=some,dc=com |
|
principal.ldap.role.search.filter |
String |
(objectClass=posixGroup) |
|
principal.ldap.roles.by.user.attribute |
String |
cn |
|
principal.ldap.roles.by.user.search.base |
String |
ou=roles,dc=some,dc=com |
|
principal.ldap.roles.by.user.search.filter |
String |
(memberUid={0}) |
|
principal.ldap.users.by.role.attribute |
String |
memberUid |
|
principal.ldap.users.by.role.search.base |
String |
ou=roles,dc=some,dc=com |
|
principal.ldap.users.by.role.search.filter |
String |
(&(objectClass=posixGroup)(cn={0})) |
Step 2 - configure login
- Important login (ldap://192.168.0.13:389/dc=some,dc=com) sets default filter base queries at dc=some,dc=com with is concatenated by default in all filter queries .
- Roles ( groups ) filter base is ou=roles ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. ou=roles"/> really points to ou=roles,dc=some,dc=com"/>
- Users filter base is ou=organization ( real distinguised name is ou=organization,dc=some,dc=com ). Any valid user should have it as parent. to
- User filter is uid={0}
- Finally take in consideration the value 1 at memberUid={1}"/>
Apply changes in the openkm.properties file.
The parameter "okm.authentication.database" is used to disable database login.
The parameter "okm.authentication.ldap" is used to enable ldap login.
#Authentication
okm.authentication.database=false
okm.authentication.ldap=true
#LDAP
ldap.server=ldap://192.168.0.13
ldap.manager.distinguished.name=CN=Administrator,CN=Users,DC=openkm,DC=local
ldap.manager.password=*secret*
ldap.base=DC=openkm,DC=local
ldap.role.attribute=cn
ldap.user.search.filter=uuid={0}
ldap.role.search.filter=memberUid={1}After the update of the openkm.properties file must restart the openkm service to take effect.
Another option to configure login
In some cases might be interested to set configuration in file openkm.xml please refer to Configuring openkm.xml documentation section for more information.
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
xmlns:security="http://www.springframework.org/schema/security"
xmlns:task="http://www.springframework.org/schema/task"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans
http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/security
http://www.springframework.org/schema/security/spring-security.xsd
http://www.springframework.org/schema/task
http://www.springframework.org/schema/task/spring-task.xsd">
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.0.13:389/dc=some,dc=com"/>
<beans:property name="userDn" value="cn=Manager,dc=some,dc=com"/>
<beans:property name="password" value="******"/>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"></beans:property>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg name="authoritiesPopulator" ref="defaultLdapAuthoritiesPopulator"/>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="ou=organization" />
<beans:constructor-arg index="1" value="uid={0}" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
<beans:bean id="defaultLdapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
<beans:constructor-arg ref="contextSource"/>
<beans:constructor-arg value="ou=roles"/>
<beans:property name="groupSearchFilter" value="memberUid={1}"/>
<beans:property name="groupRoleAttribute" value="cn"/>
<beans:property name="searchSubtree" value="true" />
<beans:property name="convertToUpperCase" value="true" />
<beans:property name="rolePrefix" value="" />
</beans:bean>
<!--Needed for remember-me services -->
<beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg ref="userSearch"/>
<beans:constructor-arg ref="defaultLdapAuthoritiesPopulator"/>
</beans:bean>
</beans:beans>
