• OpenKM+OpenLDAP - Error getting user workspace

 #11200  by ldavim
 
Hello, I'm currently evaluating multiple DMSs to use in my company.
OpenKM looks exactly like what I'm looking for but I can't get it to work with my LDAP server.
I've read several posts in this forum and looked in the wiki.

Here is my problem:
First, my LDAP schema does not have a memberOf attribute in the user objects; I've worked around this problem by reading this thread: http://forum.openkm.com/viewtopic.php?f=4&t=4999
I think it is redundant to have config options to get roles by users and users by roles. I'm also testing KnowledgeTree and it gets this information from my schema without any problems...
However the real problem is that after logging in with an LDAP user I get an error message saying "Error when communication with server (getUserWorkspace)"

I've been trying to solve this error for 2 days and I'm about to give up on OpenKM, which is a shame since it looks very promising :(

I've also tested my LDAP configuration with the jar from this thread http://forum.openkm.com/viewtopic.php?f ... 8&start=15 and it seems to be working fine.

BTW, I'm using OpenKM-5.1.5_JBoss-4.2.3.GA on an Ubuntu 10.04.2 LTS.

I'm attaching to this post a screenshot of the error message, the trace of the error and my config files (OpenKM.cfg and /server/default/login-config.xml) in a zip file.

Any help will be appreciated :)
Best regards,
Luis Davim
 #11218  by jllort
 
The error is not in your login-config.xml; the error is in the OpenKM.cfg properties, you must configure them correctly.

The error in WorkspaceServlet line 315 is in getting roles by user name:
Caused by: java.lang.NullPointerException
at com.openkm.servlet.frontend.WorkspaceServlet.getUserWorkspace(WorkspaceServlet.java:315)

The error must be in some of these properties, concentrate on them (they can now be changed on the fly in the administration tab ... I suppose you're using version 5.1.x? After being loaded the first time from OpenKM.cfg they are stored in the DBMS and will not be read again; you must change them in the administration view).
Code:
principal.ldap.users.by.role.search.filter=(&(objectClass=group)(cn={0}))
principal.ldap.roles.by.user.search.filter=(&(objectClass=group)(cn={0}))
 #11228  by ldavim
 
Thank you for the reply.

These options are correct; I've tested them with a jar file I found in this forum.
Code:
principal.ldap.users.by.role.search.base=ou=people,dc=mydomain,dc=com
principal.ldap.users.by.role.search.filter=(&(accountstatus=active))
principal.ldap.users.by.role.attribute=uid

principal.ldap.roles.by.user.search.base=ou=groups,dc=mydomain,dc=com
principal.ldap.roles.by.user.search.filter=(&(objectclass=posixGroup)(!(description=Dynamic*)))
principal.ldap.roles.by.user.attribute=cn

You are saying that the OpenKM.cfg is only read once and then the configs are stored in and read from the DB??
With my current configuration I do not have access to the administration tab...

and I find it much easier to configure from the conf files than from the web interface...
 #11229  by ldavim
 
I've got it working.

I had to reset my login-config.xml to the "factory" settings, log in with the default administrator user account, configure the LDAP settings in the administration tab (which takes a lot more time than configuring in the cfg file), change the login-config.xml back to my settings and log in with my LDAP user...

Now I have a problem: as I've mentioned before, my LDAP schema does not have a memberOf attribute in the user object, so I have to cheat the config of get.roles.by.user and get.users.by.role. The problem is that this way all of my users have the same roles...

Do you really need to have a roles-by-user and users-by-roles? Why not just use users-by-roles? I believe that only the MS AD schema has the memberOf attribute.
Last edited by ldavim on Mon Jun 06, 2011 2:14 pm, edited 2 times in total.
 #11231  by ldavim
 
I've finally found a fully working workaround for the memberOf issue, using LDAP queries:
Code:
principal.ldap.users.by.role.search.filter=(&(objectclass=posixGroup)(!(description=Dynamic*))(cn=*{0}*))
principal.ldap.users.by.role.attribute=memberUid

principal.ldap.roles.by.user.search.filter=(&(objectclass=posixGroup)(!(description=Dynamic*))(memberUid=*{0}*))
principal.ldap.roles.by.user.attribute=cn
Now how do I make the members of the LDAP group "sysadmin" administrators of OpenKM?

If I change the default.admin.role to "sysadmin", when trying to log in I get an error saying:
Code:
HTTP Status 403 - Access to the requested resource has been denied
But before that I could list the users and roles and confirmed that my user was in that role.
Last edited by ldavim on Mon Jun 06, 2011 2:09 pm, edited 1 time in total.
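
The `(memberUid=*{0}*)` filter in post #11231 is a substring match, so a login name that occurs inside another member's uid is also given that group's role. The sketch below is an added example (not from the thread and not OpenKM's code) that models the match in memory over constructed groups, assuming `{0}` is simply replaced by the login name; it compares the substring form with an exact `(memberUid={0})` match and with RFC 4515 escaping of the value.

```python
import re

# Constructed sample data: posixGroup entries as cn -> memberUid values.
GROUPS = {
    "sysadmin": ["ana"],
    "staff": ["ana", "joana", "rui"],
    "interns": ["anabela"],
}

def escape_filter_value(value):
    """Escape the RFC 4515 special characters so the value matches literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def assertion_to_regex(assertion):
    """Compile the value side of (memberUid=<assertion>): a bare '*' is a
    wildcard, '\\xx' is one literal character, anything else is literal."""
    pattern, i = "", 0
    while i < len(assertion):
        ch = assertion[i]
        if ch == "*":
            pattern += ".*"
        elif ch == "\\":
            pattern += re.escape(chr(int(assertion[i + 1:i + 3], 16)))
            i += 2
        else:
            pattern += re.escape(ch)
        i += 1
    return re.compile(pattern, re.DOTALL)

def roles_for_user(template, uid, escape=True):
    """Return the cn of every group whose memberUid matches the template
    after {0} is replaced by the login name (assumed substitution rule)."""
    value = escape_filter_value(uid) if escape else uid
    rx = assertion_to_regex(template.replace("{0}", value))
    return sorted(cn for cn, members in GROUPS.items()
                  if any(rx.fullmatch(m) for m in members))

if __name__ == "__main__":
    # Substring template from the thread: "ana" also picks up "interns",
    # because "anabela" contains "ana".
    print(roles_for_user("*{0}*", "ana"))
    # Exact match returns only the groups that list "ana" as a member.
    print(roles_for_user("{0}", "ana"))
    # An unescaped "*" as login name matches every group; escaped, none.
    print(roles_for_user("{0}", "*", escape=False))
    print(roles_for_user("{0}", "*"))
```

The same over-match applies to the `(cn=*{0}*)` users-by-role filter, where a role name contained in another group's cn selects that group's members as well.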
 #11233  by ldavim
 
I found the solution, I had to force the default role in the login-config.xml:
Code:
<module-option name="defaultRole">UserRole</module-option>
It seems that in the login phase OpenKM cannot see my roles; however, after logging in I get the correct roles and I'm seen as an Administrator (as I should)...
 #11273  by jllort
 
That's not a good option; it indicates that in your login-config.xml roles are not read correctly. If it was reading them, UserRole or AdminRole assigned to your LDAP users would be enough; with this configuration any user in LDAP has by default grants to access OpenKM. I suggest concentrating on login-config.xml getting roles ... something is wrong there.
