LDAP Configuration Problem in OpenKM

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #17345  by madhav
 
Hi,

I configured LDAP in my OpenKM application. Authentication is working perfectly. But I can't get the roles and users from the Apache Directory Studio.

Please help me.
 #17360  by jllort
 
Which query are you using? Put here some screenshot to see better what you're doing.
 #17370  by madhav
 
Here I am sending my login-config.xml, my schema and the exception.

Schema
Code:
o=sevenSeas

dn: ou=groups,o=sevenSeas
dn: ou=people,o=sevenSeas
dn: ou=roles,o=sevenSeas

dn: cn=guestrole,ou=roles,o=sevenSeas
dn: cn=AdminRole,ou=roles,o=sevenSeas
dn: cn=UserRole,ou=roles,o=sevenSeas

dn: cn=Fletcher Christian,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: Fletcher Christian
sn: Christian
description: Lieutenant Fletcher Christian
givenname: Fletcher
mail: fchristi@royalnavy.mod.uk
manager: cn=William Bligh,ou=people,o=sevenSeas
uid: fchristi
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9
login-config.xml
Code:
<application-policy name="FAB66">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
         <module-option name="java.naming.provider.url">ldap://xx.xx.xx.xx:10389/</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">uid=admin,ou=system</module-option>
         <module-option name="bindCredential">secret</module-option>
         <module-option name="baseCtxDN">ou=people,o=sevenSeas</module-option>
         <module-option name="baseFilter">(uid={0})</module-option>
         <module-option name="rolesCtxDN">ou=groups,o=sevenSeas</module-option>
         <module-option name="roleFilter">(uniqueMember={1})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
         <module-option name="roleRecursion">-1</module-option>
         <module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
         <module-option name="principal.ldap.referral">manual</module-option>
         <!-- <module-option name="defaultRole">UserRole</module-option> -->
      </login-module>
   </authentication>
</application-policy>
Exception
Code:
javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
	at javax.naming.InitialContext.init(Unknown Source)
	at javax.naming.InitialContext.<init>(Unknown Source)
	at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
	at com.fab66.principal.LdapPrincipalAdapter.ldapSearch(LdapPrincipalAdapter.java:205)
	at com.fab66.principal.LdapPrincipalAdapter.getRoles(LdapPrincipalAdapter.java:85)
	at com.fab66.servlet.frontend.PendingTask_Number.doPost(PendingTask_Number.java:68)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Unknown Source)
 #17378  by jllort
 
Curious: your application-policy name <application-policy name="FAB66"> should be named "OpenKM". Are you sure you're really logging in with LDAP?

I'll assume all users are under ou=people,o=sevenSeas and all roles under ou=roles,o=sevenSeas (otherwise some changes will be needed).

You should go to OpenKM administration configuration -> configuration parameters http://wiki.openkm.com/index.php/Configuration_view

Then enable the LDAP principal adapter (that is the only one which needs restarting the OpenKM service):
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
If your LDAP is not case sensitive, like Microsoft Active Directory, you should force all ids to be lowercase (I think this is not your case).
Code:
system.login.lowercase=on
Then, for example, configure it to get the list of all users in administration (I'm not sure about your user search filter; the idea is to get all nodes with some property. In Active Directory it is (objectclass=person), but in your LDAP it could be inetOrgPerson or organizationalPerson too).
Code:
principal.ldap.user.search.base=ou=people,o=sevenSeas
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=uid
Then get roles (I have not seen all group properties in your post, but the normal filter is):
Code:
principal.ldap.role.search.base=ou=roles,o=sevenSeas
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
That is for getting mail:
Code:
principal.ldap.mail.search.base=ou=people,o=sevenSeas
principal.ldap.mail.search.filter=(&(objectclass=person)(uid={0}))
principal.ldap.mail.attribute=mail
Users by roles (I'm not sure about the member attribute; you should take a look at your real LDAP configuration):
Code:
principal.ldap.users.by.role.search.base=cn={0},ou=roles,o=sevenSeas
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
Other filter:
Code:
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(uid={0}))
etc.

I think with this you get the idea.
 #17385  by madhav
 
I am getting the exception.
The exception is:
Code:
javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at com.fab66.principal.LdapPrincipalAdapter.ldapSearch(LdapPrincipalAdapter.java:205)
at com.fab66.principal.LdapPrincipalAdapter.getRoles(LdapPrincipalAdapter.java:85)
at com.fab66.servlet.frontend.PendingTask_Number.doPost(PendingTask_Number.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Unknown Source)
Here I am sending my LDAP sample schema.
Code:
version: 1

dn: o=sevenSeas
objectClass: top
objectClass: organization
o: sevenSeas

dn: ou=groups,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: groups
description: Contains entries which describe groups (crews, for instance)

dn: ou=people,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: people
description: Contains entries which describe persons (seamen)


dn: ou=roles,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: roles

dn: cn=AdminRole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: AdminRole
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=okmAdmin,ou=people,o=sevenSeas
uniqueMember: cn=madhav,ou=people,o=sevenSeas
uniqueMember: cn=prasanna,ou=people,o=sevenSeas

dn: cn=guestrole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: guestrole
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=UserRole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: UserRole
uniqueMember: cn=John Fryer,ou=people,o=sevenSeas
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=pratik,ou=people,o=sevenSeas
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=William Bligh,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: William Bligh
sn: Bligh
description: Captain William Bligh
givenname: William
mail: wbligh@royalnavy.mod.uk
uid: wbligh
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9

dn: cn=William Bush,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: William Bush
sn: Bush
description: Lt. William Bush
givenname: William
mail: wbush@royalnavy.mod.uk
manager: cn=Horatio Hornblower,ou=people,o=sevenSeas
uid: wbush
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9

My cfg file is:
Code:
system.login.lowercase=on
principal.adapter=com.fab66.principal.LdapPrincipalAdapter
 
principal.ldap.server=ldap://192.168.104.75:10389/
principal.ldap.security.principal=uid=admin,ou=system
principal.ldap.security.credentials=secret

principal.ldap.role.search.base=ou=roles,o=sevenSeas
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.user.search.base=ou=people,o=sevenSeas
principal.ldap.user.search.filter=(objectclass=inetOrgPerson)
principal.ldap.user.attribute=uid

principal.ldap.mail.search.base=ou=people,o=sevenSeas
principal.ldap.mail.search.filter=(&(objectclass=inetOrgPerson)(uid={0}))
principal.ldap.mail.attribute=mail

My login-config.xml:
Code:
<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
         <module-option name="java.naming.provider.url">ldap://192.xx.xx.xx:10389/</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">uid=admin,ou=system</module-option>
         <module-option name="bindCredential">secret</module-option>
         <module-option name="baseCtxDN">ou=people,o=sevenSeas</module-option>
         <module-option name="baseFilter">(uid={0})</module-option>
         <module-option name="rolesCtxDN">ou=roles,o=sevenSeas</module-option>
         <module-option name="roleFilter">(uniqueMember={1})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
         <module-option name="roleRecursion">-1</module-option>
         <module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
         <module-option name="referral">follow</module-option>
         <!-- <module-option name="defaultRole">UserRole</module-option> -->
      </login-module>
   </authentication>
</application-policy>
 #17389  by jllort
 
Have you logged into OpenKM (and then got some error), or really have you not passed the login page? First we should concentrate on login-config.xml; that's the phase to pass the login page. After it, concentrate on the other parameters; now they are not relevant if we have not passed it.

Is it correct? Should it not be something like cn=William Bush,ou=people,o=sevenSeas?
Code:
<module-option name="bindDN">uid=admin,ou=system</module-option>
 #17390  by madhav
 
There is no problem for the authentication purpose. After logging into OpenKM I am getting the roles from the database, not from the LDAP.
 #17395  by michaeled
 
madhav wrote: There is no problem for the authentication purpose. After logging into OpenKM I am getting the roles from the database, not from the LDAP.
What makes you say that?
If you remove the user from a group, can he still access the resource limited to this group?
 #17399  by madhav
 
Previously I used the database values for the authentication purpose, the list of roles and users.

Instead of the database, now I am using Apache Directory Studio for the authentication purpose and for getting the list of roles and users.
Authentication is done. After logging into OpenKM I am not getting the LDAP roles and users, but I am wrongly getting the database roles and users. Tell me how I could get the LDAP roles and users from the LDAP server in OpenKM.
 #17408  by jllort
 
I suggest you delete all values in OKM_USERS and OKM_ROLES (I think some values in other tables should be removed too). Before doing it, take a look at the okmAdmin values to back them up (if you need to restore).

If your Apache Studio queries are right, you should simply copy them in:
Code:
principal.ldap.role.search.base=ou=roles,o=sevenSeas
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
etc. There's no mystery in it.

Ensure you have principal.adapter=com.fab66.principal.LdapPrincipalAdapter set correctly and that you have restarted the application.
 #17411  by madhav
 
I deleted the okm_user and okm_role values from the database; after that I restarted my application. I see no roles listed to filter my user list, and no roles listed when I go into the Roles link. I'm attaching screenshots that should make it clear what I'm describing.
Attachments: role list.png and user list.png (screenshots of the role list and user list pages)
 #17427  by jllort
 
Concentrate only on getting the user list.

Ensure you have correctly written these parameters:
Code:
principal.ldap.referral=follow
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
These are the parameters you need to get the user list; only work on it.
Code:
principal.ldap.server=ldap://192.168.104.75:10389/
principal.ldap.security.principal=uid=admin,ou=system
principal.ldap.security.credentials=secret
 
principal.ldap.user.search.base=
principal.ldap.user.search.filter=
principal.ldap.user.attribute=
 #18550  by madhav
 
Hi,

I am getting the roles in the roles list from the Active Directory, but I am not getting roles in the user list page.
Attachment: roles_problem.JPG (Roles Problem in the User page)
Here I am sending my ldif file also. Please give me a solution.
Code:
version: 1

dn: o=sevenSeas
objectClass: top
objectClass: organization
o: sevenSeas

dn: ou=groups,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: groups
description: Contains entries which describe groups (crews, for instance)

dn: ou=people,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: people
description: Contains entries which describe persons (seamen)


dn: ou=roles,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: roles

dn: cn=AdminRole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: AdminRole
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=okmAdmin,ou=people,o=sevenSeas
uniqueMember: cn=madhav,ou=people,o=sevenSeas
uniqueMember: cn=prasanna,ou=people,o=sevenSeas

dn: cn=guestrole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: guestrole
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=UserRole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: UserRole
uniqueMember: cn=John Fryer,ou=people,o=sevenSeas
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=pratik,ou=people,o=sevenSeas
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=William Bligh,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: William Bligh
sn: Bligh
description: Captain William Bligh
givenname: William
mail: wbligh@royalnavy.mod.uk
uid: wbligh
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9

dn: cn=William Bush,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: William Bush
sn: Bush
description: Lt. William Bush
givenname: William
mail: wbush@royalnavy.mod.uk
manager: cn=Horatio Hornblower,ou=people,o=sevenSeas
uid: wbush
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9
 #18566  by jllort
 
Now you should concentrate on getting roles.by.user:
principal.ldap.roles.by.user.search.base=o=sevenSeas
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf
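The parameter sets traded in this thread (jllort's principal.ldap.* suggestions, madhav's cfg and the posted LDIF) can be checked offline before restarting the server. The following Python script is an added example, not OpenKM's code nor anything the posters wrote: it parses a trimmed copy of the posted LDIF (a constructed sample with passwords omitted), evaluates a small subset of LDAP search filters, and reports what each search.base / search.filter / attribute triple would return. It assumes, as a labelled assumption, that OpenKM runs each principal.ldap.*.search triple as a subtree search with {0} substituted into base and filter and returns the named attribute's values; parse_ldif, parse_filter, search, roles_by_user and check_thread_parameters are hypothetical helper names. Against this directory it shows that (objectclass=group), sAMAccountName and memberOf are Active Directory conventions that match nothing in a groupOfUniqueNames schema, so the role searches need objectclass=groupOfUniqueNames and a roles-by-user lookup has to go through uniqueMember.

```python
"""Offline check of OpenKM-style principal.ldap.* search parameters against an LDIF export.
Hypothetical helper (not OpenKM code): parses LDIF, evaluates a subset of RFC 4515 filters
and reports what each configured search.base / search.filter / attribute triple would return."""
import re

# Constructed sample: trimmed subset of the LDIF posted in the thread (passwords omitted).
SAMPLE_LDIF = """\
dn: cn=AdminRole,ou=roles,o=sevenSeas
objectClass: groupOfUniqueNames
cn: AdminRole
uniqueMember: cn=William Bush,ou=people,o=sevenSeas

dn: cn=UserRole,ou=roles,o=sevenSeas
objectClass: groupOfUniqueNames
cn: UserRole
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=William Bush,ou=people,o=sevenSeas
objectClass: inetOrgPerson
cn: William Bush
mail: wbush@royalnavy.mod.uk
uid: wbush
"""

def parse_ldif(text):
    """Return {dn: {attr_lower: [values]}}; base64 ('::') values are kept as opaque strings."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.lstrip(": "))
        if "dn" in attrs:
            entries[attrs.pop("dn")[0]] = attrs
    return entries

def parse_filter(s):
    """Parse (attr=value), (attr=*) and (&(...)(...)) into a tuple tree."""
    body = s.strip()[1:-1]
    if body[0] == "&":
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body):  # split top-level children by paren depth
            if ch == "(":
                start = i if depth == 0 else start
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return ("&", children)
    attr, _, value = body.partition("=")
    return ("=", attr.strip().lower(), value)

def matches(node, attrs):
    """Evaluate a parsed filter; equality is case-insensitive, as for most LDAP syntaxes."""
    if node[0] == "&":
        return all(matches(c, attrs) for c in node[1])
    values = attrs.get(node[1], [])
    return bool(values) if node[2] == "*" else any(v.lower() == node[2].lower() for v in values)

def search(entries, base, filt, attribute, *args):
    """Subtree search under base with {0} substituted into base and filter (assumed to be how
    a principal.ldap.*.search.base/filter/attribute triple is used); "dn" returns the entry DN."""
    base, filt = base.format(*args).lower(), filt.format(*args)
    node = parse_filter(filt)
    return [v for dn, attrs in entries.items()
            if (dn.lower() == base or dn.lower().endswith("," + base)) and matches(node, attrs)
            for v in ([dn] if attribute == "dn" else attrs.get(attribute.lower(), []))]

def roles_by_user(entries, uid):
    """groupOfUniqueNames schemas carry no memberOf: resolve the user's DN, then list the roles
    whose uniqueMember names it (hypothetical two-step equivalent of the AD memberOf lookup)."""
    roles = []
    for dn in search(entries, "ou=people,o=sevenSeas", "(uid={0})", "dn", uid):
        roles += search(entries, "ou=roles,o=sevenSeas",
                        "(&(objectclass=groupOfUniqueNames)(uniqueMember={0}))", "cn", dn)
    return roles

def check_thread_parameters(entries):
    """Run the searches discussed in the thread and return what each would yield."""
    people, roles = "ou=people,o=sevenSeas", "ou=roles,o=sevenSeas"
    return {
        "users": search(entries, people, "(objectclass=inetOrgPerson)", "uid"),
        "roles_as_posted": search(entries, roles, "(objectclass=group)", "cn"),  # AD class
        "roles_groupOfUniqueNames": search(entries, roles, "(objectclass=groupOfUniqueNames)", "cn"),
        "mail": search(entries, people, "(&(objectclass=inetOrgPerson)(uid={0}))", "mail", "wbush"),
        "roles_by_user_memberOf": search(entries, "o=sevenSeas",
                                         "(&(objectclass=person)(sAMAccountName={0}))", "memberOf", "wbush"),
        "roles_by_user_uniqueMember": roles_by_user(entries, "wbush"),
        "users_by_role_member": search(entries, "cn={0}," + roles,
                                       "(objectclass=groupOfUniqueNames)", "member", "UserRole"),
        "users_by_role_uniqueMember": search(entries, "cn={0}," + roles,
                                             "(objectclass=groupOfUniqueNames)", "uniqueMember", "UserRole"),
    }

if __name__ == "__main__":
    for name, found in check_thread_parameters(parse_ldif(SAMPLE_LDIF)).items():
        print("%-28s -> %s" % (name, found))
```

Run it directly to print each result, then substitute your own LDIF export and parameter values to see what a search would return before restarting OpenKM. Note also that uniqueMember values in this schema are full DNs rather than uids, which matters when a users.by.role attribute has to be mapped back to login names.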
