• LDAP not working correctly in 6.2

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #20687  by dejanfc
 
This happens when the roles in OpenKM configuration and the ones the user that's trying to login has in ldap do not match.

For example, if you have default.user.role set to OpenKMAllusers, and user1 is in that group on the ldap, he'll be able to log in, but user2, who is not in the OpenKMAllusers on ldap, will get a path not found exception error.

In your earlier posts you pasted this configuration for your OpenKM:

default.user.role UserRole
default.admin.role OpenKMAdmins

Is that still true or did you change it? One quick way to test is to add UserRole to your ldap groups and put user rf2 in it. If that doesn't work, you can connect to the embedded database and check the config table for the roles:
techexpress wrote: OK, I think you need to first connect to the Hypersonic of OpenKM, export the tables and import them in MySQL.
After changing the OpenKM connection parameter, adapt the tables.
I am trying to understand how to back up the Hypersonic server, because I do not have to run the 6.2 version with MySQL.
source: http://hsqldb.org/doc/guide/ch01.html#N100B7
To run the DatabaseManager go to the opt/openkm-6.2.0-community/tomcat/lib folder
and run
Code:
java -cp hsqldb.jar org.hsqldb.util.DatabaseManager
For the connection information, the user name is sa and there is no password.
For the URL I take the info in /opt/openkm-6.2.0-community/tomcat/conf/server.xml
Code:
   username="sa" password="" driverClassName="org.hsqldb.jdbcDriver"
            url="jdbc:hsqldb:${catalina.base}/repository/okmdb"/>
catalina.base is the path of OpenKM (Ex: opt/openkm-6.2.0-community/tomcat)
okmdb is the name of the database and of all these files

so the url must be jdbc:hsqldb:file:/opt/openkm-6.2.0-community/tomcat/okmdb
I had to run catalina.sh stop because the file was locked; I think if we can use a direct connection instead of the files we could connect to the database without stopping OpenKM.

Please leave us your feedback, it will be very appreciated.

Some more info for the connection URL: http://hsqldb.org/doc/2.0/guide/dbproperties-chapt.html
 #20688  by Catscratch
 
dejanfc wrote: default.user.role UserRole
default.admin.role OpenKMAdmins

Is that still true or did you change it?
I already changed it to default.user.role OpenKMAllUsers
dejanfc wrote: One quick way to test is to add UserRole to your ldap groups and put user rf2 in it.
With default as OpenKMAllUsers this step should be obsolete.
dejanfc wrote: If that doesn't work, you can connect to the embedded database and check the config table for the roles:
But I'm using mysql as database, not the embedded one.

And the filters in mysql are the following:
Code:
	principal.ldap.role.search.base	= cn=Users,dc=mmtopen,dc=de
	principal.ldap.role.search.filter	= (&(objectClass=group)(memberOf=cn=OpenKMGroups,cn=Users,dc=mmtopen,dc=de))
	principal.ldap.role.attribute	= cn
 #20690  by dejanfc
 
I suggest you save your OpenKM.xml somewhere, revert back to original file (with basic auth), drop the tables from okmdb, edit the OpenKM.cfg hibernate property to "create" and restart tomcat to re-populate the database. After that, log in with okmAdmin/admin, and first set up your ldap configuration on the Config tab (do not change the default admin role until you confirm that regular users can log in!) and see if you can list users and their respective roles on the User tab (tomcat requires restart if you change the connection adapter). After you can list users/roles properly, edit the default user role and copy back the OpenKM.xml with your ldap configuration. Restart tomcat again and see if users can log in.
 #20719  by jllort
 
Only for your consideration: if you change it to create you will lose all your data! To restore the okmAdmin password, the value in the database should be '21232f297a57a5a743894a0e4a801fc3'
 #20753  by Catscratch
 
I tried a little bit. But I still have a problem left.

If I go to administration tab -> users I see all users correctly.

Like this:
Code:
# - Id - Name - Mail - Roles
1 - userlogin1 - Hans Meier - Hans@online.de - Role1 Role2
2 - userlogin2 - Betty Meier - Betty@online.de - Role1, Role2, Role4
3 - userlogin3 - Uli Pinkert - Uli@online.de - Role3
But if I choose a role from the dropdown list (e.g. Role1) I get something like this:
Code:
# - Id - Name - Mail - Roles
1 - Hans Meier - Hans Meier - Hans@online.de - 
2 - Betty Meier - Betty Meier - Betty@online.de - 
So, I get the correct users, but the IDs are wrong and no roles are shown anymore.

Hm, so what is the right filter for this?
 #20769  by Catscratch
 
OK, I get the old error again.

He's not finding any roles on login.
Code:
2013-01-16 13:20:13,740 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-16 13:20:13,740 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'okmstudent', DN = 'cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de', with filter (&(objectClass=group)(memberOf=cn=OpenKMGroups,cn=User,dc=mmtopen,dc=de)) in search base ''
2013-01-16 13:20:13,740 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (&(objectClass=group)(memberOf=cn=OpenKMGroups,cn=User,dc=mmtopen,dc=de))
2013-01-16 13:20:13,743 [http-bio-0.0.0.0-8080-exec-9] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-01-16 13:20:13,749 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: []
Code:
<!-- BEAN CONFIGURATION -->
	<security:authentication-manager alias="authenticationManager">
	  <security:authentication-provider ref="ldapAuthProvider" />
	</security:authentication-manager>
 
	<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
	  <beans:constructor-arg value="ldap://<MYSERVER>/ou=MMTOpenUsers/dc=mmtopen,dc=de"/>
	  <beans:property name="userDn" value="cn=<MYUSER>,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de"/>
	  <beans:property name="password" value="<MYPASSWORD>"/>
	</beans:bean>
 
	<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
	  <beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
		  <beans:constructor-arg ref="contextSource"/>
		  <beans:property name="userSearch" ref="userSearch"/>
		</beans:bean>
	  </beans:constructor-arg>
	  <beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
		  <beans:constructor-arg ref="contextSource"/>
		  <beans:constructor-arg value=""/>
		  <beans:property name="groupSearchFilter" value="(&(objectClass=group)(memberOf=cn=OpenKMGroups,cn=User,dc=mmtopen,dc=de))"/>
		  <beans:property name="groupRoleAttribute" value="cn"/>
		  <beans:property name="searchSubtree" value="true" />
		  <beans:property name="convertToUpperCase" value="false" />
		  <beans:property name="rolePrefix" value="" /> 
		</beans:bean>
	  </beans:constructor-arg>
	</beans:bean>
 
	<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
	  <beans:constructor-arg index="0" value="" />
	  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
	  <beans:constructor-arg index="2" ref="contextSource" />
	  <beans:property name="searchSubtree" value="true" />
	</beans:bean>
Here is the corresponding configuration of the OKM integration.

There must be something wrong with the roles filter...

Is there a way to test the filter expressions? E.g. with Apache Directory Studio?
 #20776  by dejanfc
 
You left the role search base empty when you went to bean configuration:

(in ldapauthoritiespopulator)

<beans:constructor-arg value=""/>

Should be something like

<beans:constructor-arg value="cn=Users,dc=company,dc=name"/>

And make sure that repository is readable by the new user role you've selected.
 #20777  by Catscratch
 
Thanks for reply. I'm making progress.

I get:
Code:
2013-01-16 15:04:06,866 [http-bio-0.0.0.0-8080-exec-4] ERROR org.apache.catalina.core.ContainerBase.[Catalina].[localhost].[/OpenKM].[default] - Servlet.service() for servlet [default] in context with path [/OpenKM] threw exception
org.springframework.ldap.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
	'OU=MMTOpenUsers,DC=mmtopen,DC=de'
]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
	'OU=MMTOpenUsers,DC=mmtopen,DC=de'
]; remaining name 'cn=Users,dc=mmtopen,dc=de'
	at org.springframework.ldap.support.LdapUtils.convertLdapException(LdapUtils.java:174)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:306)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:259)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:606)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:524)
	at org.springframework.security.ldap.SpringSecurityLdapTemplate.searchForSingleAttributeValues(SpringSecurityLdapTemplate.java:173)
	at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGroupMembershipRoles(DefaultLdapAuthoritiesPopulator.java:215)
	at org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator.getGrantedAuthorities(DefaultLdapAuthoritiesPopulator.java:185)
	at org.springframework.security.ldap.authentication.LdapAuthenticationProvider.loadUserAuthorities(LdapAuthenticationProvider.java:197)
	at org.springframework.security.ldap.authentication.AbstractLdapAuthenticationProvider.authenticate(AbstractLdapAuthenticationProvider.java:63)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:156)
	at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:174)
	at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:94)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:194)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
Caused by: javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001E4, problem 2001 (NO_OBJECT), data 0, best match of:
	'OU=MMTOpenUsers,DC=mmtopen,DC=de'
]; remaining name 'cn=Users,dc=mmtopen,dc=de'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3066)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2987)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2794)
	at com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1826)
	at com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1749)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
	at javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
	at org.springframework.ldap.core.LdapTemplate$4.executeSearch(LdapTemplate.java:253)
	at org.springframework.ldap.core.LdapTemplate.search(LdapTemplate.java:293)
	... 34 more
I defined the base for groups as
Code:
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
	  ...
	  <beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
		  <beans:constructor-arg ref="contextSource"/>
		  <beans:constructor-arg value="cn=Users,dc=mmtopen,dc=de"/>
		...
Our Users are defined in ou=MMTOpenUsers,dc=mmtopen,dc=de.
And our Groups/Roles are defined in cn=Users,dc=mmtopen,dc=de.

So from my point of view, it looks good?!

Just for completeness. Here is the whole config again:
Code:
<!-- BEAN CONFIGURATION -->
	<security:authentication-manager alias="authenticationManager">
	  <security:authentication-provider ref="ldapAuthProvider" />
	</security:authentication-manager>
 
	<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
	  <beans:constructor-arg value="ldap://<SERVER>/ou=MMTOpenUsers,dc=mmtopen,dc=de"/>
	  <beans:property name="userDn" value="cn=<ADMINUSER>,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de"/>
	  <beans:property name="password" value="<ADMINPW>"/>
	</beans:bean>
 
	<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
	  <beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
		  <beans:constructor-arg ref="contextSource"/>
		  <beans:property name="userSearch" ref="userSearch"/>
		</beans:bean>
	  </beans:constructor-arg>
	  <beans:constructor-arg>
		<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
		  <beans:constructor-arg ref="contextSource"/>
		  <beans:constructor-arg value="cn=Users,dc=mmtopen,dc=de"/>
		  <beans:property name="groupSearchFilter" value="(&(member={0})(objectClass=group))"/>
		  <beans:property name="groupRoleAttribute" value="cn"/>
		  <beans:property name="searchSubtree" value="true" />
		  <beans:property name="convertToUpperCase" value="false" />
		  <beans:property name="rolePrefix" value="" /> 
		</beans:bean>
	  </beans:constructor-arg>
	</beans:bean>
 
	<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
	  <beans:constructor-arg index="0" value="" />
	  <beans:constructor-arg index="1" value="sAMAccountName={0}" />
	  <beans:constructor-arg index="2" ref="contextSource" />
	  <beans:property name="searchSubtree" value="true" />
	</beans:bean>
 #20778  by dejanfc
 
Are you sure you're logging in as a valid user? If yes, then you could set the context source one level up, i.e. instead of ou=mttopenuser,dc=company,dc=name just dc=company,dc=name, and then set the search filters on the bind and authorities authenticators more strictly.
 #20779  by Catscratch
 
Yes. The user is valid.

If I use wrong credentials I get an authentication error.
LDAP: error code 49

If I set the context source one level up, the same error occurs.

And how much more strict should I set the filters? If I use the filters openkm logs at runtime and try them in e.g. Windows, I get the correct groups.
 #20798  by dejanfc
 
I don't see why a windows install would work with same settings :? . You had a working setup on the previous page (with namespace config, where you were getting the correct roles), I suggest you go back to that. Also note that repository has to have read permissions for the new user role (by default it's set to ROLE_USER only).

If you can still access the admin tab, first update your role filters so that you can see them via Users tab. When that is done, set read permissions for all repository nodes for the new user role (click on each node, go to Security, click Update and add the roles). Then use the namespace config for ldap auth manager that was working for you.
 #20807  by Catscratch
 
No, I did not try a windows okm installation. I meant, if I use the filters from the console in the windows server active directory explorer, I get the right results. :-)

But I don't know, why the NameNotFoundException: [LDAP: error code 32] should be correlated to some wrong user rights. The okm repository is still clear and contains no data. It is just a fresh installation.

It would be interesting what is happening at this point where the NameNotFoundException is thrown.

... I hate ldap ... ;-)
 #20808  by dejanfc
 
NameNotFound exception is shown when the search base isn't set right. I just noticed you also have an empty search base in your UserSearch bean (missed this one before, sorry :( ).

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="" />

Change to (I used the info you provided in a post above)

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
<beans:constructor-arg index="0" value="ou=MMTOpenUsers,dc=mmtopen,dc=de" />
 #20970  by jllort
 
Better if you connect as
Code:
<beans:constructor-arg value="ldap://<MYSERVER>/"/>
Without ou=MMTOpenUsers/dc=mmtopen,dc=de; otherwise each filter path you put is concatenated with ou=MMTOpenUsers/dc=mmtopen,dc=de

On groups I suggest something like:
Code:
<beans:constructor-arg value="dc=mmtopen,dc=de"/>
<beans:property name="groupSearchFilter" value="member={0}"/>
And in users:
Code:
<beans:constructor-arg index="0" value="dc=mmtopen,dc=de" />
<beans:constructor-arg index="1" value="sAMAccountName={0}" />
Each value indicates the base node where searching starts; in this case it is the same for users and roles (after you get it working correctly you can play with a more filtered configuration).
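To make the base and filter behaviour discussed in this thread concrete, here is an added Python example (not OpenKM's or Spring Security's code) that replays the two searches the beans above perform, user lookup by sAMAccountName and then group lookup, against a small constructed in-memory directory. The directory entries, the okmstudent user and the OpenKMGroups container are assumed from the DNs quoted in the thread; the filter evaluator handles only & and equality, which is all these filters use.

```python
import re

# Constructed sample directory modelled on the DNs quoted in the thread.
USER_DN = "cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de"
GROUPS_OU = "cn=OpenKMGroups,cn=Users,dc=mmtopen,dc=de"
DIRECTORY = {
    USER_DN: {"objectClass": ["user"], "sAMAccountName": ["okmstudent"]},
    "cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de": {"objectClass": ["group"],
        "cn": ["OpenKMAllUsers"], "member": [USER_DN], "memberOf": [GROUPS_OU]},
    "cn=OpenKMAdmins,cn=Users,dc=mmtopen,dc=de": {"objectClass": ["group"],
        "cn": ["OpenKMAdmins"], "memberOf": [GROUPS_OU],
        "member": ["cn=Someone Else,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de"]},
}
# The two group filters from the thread; only the second one references {0}.
STATIC_FILTER = "(&(objectClass=group)(memberOf=%s))" % GROUPS_OU
MEMBER_FILTER = "(&(member={0})(objectClass=group))"

def matches(entry, filt):
    """Minimal LDAP filter evaluator: only (&...) and (attr=value) are handled."""
    filt = filt.strip()
    if not filt.startswith("("):          # Spring accepts a bare 'member={0}'
        filt = "(%s)" % filt
    if filt.startswith("(&"):
        return all(matches(entry, p) for p in re.findall(r"\([^()]*\)", filt[2:-1]))
    attr, value = filt[1:-1].split("=", 1)
    return value.lower() in [v.lower() for v in entry.get(attr, [])]

def search(base, filt):
    """Subtree search under base; a base naming no existing entry produces the
    NO_OBJECT (error code 32) condition seen in the thread's stack trace."""
    base = base.lower()
    if base and not any(dn.lower().endswith(base) for dn in DIRECTORY):
        raise LookupError("LDAP: error code 32 NO_OBJECT, base %r" % base)
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base) and matches(e, filt)]

def roles_for(user, ctx_base, user_base, user_filter, group_base, group_filter):
    """Replay BindAuthenticator + DefaultLdapAuthoritiesPopulator: every search
    base is relative to the base DN given in the context-source URL (ctx_base)."""
    full = lambda b: ",".join(p for p in (b, ctx_base) if p)
    users = search(full(user_base), user_filter.replace("{0}", user))
    if len(users) != 1:
        raise LookupError("user search must return exactly one entry: %r" % users)
    groups = search(full(group_base), group_filter.replace("{0}", users[0]))
    return sorted(DIRECTORY[g]["cn"][0] for g in groups)

def run_cases():
    """The thread's configurations, keyed by what each one demonstrates."""
    ctx, uf = "ou=MMTOpenUsers,dc=mmtopen,dc=de", "sAMAccountName={0}"
    out = {"url_base_only": roles_for("okmstudent", ctx, "", uf, "", STATIC_FILTER)}
    try:    # group base gets appended to the URL base: that DN does not exist
        roles_for("okmstudent", ctx, "", uf, "cn=Users,dc=mmtopen,dc=de", MEMBER_FILTER)
    except LookupError as err:
        out["base_appended_to_url"] = str(err)
    # jllort's layout: no base in the URL, explicit bases, member={0}
    out["explicit_bases"] = roles_for("okmstudent", "", "dc=mmtopen,dc=de", uf,
                                      "dc=mmtopen,dc=de", "member={0}")
    # static memberOf filter never references the user: everyone gets every group
    out["static_filter"] = roles_for("okmstudent", "", "", uf,
                                     "cn=Users,dc=mmtopen,dc=de", STATIC_FILTER)
    return out
```

Calling run_cases() shows the empty role list, the error code 32 case, the working layout and, for the static filter, an okmstudent login that would receive OpenKMAdmins as well.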
