OpenKM Active Directory Errors

[Khris]

I'm slowly making some progress with getting OpenKM authenticating through our Active Directory server, but am now getting an error msg and I'm not sure which way I need to go or where I need to look.

OpenKM.cfg

Code: Select all

#system.ocr=/usr/bin/tesseract
system.openoffice.path=C:\\Program Files\\OpenOffice.org 3
system.openoffice.port=8100
system.img2pdf=C:\\ImageMagick-6.6.9-Q16\\convert.exe
system.pdf2swf=C:\\SWFTools\\pdf2swf.exe
#system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
application.url=http://s6bdoc01/OpenKM/com.openkm.frontend.Main/index.jsp

principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://192.168.200.31
principal.ldap.security.principal=LDAP@***.net
principal.ldap.security.credentials=***************
principal.ldap.user.search.base=dc=***,dc=net
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.atribute=cn
principal.ldap.role.search.base=OU=OpenKM,dc=***,dc=net
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.atribute=cn
principal.ldap.mail.search.base=cn={0},dc=***,dc=net
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.atribute=mail

login-config.xml

Code: Select all

<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" > 
        <module-option name="java.naming.provider.url">ldap://192.168.200.31</module-option> 
        <module-option name="bindDN">LDAP@***.net</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">***************</module-option>
        <module-option name="baseCtxDN">dc=***,dc=net</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">OU=OpenKM,dc=***,dc=net</module-option>
        <module-option name="roleFilter">(member={1})</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleRecursion">2</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        <module-option name="defaultRole">UserRole</module-option>
      </login-module> 
     </authentication>
   </application-policy>

</policy>

For now, I have both UserRole and AdminRole groups created in AD which my login a member of the AdminRole group.

I get the following error when I login. None of the menu items show up and I can't do anything at all.

OpenKMError.png (9.38 KiB) Viewed 9748 times

Any suggestions, or something I missed?

Thanks
Chris

[jllort]

Remove it from login-con.xml, you're not interesting in setting all users the UserRole.

Code: Select all

<module-option name="defaultRole">UserRole</module-option>

Confirm if after removing it you can continue login ?

[Khris]

I removed the line as you said from login-con.xml, however I still get the same error that comes up after logging in. (I did restart jboss after making the change) My credentials are being accepted, but that's as far as I can get.

Here is a screenshot to show everything. Notice, none of the controls are showing up either.

[jllort]

The principal adapter name is wrong

Code: Select all

principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter

must be

Code: Select all

principal.adapter=com.openkm.principal.LdapPrincipalAdapter

[Khris]

Thank you! I'm so close it hurts now! One last error.

server.log

Code: Select all

2011-04-14 11:39:11,397 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/OpenKM]] Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.openkm.frontend.client.bean.GWTWorkspace com.openkm.frontend.client.service.OKMWorkspaceService.getUserWorkspace() throws com.openkm.frontend.client.OKMException' threw an unexpected exception: java.lang.NullPointerException
	at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:378)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:581)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:188)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:224)
	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Unknown Source)
Caused by: java.lang.NullPointerException
	at java.text.MessageFormat.applyPattern(Unknown Source)
	at java.text.MessageFormat.<init>(Unknown Source)
	at java.text.MessageFormat.format(Unknown Source)
	at com.openkm.principal.LdapPrincipalAdapter.getRolesByUser(LdapPrincipalAdapter.java:160)
	at com.openkm.module.direct.DirectAuthModule.getRolesByUser(DirectAuthModule.java:836)
	at com.openkm.api.OKMAuth.getRolesByUser(OKMAuth.java:161)
	at com.openkm.frontend.server.OKMWorkspaceServlet.getUserWorkspace(OKMWorkspaceServlet.java:301)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
	at java.lang.reflect.Method.invoke(Unknown Source)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562)

[jllort]

That's because in version 5.0.4 we've added new properties to get roles by user and users by roles

Starting with OpenKM 5.0.4 we added more "users by role" and "roles by user" configuration properties:

Code: Select all

principal.ldap.users.by.role.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
 
principal.ldap.roles.by.user.search.base=cn={0},cn=users,dc=weyler,dc=local
principal.ldap.roles.by.user.search.filter=(objectClass=person) 
principal.ldap.roles.by.user.attribute=memberOf

[Khris]

Thank you again. I've added those lines to my config file and can get logged in!

When I go into the Admin side and then into the user list, I get the following. Suggestions?

[jllort]

That's a very strange user name, seems something is wrong there must appearing the ldap account name

[Khris]

All of the usernames show up like that. Any ideas?

[Khris]

If I can't get this figured out, I'm going to have to look for another piece of software. I do think OpenKM is exactly what we're looking for, but if I can't get it working, it's useless to me.

[jllort]

The problem must be here:

Code: Select all

principal.ldap.user.search.base=dc=***,dc=net
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.atribute=cn

you could try changing cn to sAMAccountName on principal.ldap.user.atribute

Be sure, that ldap integration runs correctly, we've made several installations to our customers with ldap ( active directory ), some has been more easy than others.

[Khris]

Unfortunately that didn't make any difference, and I have to give up and find something that works.

Thank you for all of the help you've provided, it has been appreciated.

[pavila]

Here you have a little command line utility to test the LDAP configuration parameters. Is designed to work with the new OpenKM 5.1.x release, but the configuration parameters are the same, except some addition to improve the getUsersByRole and getRolesByUsers actions. See wiki for more info on this.

[Khris]

Ok, I'm giving this one more try because I truly feel that OpenKM is going to be the best solution out of all the ones I've tested.

Here is the output from the OpenKM-Ldap.jar file when trying to do a user search. I'm assuming the "null" settings are the problem, but not sure what I need to do to fix that.

Config output from OpenKM-Ldap

Code: Select all

===== CONFIGURATION =====
principal.ldap.mail.attribute = null
principal.ldap.mail.search.base = cn={0},dc=***,dc=net
principal.ldap.mail.search.filter = (objectclass=person)
principal.ldap.role.attribute = null
principal.ldap.role.search.base = OU=OpenKM,dc=***,dc=net
principal.ldap.role.search.filter = (objectclass=group)
principal.ldap.roles.by.user.attribute = memberOf
principal.ldap.roles.by.user.search.base = cn={0},dc=***,dc=net
principal.ldap.roles.by.user.search.filter = (objectClass=person)
principal.ldap.security.credentials = ******************
principal.ldap.security.principal = CN=LDAP,OU=OTRS,DC=***,DC=net
principal.ldap.server = ldap://192.168.100.31
principal.ldap.user.attribute = null
principal.ldap.user.search.base = dc=***,dc=net
principal.ldap.user.search.filter = (objectclass=person)
principal.ldap.users.by.role.attribute = member
principal.ldap.users.by.role.search.base = cn={0},dc=***,dc=net
principal.ldap.users.by.role.search.filter = (objectclass=group)
====== ===== ===== ======

OpenKM.cfg file

Code: Select all

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://192.168.100.31
principal.ldap.security.principal=CN=LDAP,OU=OTRS,DC=***,DC=net
principal.ldap.security.credentials=******************
principal.ldap.user.search.base=dc=***,dc=net
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.atribute=cn
principal.ldap.role.search.base=OU=OpenKM,dc=***,dc=net
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.atribute=cn
principal.ldap.mail.search.base=cn={0},dc=***,dc=net
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.atribute=mail

principal.ldap.users.by.role.search.base=cn={0},dc=***,dc=net
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=cn={0},dc=***,dc=net
principal.ldap.roles.by.user.search.filter=(objectClass=person)
principal.ldap.roles.by.user.attribute=memberOf

Suggestions anyone??

[Khris]

Ok.....so I've modeled my OpenKM.cfg and login-config.xml files after the user who made this post: http://forum.openkm.com/viewtopic.php?f=4&t=5146

I've also used the LDAP java test utility and this configuration fully works.

I can get past the first authentication screen (so I know that login-config.xml is working), but then as soon as I see "Loading User Values" in the "Loading OpenKM" window, I get another box that comes up says "Error when communicating with server (getUserWorkspace)".

*sigh*