• LDAP auth Issue

 #13084  by yuhaijunll
 
I have OpenKM version 5.1.7 installed on CentOS 5 server edition and an Active Directory on Windows Server 2003. I cannot log in with an AD account.
I configured the server following this guide: http://forum.openkm.com/viewtopic.php?f=4&t=5146
Can anyone help me?

Below is my info:

My AD structure is:
Code:
dc=com
   |_dc=aca
        |_OU=company
        |    |_OU=Dept. 1
        |    |   |_user1
        |    |   |_user2
        |    |_OU=Dept. 2
        |    |   |_user3
        |    |   |_user4
        |    |_OU=Dept. 3
        |        |_OU=Group 1
        |             |_user5
        |             |_user6
        |_OU=OpenKM
        |    |_Group OpenKMusers (members: user1, user2, user3, user4, user5)
        |    |_Group OpenKMadmins (members: user1)
        |    |_Group OpenKMroles (members: OpenKMusers, OpenKMadmins, OpenKMrole1, OpenKMrole2)
        |    |_Group OpenKMrole1 (members: user1, user2, user3)
        |    |_Group OpenKMrole2 (members: user4, user5)
Administrator - Configuration with LDAP:
Code:
default.admin.role String OpenKMadmins
default.user.role String OpenKMusers
principal.adapter String com.openkm.principal.LdapPrincipalAdapter
principal.database.filter.inactive.users Boolean
principal.ldap.mail.attribute String mail
principal.ldap.mail.search.base String dc=aca,dc=com
principal.ldap.mail.search.filter String (&(objectclass=person)(sAMAccountName={0}))
principal.ldap.role.attribute String sAMAccountName
principal.ldap.role.search.base String dc=aca,dc=com
principal.ldap.role.search.filter String (&(objectclass=group)(memberOf=cn=OpenKMroles,ou=OpenKM,dc=aca,dc=com))
principal.ldap.roles.by.user.attribute String memberOf
principal.ldap.roles.by.user.search.base String dc=aca,dc=com
principal.ldap.roles.by.user.search.filter String (sAMAccountName={0})
principal.ldap.security.credentials String mypassword
principal.ldap.security.principal String cn=user1,ou=Dept.1,ou=company,dc=aca,dc=com
principal.ldap.server String ldap://ad_server_ip
principal.ldap.user.attribute String sAMAccountName
principal.ldap.user.search.base String dc=aca,dc=com
principal.ldap.user.search.filter String (&(objectclass=user)(memberOf=cn=OpenKMusers,ou=OpenKM,dc=aca,dc=com))
principal.ldap.users.by.role.attribute String member
principal.ldap.users.by.role.search.base String ou=OpenKM,dc=aca,dc=com
principal.ldap.users.by.role.search.filter String (sAMAccountName={0})

Full login-config.xml File:
Code:
<!-- OpenKM -->
<application-policy name = "OpenKM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<module-option name="java.naming.provider.url">ldap://ad_server_ip</module-option>
<module-option name="bindDN">cn=user1,ou=Dept.1,ou=company,dc=aca,dc=com</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="java.naming.referral">follow</module-option>
<module-option name="bindCredential">mypassword</module-option>
<module-option name="baseCtxDN">dc=aca,dc=com</module-option>
<module-option name="baseFilter">(&(sAMAccountName={0})(memberOf=CN=OpenKMusers,OU=OpenKM,dc=aca,dc=com))</module-option>
<module-option name="rolesCtxDN">dc=aca,dc=com</module-option>
<module-option name="roleFilter">(member={1})</module-option>
<module-option name="roleAttributeID">sAMAccountName</module-option>
<module-option name="roleAttributeIsDN">false</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="allowEmptyPasswords">false</module-option>
</login-module>
</authentication>
</application-policy>

I got the following error info when I boot JBoss:
Code:
14:31:58,963 INFO  [TomcatDeployer] deploy, ctxPath=/jmx-console, warUrl=.../deploy/jmx-console.war/
14:31:59,016 ERROR [URLDeploymentScanner] Incomplete Deployment listing:

--- MBeans waiting for other MBeans ---
ObjectName: jboss:service=KeyGeneratorFactory,type=HiLo
  State: FAILED
  Reason: java.lang.SecurityException: Invalid authentication attempt, principal=null
  I Depend On:
    jboss:service=TransactionManager
    jboss.jca:service=DataSourceBinding,name=DefaultDS

ObjectName: jboss.mq:service=PersistenceManager
  State: FAILED
  Reason: org.jboss.mq.SpyJMSException: Could not resolve uncommited transactions.  Message recovery may not be accurate; - nested throwable: (java.lang.SecurityException: Invalid authentication attempt, principal=null)
  I Depend On:
    jboss.jca:service=DataSourceBinding,name=DefaultDS
  Depends On Me:
    jboss.mq:service=DestinationManager

--- MBEANS THAT ARE THE ROOT CAUSE OF THE PROBLEM ---
ObjectName: jboss.mq:service=PersistenceManager
  State: FAILED
  Reason: org.jboss.mq.SpyJMSException: Could not resolve uncommited transactions.  Message recovery may not be accurate; - nested throwable: (java.lang.SecurityException: Invalid authentication attempt, principal=null)
  I Depend On:
    jboss.jca:service=DataSourceBinding,name=DefaultDS
  Depends On Me:
    jboss.mq:service=DestinationManager

ObjectName: jboss:service=KeyGeneratorFactory,type=HiLo
  State: FAILED
  Reason: java.lang.SecurityException: Invalid authentication attempt, principal=null
  I Depend On:
    jboss:service=TransactionManager
    jboss.jca:service=DataSourceBinding,name=DefaultDS

14:31:59,103 INFO  [Http11Protocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
14:31:59,124 INFO  [AjpProtocol] Starting Coyote AJP/1.3 on ajp-0.0.0.0-8009
14:31:59,243 INFO  [Server] JBoss (MX MicroKernel) [4.2.3.GA (build: SVNTag=JBoss_4_2_3_GA date=200807181439)] Started in 22s:611ms
 #13085  by yuhaijunll
 
When I change the login-config.xml to the default and default.admin.role from "OpenKMadmins" to "AdminRole",
I can log in to OpenKM with the okmAdmin local account and can see the AD users in the users page.
Attachments: 1.jpg, 2.jpg, 3.jpg
 #13099  by jllort
 
Concentrate only on login-config.xml (the first step must be login).

I suggest a more general query to start with:
Code:
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
Ensure that with that user you can connect to and browse the LDAP from the server and that the password is correct.
Code:
cn=user1,ou=Dept.1,ou=company,dc=aca,dc=com
Change your log4j-jboss.xml file (I'm not totally sure if I have written the file name correctly, but it should be similar to what I wrote) to debug this class: org.jboss.security

UserRole and AdminRole are mandatory to login (really you can add another admin role for configuration purposes, but the application web.xml needs one of these to login at the low-level authentication; when you change the configuration parameter AdminRole to another role, you are really only indicating that another role will be used for accessing administration, but this change has no effect on the minimal grants for accessing the application (AdminRole and UserRole). I think my explanation may not be totally clear).
 #13102  by yuhaijunll
 
I have found my problem.
The login-config.xml file was not correct.

Here is the full file:
Code:
<?xml version='1.0'?>
<!DOCTYPE policy PUBLIC
      "-//JBoss//DTD JBOSS Security Config 3.0//EN"
      "http://www.jboss.org/j2ee/dtd/security_config.dtd">

<!-- The XML based JAAS login configuration read by the
org.jboss.security.auth.login.XMLLoginConfig mbean. Add
an application-policy element for each security domain.

The outline of the application-policy is:
<application-policy name="security-domain-name">
  <authentication>
    <login-module code="login.module1.class.name" flag="control_flag">
      <module-option name = "option1-name">option1-value</module-option>
      <module-option name = "option2-name">option2-value</module-option>
      ...
    </login-module>

    <login-module code="login.module2.class.name" flag="control_flag">
      ...
    </login-module>
    ...
  </authentication>
</application-policy>

$Revision: 64598 $
-->

<policy>
    <!-- Used by clients within the application server VM such as
    mbeans and servlets that access EJBs.
    -->
    <application-policy name = "client-login">
       <authentication>
          <login-module code = "org.jboss.security.ClientLoginModule"
             flag = "required">
             <!-- Any existing security context will be restored on logout -->
             <module-option name="restore-login-identity">true</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ -->
    <application-policy name = "jbossmq">
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.DatabaseServerLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "dsJndiName">java:/DefaultDS</module-option>
             <module-option name = "principalsQuery">SELECT PASSWD FROM JMS_USERS WHERE USERID=?</module-option>
             <module-option name = "rolesQuery">SELECT ROLEID, 'Roles' FROM JMS_ROLES WHERE USERID=?</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- Security domain for JBossMQ when using file-state-service.xml
    <application-policy name = "jbossmq">
       <authentication>
          <login-module code = "org.jboss.mq.sm.file.DynamicLoginModule"
             flag = "required">
             <module-option name = "unauthenticatedIdentity">guest</module-option>
             <module-option name = "sm.objectname">jboss.mq:service=StateManager</module-option>
          </login-module>
       </authentication>
    </application-policy>
    -->

    <!-- Security domains for testing new jca framework -->
    <application-policy name = "HsqlDbRealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">sa</module-option>
             <module-option name = "userName">sa</module-option>
             <module-option name = "password"></module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=LocalTxCM,name=DefaultDS</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <application-policy name = "JmsXARealm">
       <authentication>
          <login-module code = "org.jboss.resource.security.ConfiguredIdentityLoginModule"
             flag = "required">
             <module-option name = "principal">guest</module-option>
             <module-option name = "userName">guest</module-option>
             <module-option name = "password">guest</module-option>
             <module-option name = "managedConnectionFactoryName">jboss.jca:service=TxCM,name=JmsXA</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the jmx-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "jmx-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
           <module-option name="usersProperties">props/jmx-console-users.properties</module-option>
           <module-option name="rolesProperties">props/jmx-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!-- A template configuration for the web-console web application. This
      defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name = "web-console">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required">
             <module-option name="usersProperties">web-console-users.properties</module-option>
             <module-option name="rolesProperties">web-console-roles.properties</module-option>
          </login-module>
       </authentication>
    </application-policy>

    <!--
      A template configuration for the JBossWS security domain.
      This defaults to the UsersRolesLoginModule the same as other and should be
      changed to a stronger authentication mechanism as required.
    -->
    <application-policy name="JBossWS">
      <authentication>
        <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule"
          flag="required">
          <module-option name="usersProperties">props/jbossws-users.properties</module-option>
          <module-option name="rolesProperties">props/jbossws-roles.properties</module-option>
          <module-option name="unauthenticatedIdentity">anonymous</module-option>
        </login-module>
      </authentication>
    </application-policy>

    <!-- OpenKM -->
    <application-policy name = "OpenKM">
    <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
    <module-option name="java.naming.provider.url">ldap://ad_server_ip</module-option>
    <module-option name="bindDN">cn=user1,ou=Dept.1,ou=company,dc=aca,dc=com</module-option>
    <module-option name="java.naming.security.authentication">simple</module-option>
    <module-option name="bindCredential">mypassword</module-option>
    <module-option name="baseCtxDN">ou=company,dc=aca,dc=com</module-option>
    <module-option name="baseFilter">(sAMAccountName={0})</module-option>
    <module-option name="rolesCtxDN">dc=aca,dc=com</module-option>
    <module-option name="roleFilter">(member={1})</module-option>
    <module-option name="roleAttributeID">sAMAccountName</module-option>
    <module-option name="roleAttributeIsDN">false</module-option>
    <module-option name="roleRecursion">-1</module-option>
    <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
    <module-option name="defaultRole">UserRole</module-option>
    <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
    </authentication>
    </application-policy>   

    <!-- The default login configuration used by any security domain that
    does not have a application-policy entry with a matching name
    -->
    <application-policy name = "other">
       <!-- A simple server login module, which can be used when the number
       of users is relatively small. It uses two properties files:
       users.properties, which holds users (key) and their password (value).
       roles.properties, which holds users (key) and a comma-separated list of
       their roles (value).
       The unauthenticatedIdentity property defines the name of the principal
       that will be used when a null username and password are presented as is
       the case for an unuathenticated web client or MDB. If you want to
       allow such users to be authenticated add the property, e.g.,
       unauthenticatedIdentity="nobody"
       -->
       <authentication>
          <login-module code = "org.jboss.security.auth.spi.UsersRolesLoginModule"
             flag = "required" />
       </authentication>
    </application-policy>

</policy>

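To make the chain in the working configuration above concrete, here is an added simulation (not OpenKM's or JBoss's code) of how LdapExtLoginModule's options are applied: bind with bindDN/bindCredential, find the user under baseCtxDN with baseFilter ({0} = login name), bind as that user, then look up groups under rolesCtxDN with roleFilter ({1} = the user's DN) and add defaultRole. It runs offline against a constructed subset of the poster's AD tree with made-up passwords; roleRecursion is treated here simply as a nesting depth, and the filter matcher only handles the single "(attr=value)" filters the working config uses.

```python
import re

# Constructed subset of the poster's AD tree: DN -> attributes (passwords made up).
U1 = "cn=user1,ou=Dept.1,ou=company,dc=aca,dc=com"
U6 = "cn=user6,ou=Group 1,ou=Dept.3,ou=company,dc=aca,dc=com"
DIRECTORY = {
    U1: {"sAMAccountName": ["user1"], "userPassword": ["pw1"]},
    U6: {"sAMAccountName": ["user6"], "userPassword": ["pw6"]},
    "cn=OpenKMusers,ou=OpenKM,dc=aca,dc=com": {"sAMAccountName": ["OpenKMusers"], "member": [U1]},
    "cn=OpenKMadmins,ou=OpenKM,dc=aca,dc=com": {"sAMAccountName": ["OpenKMadmins"], "member": [U1]},
    "cn=OpenKMroles,ou=OpenKM,dc=aca,dc=com": {"sAMAccountName": ["OpenKMroles"], "member": [
        "cn=OpenKMusers,ou=OpenKM,dc=aca,dc=com", "cn=OpenKMadmins,ou=OpenKM,dc=aca,dc=com"]},
}
# Module options from the working login-config.xml above; roleRecursion here
# just means how many extra nesting levels this simulation follows.
OPTIONS = {"bindDN": U1, "bindCredential": "pw1", "baseCtxDN": "ou=company,dc=aca,dc=com",
           "baseFilter": "(sAMAccountName={0})", "rolesCtxDN": "dc=aca,dc=com",
           "roleFilter": "(member={1})", "roleAttributeID": "sAMAccountName",
           "roleRecursion": 1, "defaultRole": "UserRole"}

def search(base, filt, args):
    """Subtree search for a single '(attr=value)' filter; {0} = login name, {1} = user DN."""
    attr, value = re.fullmatch(r"\((\w+)=(.+)\)", filt.format(*args)).groups()
    return [dn for dn, attrs in DIRECTORY.items()
            if ("," + dn).lower().endswith("," + base.lower()) and value in attrs.get(attr, [])]

def bind(dn, password):
    return password in DIRECTORY.get(dn, {}).get("userPassword", [])

def roles_search(user_dn, opts, depth=0):
    """Role name = roleAttributeID of each group matching roleFilter, then recurse
    with the group's own DN as {1} to pick up the groups that contain it."""
    roles = set()
    for group_dn in search(opts["rolesCtxDN"], opts["roleFilter"], ("", user_dn)):
        roles.update(DIRECTORY[group_dn][opts["roleAttributeID"]])
        if depth < opts["roleRecursion"]:
            roles |= roles_search(group_dn, opts, depth + 1)
    return roles

def authenticate(username, password, opts=OPTIONS):
    """Return the login's role set, or None when any step of the chain fails."""
    if not bind(opts["bindDN"], opts["bindCredential"]):
        return None  # service-account bind failed: check bindDN/bindCredential first
    hits = search(opts["baseCtxDN"], opts["baseFilter"], (username,))
    if len(hits) != 1 or not bind(hits[0], password):
        return None  # user not under baseCtxDN, ambiguous, or wrong password
    roles = roles_search(hits[0], opts)
    if opts.get("defaultRole"):
        roles.add(opts["defaultRole"])  # this is what hands every AD user UserRole
    return roles
```

Note that with defaultRole=UserRole every AD account that can bind ends up with UserRole, so the restriction to OpenKMusers members that the first post's baseFilter expressed is gone; keep that in mind when choosing baseCtxDN and baseFilter.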

 #13122  by jllort
 
You solved it?
