Sunday, 19 June 2011

OpenKM LDAP auth

Hello, after some time kicking the machine and trying a several configurations, i got it working..

NOTE: for the config options to be red from the file you must first delete the equivalent configs from the web user interface (those are stored in the DB and override the config file)

Checkout the relevant parts of the final configuration files after the break


== OpenKM.cfg ==
#system.ocr=/usr/bin/cuneiform
#system.openoffice.path=/usr/lib/openoffice
#system.imagemagick.convert=/usr/bin/convert
#system.swftools.pdf2swf=/usr/bin/pdf2swf
#system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
system.openoffice=on
system.swftools.pdf2swf=/usr/bin/pdf2swf
system.openoffice.path=/usr/lib/openoffice
system.ocr=/usr/local/bin/tesseract
restrict.file.extension=*~,*.bak,._*
system.ghostscript.ps2pdf=/usr/bin/ps2pdf
system.imagemagick.convert=/usr/bin/convert
#system.openoffice.server
system.webdav.server=on
#application.url=http://localhost:8080/OpenKM/com.openkm.frontend.Main/index.jspprincipal.adapter=com.openkm.principal.LdapPrincipalAdapter
#principal.adapter=com.openkm.principal.DatabasePrincipalAdapter
principal.ldap.server=ldap://server_address:389
principal.ldap.security.principal=cn=admin,dc=my_domain,dc=com
principal.ldap.security.credentials=my_password
principal.ldap.user.search.base=ou=people,dc=my_domain,dc=com
principal.ldap.user.search.filter=(&(accountstatus=active))
principal.ldap.user.attribute=uid
principal.ldap.role.search.base=ou=groups,dc=my_domain,dc=com
principal.ldap.role.search.filter=(&(objectclass=posixGroup)(!(description=Dynamic*)))
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=uuid={0},ou=people,dc=my_domain,dc=com
principal.ldap.mail.search.filter=(&(accountstatus=active))
principal.ldap.mail.attribute=mail
principal.ldap.users.by.role.search.base=ou=groups,dc=my_domain,dc=com
principal.ldap.users.by.role.search.filter=(&(objectclass=posixGroup)(!(description=Dynamic*))(cn=*{0}*))
principal.ldap.users.by.role.attribute=memberUid
principal.ldap.roles.by.user.search.base=ou=groups,dc=my_domain,dc=com
principal.ldap.roles.by.user.search.filter=(&(objectclass=posixGroup)(!(description=Dynamic*))(memberUid=*{0}*))
principal.ldap.roles.by.user.attribute=cn
chat.enabled=on
chat.autologin=on
system.login.lowercase=on
default.admin.role=sysadmin
default.user.role=accounting
#default.admin.role=AdminRole
#default.user.role=UserRole

== login-config.xml ==
<application-policy name = "client-login">
<authentication>
<login-module code= "org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
<module-option name= "java.naming.provider.url">ldap://10.39.10.23:389</module-option>
<module-option name= "bindDN">cn=admin,dc=domain,dc=com</module-option>
<module-option name= "bindCredential">adminpass</module-option>
<module-option name= "baseCtxDN">ou=people,dc=domain,dc=com</module-option>
</login-module>
</authentication>
</application-policy>
<!-- OpenKM -->
<application-policy name = "OpenKM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
<module-option name="java.naming.provider.url">ldap://server_address:389</module-option>
<module-option name="bindDN">cn=admin,dc=my_domain,dc=com</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="bindCredential">my_password</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="roleFilter">(memberUid={1})</module-option>
<module-option name="roleAttributeID">cn</module-option>
<module-option name="rolesCtxDN">ou=groups,dc=my_domain,dc=com</module-option>
<module-option name="defaultRole">UserRole</module-option>
<module-option name="baseCtxDN">ou=people,dc=my_domain,dc=com</module-option>
<module-option name="baseFilter">(uid={0})</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
<module-option name="searchScope">ONELEVEL_SCOPE</module-option>
</login-module>
</authentication>
</application-policy>

Possibly Related Posts

1 comment: