Active Directory mixed configuration with LDAP synced
The objective of this kind of configuration is to authenticate against Active Directory but, on the other hand, obtain roles, usernames, and emails from the database. When this configuration is enabled, a cron job named "Sync LDAP users" periodically synchronizes the active directory users' data ( username, email ) in the OpenKM database and removes any database user that is not present in the active directory user list.
LDAP structure
dc=com
dc=company
cn=users
sAMAccountName=okmAdmin
cn=users,dc=company,dc=com
userPrincipalName=okmAdmin@mail.com
cn=OpenKM Administrator
sAMAccountName=user1
cn=users,dc=company,dc=com
userPrincipalName=user1@mail.com
cn=User Name 1
sAMAccountName=user2
cn=users,dc=company,dc=com
userPrincipalName=user2@mail.com
cn=User Name 3
The OpenKM integration with LDAP has two steps. In the first step, configure OpenKM to retrieve the list of users and roles from the LDAP. This list is cached during 30-45 minutes by OpenKM to prevent overloading the LDAP server. You can clean the cache from Administration> Tools > Cache stats. In the second step, configure login; this configuration always works in real-time.
Step 1 - configuration parameters
We suggest login into OpenKM with the admin URL ( for example, http://localhost:8080/openkm/admin/index ) because the next steps will be necessary to restart OpenKM service, and you do not want to lose administration access.
The first action should be to modify principal.adapter parameter value and restart the OpenKM service. Because the session ID is kept in the browser, you should not lose the login after the service resumes and can continue working in the Administration. After this change, the users and roles list will be empty from the Administration. Until success configuring the following parameters, these lists will be empty.
We suggest using "com.openkm.plugin.principal.DatabasePrincipalAdapter" in the principal.adapter configuration parameter value, either "com.openkm.plugin.principal.MixedLdapSyncedPrincipalAdapter" value shown in the table below.
If you use "DatabasePrincipalAdapter" the restrictions are:
- Before the user login, you must create all the user data in the database.
- The password you set in the database will not be applied; the login process works only with an AD connection.
- User members of ROLE_ADMIN or ROLE_USER are created into the database.
Go to Administration> Configuration parameters:
| Field / Property | Type | Description |
|---|---|---|
| principal.adapter | String |
The parameter is deprecated since version 8.1.12 com.openkm.plugin.principal.MixedLdapSyncedPrincipalAdapter |
| system.login.lowercase | String |
true |
| principal.ldap.server | String |
ldap://192.168.0.6:389 |
| principal.ldap.security.principal | String |
CN=Administrator,cn=users,dc=company,dc=local |
| principal.ldap.security.credentials | String |
password |
| principal.ldap.referral | String |
|
| principal.ldap.users.from.roles | Boolean |
false |
| principal.ldap.user.attribute | String |
sAMAccountName |
|
principal.ldap.user.search.base |
List |
dc=company,dc=local |
|
principal.ldap.user.search.filter |
String |
(objectclass=person) |
|
principal.ldap.username.attribute |
String |
cn |
|
principal.ldap.username.search.base |
String |
dc=company,dc=local |
|
principal.ldap.username.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
|
principal.ldap.mail.attribute |
String |
|
|
principal.ldap.mail.search.base |
String |
dc=company,dc=local |
|
principal.ldap.mail.search.filter |
String |
(&(objectClass=person)(sAMAccountName={0})) |
Step 2 - Simplified login
We suggest the following configuration for version 8.1.12 and later.
The following configuration only works starting from version 8.1.12.
#Authentication
okm.authentication.database=false
okm.authentication.ldap=true
#LDAP
ldap.server=ldap://192.168.0.13
ldap.manager.distinguished.name=CN=Administrator,CN=Users,DC=openkm,DC=local
ldap.manager.password=*secret*
ldap.base=DC=openkm,DC=local
ldap.user.search.filter=(sAMAccountName={0})Step 2 - configure login ( old configuration )
We suggest the following configuration for version 8.1.11 and earlier.
You must disable default OpenKM authentication to enable openkm.xml
You must set the location of the openkm.xml file
Apply changes in the openkm.properties file.
The parameter "okm.authentication.database" disables database login.
The parameter "okm.authentication.ldap" disables internal ldap login.
# Disable default OpenKM authentication
okm.authentication.database=false
okm.authentication.ldap=false
# Enable openkm.xml configuration file
okm.authentication.config=file:/home/openkm/tomcat-8.5.69/openkm.xmlApply changes in the openkm.xml file ( refer to Configuring openkm.xml documentation section for more information ).
It is mandatory for the XML to contain a bean named contextSource, otherwise, an error like the following will appear:
Parameter 1 of method ldapTemplate in org.springframework.boot.autoconfigure.ldap.LdapAutoConfiguration required a single bean
<!-- LDAP authentication -->
<security:authentication-manager alias="authenticationManager">
<security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
<beans:constructor-arg value="ldap://192.168.0.6:389"/>
<beans:property name="userDn" value="CN=Administrator,cn=users,dc=company,dc=local"/>
<beans:property name="password" value="password"/>
<beans:property name="baseEnvironmentProperties">
<beans:map>
<beans:entry>
<beans:key>
<beans:value>java.naming.referral</beans:value>
</beans:key>
<beans:value>follow</beans:value>
</beans:entry>
</beans:map>
</beans:property>
</beans:bean>
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
<beans:constructor-arg>
<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
<beans:constructor-arg ref="contextSource"/>
<beans:property name="userSearch" ref="userSearch"/>
</beans:bean>
</beans:constructor-arg>
<beans:constructor-arg name="authoritiesPopulator" ref="databaseAuthoritiesPopulator"/>
</beans:bean>
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="dc=company,dc=local" />
<beans:constructor-arg index="1" value="(sAMAccountName={0})" />
<beans:constructor-arg index="2" ref="contextSource" />
<beans:property name="searchSubtree" value="true" />
</beans:bean>
<beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
</beans:bean>
<beans:bean id="databaseAuthoritiesPopulator" class="com.openkm.principal.DatabaseAuthoritiesPopulator">
</beans:bean>After the changes in the previous files must restart the openkm service to take effect.
For versions older than 8.1.12 should use the next definition for the databaseAuthoritiesPopulator and the userDetailService beans:
<beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
<beans:constructor-arg ref="userSearch"/>
<beans:constructor-arg ref="databaseAuthoritiesPopulator"/>
</beans:bean>
<!-- Get roles from database -->
<beans:bean id="databaseAuthoritiesPopulator" class="com.openkm.principal.DatabaseAuthoritiesPopulator">
<beans:constructor-arg ref="dataSource"/>
<beans:constructor-arg value="select ur_user, ur_role from OKM_USER_ROLE where ur_user=?"/>
</beans:bean>
