PathNotFoundException /okm:trash

[richbcph]

Code: Select all

com.openkm.core.RepositoryException: PathNotFoundException: ac98722e-3601-4438-90cb-1c7ead459122 : /okm:trash

MS AD Groups: Role_User & Role_Admin created and populated with users.

If I try to login with a user or admin I get the error above. If I intentionally enter password wrong I get red Authentication error. So I know it has to be authenticating to AD.

based on catalina log file its finding my name in AD, Groups assigned etc..

Then this entry in the log is generated:

Code: Select all

INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/<MY USER NAME>
2013-12-19 10:18:39,403 [http-bio-0.0.0.0-8080-exec-4] [b]ERROR com.openkm.module.db.DbAuthModule[/b] - ac98722e-3601-4438-90cb-1c7ead459122 : /okm:trash
com.openkm.core.PathNotFoundException: ac98722e-3601-4438-90cb-1c7ead459122 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:84)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:103)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:468)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:431)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:81)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:53)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:724)

This line ERROR com.openkm.module.db.DbAuthModule, shouldn't it be something like com.openkm.module.db.LDAPAuthModule

And seems like maybe the user accounts (admin or user) don't have ability to create the trash box for the user.

openkm.xml

Code: Select all

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider"/>
 </security:authentication-manager> 

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
     <beans:constructor-arg ref="ldapBindAuthenticator"/>
     <beans:constructor-arg ref="ldapAuthoritiesPopulator"/>
 </beans:bean> 

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
     <!-- MS Active Directory -->
     <beans:constructor-arg value="ldap://<LDAP SERVER NAME NOT IP>:389/DC=XXX,DC=XXX,DC=XXX"/>
     <beans:property name="userDn" value="CN=OpenKM\, OpenKM,OU=Users,OU=<DEPARTMENT OU,DC=XXX,DC=XXX,DC=XXX"/>
     <beans:property name="password" value="<Password>"/>
     <beans:property name="baseEnvironmentProperties">
         <beans:map>
             <beans:entry key="java.naming.referral" value="follow" />
         </beans:map>
     </beans:property>
 </beans:bean>

<beans:bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
     <beans:constructor-arg ref="contextSource"/>
     <beans:property name="userSearch" ref="userSearch"/>
 </beans:bean> 

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
     <!-- MS Active Directory -->
     <!-- user-search-base; relative to base of configured context source -->
     <beans:constructor-arg index="0" value=""/>
     <!-- user-search-filter -->
     <beans:constructor-arg index="1" value="(sAMAccountName={0})"/>
     <beans:constructor-arg index="2" ref="contextSource"/>
 </beans:bean> 

<beans:bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
     <beans:constructor-arg ref="contextSource" />
     <beans:constructor-arg value="" />
     <beans:property name="groupSearchFilter" value="(member={0})"/>
     <beans:property name="groupRoleAttribute" value="CN" />
     <beans:property name="rolePrefix" value=""/>
     <beans:property name="searchSubtree" value="true"/>
     <beans:property name="convertToUpperCase" value="false"/>
     <beans:property name="ignorePartialResultException" value="true"/>
 </beans:bean>

</beans:beans> 

I cannot login to the system at all, not with default okmAdmin nor AD. So I have yet to get to the point of changing the configuration in Admin tab for ldap. So I know my problem is with the openkm.xml file but I am not sure where?

Version: openkm-6.2.5-Community


Any help is greatly appreciated!

[jllort]

The problem is OpenKM.xml configuration file is wrong or you have not created in your AD ROLE_USER and assigned to the users. Without ROLE_USER, users can not get access to main nodes. ROLE_USER and ROLE_ADMIN are uppercase that's other important thing to take in consideration.

Did you take a look at ldap example in documentation:
http://wiki.openkm.com/index.php/LDAP_examples this is the most complete http://wiki.openkm.com/index.php/Ldap-example3 in your case I'm missing this part:

Code: Select all

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=company,DC=com"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

it's not strange you do not get roles.

[richbcph]

I will check this out first thing tomorrow morning and report back. Thanks for the help!

[richbcph]

OK here is the new error I am getting, I think this is forward movement though

Code: Select all

2013-12-21 20:52:45,194 [http-bio-0.0.0.0-8080-exec-1] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=xxx,DC=xxx,DC=xxx'

Thoughts? Any help is appreciated very much

[jllort]

Withous seeing your OpenKM.xml and your AD is quite difficult give you some idea about the error you got. Seems the filter parameters you're using return no valid object in your ldap or object what not exists ( some filtering path that really not exists in your ldap ).

[richbcph]

MS AD Domain Structure:

AD.jpg (18.63 KiB) Viewed 13667 times

OpenKM is account and is part of the users group as well as the ROLE_USER/ADMIN groups


OK here is the complete openkm.xml file:
yyy = OU
xxx = domain

Code: Select all

<?xml version="1.0" encoding="UTF-8"?>
 <beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
      xmlns:security="http://www.springframework.org/schema/security"
     xmlns:task="http://www.springframework.org/schema/task"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:schemaLocation="http://www.springframework.org/schema/beans
          http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
         http://www.springframework.org/schema/security
          http://www.springframework.org/schema/security/spring-security-3.1.xsd
         http://www.springframework.org/schema/task
          http://www.springframework.org/schema/task/spring-task-3.1.xsd">

<!-- Tasks configuration -->
 <!--
<task:scheduler id="taskScheduler" pool-size="1"/>
  <task:scheduled-tasks scheduler="taskScheduler">
     <task:scheduled ref="textExtractorWorker" method="work" fixed-delay="60000"/>
 </task:scheduled-tasks>
  <beans:bean id="textExtractorWorker" class="com.openkm.extractor.TextExtractorWorker" />
 -->

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider"/>
  </security:authentication-manager> 

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
     <beans:constructor-arg ref="ldapBindAuthenticator"/>
      <beans:constructor-arg ref="ldapAuthoritiesPopulator"/>
 </beans:bean> 

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
      <!-- MS Active Directory -->
     <beans:constructor-arg value="ldap://10.10.10.10:389/DC=xxx,DC=xxx,DC=xxx"/>
      <beans:property name="userDn" value="CN=OpenKM\, OpenKM,OU=Users,OU=yyy,DC=xxx,DC=xxx,DC=xxx"/>
     <beans:property name="password" value="******"/>
      <beans:property name="baseEnvironmentProperties">
         <beans:map>
             <beans:entry key="java.naming.referral" value="follow" />
         </beans:map>
      </beans:property>
 </beans:bean>

<beans:bean id="ldapBindAuthenticator" class="org.springframework.security.ldap.authentication.BindAuthenticator">
     <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
 </beans:bean> 

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
   <beans:constructor-arg index="0" value="DC=xxx,DC=xxx,DC=xxx" />
  <beans:constructor-arg index="1" value="(&(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,OU=Groups,OU=YYY, DC=xxx,xxx,xxx)(memberOf=CN=ROLE_USER,OU=Groups,OU=YYY, DC=xxx,xxx,xxx)))" />
   <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
 </beans:bean> 

<beans:bean id="ldapAuthoritiesPopulator" class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource" />
     <beans:constructor-arg value="" />
     <beans:property name="groupSearchFilter" value="(member={0})"/>
      <beans:property name="groupRoleAttribute" value="CN" />
     <beans:property name="rolePrefix" value=""/>
     <beans:property name="searchSubtree" value="true"/>
      <beans:property name="convertToUpperCase" value="false"/>
     <beans:property name="ignorePartialResultException" value="true"/>
 </beans:bean>

</beans:beans> 

So with that posted what am I missing here?

[richbcph]

OK so it seems like the users or admins don't have read access to the trash folder and I cannot set permissions for the trash folder even to test.

Code: Select all

INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/<MYUserNameHere>
2013-12-26 09:27:54,800 [http-bio-0.0.0.0-8080-exec-9] ERROR com.openkm.module.db.DbAuthModule - ac98722e-3601-4438-90cb-1c7ead459122 : /okm:trash
com.openkm.core.PathNotFoundException: ac98722e-3601-4438-90cb-1c7ead459122 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:84)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:103)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:468)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:431)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:81)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:53)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
	at java.lang.Thread.run(Thread.java:724)

Thought on how to manually set this permissions?

[jllort]

ROLE_USER and ROLE_ADMIN is case sensitive, you have not written correctly.

[richbcph]

ROLE_USER and ROLE_ADMIN is case sensitive, you have not written correctly.

That was it! Working great now! Thanks for your help

[jllort]

Remember openkm is case sensitive I suggest enable in administration this option system.login.lowercase=on because Windows AD is not case sensitive and that will prevent login users what not be in lower case, othercase you can have logged user john, JOHN, jOhn etc... what really are the same user, but for openkm are distinct.

[iHarry]

Hi. A have the same error too. And I want to ask a question:
Do I HAVE TO create ROLE_USER and ROLE_ADMIN groups and assign users to it to get AD authentication working?
I don't want to do it, really. It is acceptable for me that all users have administrator rights.

Sorry for my english. Thank you.

[jllort]

All users must be members of ROLE_USER or ROLE_ADMIN, this role allows users to login openkm. If you do not want to assign in AD you can force in OpenKM.xml with the tag

Code: Select all

<beans:property name="defaultRole" value="ROLE_ADMIN" /> 

as you can see here:

Code: Select all

<beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value="DC=vompany,DC=local"/>
        <beans:property name="groupSearchFilter" value="member={0}"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <beans:property name="rolePrefix" value="" />
	<beans:property name="defaultRole" value="ROLE_ADMIN" />
      </beans:bean>

Please for future questions on same direction, create other post, do not merge with existing topics what are talking about other questions. That cause confusion to other readers, thanks.