ClearOS LDAP configuration

Need to install the Certificate Manager and Directory Server modules.

  • Create an okmAdmin user in ClearOS.
  • Create ROLE_ADMIN, ROLE_USER groups in ClearOS, populate.

LDAP Structure

dc=local
    dc=mydomain
	    ou=Accounts
		    ou=Groups
			    cn=ROLE_ADMIN
				    member=okmAdmin
				    member=user1
				    member=user2
				    objectClass=posixGroup
			    cn=ROLE_USER
				    member=user3
				    member=user4
				    objectClass=posixGroup
			    cn=ROLE_XXXX
				    objectClass=posixGroup
			    cn=ROLE_YYYY
				    objectClass=posixGroup
			    ...
ou=Users uid=okmAdmin memberOf=CN=ROLE_ADMIN,ou=Groups,ou=Accounts,dc=mydomain,dc=local mail=okmAdmin@mail.com cn=OpenKM Administrator objectClass=inetOrgPerson uid=user1 memberOf=CN=ROLE_ADMIN,ou=Groups,ou=Accounts,dc=mydomain,dc=local mail=user1@mail.com cn=User Name 1 objectClass=inetOrgPerson uid=user2 memberOf=CN=ROLE_ADMIN,ou=Groups,ou=Accounts,dc=mydomain,dc=local mail=user2@mail.com cn=User Name 3 objectClass=inetOrgPerson

Any distinguished name include by default dc=mydomain,dc=local

Configuration parameters

Go to Administration > Configuration parameters 

Field / PropertyTypeDescription
principal.adapter String

com.openkm.principal.LdapPrincipalAdapter

principal.database.filter.inactive.users Boolean

true

principal.hide.connection.roles Boolean

false

system.login.lowercase String

true

principal.ldap.server String

ldaps://ldap.mydomain.local:636

principal.ldap.security.principal String

cn=Manager,ou=Internal,dc=mydomain,dc=local

principal.ldap.security.credentials String
pass1234
principal.ldap.referral String

 

principal.ldap.users.from.roles    Boolean

false

principal.ldap.user.attribute String
uid

principal.ldap.user.search.base

List

ou=Users,ou=Accounts,dc=mydomain,dc=local

principal.ldap.user.search.filter

String

(objectClass=inetOrgPerson)

principal.ldap.username.attribute

String

cn

principal.ldap.username.search.base

String

ou=Users,ou=Accounts,dc=mydomain,dc=local

principal.ldap.username.search.filter

String

(&(objectclass=inetOrgPerson)(uid={0}))

principal.ldap.mail.attribute

String

mail

principal.ldap.mail.search.base

String

dc=company,dc=local

principal.ldap.mail.search.filter

String

(&(objectclass=inetOrgPerson)(uid={0}))

principal.ldap.role.attribute

String

cn

principal.ldap.role.search.base

List

ou=Groups,ou=Accounts,dc=mydomain,dc=local

principal.ldap.role.search.filter

String

objectClass=posixGroup

principal.ldap.roles.by.user.attribute

String

memberOf

principal.ldap.roles.by.user.search.base

String

ou=Users,ou=Accounts,dc=mydomain,dc=local

principal.ldap.roles.by.user.search.filter

String

(&(objectClass=person)(uid={0}))

principal.ldap.users.by.role.attribute

String

member

principal.ldap.users.by.role.search.base

String

ou=Groups,ou=Accounts,dc=mydomain,dc=local

principal.ldap.users.by.role.search.filter

String

(&(objectClass=posixGroup)(cn={0}))

OpenKM.xml

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">
 
 
  <!-- Security configuration -->
  <security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
 
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    	<beans:constructor-arg value="ldaps://ldap.mydomain.local:636/dc=mydomain,dc=local"/>
  		<beans:property name="userDn" value="cn=Manager,ou=Internal,dc=mydomain,dc=local"/>
    	<beans:property name="password" value="pass1234"/>
  </beans:bean>
 
  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
	<beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
			<beans:constructor-arg ref="contextSource"/>
			<beans:property name="userSearch" ref="userSearch"></beans:property>
  		</beans:bean>
	</beans:constructor-arg>
	<beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
			<beans:constructor-arg ref="contextSource"/>
			<beans:constructor-arg value="ou=groups,ou=Accounts"/>
			<beans:property name="groupSearchFilter" value="member={0}"/>
			<beans:property name="groupRoleAttribute" value="cn"/>
			<beans:property name="searchSubtree" value="true" />
			<beans:property name="convertToUpperCase" value="true" />
			<beans:property name="rolePrefix" value="" /> 
 
		</beans:bean>
	</beans:constructor-arg>
  </beans:bean>
 
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
       <beans:constructor-arg index="0" value="ou=Users,ou=Accounts" />
       <beans:constructor-arg index="1" value="uid={0}" />
       <beans:constructor-arg index="2" ref="contextSource" />
       <beans:property name="searchSubtree" value="true" />
   </beans:bean>
 
</beans:beans>

Create a Certificate

ClearOS by default only allows LDAPS.

You should create a certificate on ClearOS with the leftmost RDN of the Subject being the common name (FQDN) of your ClearOS server. Easy way is to only specify the common name, and when signing use a policy that is permissive.

You can create an alias (CNAME) called ldap if you wish.

$ openssl req -out ldap.csr -key private/sys-0-key.pem -new
$ openssl ca -policy policy_anything -days 3650 -out /etc/pki/CA/certs/ldap.mydomain.local.crt -infiles ldap.csr

Add the CA cert to the nssdb:

$ certutil -A -d /etc/pki/nssdb/ -n "CA certificate" -t "CT,," -a -i /etc/pki/CA/ca-cert.pem

The LDAP server certificate needs to be saved in the nssdb with the name of Server-Cert.

$ openssl pkcs12 -export -inkey /etc/pki/CA/private/sys-0-key.pem -in /etc/pki/CA/certs/ldap.mydomain.local.crt -out /root/Server-Cert.p12 -nodes -name 'Server-Cert'
$ pk12util -i /root/Server-Cert.p12 -d /etc/pki/nssdb/

Edit the file/etc/openldap/slapd.conf:

$ vim /etc/openldap/slapd.conf

TLSCACertificatePath    /etc/pki/nssdb
TLSCertificateFile      Server-Cert
TLSVerifyClient         never

Allow LDAP in ClearOS to be queried by OpenKM - edit the end of slapd.conf thusly:

access to *
    by self write
    by peername.ip=127.0.0.1 read
    ...
    by peername.ip=<OpenKM's IP address> read

Copy ClearOS' public CA certificate to the OpenKM server and add it to OpenKM's keystore:

$ keytool -import -trustcacerts -keystore /opt/openkm-6.2.3-community/java/jre/lib/security/cacerts -alias myca -file /etc/pki/tls/certs/myca.pem