Online demo
Download
Contact

Because information matters

  • Problem with LDAP in OpenKM 6.2

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
It is currently Sun Apr 19, 2026 7:55 pm

Problem with LDAP in OpenKM 6.2

OpenKM has many interesting features, but requires some configuration process to show its full potential.
Forum rules: Please, before asking something see the documentation wiki or use the search feature of the forum. And remember we don't have a crystal ball or mental readers, so if you post about an issue tell us which OpenKM are you using and also the browser and operating system version. For more info read How to Report Bugs Effectively.
 Reply

Problem with LDAP in OpenKM 6.2

 #19145  by gimla
 
Hello
I have a two problem with LDAP in OpenKM 6.2:
1)with administrator accounts. I can log in, and can see a administrator bookmark, but when I click on it, I get page with text: "Unauthorized access".
2) I use non adminitrator accounts, so when loggin i got a message:
com.openkm.core.RepositoryException: PathNotFoundException: 0a45bcad-3485-41d7-b0d0-df300b64d505 : /okm:trash

and from log file:
Code: Select all
INFO  org.dozer.DozerBeanMapper - Initializing a new instance of dozer bean mapper.
2012-11-05 13:09:37,851 [http-bio-8443-exec-2] INFO  org.dozer.loader.CustomMappingsLoader - Using the following xml files to load custom mappings for the bean mapper instance: [dozerBeanMapping.xml]
2012-11-05 13:09:37,851 [http-bio-8443-exec-2] INFO  org.dozer.loader.CustomMappingsLoader - Trying to find xml mapping file: dozerBeanMapping.xml
2012-11-05 13:09:37,860 [http-bio-8443-exec-2] INFO  org.dozer.loader.CustomMappingsLoader - Using URL [file:/opt/tomcat-7.0.27/webapps/OpenKM/WEB-INF/classes/dozerBeanMapping.xml] to load custom xml mappings
2012-11-05 13:09:37,930 [http-bio-8443-exec-2] INFO  org.dozer.loader.CustomMappingsLoader - Successfully loaded custom xml mappings from URL: [file:/opt/tomcat-7.0.27/webapps/OpenKM/WEB-INF/classes/dozerBeanMapping.xml]
2012-11-05 13:09:42,216 [http-bio-8443-exec-8] WARN  com.openkm.util.DocConverter - system.openoffice.path not configured
2012-11-05 13:17:45,330 [http-bio-8443-exec-4] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2012-11-05 13:17:45,490 [http-bio-8443-exec-8] INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/koc245
2012-11-05 13:17:45,519 [http-bio-8443-exec-8] ERROR com.openkm.module.db.DbAuthModule - 0a45bcad-3485-41d7-b0d0-df300b64d505 : /okm:trash
com.openkm.core.PathNotFoundException: 0a45bcad-3485-41d7-b0d0-df300b64d505 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:106)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:101)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:437)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:400)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:81)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:52)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
When I use standard log in without LDAP, I can see(from LDAP) users, roles - > everything looks alright.

I will be glad for any help.

Ldap config:
Code: Select all
principal.ldap.mail.attribute = mail       
principal.ldap.mail.search.base = ou=users,o=cz       
principal.ldap.mail.search.filter = (&(objectClass=inetOrgPerson)(cn={0}))       
principal.ldap.referral = follow       
principal.ldap.role.attribute = cn       
principal.ldap.role.search.base = ou=groups,o=cz       
principal.ldap.role.search.filter = (cn=ZAM_*)       
principal.ldap.roles.by.user.attribute = groupMembership       
principal.ldap.roles.by.user.search.base = ou=users,o=cz       
principal.ldap.roles.by.user.search.filter = (&(objectClass=inetOrgPerson)(cn={0}))       
principal.ldap.security.credentials =       
principal.ldap.security.principal =       
principal.ldap.server = ldaps://ldap.xxx:636       
principal.ldap.user.attribute = cn       
principal.ldap.user.search.base = ou=users,o=cz       
principal.ldap.user.search.filter = (groupMembership=cn=ZAM_xxx,ou=xxx,ou=groups,o=cz)       
principal.ldap.username.attribute = fullName       
principal.ldap.username.search.base = ou=users,o=cz       
principal.ldap.username.search.filter = (&(objectClass=inetOrgPerson)(cn={0}))       
principal.ldap.users.by.role.attribute = member       
principal.ldap.users.by.role.search.base = ou=groups,o=cz       
principal.ldap.users.by.role.search.filter = (&(objectClass=posixGroup)(cn={0}))       
principal.ldap.users.from.roles = false 
system.login.lowercase=true
OpenKM.xml:
Code: Select all
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
 
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldaps://ldap.xxx:636/"/>
  <beans:property name="userDn" value=""/>
  <beans:property name="password" value=""/>
  <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>
 
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="ou=groups,o=cz"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="true" />
      <beans:property name="rolePrefix" value="" /> 
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>
 
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="ou=users,o=cz"/>
  <beans:constructor-arg index="1" value="cn={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
  </beans:bean>

Re: Problem with LDAP in OpenKM 6.2

 #19155  by gimla
 
I enable this logging.

I forgot write this change in my configuration:
Code: Select all
default.admin.role = A_AAA
default.user.role =B_AAA
I don't have role with names =ROLE_ADMIN, ROLE_USER

this is result from logging:
Code: Select all
2012-11-06 11:14:47,315 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user: USER1
2012-11-06 11:14:47,316 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'USER1', with user search [ searchFilter: 'cn={0}', searchBase: 'ou=users,o=cz', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2012-11-06 11:14:47,533 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN '', base = 'ou=users,o=cz', filter = 'cn={0}'
2012-11-06 11:14:47,560 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,570 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Attempting to bind as cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,571 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,629 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
2012-11-06 11:14:47,638 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,638 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'USER1', DN = 'cn=USER1,ou=users,o=cz', with filter member={0} in search base 'ou=groups,o=cz'
2012-11-06 11:14:47,639 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: member=cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,641 [http-bio-8443-exec-2] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2012-11-06 11:14:47,737 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [A_AAA, B_AAA,  C_AAA, D_AAA, E_AAA, F_AAA, G_AAA]
2012-11-06 11:14:47,738 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,743 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Invalidating session with Id 'F750B2CC15C2934D6B3373373485AAAE' and migrating attributes.
2012-11-06 11:14:47,747 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Started new session: C894B207F976A4C3020D7B3EFFEA93D6
2012-11-06 11:14:47,747 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc1dec9e: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2b85fcad: Dn: cn=USER1,ou=users,o=cz; Username: USER1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: A_AAA,B_AAA, C_AAA, D_AAA, E_AAA,F_AAA,G_AAA; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: XXX.XXX.XXX.XXX; SessionId: F750B2CC15C2934D6B3373373485AAAE; Granted Authorities: A_AAA,B_AAA, C_AAA, D_AAA, E_AAA,F_AAA,G_AAA
2012-11-06 11:14:47,748 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: https://localhost.cz:8443/OpenKM/frontend/index.jsp
2012-11-06 11:14:47,748 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'https://localhost:8443/OpenKM/frontend/index.jsp'
2012-11-06 11:16:08,085 [http-bio-8443-exec-8] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /admin/index.jsp; Attributes: [ROLE_ADMIN]
2012-11-06 11:16:08,086 [http-bio-8443-exec-8] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc1dec9e: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2b85fcad: Dn: cn=USER1,ou=users,o=cz; Username: USER1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: A_AAA, B_AAA, C_AAA, D_AAA, E_AAA, F_AAA, G_AAA,  ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: XXX.XXX.XXX.XXX; SessionId: F750B2CC15C2934D6B3373373485AAAE; Granted Authorities: A_AAA, B_AAA, C_AAA, D_AAA, E_AAA, F_AAA, G_AAA
2012-11-06 11:16:08,086 [http-bio-8443-exec-8] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@7bff88c3, returned: -1
2012-11-06 11:16:08,086 [http-bio-8443-exec-8] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@456bf9ce, returned: 0
2012-11-06 11:16:08,087 [http-bio-8443-exec-8] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
2012-11-06 11:16:08,095 [http-bio-8443-exec-8] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
Last edited by gimla on Tue Nov 06, 2012 3:14 pm, edited 2 times in total.

Re: Problem with LDAP in OpenKM 6.2

 #19163  by ashley_420
 
I do not understand this
Code: Select all
2012-11-06 11:14:47,638 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=USER1,ou=users,o=cz
Code: Select all
2012-11-06 11:14:47,738 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: cn=USER1,ou=users,o=vsb
In first o=cz and in later o=vsb? Is there a typo somewhere in your configs? I guess you are not using MS AD.

Re: Problem with LDAP in OpenKM 6.2

 #19164  by gimla
 
I must change information about our structure in LDAP, I fix this result.

And yes we don't use MS AD

Is necessary that all roles has a prefix "ROLE_"?

Re: Problem with LDAP in OpenKM 6.2

 #19186  by ashley_420
 
I am not sure about prefix "ROLE_" but in the logs it is looking for the same when you try to access the Admin Tab.
Code: Select all
org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /admin/index.jsp; Attributes: [ROLE_ADMIN]
Maybe jllort can confirm this.

Re: Problem with LDAP in OpenKM 6.2

 #19205  by gimla
 
I do some test and if I create groups in LDAP : ROLE_ADMIN and ROLE_USER (and assign users in this roles), then everything work fine. Exists some way, how work without this roles?

Re: Problem with LDAP in OpenKM 6.2

 #19224  by jllort
 
No, are mandatory. Are used to pass login page ( and only used for it )

Re: Problem with LDAP in OpenKM 6.2

 #19235  by ashley_420
 
Hi,

I was going through the documentation and it suggests that it is possible to change the default roles (ROLE_ADMIN and ROLE_USER) to a desired one.

To change ROLE_USER read this
http://wiki.openkm.com/index.php/Applic ... ction_role

and to change ROLE_ADMIN, read this
http://wiki.openkm.com/index.php/Applic ... admin_role

This refers to JBOSS but I guess this should work for Tomcat also. You can try the same and let us know if this solves your problem.

Re: Problem with LDAP in OpenKM 6.2

 #19456  by gimla
 
Finally, i decide to create groups ROLE_ADMIN and ROLE_USER. It's work.

But now I have different problem with Security. (I can see users, roles and all this information-> user by role and roles by user)

When i change Security on the folders, only users access work. I can add roles in security, but users in this role can't see or work with this folder.

Thank you for any help

Re: Problem with LDAP in OpenKM 6.2

 #19483  by jllort
 
Could be a problem getting roles from active directory. To test it:

1- login with user with ADMIN_ROLE and Other role:
2- go to administration tab -> scripting and execute it to get principals ( roles associated to users ):
Code: Select all
import com.openkm.spring.PrincipalUtils;
import java.util.*;
 
HashSet roles = PrincipalUtils.getRoles();
for (Iterator it = roles.iterator(); it.hasNext();) {
    String role = (String) it.next();
    print("{"+role+"}<br/>");
}
 
print(PrincipalUtils.getRoles());
You'll see which roles are really assigned to this user when login

Re: Problem with LDAP in OpenKM 6.2

 #20615  by Catscratch
 
Hi,

I got the same problem. But I can't solve them. Seems some problem with finding roles by the username.

But I don't know what is exactly wrong.
I think there is an error in the OpenKM.xml config. What exactly should the group-search-* contain?
Also I got a working okm 5.1 as reference for the settings.

But first of all, some logs and so on.

Logfile:
Code: Select all
...
2013-01-07 14:01:02,372 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2013-01-07 14:01:02,372 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user: okmstudent
2013-01-07 14:01:02,377 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'okmstudent', with user search [ searchFilter: '(&(sAMAccountName={0})(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))', searchBase: 'ou=MMTOpenUsers,dc=mmtopen,dc=de', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-01-07 14:01:02,387 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN '', base = 'ou=MMTOpenUsers,dc=mmtopen,dc=de', filter = '(&(sAMAccountName={0})(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))'
2013-01-07 14:01:02,389 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-07 14:01:02,392 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Attempting to bind as cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-07 14:01:02,392 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-07 14:01:02,398 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
2013-01-07 14:01:02,405 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-07 14:01:02,409 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'okmstudent', DN = 'cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de', with filter (member={1}) in search base 'cn=Users,dc=mmtopen,dc=de'
2013-01-07 14:01:02,412 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (member=okmstudent)
2013-01-07 14:01:02,412 [http-bio-0.0.0.0-8080-exec-3] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-01-07 14:01:02,414 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: []
2013-01-07 14:01:02,415 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de

...

2013-01-07 14:01:02,469 [http-bio-0.0.0.0-8080-exec-1] INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/okmstudent
2013-01-07 14:01:02,476 [http-bio-0.0.0.0-8080-exec-1] ERROR com.openkm.module.db.DbAuthModule - 6b5ca2f3-a901-4caa-878a-402eea293d42 : /okm:trash
com.openkm.core.PathNotFoundException: 6b5ca2f3-a901-4caa-878a-402eea293d42 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:106)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:102)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:437)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:400)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:81)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:52)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
OpenKM.xml
Code: Select all
<security:ldap-server id="ldapServer"
    url="ldap://<MY SERVER>:389"
    manager-dn="cn=<USER>,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de"
    manager-password="<PASSWORD>"/>
 
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="ou=MMTOpenUsers,dc=mmtopen,dc=de"
      user-search-filter="(&(sAMAccountName={0})(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))"
      group-search-base="cn=Users,dc=mmtopen,dc=de"
      group-search-filter="(member={1})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>
OpenKM Konfiguration in the database (put from working 5.1 copy):
Code: Select all
	default.user.role	UserRole
	default.admin.role	OpenKMAdmins

	principal.adapter	com.openkm.principal.DatabasePrincipalAdapter
			
	principal.ldap.server	ldap://<MYSERVER>:389
	principal.ldap.security.principal	CN=<USER>,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.security.credentials	<PASSWORD>
	principal.ldap.referral	
	principal.ldap.users.from.roles	false
	principal.ldap.user.search.base	ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.user.search.filter	(&(objectClass=person)(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))
	principal.ldap.user.attribute	cn
	principal.ldap.role.search.base	cn=Users,dc=mmtopen,dc=de
	principal.ldap.role.search.filter	(&(objectClass=group)(memberOf=cn=OpenKMGroups,cn=Users,dc=mmtopen,dc=de))
	principal.ldap.role.attribute	cn
	principal.ldap.username.search.base	ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.username.search.filter	(&(objectClass=person)(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de)(sAMAccountName={0}))
	principal.ldap.username.attribute	cn
	principal.ldap.mail.search.base	ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.mail.search.filter	(&(objectClass=person)(sAMAccountName={0}))
	principal.ldap.mail.attribute	mail
	principal.ldap.users.by.role.search.base	cn={0},cn=Users,dc=mmtopen,dc=de
	principal.ldap.users.by.role.search.filter	(objectClass=group)
	principal.ldap.users.by.role.attribute	member
	principal.ldap.roles.by.user.search.base	ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.roles.by.user.search.filter	(&(objectClass=person)(cn={0}))
	principal.ldap.roles.by.user.attribute	memberOf
Some advice?

Thanks!

Re: Problem with LDAP in OpenKM 6.2

 #20631  by jllort
 
Please Catscratch open other post for it, otherside it becomes enormeus and we're talking of differents problems on same post ( that can generate confusion to the reader )
 Reply
 Return to “Configuration”

Favorites

About Us

OpenKM is part of the management software. A management software is a program that facilitates the accomplishment of administrative tasks. OpenKM is a document management system that allows you to manage business content and workflow in a more efficient way. Document managers guarantee data protection by establishing information security for business content.

Powered By phpBB -
 ©OpenKM 2021
 - All times are UTC -