Active Directory advanced configuration

Since version 8.1.12, the OpenLDAP integration has changed:

The configuration parameters and login procedure remains the same.
User data and roles are now managed in OpenKM administration and stored in database.
There is a cron job called "Sync LDAP users" which synchronizes user data from LDAP to database.
The current configuration can be found at Active Directory mixed configuration with LDAP synced.

LDAP structure

dc=com
    dc=company
        cn=users
            cn=ROLE_ADMIN
                member=okmAdmin
                member=user1
            cn=ROLE_USER
                member=user3
            cn=ROLE_XXXX
                member=user2
            cn=ROLE_YYYY
                member=user4
                ...
            sAMAccountName=okmAdmin
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=okmAdmin@mail.com
                cn=OpenKM Administrator
            sAMAccountName=user1
                memberOf=cn=ROLE_ADMIN,cn=users,dc=company,dc=com
                userPrincipalName=user1@mail.com
                cn=User Name 1
            sAMAccountName=user2
                memberOf=cn=ROLE_USER,cn=users,dc=company,dc=com
                userPrincipalName=user2@mail.com
                cn=User Name 3

The OpenKM integration with LDAP has two steps. In the first step, configure OpenKM to retrieve the list of users and roles from the LDAP. This list is cached during 30-45 minutes by OpenKM to prevent overloading the LDAP server. You can clean the cache from Administration > Tools > Cache stats . In the second step configure login, this configuration works always in real time.

Step 1 - configuration parameters

We suggest login in OpenKM with the admin URL ( for example http://localhost:8080/openkm/admin/index ) because in the next steps will be necessary to restart OpenKM service and you do not want to lose administration access.

The first action should be to modify principal.adapter parameter value and restart OpenKM service. Because session ID is kept in the browser you should not lose the login after the service restarted and can continue working in the administration. After this change, the users and roles list will be empty from the administration. Until success configuring the next parameters these lists will be empty.

User members of ROLE_ADMIN or ROLE_USER are created into users node ( these should be the distinguished names CN=ROLE_ADMIN,cn=users,DC=company,DC=com and CN=ROLE_USER,cn=users,DC=company,DC=com).
Groups can be created on any Active Directory node, because DC=company,DC=com is set as base filter, principal.ldap.role.search.base=DC=company,DC=com.
All Active Directory groups will be listed, because has not applied any filter restriction principal.ldap.role.search.filter=(objectclass=group).

Go to Administration > Configuration parameters:

Field / Property	Type	Description
principal.adapter	String	The parameter is deprecated since version 8.1.12 com.openkm.plugin.principal.LdapPrincipalAdapter
system.login.lowercase	String	true
principal.ldap.server	String	ldap://192.168.0.6:389
principal.ldap.security.principal	String	CN=Administrator,cn=users,dc=company,dc=local
principal.ldap.security.credentials	String	password
principal.ldap.referral	String
principal.ldap.users.from.roles	Boolean	false
principal.ldap.user.attribute	String	sAMAccountName
principal.ldap.user.search.base	List	dc=company,dc=local
principal.ldap.user.search.filter	String	(objectclass=person)
principal.ldap.username.attribute	String	cn
principal.ldap.username.search.base	String	dc=company,dc=local
principal.ldap.username.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute	String	mail
principal.ldap.mail.search.base	String	dc=company,dc=local
principal.ldap.mail.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.role.attribute	String	cn
principal.ldap.role.search.base	List	dc=company,dc=local
principal.ldap.role.search.filter	String	(objectclass=group)
principal.ldap.roles.by.user.attribute	String	memberOf
principal.ldap.roles.by.user.search.base	String	DC=company,DC=com
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	String	member
principal.ldap.users.by.role.search.base	String	dc=company,dc=local
principal.ldap.users.by.role.search.filter	String	(&(objectClass=group)(cn={0}))

Step 2 - configure login

Apply changes in the openkm.properties file.

The parameter "okm.authentication.database" is used to disable database login.

The parameter "okm.authentication.ldap" is used to enable ldap login.

#Authentication
okm.authentication.database=false
okm.authentication.ldap=true

#LDAP
ldap.server=ldap://192.168.0.13
ldap.manager.distinguished.name=CN=Administrator,CN=Users,DC=openkm,DC=local
ldap.manager.password=*secret*
ldap.base=DC=openkm,DC=local
ldap.role.attribute=cn
ldap.user.search.filter=sAMAccountName={0}
ldap.role.search.filter=member={0}

After the update of the openkm.properties file must restart the openkm service to take effect.

Another option to configure login

In some cases might be interested to set configuration in file openkm.xml please refer to Configuring openkm.xml documentation section for more information.

<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
 
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldap://192.168.0.6:389/dc=company,dc=local"/>
  <beans:property name="userDn" value="CN=Administrator,cn=users,dc=company,dc=local"/>
  <beans:property name="password" value="password"/>
</beans:bean>
 
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg name="authoritiesPopulator" ref="defaultLdapAuthoritiesPopulator"/> 
</beans:bean>
 
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="" />
  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

 <beans:bean id="defaultLdapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
		<beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value=""/>
      <beans:property name="groupSearchFilter" value="memberOf={1}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" /> 
	</beans:bean>

  <!--Needed for remember-me services -->
	<beans:bean id="userDetailService" class="org.springframework.security.ldap.userdetails.LdapUserDetailsService">
		<beans:constructor-arg ref="userSearch"/>
		<beans:constructor-arg ref="defaultLdapAuthoritiesPopulator"/>
	</beans:bean>

Table of contents [ Hide Show ]

LDAP structure
Step 1 - configuration parameters
Step 2 - configure login

Another option to configure login

OpenKM 8.1

Active Directory advanced configuration

LDAP structure

Step 1 - configuration parameters

Step 2 - configure login

Another option to configure login