• Error communicating with the server (getUserWorkspace)

 #12367  by sagar
 
Thanks, I've used the tool to test my configuration and I've corrected some configurations, and all the queries are getting the correct data now.

The problem is that when I use the same configuration in the application (using the administration tab) and try to log in, the user gets the default role from login-config.xml regardless of the role he has in the AD.
The logs show:
Principal: Roles(members:UserRole)
and if I comment out the default role line in login-config.xml:
Principal: Roles(members:)


Which query is responsible for assigning the role to the user? Is the UserRole mandatory for all users, even admins?

Thanks & regards,
Sagar
 #12391  by jllort
 
The query which assigns roles to users is in login-config.xml; the wiki example assumes the role is a node present in the user.

This <module-option name="defaultRole">UserRole</module-option> must be removed, because otherwise any user will have UserRole by default, and it's better for it to be assigned by LDAP.
 #12402  by sagar
 
Hi,

This is the login-config.xml I'm using:
<authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://***</module-option>
      <module-option name="bindDN">CN=***,CN=Users,DC=***,DC=com</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">***</module-option>
      <module-option name="baseCtxDN">CN=Users,dc=***,dc=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,dc=***,dc=com</module-option>
      <module-option name="roleFilter">(cn={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
<!--      <module-option name="defaultRole">UserRole</module-option>  -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
You can see I have commented out the default role line, and when we log in I get the JBoss 403 error page.

Both the users and roles are under the Users CN in AD. Is there something I need to correct in this configuration?
 #12408  by sagar
 
Hi,

I got it to work. I think I have missed some lines in the login-config.xml:
     <module-option name="java.naming.provider.url">ldap://***</module-option>
      <module-option name="bindDN">CN=***,CN=Users,DC=***,DC=com</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">***</module-option>
      <module-option name="baseCtxDN">CN=Users,dc=***,dc=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,dc=***,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
<!--      <module-option name="defaultRole">UserRole</module-option> -->
      <module-option name="allowEmptyPasswords">false</module-option>

Thank you all for your kind help especially pavila for the nice tool to test the configuration.

Regards,
Sagar
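
The difference between the two configurations posted above, as an added example that is not part of the original thread and is not JBoss or OpenKM code: a simplified model of how LdapExtLoginModule expands roleFilter, where {0} is the login name and {1} is the authenticated user's DN. The directory entries, DNs and the helper names (in_scope, resolve_roles) are constructed for illustration, and roleRecursion is not modelled.

```python
# Simplified model of LdapExtLoginModule role lookup. Constructed data, not JBoss code.
# Assumption: DNs contain no escaped commas; roleRecursion is not modelled.
BASE = "CN=Users,DC=example,DC=com"            # rolesCtxDN (constructed)
USER_DN = "CN=alice," + BASE                   # DN found by baseFilter (constructed)

# Constructed group entries: DN -> attributes.
DIRECTORY = {
    "CN=AdminRole," + BASE: {"cn": ["AdminRole"], "member": [USER_DN]},
    "CN=UserRole," + BASE: {"cn": ["UserRole"], "member": []},
    "CN=Auditors,OU=Nested," + BASE: {"cn": ["Auditors"], "member": [USER_DN]},
}


def in_scope(entry_dn, base_dn, scope):
    """ONELEVEL_SCOPE: direct children of base; SUBTREE_SCOPE: anything below base."""
    if not entry_dn.lower().endswith("," + base_dn.lower()):
        return False
    relative = entry_dn[: -(len(base_dn) + 1)]
    return scope == "SUBTREE_SCOPE" or "," not in relative


def resolve_roles(login, user_dn, role_filter, scope, default_role=None):
    """Roles assigned for a simple (attr=value) roleFilter with roleAttributeID=cn."""
    attr, _, template = role_filter.strip("()").partition("=")
    # {0} is replaced by the login name, {1} by the authenticated user's DN.
    wanted = template.replace("{0}", login).replace("{1}", user_dn).lower()
    roles = set()
    for dn, attrs in DIRECTORY.items():
        values = [v.lower() for v in attrs.get(attr, [])]
        if in_scope(dn, BASE, scope) and wanted in values:
            roles.update(attrs["cn"])
    if default_role:
        # defaultRole is granted to every authenticated user, so it hides a
        # role query that matches nothing and ignores directory membership.
        roles.add(default_role)
    return sorted(roles)


if __name__ == "__main__":
    for flt, scope in [("(cn={1})", "ONELEVEL_SCOPE"), ("(member={1})", "ONELEVEL_SCOPE"),
                       ("(member={1})", "SUBTREE_SCOPE")]:
        print(flt, scope, resolve_roles("alice", USER_DN, flt, scope))
```

In this model (cn={1}) compares a group's cn against the user's full DN and matches nothing, which corresponds to the empty Roles(members:) principal and the 403 once defaultRole is commented out; (member={1}) matches the groups that list the user as a member.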
 #12470  by flekschas
 
Hello,
first of all: thanks for the LDAP Testtool! It's pretty nice.
Unfortunately I still have a strange problem. OpenKM doesn't find the roles of a specific user (getRolesByUser) even though I can find these roles with ldapsearch and exactly the same inputs:
teststorm:/srv/openkm5 # ldapsearch -x -D "cn=admin,dc=***,dc=***,dc=de" -W -h localhost -b "ou=bcrt,dc=***,dc=***,dc=de" "(&(objectClass=inetOrgPerson)(uid=test))" memberof
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=bcrt,dc=***,dc=***,dc=de> with scope subtree
# filter: (&(objectClass=inetOrgPerson)(uid=test))
# requesting: memberof 
#

# test, external, research, bcrt, ***. ***.de
dn: uid=test,ou=external,ou=research,ou=bcrt,dc=***,dc=***,dc=de
memberOf: cn=UserRole,ou=Roles,ou=okm,dc=***,dc=***,dc=de

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
teststorm:/srv/openkm5 # java -jar ./testLdap.jar getRolesByUser test
===== CONFIGURATION =====
principal.ldap.mail.attribute = mail
principal.ldap.mail.search.base = ou=bcrt,dc=***,dc=***,dc=de
principal.ldap.mail.search.filter = (&(objectclass=inetOrgPerson)(uid={0}))
principal.ldap.role.attribute = cn
principal.ldap.role.search.base = ou=Roles,ou=okm,dc=***,dc=***,dc=de
principal.ldap.role.search.filter = (objectclass=groupOfNames)
principal.ldap.roles.by.user.attribute = memberOf
principal.ldap.roles.by.user.search.base = ou=bcrt,dc=***,dc=***,dc=de
principal.ldap.roles.by.user.search.filter = (&(objectClass=inetOrgPerson)(uid={0}))
principal.ldap.security.credentials = ***
principal.ldap.security.principal = cn=admin,dc=***,dc=***,dc=de
principal.ldap.server = ldap://localhost:389
principal.ldap.user.attribute = uid
principal.ldap.user.search.base = ou=bcrt,dc=***,dc=***,dc=de
principal.ldap.user.search.filter = (objectclass=inetOrgPerson)
principal.ldap.users.by.role.attribute = member
principal.ldap.users.by.role.search.base = ou=Roles,ou=okm,dc=***,dc=***,dc=de
principal.ldap.users.by.role.search.filter = (&(objectclass=groupOfNames)(cn={0}))
====== ===== ===== ======
DEBUG com.openkm.principal.LdapPrincipalAdapter - getRolesByUser(test) 
DEBUG com.openkm.principal.LdapPrincipalAdapter - ldapSearch(ldap://localhost:389, cn=admin,dc=***,dc=***,dc=de, ***, ou=bcrt,dc=***,dc=***,dc=de, (&(objectClass=inetOrgPerson)(uid=test)), memberOf) 
DEBUG com.openkm.principal.LdapPrincipalAdapter - Search Result Name: uid=test,ou=external,ou=research 
DEBUG com.openkm.principal.LdapPrincipalAdapter - ldapSearch: [] 
DEBUG com.openkm.principal.LdapPrincipalAdapter - getRolesByUser: [] 
Do you guys have an idea why ldapsearch finds something and the ldapTestTool doesn't?
 #12478  by flekschas
 
Just so you know: when I start OpenKM 5.1.7 with these LDAP settings I get the same "getUserWorkspace" error as posted in this thread.
2011-10-06 10:59:18,630 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/OpenKM]] Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.openkm.frontend.client.bean.GWTWorkspace com.openkm.frontend.client.service.OKMWorkspaceService.getUserWorkspace() throws com.openkm.frontend.client.OKMException' threw an unexpected exception: java.lang.NullPointerException
	at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:378)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:581)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:207)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:243)
	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.NullPointerException
	at com.openkm.servlet.frontend.WorkspaceServlet.getUserWorkspace(WorkspaceServlet.java:306)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562)
	... 24 more
 #12480  by sagar
 
Hi,

If you are sure all the queries are getting the correct results when using the test tool, then ensure you put the same configuration in login-config.xml and in the configuration table (in the DB or using the Administration tab).

Regards,
Sagar
 #12506  by jllort
 
As sagar said, are you sure your LDAP configuration in the administration tab is right? Take a look at it. From version 5.1.x configuration is done in the administration tab; OpenKM.cfg is only for first-time initialization, so any change there has no effect on configuration (except database configuration, which must not be removed from there).
 #12522  by flekschas
 
Sagar, I know that I have to update the login-config.xml; that is not my problem. The actual problem is that the ldapsearch function used by OpenKM does not find the "memberOf" attribute even though the command-line tool provided by OpenLDAP does. And I guess this is the actual cause of the "getUserWorkspace" error, because OpenKM can't find the roles of a user.
I've googled a bit and found out that the "memberOf" property in OpenLDAP (2.4) is not a real attribute (it's called an overlay) and this may be the reason that OpenKM can't find it. If anyone got this working with OpenLDAP I would really appreciate any kind of tips :)
 #12542  by flekschas
 
Okay, at least I think I know what's the problem.

The "memberOf" attribute, which is provided as an overlay in OpenLDAP, is an operational attribute and is saved in another tree in LDAP. To retrieve this information you have to specifically look for this attribute via a parameter using getAttribute(). For all the other "normal" attributes this is not required, so no parameter is defined in the LdapPrincipalAdapter.

When I have the time and get everything working I'll post my solution.
 #12634  by flekschas
 
No, I think I just have to adjust the current one a little bit. Actually, as far as I understand the Java docs, I just have to pass the name of the specific attribute I'm looking for to the getAttribute() function (which is "memberOf" in my case) and that's it. I'll see if I get things working.
