Active Directory mixed configuration with LDAP synced

The objective of this configuration is to authenticate against Active Directory while obtaining roles, usernames, and email addresses from the database. When this configuration is enabled, a cron job named "Sync LDAP users" periodically synchronizes the Active Directory users' data (username, email) in the OpenKM database and removes any database user that is not present in the Active Directory user list.

Available since OpenKM version 7.1.37

LDAP structure

dc=com
    dc=company
        cn=users
            sAMAccountName=okmAdmin
                cn=users,dc=company,dc=com
                userPrincipalName=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                cn=users,dc=company,dc=com
                userPrincipalName=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                cn=users,dc=company,dc=com
                userPrincipalName=user2@mail.com
                cn=User Name 3

The OpenKM integration with LDAP has two steps. In the first step, configure OpenKM to retrieve the list of users and roles from LDAP. OpenKM caches this list for 30-45 minutes to prevent overloading the LDAP server; you can clear the cache from Administration > Tools > Cache stats. In the second step, configure the login; this configuration always works in real time.

Step 1 - configuration parameters

We suggest logging into OpenKM using the admin URL (for example, http://localhost:8080/openkm/admin/index) because the next steps will require restarting the OpenKM service, and you do not want to lose administrative access.

The first action should be to modify the principal.adapter parameter value and restart the OpenKM service. Because the session ID is kept in the browser, you should not lose the login after the service restarts, and you can continue working in the Administration. After this change, the users and roles lists will be empty in the Administration. Until you successfully configure the following parameters, these lists will remain empty.

We suggest setting the principal.adapter configuration parameter to "com.openkm.plugin.principal.DatabasePrincipalAdapter" rather than to the "com.openkm.plugin.principal.MixedLdapSyncedPrincipalAdapter" value shown in the table below.

If you use "DatabasePrincipalAdapter", the restrictions are:

  • Before users log in, you must create all user data in the database.
  • The password you set in the database will not be applied; the login process works only with an AD connection.
  • Users who are members of ROLE_ADMIN or ROLE_USER are created in the database.

Go to Administration > Configuration parameters:

Field / Property                       Type     Description
principal.adapter                      String   com.openkm.plugin.principal.MixedLdapSyncedPrincipalAdapter
system.login.lowercase                 String   true
principal.ldap.server                  String   ldap://192.168.0.6:389
principal.ldap.security.principal      String   CN=Administrator,cn=users,dc=company,dc=local
principal.ldap.security.credentials    String   password
principal.ldap.referral                String
principal.ldap.users.from.roles        Boolean  false
principal.ldap.user.attribute          String   sAMAccountName
principal.ldap.user.search.base        List     dc=company,dc=local
principal.ldap.user.search.filter      String   (objectclass=person)
principal.ldap.username.attribute      String   cn
principal.ldap.username.search.base    String   dc=company,dc=local
principal.ldap.username.search.filter  String   (&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute          String   mail
principal.ldap.mail.search.base        String   dc=company,dc=local
principal.ldap.mail.search.filter      String   (&(objectClass=person)(sAMAccountName={0}))
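The reconciliation that the "Sync LDAP users" job performs, as an added dry-run example (not OpenKM's own code): it compares the AD search result against the OpenKM user list, normalizing usernames as system.login.lowercase=true does, and refuses a plan that would delete the admin account or every user, which is what a wrong search base, filter or bind credential looks like in practice. The AD entries, the DB user list, the protected-account list and the SyncPlan type are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed result of searching principal.ldap.user.search.base with
# principal.ldap.user.search.filter; attribute names follow the table above.
AD_ENTRIES = [
    {"sAMAccountName": "okmAdmin", "cn": "OpenKM Administrator", "mail": "okmAdmin@mail.com"},
    {"sAMAccountName": "user1", "cn": "User Name 1", "mail": "user1@mail.com"},
    {"sAMAccountName": "User2", "cn": "User Name 3", "mail": "user2@mail.com"},
]
# Constructed OpenKM database users: username -> (name, email).
DB_USERS = {
    "okmAdmin": ("OpenKM Administrator", "okmadmin@mail.com"),
    "user1": ("User Name 1", "user1@mail.com"),
    "localonly": ("Local Only", "local@mail.com"),
}


@dataclass
class SyncPlan:
    create: dict   # username -> (name, email) to insert
    update: dict   # username -> new (name, email)
    delete: set    # usernames absent from AD that the job would remove


def plan_sync(ad_entries, db_users, lowercase=True, protected=("okmAdmin",)):
    """Return what the sync job would create, update and delete.

    lowercase mirrors system.login.lowercase=true: usernames are compared
    case-insensitively, so AD 'User2' matches DB 'user2'.  An empty AD
    result, or a plan that removes a protected account (the admin you are
    logged in as), is refused: both usually mean the search base, filter
    or bind credentials are wrong, not that the users left AD.
    """
    if not ad_entries:
        raise RuntimeError("LDAP returned no users; sync would delete every DB user")
    norm = str.lower if lowercase else str
    ad = {norm(e["sAMAccountName"]): (e["cn"], e["mail"]) for e in ad_entries}
    db = {norm(u): v for u, v in db_users.items()}
    create = {u: ad[u] for u in ad.keys() - db.keys()}
    update = {u: ad[u] for u in ad.keys() & db.keys() if ad[u] != db[u]}
    delete = set(db.keys() - ad.keys())
    doomed = sorted(p for p in protected if norm(p) in delete)
    if doomed:
        raise RuntimeError(f"sync would delete protected users {doomed}; check base/filter")
    return SyncPlan(create, update, delete)
```

Run it against the real LDAP search result and user table before switching principal.adapter, so the first scheduled sync cannot lock you out.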

Step 2 - configure login

To enable openkm.xml, you must disable the default OpenKM authentication and set the location of the openkm.xml file. Both changes are made in the openkm.properties file:

  • Setting okm.authentication.database to false disables the database login.
  • Setting okm.authentication.ldap to false disables the internal LDAP login.

# Disable default OpenKM authentication
okm.authentication.database=false
okm.authentication.ldap=false

# Enable openkm.xml configuration file
okm.authentication.config=file:/home/openkm/tomcat-8.5.69/openkm.xml

Apply changes in the openkm.xml file (refer to Configuring openkm.xml documentation section for more information).

  <!-- LDAP authentication -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://192.168.0.6:389"/>
    <beans:property name="userDn" value="CN=Administrator,cn=users,dc=company,dc=local"/>
    <beans:property name="password" value="password"/>
    <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg name="authoritiesPopulator" ref="databaseAuthoritiesPopulator"/>
  </beans:bean>

  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="dc=company,dc=local" />
    <beans:constructor-arg index="1" value="(sAMAccountName={0})" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

  <beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <beans:constructor-arg ref="userSearch"/>
    <beans:constructor-arg ref="databaseAuthoritiesPopulator"/>
  </beans:bean>

  <!-- Get roles from database -->
  <beans:bean id="databaseAuthoritiesPopulator" class="com.openkm.principal.DatabaseAuthoritiesPopulator">
    <beans:constructor-arg ref="dataSource"/>
    <beans:constructor-arg value="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
  </beans:bean>

After making the changes in the previous files, you must restart the OpenKM service for them to take effect.