Active Directory Issues

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #45402  by afurtado
 
All,

This is my first time configuring OpenKM (before you read into this: yes, I did try searching the forum for answers, but no cake here), so I would appreciate the help. The error I receive is:

********** ERROR /******
Code:
2018-03-08 14:30:00,847 [Thread-16] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ] (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getUsers - Base: [DC=BDB,DC=local] - Filter: (&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=BDB,DC=local)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=BDB,DC=local))) - Attribute: sAMAccountName)
2018-03-08 14:30:00,847 [Thread-16] WARN  com.openkm.core.Cron - Crontab task mail address is empty: Return: null
********** EXTRA INFO
If I'm not mistaken, code 49 is a bind error, but I did a bind test with the LDP application on the domain controller and was able to bind successfully and browse the users.

The Windows server is also on the domain.

********** My Active Directory
Code:
OU=OpenKM,DC=BDB,DC=local
(the user openkmldap is also in this OU)
(here I have 2 security groups for admin, and users)

My users are split into the following
Code:
OU=Clinical Users,OU=OTDBC,DC=BDB,DC=local
OU=Non Clinical Users,OU=OTDBC,DC=BDB,DC=local

****** My current configuration
Code:
Field / Property	Type	Description
principal.adapter	String	com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase	String	TRUE
principal.ldap.server	String	ldap://ReadOnlyDC:389
principal.ldap.security.principal	String	CN=openkmladp,OU=OPENKM,DC=BDB,DC=local
principal.ldap.security.credentials	String	[password]
principal.ldap.referral	String	follow
principal.ldap.users.from.roles	Boolean	FALSE
principal.ldap.user.attribute	String	sAMAccountName
principal.ldap.user.search.base	List	DC=BDB,DC=local
principal.ldap.user.search.filter	String	(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=BDB,DC=local)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=BDB,DC=local)))
principal.ldap.username.attribute	String	cn
principal.ldap.username.search.base	String	DC=BDB,DC=local
principal.ldap.username.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute	String	userPrincipalName
principal.ldap.mail.search.base	String	DC=BDB,DC=local
principal.ldap.mail.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.role.attribute	String	cn
principal.ldap.role.search.base	List	DC=BDB,DC=local
principal.ldap.role.search.filter	String	(objectclass=group)
principal.ldap.roles.by.user.attribute	String	memberOf
principal.ldap.roles.by.user.search.base	String	DC=BDB,DC=local
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	String	member
principal.ldap.users.by.role.search.base	String	OU=OpenKM,DC=BDB,DC=local
principal.ldap.users.by.role.search.filter	String	(&(objectClass=group)(cn={0}))

Andre
 #45410  by afurtado
 
So my LDAP connection is half working: it will load the users under the Users button, but it will not allow them to log in.
 #45423  by jllort
 
I suggest you first concentrate on the OpenKM LDAP parameters from Administration -> retrieving the users and roles list. When you succeed there, we can go on to authentication. In the meantime I suggest switching authentication back to database.

Your LDAP is an OpenLDAP (basically the question is whether or not it is a Microsoft Active Directory). In case it is not MS AD, the parameter system.login.lowercase should be false, because OpenLDAP is case sensitive; otherwise it is right.

Are you retrieving the users and roles list?

I suggest taking a look at this LDAP sample configuration https://docs.openkm.com/kcenter/view/ok ... login.html (the issue with OpenLDAP is that you must set attributes in the user and role nodes to be able to retrieve, in both directions, the users from roles and the roles from users). In the Professional edition we have a mixed configuration where roles are in the OpenKM database and users are in LDAP, which simplifies the case, but the feature is still not available in Community.
 #45427  by saleem55
 
I am getting this error

Application error
Class: org.springframework.ldap.PartialResultException
Message: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''
Date: Sun Mar 11 12:14:13 GST 2018

while I am logging in using AD
 #45430  by saleem55
 
saleem55 wrote: Sun Mar 11, 2018 8:15 am I am getting this error

Application error
Class: org.springframework.ldap.PartialResultException
Message: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''
Date: Sun Mar 11 12:14:13 GST 2018

while I am logging in using AD
Solved by adding
Code:
   <!-- Enclosing element added here so the fragment is complete; assumed to be the
        baseEnvironmentProperties property of the Spring LDAP context source bean -->
   <beans:property name="baseEnvironmentProperties">
     <beans:map>
       <beans:entry>
         <beans:key>
           <beans:value>java.naming.referral</beans:value>
         </beans:key>
         <beans:value>follow</beans:value>
       </beans:entry>
     </beans:map>
   </beans:property>
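Added example covering both failures in this thread (it is not OpenKM code and was not posted by anyone here): a Python script that decodes the "data 52e" sub-status in the first post's log line, compares the posted bind DN with the service account's DN after AD-style case folding, and flags the search-base/port/referral combination that produces the PartialResultException quoted above. Assumptions: the service account's DN is CN=openkmldap,OU=OpenKM,DC=BDB,DC=local (the first post only says the account is in that OU); the sub-status table holds Microsoft's documented values for LDAP result 49; the log line and property values are copied from the posts.

```python
# Added example for this thread (not OpenKM code, not from any poster).
# Decodes the AD bind failure in the first post and checks the posted LDAP
# properties for the two mistakes that produce the errors seen in the thread.
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Sub-status AD appends to LDAP result 49.  52e covers both a wrong password
# and a bind DN/UPN that resolves to no account, so it alone does not say which.
AD_BIND_SUBCODES = {
    "525": "user not found", "52e": "invalid credentials (bad password or unknown bind DN/UPN)",
    "530": "logon not permitted at this time", "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled", "701": "account expired",
    "773": "user must reset password", "775": "account locked out",
}
_DIAG = re.compile(r"error code (?P<code>\d+) - (?P<hresult>[0-9A-Fa-f]+): LdapErr: "
                   r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), data (?P<data>[0-9A-Fa-f]+)")


def decode_ad_bind_error(log_line: str) -> Optional[Dict[str, str]]:
    """Extract result code, DSID and AD sub-status from a JNDI NamingException message."""
    m = _DIAG.search(log_line)
    if not m:
        return None
    info = m.groupdict()
    info["meaning"] = AD_BIND_SUBCODES.get(info["data"].lower(), "unknown sub-status")
    return info


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN into (type, value) pairs; a backslash escapes the next character."""
    rdns, buf, escaped = [], "", False
    for ch in dn:
        if escaped or ch == "\\":
            buf, escaped = buf + ch, not escaped
        elif ch == ",":
            rdns.append(buf)
            buf = ""
        else:
            buf += ch
    rdns.append(buf)
    return [(t.strip().lower(), v.strip()) for t, _, v in (r.strip().partition("=") for r in rdns)]


def bind_dn_mismatch(bind_dn: str, account_dn: str) -> List[str]:
    """RDNs that still differ after AD-style case folding.  OU=OPENKM vs OU=OpenKM
    disappears here; a differently spelt CN does not, which is what matters for a 52e."""
    norm = lambda dn: [(t, v.lower()) for t, v in parse_dn(dn)]
    a, b = norm(bind_dn), norm(account_dn)
    if len(a) != len(b):
        return [f"different depth: {len(a)} vs {len(b)} RDNs"]
    return [f"{ta}={va!r} vs {tb}={vb!r}" for (ta, va), (tb, vb) in zip(a, b) if (ta, va) != (tb, vb)]


def referral_risk(props: Dict[str, str]) -> Optional[str]:
    """Flag the combination behind 'Unprocessed Continuation Reference(s)': a search base at
    the domain root over 389/636 makes AD return referrals for the DomainDnsZones and
    ForestDnsZones partitions, which JNDI turns into PartialResultException unless
    java.naming.referral is 'follow'.  The global catalog ports 3268/3269 do not return them."""
    port = urlparse(props.get("principal.ldap.server", "")).port
    referral = props.get("principal.ldap.referral", "ignore").lower()
    root_bases = [v for k, v in props.items()
                  if k.endswith(".search.base") and all(t == "dc" for t, _ in parse_dn(v))]
    if root_bases and port not in (3268, 3269) and referral != "follow":
        return (f"{len(root_bases)} search base(s) at the domain root over port {port} with "
                f"referral={referral!r}: set principal.ldap.referral=follow, use port 3268, "
                "or narrow the base to an OU")
    return None


# Constructed from the first post: the failing log line and the relevant properties.
LOG_LINE = ("2018-03-08 14:30:00,847 [Thread-16] ERROR c.o.principal.LdapPrincipalAdapter - "
            "NamingException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, "
            "comment: AcceptSecurityContext error, data 52e, v3839 ]")
POSTED_PROPS = {
    "principal.ldap.server": "ldap://ReadOnlyDC:389",
    "principal.ldap.security.principal": "CN=openkmladp,OU=OPENKM,DC=BDB,DC=local",
    "principal.ldap.referral": "follow",
    "principal.ldap.user.search.base": "DC=BDB,DC=local",
    "principal.ldap.role.search.base": "DC=BDB,DC=local",
}
# ASSUMED: the post only says account 'openkmldap' is in OU=OpenKM.  Its CN is taken
# to equal that name; in AD the CN is often a display name rather than the
# sAMAccountName, so confirm the real DN (e.g. Get-ADUser openkmldap).
ACCOUNT_DN = "CN=openkmldap,OU=OpenKM,DC=BDB,DC=local"


def triage(props: Dict[str, str] = POSTED_PROPS, log_line: str = LOG_LINE,
           account_dn: str = ACCOUNT_DN) -> Dict[str, object]:
    """Run the three checks and return the findings."""
    return {"bind_error": decode_ad_bind_error(log_line),
            "dn_mismatch": bind_dn_mismatch(props["principal.ldap.security.principal"], account_dn),
            "referral": referral_risk(props)}


if __name__ == "__main__":
    for name, finding in triage().items():
        print(f"{name}: {finding}")
```

Run as-is to see the three findings against the posted data. Two points worth keeping in mind when reading the output: AD folds case when matching DNs, so OU=OPENKM against OU=OpenKM is harmless, while the CN must match the object's actual CN, which for an AD user is frequently its display name rather than its sAMAccountName. Where the CN is uncertain, AD also accepts the userPrincipalName (openkmldap@BDB.local) or DOMAIN\user as the simple-bind name, which sidesteps the DN spelling entirely.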
