1. Home
  2. OpenKM 8.1
  3. Setup
  4. LDAP configuration
  5. OpenLDAP example with URL base at login
  1.  

OpenKM 8.1
Hardware and software requirements
Installation
Setup
Antivirus configuration
Cleaning older activity log data
Configuring Apache HTTP Reverse-Proxy
Configuring Apache HTTPS Reverse-Proxy
Configuring Nginx HTTP Reverse-Proxy
Configuring Apache HTTP to rewrite old OpenKM URL
Configuring Lucene Analyzer
Configuring CADViewer
Configuring OCR engine
Configuring OpenSSL
Configuring mail
Configuring Tomcat memory utilization
Configuring Tomcat port
Configuring Tomcat session timeout
Configuring Tomcat timezone
Configuring openkm.xml
Configuring jBPM
Configuring ONLYOFFICE
Configuring Collabora Online
Configuring safe trash purge
Configuring search highlighter
Configuring Tomcat to work behind an Internet proxy
Configuring VidSigner
Change repository home
Change default role names
Enable extensions
LDAP configuration
OpenLDAP example with URL base at login
Active Directory example with referral enabled
Active Directory example with login based on filtering users by roles
Active Directory basic configuration
Active Directory advanced configuration
Active Directory mixed configuration
Active Directory mixed configuration with LDAP synced
LDAP best practices for filtering users and roles
ClearOS LDAP configuration
LDAP troubleshooting
Log configuration
LibreOffice configuration
Security configuration
Configuring Two Factor Authentication
Configuring document expiration
Configuring CIFS
Cache configuration
Configuring email digital signature
Configuring anonymous user
Prometheus configuration
Troubleshooting
Administration guide
User guide
Migration guide
Development

OpenLDAP example with URL base at login

Since version 8.1.12, the OpenLDAP integration has changed:

  • The configuration parameters and login procedure remains the same.
  • User data and roles are now managed in OpenKM administration and stored in database.
  • There is a cron job called "Sync LDAP users" which synchronizes user data from LDAP to database.
  • The current configuration can be found at Active Directory mixed configuration with LDAP synced.

LDAP Structure

dc=com
    dc=some
        ou=organization
            cn=ROLE_ADMIN
                memberUid=okmAdmin
                memberUid=user1
                memberUid=user2
            cn=ROLE_USER
                memberUid=user3
                memberUid=user4
                ...
        ou=organization
            uid=user1
                mail=user@mail.com
                cn=User Name 1
            uid=user2
                mail=user2@mail.com
                cn=User Name 3
            uid=user3
                mail=user3@mail.com
                cn=User Name 3
            uid=user4
                mail=user4@mail.com
                cn=User Name 4

Valid roles:

  • cn=ROLE_X,ou=roles,dc=some,dc=com
  • cn=ROLE_Y,ou=dept marketing,ou=roles,dc=some,dc=com
  • cn=ROLE_Z,ou=dept sales,ou=roles,dc=some,dc=com

Invalid roles:

  • cn=ROLE_INVALID,ou=dept,dc=some,dc=com ( any distinguished name not included in ou=roles,dc=some,dc=com )

Valid users:

  • uid=USER_X,ou=organization,dc=some,dc=com
  • uid=USER_Y,ou=dept id,ou=organization,dc=some,dc=com
  • uid=USER_Z,ou=dept administrator,ou=organization,dc=some,dc=com

Invalid users:

  • uid=USER_INVALID,ou=house,dc=some,dc=com ( any distinguished name not included in ou=organization,dc=some,dc=com )

The OpenKM integration with LDAP has two steps. In the first step, configure OpenKM to retrieve the list of users and roles from the LDAP. This list is cached during 30-45 minutes by OpenKM to prevent overloading the LDAP server. You can clean the cache from Administration > Tools > Cache stats. In the second step configure login, this configuration works always in real time.

Step 1 - configuration parameters

We suggest login in OpenKM with the admin URL ( for example http://localhost:8080/openkm/admin/index ) because in the next steps will be necessary to restart OpenKM service and you do not want to lose administration access.

The first action should be to modify principal.adapter parameter value and restart OpenKM service. Because session ID is kept in the browser you should not lose the login after the service restarted and can continue working in the administration. After this change, the users and roles list will be empty from the administration. Until success configuring the next parameters these lists will be empty.

Go to Administration > Configuration parameters:

Field / PropertyTypeDescription
principal.adapter String

The parameter is deprecated since version 8.1.12

com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase String

false
principal.ldap.server String

ldap://192.168.xxx.xxx:389
principal.ldap.security.principal String

cn=Manager,dc=some,dc=com
principal.ldap.security.credentials String

password
principal.ldap.referral String

 
principal.ldap.users.from.roles Boolean

false
principal.ldap.user.attribute String

uid

principal.ldap.user.search.base

 List

ou=users,dc=some,dc=com

principal.ldap.user.search.filter

 String

(objectClass=inetOrgPerson)

principal.ldap.username.attribute

 String

cn

principal.ldap.username.search.base

 String

ou=users,dc=some,dc=com

principal.ldap.username.search.filter

 String

(uid={0})
principal.ldap.mail.attribute String

mail
principal.ldap.mail.search.base String

dc=some,dc=com
principal.ldap.mail.search.filter String

(uid={0})

principal.ldap.role.attribute

 String

cn

principal.ldap.role.search.base

 List

ou=roles,dc=some,dc=com

principal.ldap.role.search.filter

 String

(objectClass=posixGroup)

principal.ldap.roles.by.user.attribute

 String

cn

principal.ldap.roles.by.user.search.base

 String

ou=roles,dc=some,dc=com

principal.ldap.roles.by.user.search.filter

 String

(memberUid={0})

principal.ldap.users.by.role.attribute

 String

memberUid

principal.ldap.users.by.role.search.base

 String

ou=roles,dc=some,dc=com

principal.ldap.users.by.role.search.filter

 String

(&(objectClass=posixGroup)(cn={0}))

Step 2 - configure login

  • Important login (ldap://192.168.0.13:389/dc=some,dc=com) sets default filter base queries at dc=some,dc=com with is concatenated by default in all filter queries .
  • Roles ( groups ) filter base is ou=roles ( real distinguised name is ou=roles,dc=some,dc=com ). Any valid roles should have it as parent. ou=roles"/> really points to ou=roles,dc=some,dc=com"/>
  • Users filter base is ou=organization ( real distinguised name is ou=organization,dc=some,dc=com ). Any valid user should have it as parent. to
  • User filter is uid={0}
  • Finally take in consideration the value 1 at memberUid={1}"/>

Apply changes in the openkm.properties file.

The parameter "okm.authentication.database" is used to disable database login.

The parameter "okm.authentication.ldap" is used to enable ldap login.

#Authentication
okm.authentication.database=false
okm.authentication.ldap=true

#LDAP
ldap.server=ldap://192.168.0.13
ldap.manager.distinguished.name=CN=Administrator,CN=Users,DC=openkm,DC=local
ldap.manager.password=*secret*
ldap.base=DC=openkm,DC=local
ldap.role.attribute=cn
ldap.user.search.filter=uuid={0}
ldap.role.search.filter=memberUid={1}

After the update of the openkm.properties file must restart the openkm service to take effect.

Another option to configure login

In some cases might be interested to set configuration in file openkm.xml please refer to Configuring openkm.xml documentation section for more information.

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">
 
  <security:authentication-manager alias="authenticationManager">
  	<security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>
 
  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  	<beans:constructor-arg value="ldap://192.168.0.13:389/dc=some,dc=com"/>
		<beans:property name="userDn" value="cn=Manager,dc=some,dc=com"/>
  	<beans:property name="password" value="******"/>
  </beans:bean>
 
	<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
		<beans:constructor-arg>
			<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
				<beans:constructor-arg ref="contextSource"/>
				<beans:property name="userSearch" ref="userSearch"></beans:property>
			</beans:bean>
		</beans:constructor-arg>
		<beans:constructor-arg name="authoritiesPopulator" ref="defaultLdapAuthoritiesPopulator"/>
  </beans:bean>
 
   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="ou=organization" />
    <beans:constructor-arg index="1" value="uid={0}" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>
  
  <beans:bean id="defaultLdapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
		<beans:constructor-arg ref="contextSource"/>
		<beans:constructor-arg value="ou=roles"/>
		<beans:property name="groupSearchFilter" value="memberUid={1}"/>
		<beans:property name="groupRoleAttribute" value="cn"/>
		<beans:property name="searchSubtree" value="true" />
		<beans:property name="convertToUpperCase" value="true" />
		<beans:property name="rolePrefix" value="" /> 
	</beans:bean>
  
  <!--Needed for remember-me services -->
	<beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
		<beans:constructor-arg ref="userSearch"/>
		<beans:constructor-arg ref="defaultLdapAuthoritiesPopulator"/>
	</beans:bean>
 
</beans:beans>

 

 

© OpenKM kcenter v.1.0.0 (build: d51a7b0). All Rights Reserved. Documentation license