OpenKM + Zimbra LDAP

jean
Fresh Boarder
Posts: 3
Joined: Thu Apr 14, 2011 3:23 pm

OpenKM + Zimbra LDAP

Post by jean » Thu Apr 14, 2011 4:40 pm

Hi!
I have been trying for three days to set up OpenKM with Zimbra but still have not found the correct filters. Has anyone come across this problem?
I am forwarding my settings:

OpenKM.cfg

Code:

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://XXX.XXX.XXX.XXX:389
principal.ldap.security.principal=uid=wiki,ou=people,dc=domain,dc=com,dc=br
principal.ldap.security.credentials=PaSSWoRD
principal.ldap.user.search.base=ou=people,dc=domain,dc=com,dc=br
principal.ldap.user.search.filter=(objectClass=zimbraAccount)
principal.ldap.user.attribute=uid
#principal.ldap.role.search.base=ou=groups,dc=domain,dc=com,dc=br     -----------> "groups" does not exist in ldap at this time
#principal.ldap.role.search.filter=(objectClass=posixGroup)    -----------> "posixGroup" does not exist in ldap at this time      
#principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn={0},ou=people,dc=domain,dc=com,dc=br
principal.ldap.mail.search.filter=(objectClass=organizationalPerson)
principal.ldap.mail.atribute=zimbraMailDeliveryAddress
system.login.lowercase=on
default/conf/login.xml

Code:

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
       <authentication>
        <login-module code= "org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name= "java.naming.provider.url">ldap://XXX.XXX.XXX.XXX:389</module-option>
        <module-option name= "bindDN">uid=wiki,ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name= "bindCredential">PaSSwORD</module-option>
        <module-option name= "baseCtxDN">ou=people,dc=domain,dc=com,dc=br</module-option>
        </login-module>
       </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
       <authentication>
...
Got this in server/default/logs:

Code:

2011-04-14 12:10:29,655 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added OpenKM, org.jboss.security.plugins.SecurityDomainContext@1e3f171 to map
2011-04-14 12:10:29,664 DEBUG [org.jboss.security.auth.spi.DatabaseServerLoginModule] Bad password for username=jean
In LDAP (From Zimbra):

Code:

zimbra@cerberus:~$ ldapsearch -h XXX.XXX.XXX.XXX -W -x -LL -D uid=wiki,ou=people,dc=domain,dc=com,dc=br uid=jean    
Enter LDAP Password: 
version: 1

dn: uid=jean,ou=people,dc=domain,dc=com,dc=br
mail: jean@domain.com.br
mail: sioux@domain.com.br
uid: jean
objectClass: organizationalPerson
objectClass: zimbraAccount
objectClass: amavisAccount
objectClass: posixAccount
objectClass: sambaSamAccount
sn: Carlos Coelho
givenName: Jean
cn: Jean Carlos Coelho
displayName: Jean Carlos Coelho

zimbra@cerberus:~$


Any suggestions?

Thank You! :)

jllort
Moderator
Posts: 10868
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: OpenKM + Zimbra LDAP

Post by jllort » Fri Apr 15, 2011 10:46 pm

LDAP integration has two parts: login, and after that some OpenKM.cfg parameters that are used to get some lists in the UI, or mail when the core sends mails to users.

Have you successfully integrated authentication in login-config.xml?

jean
Fresh Boarder
Posts: 3
Joined: Thu Apr 14, 2011 3:23 pm

Re: OpenKM + Zimbra LDAP

Post by jean » Tue Apr 19, 2011 10:08 pm

Well, after some days working on it... I found my partial solution... and here it is:

Zimbra Version:
Release 6.0.7_GA_2473.DEBIAN5 DEBIAN5 FOSS edition.

OpenKM Version:
OpenKM-5.0.4_JBoss-4.2.3.GA

------------------------

OpenKM.cfg

Code:

system.ghostscript.ps2pdf=/usr/bin/ps2pdf
system.openoffice.path=/usr/lib/openoffice
system.ocr=/usr/bin/tesseract
system.img2pdf=/usr/bin/convert
system.pdf2swf=/usr/bin/pdf2swf
system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
application.url=http://docs.domain.com.br/OpenKM/com.openkm.frontend.Main/index.jsp

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://XXX.XXX.XXX.XXX:389
principal.ldap.security.principal=uid=wiki,ou=people,dc=domain,dc=com,dc=br
principal.ldap.security.credentials=PaSSwoRD

principal.ldap.user.search.base=ou=people,dc=domain,dc=com,dc=br
principal.ldap.user.search.filter=(objectclass=organizationalPerson)
principal.ldap.user.attribute=uid

principal.ldap.mail.search.base=uid={0},ou=people,dc=domain,dc=com,dc=br
principal.ldap.mail.search.filter=(objectClass=organizationalPerson)
principal.ldap.mail.attribute=mail

principal.ldap.roles.by.user.search.base=uid={0},ou=people,dc=domain,dc=com,dc=br
principal.ldap.roles.by.user.search.filter=(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute=uid

login-config.xml

Code:

  <!-- OpenKM -->
    <application-policy name = "OpenKM">
       <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
        <module-option name="java.naming.provider.url">ldap://XXX.XXX.XXX.XXX:389</module-option>
        <module-option name="bindDN">uid=wiki,ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">PaSSwORD</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleRecursion">1</module-option>
        <module-option name="roleFilter">(memberUid={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="rolesCtxDN">ou=groups,dc=domain,dc=com,dc=br</module-option>
        <module-option name="defaultRole">UserRole</module-option>
        <module-option name="baseCtxDN">ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>
      </authentication>
    </application-policy>
Well... I can now log in to OpenKM, but get no UserRoles, and logging in with the admin user... has no admin functions (tab). If I set defaultRole in login-config.xml to AdminRole, all my users are now admin users; in this scenario I can review all the configuration in the web interface (all my users are admin users), and the configuration shows me usernames and emails... OK with LDAP, but no ROLES. Any clue? :)

The error in the console when I'm logging in with some user is:

Code:

2011-04-19 18:40:40,257 ERROR [STDERR] javax.naming.directory.InvalidSearchFilterException: Empty filter; remaining name ''
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.Filter.encodeFilterString(Filter.java:56)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.LdapClient.search(LdapClient.java:538)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.LdapCtx.doSearch(LdapCtx.java:1975)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1837)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1762)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:386)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:356)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:339)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:265)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.principal.LdapPrincipalAdapter.ldapSearch(LdapPrincipalAdapter.java:201)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.principal.LdapPrincipalAdapter.getRoles(LdapPrincipalAdapter.java:85)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.module.direct.DirectAuthModule.getRoles(DirectAuthModule.java:802)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.api.OKMAuth.getRoles(OKMAuth.java:143)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.openkm.frontend.server.OKMAuthServlet.getAllRoles(OKMAuthServlet.java:551)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at java.lang.reflect.Method.invoke(Method.java:616)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:188)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:224)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
2011-04-19 18:40:40,260 ERROR [STDERR] 	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)

Thanks!

pavila
Moderator
Posts: 3079
Joined: Tue Dec 11, 2007 6:02 pm
Location: Alicante, Spain

Re: OpenKM + Zimbra LDAP

Post by pavila » Wed Apr 20, 2011 7:22 am

Please, activate OpenKM debug log (http://wiki.openkm.com/index.php/Debugging_OpenKM) and post the log again. This is the required configuration:

Code:

<category name="com.openkm.principal">
   <priority value="DEBUG" />
</category>

jean
Fresh Boarder
Posts: 3
Joined: Thu Apr 14, 2011 3:23 pm

Re: OpenKM + Zimbra LDAP

Post by jean » Fri May 06, 2011 10:03 pm

Hello, after some time kicking the machine and trying several configurations, I got it working... but with some options disabled. Here's my scenario:

1) got all LDAP users able to log in at the OpenKM web UI, but no admin role is set for the admin LDAP user
2) then I set up login-config.xml to AdminRole and all users from LDAP now have admin powers (ALL USERS)
3) then I created all my folders and subfolders and added all my users with their permissions (recursive or not) to these folders
4) I set some users to have a "fake admin power" in the configuration of access level in the folders (rwx)
5) reconfigured login-config.xml to UserRole and all users are now ordinary users
6) access and privileges are OK and only some users have the power to edit or delete folders

... OK, now I've got it working, and I'm testing again...

Here's the final configuration files ;)

== OpenKM.cfg ==

Code:

postscript.ps2pdf=/usr/bin/ps2pdf
system.openoffice.path=/usr/lib/openoffice
system.ocr=/usr/bin/tesseract
system.img2pdf=/usr/bin/convert
system.pdf2swf=/usr/bin/pdf2swf
system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
application.url=http://docs.domain.com.br/OpenKM/com.openkm.frontend.Main/index.jsp

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://XXX.XXX.XXX.XXX:389
principal.ldap.security.principal=cn=config
principal.ldap.security.credentials=YOUR_LDAP_USER_PASSWORD

principal.ldap.user.search.base=ou=people,dc=domain,dc=com,dc=br
principal.ldap.user.search.filter=(objectclass=organizationalPerson)
principal.ldap.user.attribute=uid

principal.ldap.roles.by.user.search.base=ou=groups,dc=domain,dc=com,dc=br
principal.ldap.roles.by.user.search.filter=(objectClass=posixGroup)
principal.ldap.roles.by.user.attribute=cn

principal.ldap.mail.search.base=uid={0},ou=people,dc=domain,dc=com,dc=br
principal.ldap.mail.search.filter=(objectClass=organizationalPerson)
principal.ldap.mail.attribute=mail

chat.enabled=on
chat.autologin=on

default.user.role=UserRole
default.admin.role=AdminRole

== login-config.xml ==

Code:

    <!-- OpenKM -->
    <application-policy name = "OpenKM">
       <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
        <module-option name="java.naming.provider.url">ldap://XXX.XXX.XXX.XXX:389</module-option>
        <module-option name="bindDN">cn=config</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">YOUR_LDAP_USER_PASSWORD</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleRecursion">1</module-option>
        <module-option name="roleFilter">(memberUid={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="rolesCtxDN">ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name="defaultRole">UserRole</module-option>
        <module-option name="baseCtxDN">ou=people,dc=domain,dc=com,dc=br</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        </login-module>
       </authentication>
    </application-policy>

== Login Logs ==
with debug activated: server.log

Users:

Code:

2011-05-06 18:56:32,967 DEBUG [com.openkm.principal.LdapPrincipalAdapter] getUsers()
2011-05-06 18:56:32,990 DEBUG [com.openkm.principal.LdapPrincipalAdapter] ldapSearch(ldap://XXX.XXX.XXX.XXX:389, cn=config, LDAP_PASSWORD, ou=people,dc=domain,dc=com,dc=br, (objectclass=organizationalPerson), uid)
2011-05-06 18:56:33,028 DEBUG [com.openkm.principal.LdapPrincipalAdapter] ldapSearch: [admin, user1,user2,user3,user4]

Groups:

Code:

2011-05-06 18:56:33,060 DEBUG [com.openkm.principal.LdapPrincipalAdapter] getRolesByUser()
2011-05-06 18:56:33,089 DEBUG [com.openkm.principal.LdapPrincipalAdapter] ldapSearch(ldap://XXX.XXX.XXX.XXX:389, cn=config, LDAP_PASSWORD, ou=groups,dc=domain,dc=com,dc=br, (objectClass=posixGroup), cn)
2011-05-06 18:56:33,093 DEBUG [com.openkm.principal.LdapPrincipalAdapter] ldapSearch: [group1, group2, group3, group4]
2011-05-06 18:56:33,093 DEBUG [com.openkm.principal.LdapPrincipalAdapter] getRolesByUser: [group1,group2,group3,group4]

And here it is... not 100% but a working Integration of OpenKM and Zimbra Collaboration Suite. :)

jllort
Moderator
Posts: 10868
Joined: Fri Dec 21, 2007 11:23 am
Location: Sineu - ( Illes Balears ) - Spain

Re: OpenKM + Zimbra LDAP

Post by jllort » Sun May 08, 2011 10:24 am

I suggest removing <module-option name="defaultRole">UserRole</module-option> from your login-config.xml configuration, because it forces every user to have that role, and really, if login-config.xml is well configured, roles are obtained there without needing to force all users to have it. If you have this line, any user in LDAP, although they do not have UserRole in your LDAP, will be able to connect to OpenKM.

For starting, it is good to have <module-option name="defaultRole">UserRole</module-option> as a first configuration step, but then it should be removed and effort dedicated to the rest of the LDAP configuration in login-config.xml so that it extracts roles correctly too.

Tell me if this change of configuration is right.

When all is fine, I'd like to put the configuration parameters in the wiki. Tell me the Zimbra version where you've tested it. That could be useful to other users.
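
Added example (my own illustration, not OpenKM's LdapPrincipalAdapter or JBoss's LdapExtLoginModule code) that replays the searches from the final OpenKM.cfg and login-config.xml above against a small constructed directory shaped like the ldapsearch output in the first post. It shows the user and mail searches, the role lookup that login-config.xml drives, and the two things defaultRole hides in this thread: a user who belongs to no posixGroup still ends up with UserRole and can log in (jllort's point), and a rolesCtxDN of ou=people, as in the final login-config.xml, finds no groups at all because the posixGroup entries live under ou=groups. It also contrasts the roleFilter placeholders: as I read the JBoss LdapExtLoginModule documentation, {0} in roleFilter is replaced with the user name and {1} with the authenticated user DN, so (memberUid={1}) compares a full DN against memberUid values that hold a plain uid; the example treats that reading as an assumption and shows (memberUid={0}) beside it. The DIRECTORY entries, the PEOPLE and GROUPS constants and the function names are constructed for this example; the roles.by.user filter from the posted OpenKM.cfg is included as-is, and since it carries no user term it returns every posixGroup, which is what the posted debug log shows.

```python
import re

# Constructed sample directory in the shape of the ldapsearch output and the
# group layout (ou=groups, posixGroup/memberUid) discussed in this thread.
DIRECTORY = [
    {"dn": "uid=jean,ou=people,dc=domain,dc=com,dc=br",
     "objectClass": ["organizationalPerson", "zimbraAccount", "posixAccount"],
     "uid": ["jean"], "mail": ["jean@domain.com.br", "sioux@domain.com.br"]},
    {"dn": "uid=admin,ou=people,dc=domain,dc=com,dc=br",
     "objectClass": ["organizationalPerson", "zimbraAccount"],
     "uid": ["admin"], "mail": ["admin@domain.com.br"]},
    {"dn": "uid=guest,ou=people,dc=domain,dc=com,dc=br",  # member of no group
     "objectClass": ["organizationalPerson", "zimbraAccount"],
     "uid": ["guest"], "mail": ["guest@domain.com.br"]},
    {"dn": "cn=AdminRole,ou=groups,dc=domain,dc=com,dc=br",
     "objectClass": ["posixGroup"], "cn": ["AdminRole"], "memberUid": ["admin"]},
    {"dn": "cn=UserRole,ou=groups,dc=domain,dc=com,dc=br",
     "objectClass": ["posixGroup"], "cn": ["UserRole"], "memberUid": ["admin", "jean"]},
]

PEOPLE = "ou=people,dc=domain,dc=com,dc=br"   # constructed, as in the posts
GROUPS = "ou=groups,dc=domain,dc=com,dc=br"


def _get(entry, attr):
    """Case-insensitive attribute lookup: LDAP attribute names are not case
    sensitive, so (objectclass=...) and (objectClass=...) match the same."""
    for key, values in entry.items():
        if key.lower() == attr.lower():
            return values if isinstance(values, list) else [values]
    return []


def _split_terms(s):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'], honouring nesting."""
    terms, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                terms.append(s[start:i + 1])
    return terms


def matches(entry, flt):
    """Evaluate the filter subset the posted configs need: (attr=value) plus
    (&...) and (|...) conjunctions; values compare case-insensitively."""
    flt = flt.strip()
    if flt[:2] in ("(&", "(|"):
        results = [matches(entry, t) for t in _split_terms(flt[2:-1])]
        return all(results) if flt[1] == "&" else any(results)
    m = re.fullmatch(r"\((\w+)=([^()]*)\)", flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    return any(v.lower() == m.group(2).lower() for v in _get(entry, m.group(1)))


def ldap_search(base_dn, flt, attr, *args):
    """Shape of the ldapSearch(base, filter, attribute) call in the debug log:
    fill {0}/{1} placeholders in base and filter, keep entries under base_dn,
    return the requested attribute's values in directory order, no duplicates."""
    base_dn, flt = base_dn.format(*args), flt.format(*args)
    found = []
    for entry in DIRECTORY:
        if entry["dn"].lower().endswith(base_dn.lower()) and matches(entry, flt):
            for v in _get(entry, attr):
                if v not in found:
                    found.append(v)
    return found


def jboss_roles(uid, roles_ctx_dn, role_filter, default_role=None):
    """Roles LdapExtLoginModule would build from the posted options: roleFilter
    searched under rolesCtxDN, roleAttributeID=cn, and defaultRole (when set)
    added for every user that authenticates. Assumption (my reading of the JBoss
    docs): {0} is the input user name and {1} the authenticated user DN."""
    user_dn = "uid={0},".format(uid) + PEOPLE
    roles = ldap_search(roles_ctx_dn, role_filter, "cn", uid, user_dn)
    if default_role and default_role not in roles:
        roles.append(default_role)
    return roles


def openkm_roles_by_user(uid):
    """The posted OpenKM.cfg roles.by.user filter carries no user term, so it
    returns every posixGroup for every user, as the debug log shows."""
    return ldap_search(GROUPS, "(objectClass=posixGroup)", "cn", uid)


def can_login(roles):
    """Per jllort's note above: access depends on the user holding UserRole."""
    return "UserRole" in roles


if __name__ == "__main__":
    print("users:", ldap_search(PEOPLE, "(objectclass=organizationalPerson)", "uid"))
    for uid in ("admin", "jean", "guest"):
        print(uid, jboss_roles(uid, GROUPS, "(memberUid={0})"),
              jboss_roles(uid, GROUPS, "(memberUid={1})", "UserRole"))
```

Run it and compare the two columns per user: the first is what a correct role filter under ou=groups yields on its own, the second is what the posted options yield, where every user shows UserRole only because defaultRole supplied it. Removing defaultRole, as jllort suggests, makes a role lookup that finds nothing visible as a login failure instead of a silent grant.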
