LDAP - ActiveDirectory - OKM CE 6.2

[fergalom]

Can someone plase help with configuration of LDAP for AD (SBS 2011)

OKM CE 6.2 running on Ubuntu 12.10.

The administrator and users (e.g. fwuser) are in two different branches of the AD structure as follows:

Code: Select all

dc=fw,dc=local
|
|___
|     |
|     ou=MyBusiness
|           |
|           ou=Users
|                |
|               ou=SBSUsers
|                         |
|                        cn=fwuser
|
|___
      |
     CN=Users
           |
          CN=Administrator

My OpenKM.xml

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
  
<security:ldap-server id="ldapServer"
    url="ldap://10.10.1.2:389/DC=ldap,DC=fw,DC=local"
    manager-dn="CN=Administrator,CN=Users,DC=fw,DC=local"
    manager-password="pass1234"/>
 
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="cn=Users"
      user-search-filter="(sAMAccountName={0})"
      group-search-base="cn=Users"
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>
  
</beans:beans>

And the config within OpenKM:

Code: Select all

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 
principal.ldap.server=ldap://10.10.1.2
principal.ldap.security.principal=CN=Administrator,cn=Users,dc=fw,dc=local
principal.ldap.security.credentials=pass1234
 
principal.ldap.user.search.base=cn=Users,dc=fw,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName
 
principal.ldap.role.search.base=cn=Users,dc=fw,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
 
principal.ldap.mail.search.base=cn=Users,dc=fw,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail
 
principal.ldap.username.search.base=cn=Users,dc=fw,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn
 
principal.ldap.users.by.role.search.base=cn={0},cn=Users,dc=fw,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
 
principal.ldap.roles.by.user.search.base=cn=users,dc=fw,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf

Catalina.log

Code: Select all

2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@625b99ed. A new one will be created.
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Request is to process authentication
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user: administrator
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'administrator', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'cn=Users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=fw,DC=local'
\00]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=fw,DC=local'
\00]; remaining name 'cn=Users'
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@331efc39
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - Redirecting to /login.jsp?error=1
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to '/OpenKM/login.jsp?error=1'
2013-02-14 14:07:01,412 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2013-02-14 14:07:01,412 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

Any pointers greatly appreciated

[dejanfc]

At first glance it looks like you're trying to log in as 'administrator', but your account starts with a capital A (Administrator).

[fergalom]

Thanks but from the wiki

Code: Select all

In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable
system.login.lowercase=on

Also if you look at OpenKM.xml and the config, it is using "Administrator"

The catalina log shows lowercase due to system.login.lowercase=on
I have tried system.login.lowercase=off also and same result

[dejanfc]

Try extending your user-search-base and group-search-base from

user-search-base="cn=Users"

to

user-search-base="cn=Users,dc=fw,dc=local"

[fergalom]

Thanks but that did not work unfortunately

[jllort]

Concentrate first in OpenKM.xml and try with advanced configuration there we can have more control http://wiki.openkm.com/index.php/Active ... OpenKM_6.2

[fergalom]

ok, with your suggestion, I get the following message now:
I believe from the logs that the user (both admin and a user) are getting authenticated but always get a screen with this messdage

Code: Select all

com.openkm.core.RepositoryException: PathNotFoundException: c8746fad-f424-4f70-9e45-733dad2aa035 : /okm:trash

Question: Do I need to setup ROLE_ADMIN and ROLE_USER as a new security group in my AD? (It's not clear from the documentation - sorry)

[dejanfc]

This was a problem discussed in another topic - you can't update the security permissions on trash folder (works on all others) through the interface, if you want custom roles you'll have to manually adjust it in the database (OKM_NODE_PERMISSION - NRP_PERMISSION field).