OpenLDAP example with URL base at login

Since version 8.1.12, the OpenLDAP integration has changed:

  • The configuration parameters and login procedure remain the same.
  • User data and roles are now managed in OpenKM administration and stored in the database.
  • A cron job called "Sync LDAP users" synchronizes user data from LDAP into the database.
  • The current configuration is described at Active Directory mixed configuration with LDAP synced.

LDAP Structure

dc=com
    dc=some
        ou=roles
            cn=ROLE_ADMIN
                memberUid=okmAdmin
                memberUid=user1
                memberUid=user2
            cn=ROLE_USER
                memberUid=user3
                memberUid=user4
                ...
        ou=organization
            uid=user1
                mail=user1@mail.com
                cn=User Name 1
            uid=user2
                mail=user2@mail.com
                cn=User Name 2
            uid=user3
                mail=user3@mail.com
                cn=User Name 3
            uid=user4
                mail=user4@mail.com
                cn=User Name 4

Valid roles:

  • cn=ROLE_X,ou=roles,dc=some,dc=com
  • cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
  • cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com

Invalid roles:

  • cn=ROLE_INVALID,ou=dept,dc=some,dc=com (any distinguished name not located under ou=roles,dc=some,dc=com)

Valid users:

  • uid=USER_X,ou=organization,dc=some,dc=com
  • uid=USER_Y,ou=dept id,ou=organization,dc=some,dc=com
  • uid=USER_Z,ou=dept administrator,ou=organization,dc=some,dc=com

Invalid users:

  • uid=USER_INVALID,ou=house,dc=some,dc=com (any distinguished name not located under ou=organization,dc=some,dc=com)

The OpenKM integration with LDAP has two steps. In the first step, OpenKM is configured to retrieve the list of users and roles from LDAP. OpenKM caches this list for 30-45 minutes to avoid overloading the LDAP server; you can clear the cache from Administration > Tools > Cache stats. In the second step, login is configured; login always runs against the LDAP server in real time.

Step 1 - configuration parameters

We suggest logging in to OpenKM through the admin URL (for example http://localhost:8080/openkm/admin/index), because the next steps require restarting the OpenKM service and you do not want to lose administration access.

The first action should be to change the value of the principal.adapter parameter and restart the OpenKM service. Because the session ID is kept in the browser, you should not lose your login after the restart and can keep working in the administration. After this change the users and roles lists in the administration will be empty, and they stay empty until the remaining parameters are configured correctly.

Go to Administration > Configuration parameters:

Field / Property                               Type      Description
---------------------------------------------------------------------------------------------------
principal.adapter                              String    com.openkm.principal.LdapPrincipalAdapter
                                                         (the parameter is deprecated since version 8.1.12)
system.login.lowercase                         String    false
principal.ldap.server                          String    ldap://192.168.xxx.xxx:389
principal.ldap.security.principal              String    cn=Manager,dc=some,dc=com
principal.ldap.security.credentials            String    password
principal.ldap.referral                        String    (empty)
principal.ldap.users.from.roles                Boolean   false
principal.ldap.user.attribute                  String    uid
principal.ldap.user.search.base                List      ou=organization,dc=some,dc=com
principal.ldap.user.search.filter              String    (objectClass=inetOrgPerson)
principal.ldap.username.attribute              String    cn
principal.ldap.username.search.base            String    ou=organization,dc=some,dc=com
principal.ldap.username.search.filter          String    (uid={0})
principal.ldap.mail.attribute                  String    mail
principal.ldap.mail.search.base                String    dc=some,dc=com
principal.ldap.mail.search.filter              String    (uid={0})
principal.ldap.role.attribute                  String    cn
principal.ldap.role.search.base                List      ou=roles,dc=some,dc=com
principal.ldap.role.search.filter              String    (objectClass=posixGroup)
principal.ldap.roles.by.user.attribute         String    cn
principal.ldap.roles.by.user.search.base       String    ou=roles,dc=some,dc=com
principal.ldap.roles.by.user.search.filter     String    (memberUid={0})
principal.ldap.users.by.role.attribute         String    memberUid
principal.ldap.users.by.role.search.base       String    ou=roles,dc=some,dc=com
principal.ldap.users.by.role.search.filter     String    (&(objectClass=posixGroup)(cn={0}))

Step 2 - configure login

  • Important: the login URL (ldap://192.168.0.13:389/dc=some,dc=com) carries the base DN dc=some,dc=com, which is appended by default to every search base used in the login queries.
  • The roles (groups) search base is ou=roles (real distinguished name ou=roles,dc=some,dc=com). Any valid role must have it as an ancestor.
  • The users search base is ou=organization (real distinguished name ou=organization,dc=some,dc=com). Any valid user must have it as an ancestor.
  • The user filter is uid={0}, where {0} is replaced by the login name (Spring Security escapes it as an LDAP filter value before substitution, so a login name containing * or parentheses cannot widen the search).
  • Finally, note the 1 in the group filter memberUid={1}: in the group search {0} is replaced by the full DN of the authenticated user and {1} by the plain username. posixGroup entries list their members by uid in memberUid, so {1} is the placeholder to use here.

Apply the changes in the openkm.properties file.

The parameter "okm.authentication.database" set to false disables database login.

The parameter "okm.authentication.ldap" set to true enables LDAP login.

#Authentication
okm.authentication.database=false
okm.authentication.ldap=true

#LDAP
ldap.server=ldap://192.168.0.13
ldap.manager.distinguished.name=cn=Manager,dc=some,dc=com
ldap.manager.password=*secret*
ldap.base=dc=some,dc=com
ldap.role.attribute=cn
ldap.user.search.filter=uid={0}
ldap.role.search.filter=memberUid={1}

After updating the openkm.properties file you must restart the OpenKM service for the change to take effect. Note that a plain ldap:// URL sends the manager bind password and every user's login password across the network in cleartext; in production point ldap.server at the server's TLS port with an ldaps:// URL, and restrict read access to openkm.properties, which stores the manager password.
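The lookups this page configures, modelled offline in Python as an added example (this is not OpenKM's or Spring Security's code). It covers the valid/invalid DN rules, the Step 1 user and role lists, and the login bullets above: the directory is constructed from the tree shown on this page, with one extra role (cn=ROLE_INVALID,ou=dept,dc=some,dc=com) and one extra user (uid=user5,ou=house,dc=some,dc=com) placed outside the configured bases. The DN handling and the filter parser are simplifications assumed for the example (no escaped commas, case-insensitive matching, only &, | and equality filters), not server behaviour.

```python
import re

# Constructed directory mirroring the tree on this page (dc=some,dc=com), plus one role
# and one user placed OUTSIDE the configured search bases to show that they are ignored.
URL_BASE = "dc=some,dc=com"  # base DN carried by ldap://192.168.0.13:389/dc=some,dc=com

def _group(cn, *members):
    return {"objectClass": ["posixGroup"], "cn": [cn], "memberUid": list(members)}

def _person(uid, name, mail):
    return {"objectClass": ["inetOrgPerson"], "uid": [uid], "cn": [name], "mail": [mail]}

DIRECTORY = {
    "ou=roles,dc=some,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["roles"]},
    "cn=ROLE_ADMIN,ou=roles,dc=some,dc=com": _group("ROLE_ADMIN", "okmAdmin", "user1", "user2"),
    "cn=ROLE_USER,ou=roles,dc=some,dc=com": _group("ROLE_USER", "user3", "user4"),
    "cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com": _group("ROLE_Y", "user1"),
    "cn=ROLE_INVALID,ou=dept,dc=some,dc=com": _group("ROLE_INVALID", "user1"),  # outside ou=roles
    "ou=organization,dc=some,dc=com": {"objectClass": ["organizationalUnit"], "ou": ["organization"]},
    "uid=user1,ou=organization,dc=some,dc=com": _person("user1", "User Name 1", "user1@mail.com"),
    "uid=user2,ou=organization,dc=some,dc=com": _person("user2", "User Name 2", "user2@mail.com"),
    "uid=user3,ou=dept id,ou=organization,dc=some,dc=com": _person("user3", "User Name 3", "user3@mail.com"),
    "uid=user4,ou=organization,dc=some,dc=com": _person("user4", "User Name 4", "user4@mail.com"),
    "uid=user5,ou=house,dc=some,dc=com": _person("user5", "User Name 5", "user5@mail.com"),  # outside ou=organization
}

def is_under(dn, base):
    """True when dn equals base or lies beneath it (subtree scope). Simplified DN split:
    no escaped commas occur in this tree; comparison is case-insensitive."""
    d, b = [c.strip().lower() for c in dn.split(",")], [c.strip().lower() for c in base.split(",")]
    return len(d) >= len(b) and d[-len(b):] == b

def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value (what Spring's LdapEncoder.filterEncode does for {0})."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)

def parse_filter(text):
    """Parse a subset of RFC 4515: &, | and attr=value, where an unescaped '*' is a wildcard."""
    text = text.strip()
    if not text.startswith("("):  # Spring accepts 'memberUid={1}' without surrounding parentheses
        text = "(%s)" % text
    node, end = _parse(text, 0)
    if end != len(text):
        raise ValueError("malformed filter: %r" % text)
    return node

def _parse(s, i):
    i += 1  # skip '('
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        return (op, kids), i + 1  # skip ')'
    j = s.index(")", i)
    attr, _, value = s[i:j].partition("=")
    return ("=", attr.strip().lower(), value), j + 1

def _match(pattern, value):
    # Split on unescaped '*' first, then turn '\XX' hex escapes back into literal characters.
    pieces = [re.escape(re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), p))
              for p in pattern.split("*")]
    return re.fullmatch(".*".join(pieces), value, re.IGNORECASE) is not None

def _eval(node, attrs):
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(_eval(k, attrs) for k in node[1])
    return any(_match(node[2], v) for v in attrs.get(node[1], []))

def search(relative_base, filter_template, *args):
    """Subtree search; the relative base is appended to URL_BASE, as Spring does with the URL's base DN."""
    base = "%s,%s" % (relative_base, URL_BASE) if relative_base else URL_BASE
    node = parse_filter(filter_template.format(*args))
    return [dn for dn, attrs in DIRECTORY.items()
            if is_under(dn, base) and _eval(node, {k.lower(): v for k, v in attrs.items()})]

def find_user_dn(username):
    """FilterBasedLdapUserSearch('ou=organization', 'uid={0}'): escaped username, exactly one hit required."""
    hits = search("ou=organization", "uid={0}", escape_filter_value(username))
    if len(hits) != 1:
        raise LookupError("expected one entry for %r, found %d" % (username, len(hits)))
    return hits[0]

def roles_for(user_dn, username):
    """DefaultLdapAuthoritiesPopulator('ou=roles', 'memberUid={1}'): {0} is the user DN, {1} the username;
    posixGroup members are listed by uid, hence {1}. Role name = cn upper-cased, rolePrefix ''."""
    hits = search("ou=roles", "memberUid={1}", escape_filter_value(user_dn), escape_filter_value(username))
    return sorted(DIRECTORY[dn]["cn"][0].upper() for dn in hits)

def sync_lists():
    """Step 1 lists: users by (objectClass=inetOrgPerson) under ou=organization, roles by (objectClass=posixGroup) under ou=roles."""
    users = sorted(DIRECTORY[dn]["uid"][0] for dn in search("ou=organization", "(objectClass=inetOrgPerson)"))
    return users, sorted(DIRECTORY[dn]["cn"][0] for dn in search("ou=roles", "(objectClass=posixGroup)"))

def hits_raw_vs_escaped(username):
    """Why {0} must be escaped: an unescaped '*' turns uid={0} into a wildcard over the whole base."""
    raw, esc = search("ou=organization", "uid={0}", username), search("ou=organization", "uid={0}", escape_filter_value(username))
    return len(raw), len(esc)
```

Calling find_user_dn("user1") and then roles_for(dn, "user1") grants ROLE_ADMIN and ROLE_Y but never ROLE_INVALID, because that entry is not under ou=roles,dc=some,dc=com; sync_lists() likewise omits user5, which sits in ou=house. user3 is still found through the subtree search although it lives in a nested ou=dept id. hits_raw_vs_escaped("*") returns (4, 0): the raw login name matches every user under the base, the escaped one matches none, which is why the login name must always be substituted into uid={0} as an escaped value.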

Another option to configure login

In some cases you may prefer to put the login configuration in the openkm.xml file; refer to the Configuring openkm.xml documentation section for more information.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <!-- The base DN in the URL (dc=some,dc=com) is appended to every relative search base below.
       A plain ldap:// URL on port 389 is cleartext; use an ldaps:// URL in production. -->
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://192.168.0.13:389/dc=some,dc=com"/>
    <beans:property name="userDn" value="cn=Manager,dc=some,dc=com"/>
    <beans:property name="password" value="******"/>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg index="0">
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg index="1" ref="defaultLdapAuthoritiesPopulator"/>
  </beans:bean>

  <!-- Users: subtree search below ou=organization,dc=some,dc=com; {0} is the login name, filter-escaped by Spring -->
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=organization" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

  <!-- Roles: subtree search below ou=roles,dc=some,dc=com; {0} is the user DN, {1} the username (posixGroup lists uids) -->
  <beans:bean id="defaultLdapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
    <beans:constructor-arg ref="contextSource"/>
    <beans:constructor-arg value="ou=roles"/>
    <beans:property name="groupSearchFilter" value="memberUid={1}"/>
    <beans:property name="groupRoleAttribute" value="cn"/>
    <beans:property name="searchSubtree" value="true" />
    <beans:property name="convertToUpperCase" value="true" />
    <beans:property name="rolePrefix" value="" />
  </beans:bean>

  <!-- Needed for remember-me services -->
  <beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
    <beans:constructor-arg ref="userSearch"/>
    <beans:constructor-arg ref="defaultLdapAuthoritiesPopulator"/>
  </beans:bean>

</beans:beans>