• LDAP not working correctly in 6.2

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #21005  by Catscratch
 
I tried all your suggestions.

Still getting the error:
Code:
2013-01-21 16:25:46,014 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user: okmstudent
2013-01-21 16:25:46,015 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'okmstudent', with user search [ searchFilter: 'sAMAccountName={0}', searchBase: 'ou=MMTOpenUsers,dc=mmtopen,dc=de', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-01-21 16:25:46,098 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN '', base = 'ou=MMTOpenUsers,dc=mmtopen,dc=de', filter = 'sAMAccountName={0}'
2013-01-21 16:25:46,129 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-21 16:25:46,140 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Attempting to bind as cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-21 16:25:46,140 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-21 16:25:46,155 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
2013-01-21 16:25:46,160 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-21 16:25:46,160 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'okmstudent', DN = 'cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de', with filter member={0} in search base 'cn=Users,dc=mmtopen,dc=de'
2013-01-21 16:25:46,160 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: member=cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-21 16:25:46,164 [http-bio-0.0.0.0-8080-exec-1] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-01-21 16:25:46,223 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [OpenKMAllUsers, OpenKMStudenten]
2013-01-21 16:25:46,224 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
Code:
2013-01-21 16:25:46,434 [http-bio-0.0.0.0-8080-exec-3] INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/okmstudent
2013-01-21 16:25:46,449 [http-bio-0.0.0.0-8080-exec-3] ERROR com.openkm.module.db.DbAuthModule - 1c5586aa-6d25-4e1f-a345-0cf721d8e304 : /okm:trash
com.openkm.core.PathNotFoundException: 1c5586aa-6d25-4e1f-a345-0cf721d8e304 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:106)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:102)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:443)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:406)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:82)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:52)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
The user is found correctly. Also all the related groups are found correctly. The filters seem ok.
So what is wrong with this exception?

OKM creates the right folder (Create okm:trash/okmstudent) but is then looking for a folder (1c5586aa-6d25-4e1f-a345-0cf721d8e304 : /okm:trash) which was never created?!?! I don't understand this step. What is okm doing there? And where does this strange ID come from?

Thanks guys!
 #21018  by dejanfc
 
Looks like you got everything working, the only thing left is to set read permissions on every node in repository (okm:root, okm:categories, okm:personal, etc) for your new User role.
 #21020  by Catscratch
 
I did it, but the error remains.

I also changed the default admin role to my ldap group. So I can login with okmAdmin (I created this user in the ldap) and see the Administration Panel. Also my login name is "red" which indicates the system identified me as admin. But if I click on the admin panel I get "Unauthorized access".

And what does the dbAuthModule do? This module is throwing the strange exception. So what does the DbAuthModule try when a user logs in and the okmTrash/USERNAME is created? Where does this long ID come from?
 #21021  by dejanfc
 
To bypass the admin filter, change the attribute value on the "/admin/**" url from "ROLE_ADMIN" to something else, i.e., "IS_FULLY_AUTHENTICATED" (the app will still check for roles though, so users shouldn't be able to even see the admin tab).

Unfortunately I can't help you with dbAuthModule, but it's possible you have some leftover data in your database that's tied to repository. If you don't need any documents from the repository (assuming this is a test installation), you could just delete the local repository folder and drop the database tables then recreate the config you use now (you can export it before doing this).
 #21023  by Catscratch
 
So.

I kept the OpenKM.xml configuration. I cleared the database and removed the repository. Then started up okm again with setting hibernate.hbm2ddl=create.

After startup, the database was filled up again by openkm. Ok.
I logged in with ldap okmAdmin and everything was working fine, except for the admin panel, because the admin role was back at the standard (ROLE_ADMIN).

Then I tried to login with a user account and I got the same error message:
com.openkm.core.RepositoryException: PathNotFoundException: bdaa0d87-eb89-4477-a4d9-c763e0751fea : /okm:trash

So what's wrong here?
Interesting is that every normal user gets the same error message, meaning the same ID ( bdaa0d87-eb89-4477-a4d9-c763e0751fea ).
What is this ID? Should this be the ID of the repository? Because if I login with an admin account I can see the repository ID and it is another one.

I don't know what's going wrong, but it seems like this is a strange bug of openkm itself.
 #21025  by Catscratch
 
Yes.

But I can't set the permission for the okm:trash node. Maybe that's the problem. So no user has read access to the okm:trash node and that could result in the given exception. On every other tab (taxonomy, E-Mail, ...) I can see the permission "Update" button. But not on trash.

E.g. taxonomy
Image

E.g. Trash
Image

Ideas?
 #21026  by dejanfc
 
You can't update security on okm:trash node, it should work by default. What happens if you set Read permission on entire repository for a specific non-admin user and then try to log in with his credentials? Does that go through?
 #21027  by Catscratch
 
No success.

But I wonder. If I try to log in, the logfile tells me:
Code:
2013-01-22 15:26:24,589 [http-bio-0.0.0.0-8080-exec-1] INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/okmstudent
But when I look into the repository with an admin there is no such folder.
Image

And yes. The user okmstudent has read, write, delete permissions on the okm:root node in taxonomy.
 #21045  by Catscratch
 
Ok, short feedback.

I checked out the okm sources and started debugging on this problem.

The problem definitely is in com.openkm.module.db.stuff.SecurityHelper.java.
In the method checkProperties.

There you try to check the user permissions for a node.
In my case, the user has the role "OpenKMAllUsers" and the node to check is "okm:trash".
Code:
// rolesPerms: map of role name -> permission bits granted on the node being checked
Integer rolePerms = rolesPerms.get(role);

// a role that is absent from the map yields null and therefore never grants access
if (rolePerms != null && (perms & rolePerms) != 0) {
	log.debug("checkProperties: {}", true);
	return true;
}
There "rolesPerms" is null because no permission for role "OpenKMAllUsers" could be found.

But I can't get any role for the node okm:trash. Only the standard role "ROLE_USER". For every other node (like taxonomy, email, ...), I can set user permissions. So my question is, how do I set read permission for another role than ROLE_USER on the whole repository? That would solve the problem.
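Added example, not OpenKM's own code and not posted by anyone in the thread: a small Java model of the role-to-permission-bits check whose core is quoted above from checkProperties. Class, method and variable names are assumptions; only the shape of the `rolePerms != null && (perms & rolePerms) != 0` test comes from the snippet, and the base-node defaults are constructed to match the thread's description (the creation template grants only ROLE_USER and ROLE_ADMIN). It shows why a user whose only authorities are directory groups (OpenKMAllUsers, OpenKMStudenten, as in the log) is denied on such a node, adds an audit that lists the nodes that would deny READ to a given set of roles before any login fails, and walks through both remedies that appear in the thread: adding a directory group literally named ROLE_USER, or granting the directory group on every node.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

/*
 * Hypothetical model of OpenKM's role-based node permission check.
 * Not OpenKM source: names and defaults below are assumptions made for illustration.
 */
public class NodePermissionModel {

    // Permission bits, combined with bitwise OR and tested with bitwise AND,
    // in the style of the (perms & rolePerms) != 0 test in the quoted snippet.
    static final int READ = 1;
    static final int WRITE = 2;
    static final int DELETE = 4;
    static final int SECURITY = 8;

    // node path -> (role name -> permission bits granted to that role on the node)
    private final Map<String, Map<String, Integer>> nodeRolePerms = new HashMap<>();

    void grant(String node, String role, int perms) {
        nodeRolePerms.computeIfAbsent(node, k -> new HashMap<>())
                     .merge(role, perms, (a, b) -> a | b);
    }

    // Mirrors the quoted logic: the check passes only if some role the user holds
    // is present in the node's role map AND shares at least one bit with perms.
    // A role that is absent from the map yields null and counts as "no access".
    boolean checkProperties(String node, List<String> userRoles, int perms) {
        Map<String, Integer> rolesPerms =
                nodeRolePerms.getOrDefault(node, Collections.<String, Integer>emptyMap());
        for (String role : userRoles) {
            Integer rolePerms = rolesPerms.get(role);
            if (rolePerms != null && (perms & rolePerms) != 0) {
                return true;
            }
        }
        return false;
    }

    // Defender-side audit: which nodes would deny READ to a user carrying exactly
    // these directory-derived roles? Running this before rollout surfaces the
    // ROLE_USER-vs-directory-group mismatch without waiting for a login failure.
    List<String> nodesDenyingRead(List<String> userRoles) {
        List<String> denied = new ArrayList<>();
        for (String node : nodeRolePerms.keySet()) {
            if (!checkProperties(node, userRoles, READ)) {
                denied.add(node);
            }
        }
        Collections.sort(denied);
        return denied;
    }

    public static void main(String[] args) {
        NodePermissionModel repo = new NodePermissionModel();

        // Constructed defaults: only the built-in roles are granted on the base nodes.
        for (String node : Arrays.asList("/okm:root", "/okm:categories",
                                         "/okm:personal", "/okm:trash")) {
            repo.grant(node, "ROLE_USER", READ | WRITE | DELETE);
            repo.grant(node, "ROLE_ADMIN", READ | WRITE | DELETE | SECURITY);
        }

        // Roles exactly as the LDAP authorities populator reported them in the log above.
        List<String> adRoles = Arrays.asList("OpenKMAllUsers", "OpenKMStudenten");
        System.out.println("AD groups only, READ on /okm:trash: "
                + repo.checkProperties("/okm:trash", adRoles, READ));
        System.out.println("Nodes denying READ to AD groups: " + repo.nodesDenyingRead(adRoles));

        // Remedy 1: the same users are also members of a directory group named ROLE_USER.
        List<String> withRoleUser = Arrays.asList("ROLE_USER", "OpenKMAllUsers");
        System.out.println("With ROLE_USER, READ on /okm:trash: "
                + repo.checkProperties("/okm:trash", withRoleUser, READ));

        // Remedy 2: grant the directory group READ on every node instead
        // (iterate over a copy so the map is not modified while being walked).
        for (String node : new ArrayList<>(repo.nodeRolePerms.keySet())) {
            repo.grant(node, "OpenKMAllUsers", READ);
        }
        System.out.println("After granting OpenKMAllUsers: " + repo.nodesDenyingRead(adRoles));
    }
}
```

Either remedy makes the audit list come back empty; the difference is where the mapping lives. Remedy 1 keeps the repository's ACLs untouched and puts the mapping in the directory, which is what the thread's maintainer recommends; remedy 2 keeps the directory untouched and spreads the grant over every node, so it has to be repeated for every node created later and is easy to leave incomplete.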
 #21083  by Catscratch
 
Ok, I solved it.

From my point of view, it is a bug of openkm. Please fix it in the next update!

I manually modified the permissions of the okm:trash node and all other nodes in the database and set them to my ldap user group. Now users can login. I would say it is a bug of the database creation template. You set everything to ROLE_ADMIN and ROLE_USER by default, but noone is using these roles in an active directory.
 #21100  by jllort
 
It's not a bug, it's a bad configuration, and from what you said you continue to have it configured incorrectly. All users should be members of ROLE_USER or ROLE_ADMIN, and from what I understood you have not assigned ROLE_USER in your AD to the users ( create a new group called ROLE_USER and assign it to the users who log in to OpenKM ).

I'm sure it is not a bug because during the last year I have done several AD integrations ( Active Directory, OpenLDAP etc... ) and there's no problem with it. Simply, the configuration is not correct in your OpenKM.xml or in your AD. If you made the changes I suggested, I suspect the problem is in your AD. Sincerely, there's nothing to be corrected in the OpenKM AD integration source code.

Note: The change suggested by dejanfc is not correct either, because you're changing the /admin security restriction from ROLE_ADMIN to any logged-in user ( a user with any credentials to access OpenKM ).
 #21101  by Catscratch
 
ROLE_USER and ROLE_ADMIN are standard AD roles that should be changed in an AD when using it in production systems. For test ADs it is ok. But in ADs used in practice I never found these roles, because companies have their own roles reflecting the company structure.

However, I think it is borderline to force users to use hard-coded roles in their AD. The generic way would be to let the user specify the standard roles. But it is ok. Now it is working for me. :-) And the "fix" from dejanfc works, too. Authenticated users can't access the admin tab unless they belong to an administrator role.

So thanks for your help. It helped me to get a better understanding of how the ldap integration in tomcat in openkm works! :D
 #21104  by jllort
 
ROLE_USER and ROLE_ADMIN are connection grants to OpenKM. If you want to see them as company roles because there's some policy in your company to create groups, obviously you're right. Normally these scenarios are in large companies with a lot of centralized applications. Anyway, we suggest using the default roles because AD is a difficult configuration; we suggest doing the default first and then, if you want to try this kind of change, trying it later. All at the same time is difficult.

Can you try any authenticated user ( without ROLE_ADMIN or whatever you used for it ) with your ip:/OpenKM/admin ? Because one thing is that as a normal user you cannot see it, and another is that you get access.
 #21116  by Catscratch
 
Authenticated users can't see the admin tab. If they try to access the admin folder directly, they get the message: "Only admin users allowed".

So it seems you got some other security checks in okm that prohibit this access for non admin users. :-)
And this is good. Hehe.
