• Unable to logon after playing with ldap configuration.

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #18484  by i.zemliansky
 
Hi to all!

After configuring LDAP (http://wiki.openkm.com/index.php/LDAP_a ... r_examples) I got a totally useless system. The old login/password pair does not allow me to enter the site, giving an 'Authentication error' message. When I try to enter the site with the new AD accounts (I have a Windows 2008 AD) I receive this 403 page:
HTTP Status 403 - Access to the requested resource has been denied

type Status report

message Access to the requested resource has been denied

description Access to the specified resource (Access to the requested resource has been denied) has been forbidden.

JBossWeb/2.0.1.GA
And there is nothing in the server.log file that would point me to the error. Restoring the original login-config.xml file did not help (I assume this is because the rest of the configuration is in the internal DB). Is it possible to change the authentication scheme back to the default state?

Thank you in advance!
 #18488  by jllort
 
Basically you should start working with login-config.xml (that configuration should allow you to log in and not get the 403 error). I think your problem is that your login configuration is not getting users by role. Then you pass the login page because you get the user/password correct, but in your roles there's no UserRole or AdminRole assigned to your LDAP user, or if it is assigned, it is not correctly defined how the user is got by role in the login-config.xml configuration.
 #18493  by i.zemliansky
 
jllort, you were right - replacing the file helped me to log on. When I announced the file was replaced, my OS actually asked "Do you really want to replace A with B?". I did not notice that and decided that the file was replaced.

So, now I am investigating why the LDAP integration does not work...

Thank you!
 #18657  by i.zemliansky
 
Ok, now I am totally exhausted after the battle of OpenKM (v.5) vs MS AD LDAP :)

First of all, I cannot understand the relation between login-config.xml and the settings that are configured via the Administrative menu in the OpenKM app.

Please have a look at my configuration files and my log files...

Here is a sample of my LDAP configuration (we use MS Windows AD LDAP):
    All accounts are in: OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com
       For example:
       CN=OpenKM,OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com or
       CN=ur-test,OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com

    All AD groups are in: OU=Groups,OU=UKR,DC=eeu,DC=prockm,DC=com
       For example:
       CN=AdminRole,OU=Groups,OU=UKR,DC=eeu,DC=prockm,DC=com or
       CN=UserRole,OU=Groups,OU=UKR,DC=eeu,DC=prockm,DC=com

    More details on accounts:
       CN=ur-test,OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com (note hyphen in CN)
       objectClass: organizationalPerson
       objectClass: person
       objectClass: top
       objectClass: user
       cn: ukr test (note that cn does not have hyphen)
       instanceType: 4
       objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=prockm,DC=com
       displayName: ukr test
       distinguishedName: CN=ukr test,OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com
       givenName: ukr
       logonCount: 0
       mDBUseDefaults: TRUE
       memberOf: CN=UserRole,OU=Groups,OU=UKR,DC=eeu,DC=prockm,DC=com
       name: ukr test
       primaryGroupID: 513
       sAMAccountName: ukr-test
       sAMAccountType: 805306368
       sn: test
       userAccountControl: 66048
       userPrincipalName: ukr-test@eeu.prockm.com
       
    More details on AD groups:
       CN=UserRole,OU=Groups,OU=UKR,DC=eeu,DC=prockm,DC=com
       objectClass: group
       objectClass: top
       groupType: -2147483646
       instanceType: 4
       objectCategory: CN=Group,CN=Schema,CN=Configuration,DC=prockm,DC=com
       cn: UserRole
       description: [19.09.2012] - This is test group for OpenKM
       distinguishedName: CN=UserRole,OU=Groups,OU=UKR,DC=eeu,DC=prockm,DC=com
       member: CN=ukr test,OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com
       member: CN=Zemlianskiy\, Igor,OU=Accounts Users,OU=UKR,DC=eeu,DC=prockm,DC=com
       name: UserRole
       sAMAccountName: UserRole
       sAMAccountType: 268435456
Here is the part of my login-config.xml:
<!-- OpenKM -->
<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
         <module-option name="java.naming.provider.url">ldap://wkuwbpeeudc02.eeu.prockm.com:389</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">CN=OpenKM,OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com</module-option>
         <module-option name="bindCredential">qwerty-123</module-option>
         <module-option name="baseCtxDN">OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com</module-option>
         <module-option name="baseFilter">(samaccountname={0})</module-option>
         <module-option name="rolesCtxDN">OU=Groups,OU=UKR,DC=eeu,DC=prockm,DC=com</module-option>
         <!-- <module-option name="roleFilter">(memberUid={0})</module-option> -->
         <module-option name="roleFilter">(member={0})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
         <module-option name="roleRecursion">-1</module-option>
         <module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
         <!-- <module-option name="defaultRole">UserRole</module-option> -->
      </login-module>
   </authentication>
</application-policy>
When I try to log in with the real MS AD account I get an error (that I attached to this message). At the same time I get the following piece of log in the jboss.security.log file:
21:25:23,755 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
21:25:23,819 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
21:25:23,822 TRACE [org.jboss.security.SecurityAssociation] pushRunAsIdentity, runAs=null
21:25:23,822 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
21:25:23,858 TRACE [org.jboss.security.SecurityAssociation] popRunAsIdentity, runAs=null
21:25:23,869 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
21:25:29,954 TRACE [org.jboss.security.plugins.JaasSecurityManager] Constructing
21:25:29,954 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@2602c9f6
21:25:29,954 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@11948f9
21:25:29,955 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CachePolicy set to: org.jboss.util.TimedCachePolicy@2305d3ff
21:25:29,956 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@2305d3ff
21:25:29,956 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added OpenKM, org.jboss.security.plugins.SecurityDomainContext@53a11c4f to map
21:25:29,956 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] Begin isValid, principal:ukr-test, cache info: null
21:25:29,956 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] defaultLogin, principal=ukr-test
21:25:29,956 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] Begin getAppConfigurationEntry(OpenKM), size=9
21:25:29,956 TRACE [org.jboss.security.auth.login.XMLLoginConfigImpl] End getAppConfigurationEntry(OpenKM), authInfo=AppConfigurationEntry[]:
[0]
LoginModule Class: org.jboss.security.auth.spi.LdapExtLoginModule
ControlFlag: LoginModuleControlFlag: required
Options:name=baseFilter, value=(samaccountname={0})
name=bindDN, value=CN=OpenKM,OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com
name=rolesCtxDN, value=OU=Groups,OU=UKR,DC=eeu,DC=prockm,DC=com
name=baseCtxDN, value=OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com
name=roleRecursion, value=-1
name=java.naming.security.authentication, value=simple
name=roleFilter, value=(member={0})
name=allowEmptyPasswords, value=false
name=java.naming.provider.url, value=ldap://wkuwbpeeudc02.eeu.prockm.com:389
name=bindCredential, value=qwerty-123
name=roleAttributeIsDN, value=false
name=searchScope, value=SUBTREE_SCOPE
name=roleAttributeID, value=cn

21:25:29,962 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] initialize, instance=@1442358158
21:25:29,962 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] Security domain: OpenKM
21:25:29,962 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] login
21:25:30,175 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] User 'ukr-test' authenticated, loginOk=true
21:25:30,175 TRACE [org.jboss.security.auth.spi.LdapExtLoginModule] commit, loginOk=true
21:25:30,176 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] defaultLogin, lc=javax.security.auth.login.LoginContext@19933923, subject=Subject(277624307).principals=org.jboss.security.SimplePrincipal@1424875934(ukr-test)org.jboss.security.SimpleGroup@1697246465(Roles(members))
21:25:30,177 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] updateCache, inputSubject=Subject(277624307).principals=org.jboss.security.SimplePrincipal@1424875934(ukr-test)org.jboss.security.SimpleGroup@1697246465(Roles(members)), cacheSubject=Subject(596054154).principals=org.jboss.security.SimplePrincipal@1424875934(ukr-test)org.jboss.security.SimpleGroup@1697246465(Roles(members))
21:25:30,177 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] Inserted cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@784ee63e[Subject(596054154).principals=org.jboss.security.SimplePrincipal@1424875934(ukr-test)org.jboss.security.SimpleGroup@1697246465(Roles(members)),credential.class=java.lang.String@848649429,expirationTime=1349895329955]
21:25:30,177 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] End isValid, true
21:25:30,179 TRACE [org.jboss.security.SecurityAssociation] pushSubjectContext, subject=Subject:
        Principal: ukr-test
        Principal: Roles(members)
, sc=org.jboss.security.SecurityAssociation$SubjectContext@2ecca280{principal=ukr-test,subject=2092996992}
21:25:30,179 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] getPrincipal, cache info: org.jboss.security.plugins.JaasSecurityManager$DomainInfo@784ee63e[Subject(596054154).principals=org.jboss.security.SimplePrincipal@1424875934(ukr-test)org.jboss.security.SimpleGroup@1697246465(Roles(members)),credential.class=java.lang.String@848649429,expirationTime=1349895329955]
21:25:30,180 TRACE [org.jboss.security.SecurityAssociation] getSubject, sc=org.jboss.security.SecurityAssociation$SubjectContext@2ecca280{principal=ukr-test,subject=2092996992}
21:25:30,180 TRACE [org.jboss.security.plugins.JaasSecurityManager.OpenKM] getUserRoles, subject: Subject:
        Principal: ukr-test
        Principal: Roles(members)

21:25:30,182 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
21:25:30,185 TRACE [org.jboss.security.SecurityAssociation] clear, server=true
I really don't understand what my problem is and why OpenKM does not let me log in with an AD account. As I can see, the log says "User 'ukr-test' authenticated, loginOk=true". Does it mean that I have to configure groups? How do I debug a groups-related error?

I would like to mention that I am running OpenKM-64 5.1.0 (build 7564) on:
22:01:05,024 INFO [ServerInfo] Java version: 1.6.0_32,Sun Microsystems Inc.
22:01:05,024 INFO [ServerInfo] Java VM: Java HotSpot(TM) 64-Bit Server VM 20.7-b02,Sun Microsystems Inc.
22:01:05,024 INFO [ServerInfo] OS-System: Linux 2.6.32-279.el6.x86_64,amd64

Thank you in advance.
Attachments
This is how the error page looks after login.
HTTP-Status-403-Access-denied.png
 #18703  by jllort
 
That I think should be:
<module-option name="roleFilter">(member={1})</module-option>
login-config.xml is what really authenticates users and what loads user roles (it's what is used to evaluate security).
The configuration parameters are only to fill lists etc... nothing else.
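As an added illustration (not code from this thread, from OpenKM or from JBoss), the following Python snippet simulates the role search that the reply above is about: LdapExtLoginModule substitutes `{0}` with the login name and `{1}` with the user DN found by baseFilter, while AD stores DNs in the group's `member` attribute, which is why the log shows an empty Roles(members) group. The group entry is a constructed copy of the one quoted earlier in the thread, and the substituted value is escaped per RFC 4515 because that entry contains a DN with an escaped comma.

```python
import re

# Constructed copy of the AD group entry quoted in the post; AD's "member"
# attribute holds the user's distinguishedName, not the sAMAccountName.
USER_NAME = "ukr-test"
USER_DN = "CN=ukr test,OU=Test,OU=UKR,DC=eeu,DC=prockm,DC=com"
GROUPS = [
    {"cn": "UserRole",
     "member": [USER_DN,
                "CN=Zemlianskiy\\, Igor,OU=Accounts Users,OU=UKR,DC=eeu,DC=prockm,DC=com"]},
    {"cn": "AdminRole", "member": []},
]


def escape_filter_value(value):
    """RFC 4515 escaping of an assertion value: backslash, '*', '(', ')' and NUL
    become \\XX hex escapes, so a DN with an escaped comma stays intact and a
    login name such as '*' cannot rewrite the filter (LDAP filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def expand_role_filter(template, username, user_dn):
    """Mimics LdapExtLoginModule: {0} is the login name, {1} the user DN."""
    return (template.replace("{0}", escape_filter_value(username))
                    .replace("{1}", escape_filter_value(user_dn)))


def lookup_roles(template, username=USER_NAME, user_dn=USER_DN, groups=GROUPS,
                 role_attribute_id="cn"):
    """Evaluate one equality filter '(attr=value)' against the constructed groups
    and return roleAttributeID of every match (comparison is case-insensitive
    as an approximation of AD's DN matching rule)."""
    flt = expand_role_filter(template, username, user_dn)
    m = re.fullmatch(r"\((\w+)=(.*)\)", flt)
    if m is None:
        raise ValueError("unsupported filter: " + flt)
    attr, wanted = m.group(1), unescape_filter_value(m.group(2)).casefold()
    return [g[role_attribute_id] for g in groups
            if any(v.casefold() == wanted for v in g.get(attr, []))]


if __name__ == "__main__":
    # (member={0}) searches for member=ukr-test, which no AD group carries,
    # so JBoss builds an empty Roles group and OpenKM answers 403.
    print("(member={0}) ->", lookup_roles("(member={0})"))
    print("(member={1}) ->", lookup_roles("(member={1})"))
```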
