Active Directory mixed configuration with LDAP synchronization
The objective of this kind of configuration is to authenticate against Active Directory and, at the same time, obtain roles, usernames, and email addresses from the database. When this configuration is enabled, a cron job named "Sync LDAP users" periodically synchronizes the Active Directory users' data (username, email addresses) in the OpenKM database and removes any database user that is not present in the Active Directory user list.
LDAP structure
dc=com
dc=company
cn=users
sAMAccountName=okmAdmin
cn=users,dc=company,dc=com
userPrincipalName=okmAdmin@mail.com
cn=OpenKM Administrator
sAMAccountName=user1
cn=users,dc=company,dc=com
userPrincipalName=user1@mail.com
cn=User Name 1
sAMAccountName=user2
cn=users,dc=company,dc=com
userPrincipalName=user2@mail.com
cn=User Name 3
The OpenKM integration with LDAP has two steps. In the first step, configure OpenKM to retrieve the list of users and roles from LDAP. This list is cached for 30-45 minutes by OpenKM to prevent overloading the LDAP server. You can clear the cache from Administration > Tools > Cache stats. In the second step, configure the login; this configuration always works in real time.
Step 1 - configuration parameters
We suggest logging into OpenKM with the admin URL (for example, http://localhost:8080/openkm/admin/index) because the next steps will require restarting the OpenKM service, and you do not want to lose administrative access.
The first action should be to modify the principal.adapter parameter value and restart the OpenKM service. Because the session ID is kept in the browser, you should not lose the login after the service restarts, and you can continue working in Administration. After this change, the users and roles lists will be empty in the Administration. Until the following parameters are configured successfully, these lists will remain empty.
We suggest using "com.openkm.plugin.principal.DatabasePrincipalAdapter" in the principal.adapter configuration parameter value, or the "com.openkm.plugin.principal.MixedLdapSyncedPrincipalAdapter" value shown in the table below.
If you use "DatabasePrincipalAdapter", the restrictions are:
- Before a user logs in, you must create all the user's data in the database.
- The password you set in the database will not be used; the login process works only with an AD connection.
- Users who are members of ROLE_ADMIN or ROLE_USER are created in the database.
Go to Administration > Configuration parameters:
| Field / Property | Type | Description |
|---|---|---|
| principal.adapter | String |
The parameter is deprecated since version 8.1.12 com.openkm.plugin.principal.MixedLdapSyncedPrincipalAdapter |
| system.login.lowercase | String |
true |
| principal.ldap.server | String |
ldap://192.168.0.6:389 |
| principal.ldap.security.principal | String |
CN=Administrator,cn=users,dc=company,dc=local |
| principal.ldap.security.credentials | String |
password |
| principal.ldap.referral | String |
|
| principal.ldap.users.from.roles | Boolean |
false |
| principal.ldap.user.attribute | String |
sAMAccountName |
|
principal.ldap.user.search.base |
List |
dc=company,dc=local |
|
principal.ldap.user.search.filter |
String |
(objectclass=person) |
|
principal.ldap.username.attribute |
String |
cn |
|
principal.ldap.username.search.base |
String |
dc=company,dc=local |
|
principal.ldap.username.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
|
principal.ldap.mail.attribute |
String |
|
|
principal.ldap.mail.search.base |
String |
dc=company,dc=local |
|
principal.ldap.mail.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
Step 2 - Simplified login
We suggest the following configuration for version 8.1.12 and later.
The following configuration only works starting from version 8.1.12.
#Authentication
okm.authentication.database=false
okm.authentication.ldap=true
#LDAP
ldap.server=ldap://192.168.0.13
ldap.manager.distinguished.name=CN=Administrator,CN=Users,DC=openkm,DC=local
ldap.manager.password=*secret*
ldap.base=DC=openkm,DC=local
ldap.user.search.filter=(sAMAccountName={0})Step 2 - Configure login (old configuration)
We suggest the following configuration for version 8.1.11 and earlier.
You must disable the default OpenKM authentication to enable openkm.xml.
You must set the location of the openkm.xml file.
Apply changes in the openkm.properties file.
The parameter "okm.authentication.database" disables database login.
The parameter "okm.authentication.ldap" disables internal LDAP login.
# Disable default OpenKM authentication
okm.authentication.database=false
okm.authentication.ldap=false
# Enable openkm.xml configuration file
okm.authentication.config=file:/home/openkm/tomcat-8.5.69/openkm.xmlApply changes in the openkm.xml file (refer to the Configuring openkm.xml documentation section for more information).
It is mandatory for the XML to contain a bean named contextSource, otherwise, an error like the following will appear:
Parameter 1 of method ldapTemplate in org.springframework.boot.autoconfigure.ldap.LdapAutoConfiguration required a single bean
<!-- LDAP authentication -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.0.6:389"/>
<beans:property name="userDn" value="CN=Administrator,cn=users,dc=company,dc=local"/>
<beans:property name="password" value="password"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg name="authoritiesPopulator" ref="databaseAuthoritiesPopulator"/>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="dc=company,dc=local" />
<beans:constructor-arg index="1" value="(sAMAccountName={0})" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
<beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
</beans:bean>
<beans:bean id="databaseAuthoritiesPopulator" class="com.openkm.principal.DatabaseAuthoritiesPopulator">
</beans:bean>After making the changes in the previous files, you must restart the OpenKM service for them to take effect.
For versions older than 8.1.12, use the following definition for the databaseAuthoritiesPopulator and the userDetailService beans:
<beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg ref="userSearch"/>
<beans:constructor-arg ref="databaseAuthoritiesPopulator"/>
</beans:bean>
<!-- Get roles from database -->
<beans:bean id="databaseAuthoritiesPopulator" class="com.openkm.principal.DatabaseAuthoritiesPopulator">
<beans:constructor-arg ref="dataSource"/>
<beans:constructor-arg value="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
</beans:bean>
