Active Directory - OpenKM 4.1

From OpenKM Documentation
Revision as of 19:36, 1 December 2012 by Pavila (talk | contribs) (moved Active Directory OpenKM 4.1 to Active Directory - OpenKM 4.1)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to: navigation, search

To configure Active Directory we must make some changes in OpenKM.cfg configuration file and in login-config.xml file that can be found at $JBOSS_HOME/server/default/conf. For both changes you need to restart JBoss server.

OpenKM.cfg file example ( you must change, Administrador, password and weyler values to your active directory values )



In case of Active directory ( windows ) it's important that all users login be in lower case, for it purpose we enable


property in OpenKM.cfg. The reason is so simply, Windows not makes any difference between upper or lower case validating user name credentials.

login-config.xml file example ( you must change, Administrador, password and weyler values to your active directory values )

<application-policy name="OpenKM">
    <login-module code="" flag="required" > 
      <module-option name="java.naming.provider.url">ldap://</module-option> 
      <module-option name="bindDN">CN=Administrador,cn=users,dc=weyler,dc=local</module-option>
      <module-option name="">simple</module-option>
      <module-option name="bindCredential">password</module-option>
      <module-option name="baseCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=users,dc=weyler,dc=local</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>

Nota clasica.png Take care if your ldap server is configured under ssl then you should use ldaps://

If you want to restrict the user who can log into OpenKM, you should change these two property in OpenKM.cfg:,CN=users,DC=weyler,DC=local)),CN=users,DC=weyler,DC=local))

This means that only users within the UserRole groups will be shown as valid OpenKM users, and only roles which are included in the OpenKM group will be shown in OpenKM.

Also add this option one in login-config.xml:

<module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=UserRole,CN=users,DC=weyler,DC=local))</module-option>

And remove this one:

<module-option name="defaultRole">UserRole</module-option>

All this means that only users member of the UserRole groups are able to log into OpenKM.

Nota clasica.png If you see an exception like this:
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'cn=users,dc=weyler,dc=local'

read these articles: