OpenLDAP example with URL base at login
LDAP Structure

```
dc=com
  dc=some
    ou=organization
      cn=ROLE_ADMIN
        memberUid=okmAdmin
        memberUid=user1
        memberUid=user2
      cn=ROLE_USER
        memberUid=user3
        memberUid=user4
      ...
    ou=organization
      uid=user1
        mail=user@mail.com
        cn=User Name 1
      uid=user2
        mail=user2@mail.com
        cn=User Name 3
      uid=user3
        mail=user3@mail.com
        cn=User Name 3
      uid=user4
        mail=user4@mail.com
        cn=User Name 4
```
Valid roles:
- cn=ROLE_X,ou=roles,dc=some,dc=com
- cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
- cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com
Invalid roles:
- cn=ROLE_INVALID,ou=dept,dc=some,dc=com (any distinguished name not located under ou=roles,dc=some,dc=com)
Valid users:
- uid=USER_X,ou=organization,dc=some,dc=com
- uid=USER_Y,ou=dept id,ou=organization,dc=some,dc=com
- uid=USER_Z,ou=dept administrator,ou=organization,dc=some,dc=com
Invalid users:
- uid=USER_INVALID,ou=house,dc=some,dc=com (any distinguished name not located under ou=organization,dc=some,dc=com)
The OpenKM integration with LDAP has two steps. In the first step, configure OpenKM to retrieve the list of users and roles from LDAP. OpenKM caches this list for 30-45 minutes to avoid overloading the LDAP server; you can clear the cache from Administration > Tools > Cache stats. In the second step, configure login. Login always works in real time against the directory.
Step 1 - configuration parameters
We suggest logging in to OpenKM with the admin URL (for example http://localhost:8080/openkm/admin/index) because, in the next steps, it will be necessary to restart the OpenKM service and you do not want to lose administrative access.
The first action should be to modify the principal.adapter parameter value and restart the OpenKM service. Because the session ID is kept in the browser, you should not lose the login after the service is restarted and can continue working in the administration console. After this change, the users and roles lists in the administration console will be empty, and they will remain empty until you successfully configure the remaining parameters.
Go to Administration > Configuration parameters:
| Field / Property | Type | Value |
|---|---|---|
| principal.adapter | String | com.openkm.principal.LdapPrincipalAdapter |
| system.login.lowercase | String | false |
| principal.ldap.server | String | ldap://192.168.xxx.xxx:389 |
| principal.ldap.security.principal | String | cn=Manager,dc=some,dc=com |
| principal.ldap.security.credentials | String | password |
| principal.ldap.referral | String | |
| principal.ldap.users.from.roles | Boolean | false |
| principal.ldap.user.attribute | String | uid |
| principal.ldap.user.search.base | List | ou=users,dc=some,dc=com |
| principal.ldap.user.search.filter | String | (objectClass=inetOrgPerson) |
| principal.ldap.username.attribute | String | cn |
| principal.ldap.username.search.base | String | ou=users,dc=some,dc=com |
| principal.ldap.username.search.filter | String | (uid={0}) |
| principal.ldap.mail.attribute | String | |
| principal.ldap.mail.search.base | String | dc=some,dc=com |
| principal.ldap.mail.search.filter | String | (uid={0}) |
| principal.ldap.role.attribute | String | cn |
| principal.ldap.role.search.base | List | ou=roles,dc=some,dc=com |
| principal.ldap.role.search.filter | String | (objectClass=posixGroup) |
| principal.ldap.roles.by.user.attribute | String | cn |
| principal.ldap.roles.by.user.search.base | String | ou=roles,dc=some,dc=com |
| principal.ldap.roles.by.user.search.filter | String | (memberUid={0}) |
| principal.ldap.users.by.role.attribute | String | memberUid |
| principal.ldap.users.by.role.search.base | String | ou=roles,dc=some,dc=com |
| principal.ldap.users.by.role.search.filter | String | (&(objectClass=posixGroup)(cn={0})) |
Step 2 - configure login
- The login URL (ldap://192.168.0.13:389/dc=some,dc=com) sets the default base for all searches to dc=some,dc=com; this base DN is appended to every relative search base configured below.
- The roles (groups) search base is ou=roles, so the real distinguished name is ou=roles,dc=some,dc=com. Any valid role must have it as an ancestor.
- The users search base is ou=organization (real distinguished name ou=organization,dc=some,dc=com). Any valid user must have it as an ancestor.
- The user search filter is uid={0}, where {0} is replaced by the login name.
- Finally, note the value 1 in the role search filter memberUid={1}: in the authorities populator {0} is replaced by the authenticated user's full DN and {1} by the login name, and since memberUid stores the login name (uid), {1} is the placeholder to use here.
Apply changes in the openkm.properties file.
The parameter "okm.authentication.database" is used to disable database login.
The parameter "okm.authentication.ldap" is used to enable LDAP login.
```properties
# Authentication: disable database login, enable LDAP login
okm.authentication.database=false
okm.authentication.ldap=true

# LDAP
# Note: the manager DN and base shown here belong to a different directory than the
# dc=some,dc=com tree used elsewhere on this page; adapt them to your own tree.
ldap.server=ldap://192.168.0.13
ldap.manager.distinguished.name=CN=Administrator,CN=Users,DC=openkm,DC=local
ldap.manager.password=*secret*
ldap.base=DC=openkm,DC=local
ldap.role.attribute=cn
# {0} is replaced by the login name; the attribute must match the one holding it (uid above)
ldap.user.search.filter=uid={0}
# {1} is the login name, which is what memberUid stores
ldap.role.search.filter=memberUid={1}
```
After updating the openkm.properties file, you must restart the OpenKM service for the changes to take effect.
Another option to configure login
In some cases, you might be interested in setting the configuration in the file openkm.xml; please refer to Configuring openkm.xml in the documentation for more information.
```xml
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <!-- Bind to the directory; the base DN in the URL is appended to all search bases below -->
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://192.168.0.13:389/dc=some,dc=com"/>
    <beans:property name="userDn" value="cn=Manager,dc=some,dc=com"/>
    <beans:property name="password" value="******"/>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"></beans:property>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg name="authoritiesPopulator" ref="defaultLdapAuthoritiesPopulator"/>
  </beans:bean>

  <!-- User lookup: ou=organization relative to dc=some,dc=com; {0} is the login name -->
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=organization" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

  <!-- Role lookup: ou=roles relative to dc=some,dc=com; {1} is the login name -->
  <beans:bean id="defaultLdapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <beans:constructor-arg ref="contextSource"/>
    <beans:constructor-arg value="ou=roles"/>
    <beans:property name="groupSearchFilter" value="memberUid={1}"/>
    <beans:property name="groupRoleAttribute" value="cn"/>
    <beans:property name="searchSubtree" value="true" />
    <beans:property name="convertToUpperCase" value="true" />
    <beans:property name="rolePrefix" value="" />
  </beans:bean>

  <!-- Needed for remember-me services -->
  <beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <beans:constructor-arg ref="userSearch"/>
    <beans:constructor-arg ref="defaultLdapAuthoritiesPopulator"/>
  </beans:bean>

</beans:beans>
```
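To make the Step 2 rules concrete (base DN from the URL appended to the relative search bases, {0}/{1} substitution, subtree scope deciding which roles and users are valid), here is an added example that is not OpenKM's or Spring Security's code. It models the userSearch and defaultLdapAuthoritiesPopulator settings above against a constructed in-memory copy of the page's directory tree (with roles placed under ou=roles, as the "Valid roles" list requires), and escapes substituted values as RFC 4515 requires before they reach a filter.

```python
URL_BASE = "dc=some,dc=com"                             # base DN carried in the login URL
USER_BASE, USER_FILTER = "ou=organization", "uid={0}"   # userSearch bean
ROLE_BASE, ROLE_FILTER = "ou=roles", "memberUid={1}"    # authorities populator bean

# Constructed in-memory directory mirroring the structure on this page (attribute values are lists).
DIRECTORY = {
    "cn=ROLE_ADMIN,ou=roles,dc=some,dc=com": {"cn": ["ROLE_ADMIN"], "memberUid": ["okmAdmin", "user1", "user2"]},
    "cn=ROLE_USER,ou=roles,dc=some,dc=com": {"cn": ["ROLE_USER"], "memberUid": ["user3", "user4"]},
    "cn=ROLE_INVALID,ou=dept,dc=some,dc=com": {"cn": ["ROLE_INVALID"], "memberUid": ["user1"]},  # outside ou=roles
    "uid=user1,ou=organization,dc=some,dc=com": {"uid": ["user1"], "cn": ["User Name 1"]},
    "uid=user3,ou=organization,dc=some,dc=com": {"uid": ["user3"], "cn": ["User Name 3"]},
    "uid=user9,ou=house,dc=some,dc=com": {"uid": ["user9"], "cn": ["User Name 9"]},            # outside ou=organization
}

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter ('*' -> '\\2a', etc.)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def normalize_dn(dn):
    return [rdn.strip().lower() for rdn in dn.split(",")]

def effective_base(relative_base):
    """The bean's relative search base is concatenated with the base DN from the URL."""
    return f"{relative_base},{URL_BASE}" if relative_base else URL_BASE

def dn_in_base(dn, base):
    """True when dn lies strictly below base (searchSubtree=true)."""
    d, b = normalize_dn(dn), normalize_dn(base)
    return len(d) > len(b) and d[-len(b):] == b

def search(relative_base, template, params):
    """Subtree search with a single 'attr={n}' equality filter; params are escaped before substitution."""
    attr, value = template.strip("()").split("=", 1)
    value = value.format(*[escape_filter_value(p) for p in params]).lower()
    base = effective_base(relative_base)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn_in_base(dn, base) and any(v.lower() == value for v in attrs.get(attr, [])))

def resolve_login(username):
    """Locate the user as userSearch would, then collect roles as the populator would
    (convertToUpperCase=true, empty rolePrefix). Returns (user_dn, roles)."""
    hits = search(USER_BASE, USER_FILTER, [username])             # {0} = login name
    if len(hits) != 1:
        return None, []                                           # unknown, out-of-base or ambiguous user
    user_dn = hits[0]
    groups = search(ROLE_BASE, ROLE_FILTER, [user_dn, username])  # {0} = user DN, {1} = login name
    return user_dn, sorted(DIRECTORY[g]["cn"][0].upper() for g in groups)
```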