OpenKM Configuration

There are several files at $JBOSS_HOME:

  • CustomNodes.config: This file contains the OpenKM custom node definitions. It is needed when creating a repository, and afterwards it can be removed.
  • mime.types: It lists the MIME types accepted by the application. This file must always be present.
  • OpenKM.cfg: This file stores the OpenKM configuration. Lines which begin with a # are comments. This file must always be present.
  • repository.xml: It holds the repository description configuration. This file must always be present.

OpenKM configuration file

The OpenKM configuration file, OpenKM.cfg, is located at $JBOSS_HOME. It accepts the following options:

  • repository.config:
repository.config=repository.xml
  • repository.home:
repository.home=repotest
  • default.user.role: Default user role.
default.user.role=UserRol
  • default.admin.role: Default admin role.
default.admin.role=AdminRol
  • principal.adapter: OpenKM can handle user access using the JBoss UsersRolesLoginModule login module by default. OpenKM needs an available method for reading users and roles. The class UsersRolesPrincipalAdapter does this job.
principal.adapter=es.git.openkm.core.UsersRolesPrincipalAdapter
  • max.file.size: The maximum file upload size permitted by the application (in megabytes)
max.file.size=5
  • max.search.results: This option limits the search results.
max.search.results=25

Integration with JBoss logging

OpenKM can log the user activity. JBoss is configured in the file $JBOSS_HOME/server/default/conf/loglog4j.xml. To log the user activity this appender has to be created:

<appender name="OKM_LOG" class="org.jboss.logging.appender.DailyRollingFileAppender">
  <errorHandler class="org.jboss.logging.util.OnlyOnceErrorHandler"/>
  <param name="File" value="${jboss.home.dir}/OpenKM.log"/>
  <param name="Append" value="true"/>
  <param name="DatePattern" value="'.'yyyy-MM-dd"/>
  <layout class="org.apache.log4j.PatternLayout">
    <param name="ConversionPattern" value="%d %-5p %m%n"/>
  </layout>
</appender>

Given that the activity is logged with priority INFO, this configuration should also be added:

<category name="es.git.openkm.ActivityLog">
  <priority value="INFO" />
  <appender-ref ref="OKM_LOG"/>
</category>

This configuration creates one log file per day, so the activity information is easier to locate. If you want, an appender with the same name can be configured to store the log information in a database instead.

Integration with JBoss security

File based

This is the simplest security configuration, and the default. It is achieved using the JBoss UsersRolesLoginModule login module. Users are stored in the file $JBOSS_HOME/server/default/conf/users.properties as follows:

system=systempass
user1=pass1
user2=pass2
...

Note that the passwords are stored unencrypted (in plain text) in this file.

The roles are in the file $JBOSS_HOME/server/default/conf/roles.properties as follows:

system=AdminRol,UserRol
user1=UserRol,Rol1,Rol2,...
user2=UserRol,Rol1,Rol2,...
...

The JBoss security is configured in the file $JBOSS_HOME/server/default/conf/login-config.xml. This is the JBoss configuration for this method:

<application-policy name = "OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">
      <module-option name="usersProperties">users.properties</module-option>
      <module-option name="rolesProperties">roles.properties</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
  </authentication>
</application-policy>

More information can be found in the JBoss documentation.

Another option is the principal.adapter configuration. As previously mentioned, OpenKM uses the UsersRolesLoginModule login module by default, which reads users.properties and roles.properties. OpenKM needs this information to build the list of users and roles available in the change-permissions dialog. This is done by the UsersRolesPrincipalAdapter class, which is an implementation of the es.git.openkm.core.PrincipalAdapter interface:

package es.git.openkm.core;

import java.util.Collection;

public interface PrincipalAdapter {
  /**
   * Method to retrieve all users from an authentication source.
   *
   * @return A Collection with all the users.
   * @throws PrincipalAdapterException If any error occurs.
   */
  public Collection getUsers() throws PrincipalAdapterException;

  /**
   * Method to retrieve all roles from an authentication source.
   *
   * @return A Collection with all the roles.
   * @throws PrincipalAdapterException If any error occurs.
   */
  public Collection getRoles() throws PrincipalAdapterException;
}

LDAP (and Active Directory) based

You can get LDAP integration through the LdapExtLoginModule login module.

<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://mycompany.com.br:389</module-option>
      <module-option name="bindDN">CN=My_adm_account,OU=Admin Accounts,DC=mycompany,DC=com,dc=br</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">My_adm_account_password</module-option>
      <module-option name="baseCtxDN">ou=Users Accounts,dc=mycompany,dc=com,dc=br</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">ou=Users Accounts,dc=mycompany,dc=com,dc=br</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="defaultRole">UserRol</module-option>
    </login-module> 
  </authentication>
</application-policy>

Here are some configuration comments:

  • bindDN: This is some DN with read/search permissions on the baseCtxDN and rolesCtxDN
  • bindCredential: The password for the bindDN
  • baseCtxDN: The fixed DN of the context to start the user search from
  • rolesCtxDN: The fixed DN of the context to search for user roles

Only users holding the role “UserRol” are allowed to access OpenKM. The <module-option name="defaultRole">UserRol</module-option> setting therefore adds this role to every authenticated user.

An admin user must be created to run OpenKM. At the moment the administrator user name must be “system”, and this user must be assigned both “AdminRol” and “UserRol”. In future releases the administrator name will be independent.

In order to make a full LDAP integration, you need to implement the PrincipalAdapter interface so that OpenKM can access the list of users and roles defined in the LDAP installation.

Find out more information about the options at: http://wiki.jboss.org/wiki/Wiki.jsp?page=LdapExtLoginModule
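The two login configurations on this page can be reviewed mechanically before deployment. The following Python check is an added example, not part of OpenKM or JBoss: it parses a login-config.xml text and lists the points worth reviewing (plain-text passwords, a simple bind without TLS, the bind password kept in the file, and the role handed to every authenticated user). The finding names and the OpenKM-file / OpenKM-ldap policy names are made up for the example, and hashAlgorithm and java.naming.security.protocol are standard JBoss / JNDI options that do not appear elsewhere on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: both policies from this page inside the <policy> root of
# login-config.xml, renamed OpenKM-file / OpenKM-ldap so they can coexist here.
SAMPLE = """<policy>
 <application-policy name="OpenKM-file"><authentication>
  <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
   <module-option name="usersProperties">users.properties</module-option>
   <module-option name="rolesProperties">roles.properties</module-option>
  </login-module>
 </authentication></application-policy>
 <application-policy name="OpenKM-ldap"><authentication>
  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
   <module-option name="java.naming.provider.url">ldap://mycompany.com.br:389</module-option>
   <module-option name="java.naming.security.authentication">simple</module-option>
   <module-option name="bindCredential">My_adm_account_password</module-option>
   <module-option name="defaultRole">UserRol</module-option>
  </login-module>
 </authentication></application-policy>
</policy>"""


def audit(xml_text):
    """Return sorted (policy name, finding) pairs for a login-config.xml text."""
    findings = set()
    for policy in ET.fromstring(xml_text).iter("application-policy"):
        name = policy.get("name")
        for mod in policy.iter("login-module"):
            module = mod.get("code", "").rsplit(".", 1)[-1]
            opts = {o.get("name"): (o.text or "").strip()
                    for o in mod.iter("module-option")}
            # Without hashAlgorithm, users.properties holds clear-text passwords.
            if module == "UsersRolesLoginModule" and "hashAlgorithm" not in opts:
                findings.add((name, "cleartext-passwords-in-users-file"))
            if module != "LdapExtLoginModule":
                continue
            url = opts.get("java.naming.provider.url", "").lower()
            tls = url.startswith("ldaps://") or \
                opts.get("java.naming.security.protocol") == "ssl"
            # A simple bind sends DN and password as-is; it needs TLS underneath.
            if opts.get("java.naming.security.authentication") == "simple" and not tls:
                findings.add((name, "simple-bind-without-tls"))
            if opts.get("bindCredential"):
                findings.add((name, "bind-password-stored-in-config"))
            if opts.get("defaultRole"):
                findings.add((name, "default-role-for-every-authenticated-user"))
    return sorted(findings)
```

Calling audit(SAMPLE) reports one finding for the file-based policy and three for the LDAP policy; the same function can be run on the text of the real login-config.xml.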

 
/home/openkm/web/components/com_openwiki/data/pages/install/openkm_configuration.txt (10342 views) · Last modified: 2008/01/24 01:00
 