nullpointerexception with ldap login module

[kraken]

i've added a new login module for ldap, but everytime i login i get

Code: Select all

14:17:03,561 ERROR [[/OpenKM]] Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract es.git.openkm.frontend.client.bean.GWTWorkspace es.git.openkm.frontend.client.service.OKMWorkspaceService.getUserWorkspace() throws es.git.openkm.frontend.client.OKMException' threw an unexpected exception: java.lang.NullPointerException
	at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:360)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:546)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:164)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.doPost(RemoteServiceServlet.java:86)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.NullPointerException
	at es.git.openkm.frontend.server.OKMWorkspaceServlet.getUserWorkspace(OKMWorkspaceServlet.java:74)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:527)
	... 23 more

any chance to know how to fix this ?

[jllort]

AS you can see in log, when OpenKM tries to get the logged user, obtains a "null" I think it's clear.

It's needed more information to understanding what's happening.
1- With which ldap you're integrating ( microsoft or other ).
2- Except this error, the OpenKM logins well ?
3- When you says "new ldap login module" you've made a new class ? really it's not needed in major cases, with OpenKM 4.0 ldap is configured in OpenKM.cfg by parameters

[kraken]

i've this as login-config-xml as i need to allow login for multiple domains. this works ok in any version of OpenKM less than 4.0:

Code: Select all

    <application-policy name="OpenKM">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag="sufficient">
        <module-option name="dsJndiName">java:/OKMAuthDS</module-option>
        <module-option name="principalsQuery">select usr_pass as PASSWD from users where usr_id=? and usr_active='true'</module-option>
        <module-option name="rolesQuery">select ur_role as ROLEID, 'Roles' from user_role where ur_user=?</module-option>
      </login-module>

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient"> 
        <module-option name="java.naming.provider.url">ldap://192.168.10.11:389</module-option>
        <module-option name="bindDN">CN=_xxxxx,CN=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">xxxxx</module-option>
        <module-option name="baseCtxDN">OU=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">OU=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="roleFilter">(sAMAccountName={0})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        <module-option name="defaultRole">AdminRol</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module> 

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient" > 
        <module-option name="java.naming.provider.url">ldap://192.168.10.11:389</module-option>
        <module-option name="bindDN">CN=_xxxxx,CN=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">xxxxx</module-option>
        <module-option name="baseCtxDN">OU=xxxxx,OU=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">OU=xxxxx,OU=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="roleFilter">(sAMAccountName={0})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        <module-option name="defaultRole">UserRol</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module> 

      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="sufficient" > 
        <module-option name="java.naming.provider.url">ldap://192.168.10.14:389</module-option>
        <module-option name="bindDN">CN=_xxxxx,CN=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindCredential">xxxxx</module-option>
        <module-option name="baseCtxDN">OU=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="baseFilter">(sAMAccountName={0})</module-option>
        <module-option name="rolesCtxDN">OU=xxxxx,DC=xxxxx,DC=xxxxx</module-option>
        <module-option name="roleFilter">(sAMAccountName={0})</module-option>
        <module-option name="roleAttributeID">memberOf</module-option>
        <module-option name="roleAttributeIsDN">true</module-option>
        <module-option name="roleNameAttributeID">cn</module-option>
        <module-option name="roleRecursion">-1</module-option>
        <module-option name="searchScope">SUBTREE_SCOPE</module-option>
        <module-option name="defaultRole">UserRol</module-option>
        <module-option name="allowEmptyPasswords">false</module-option>
      </login-module> 
   </authentication>
   </application-policy>   

[jllort]

You know we've changed UserRol to UserRole and AdminRol to AdminRole I think this could be the problem.

[kraken]

I remember i've tried both. But tomorrow i'll make some more tests on this... if i discover the same problem i will report you... thanx !

[jllort]

In your xml there's some UserRol and AdminRol ( you must change there and in your ldap ) to become compatible with version 4.0

[akorn]

Hi,

I have a similar problem. This is a new installation of OpenKM 4.1 RC1. For a little while, to experiment, we used it with the default configuration; then I changed login-config.xml so the auth part now reads as follows:

Code: Select all

<!-- OpenKM -->
<!-- default OKMAuthDS commented out -->

    <application-policy name="OpenKM">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
            <module-option name="java.naming.provider.url">ldap://ldap.mydomain.net:389</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="baseCtxDN">ou=People,dc=mydomain,dc=net</module-option>
            <module-option name="baseFilter">(uid={0})</module-option>
            <module-option name="rolesCtxDN">ou=Group,dc=mydomain,dc=net</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeID">memberOf</module-option>
            <module-option name="roleAttributeIsDN">true</module-option>
            <module-option name="roleRecursion">2</module-option>
            <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
            <module-option name="defaultRole">UserRole</module-option>
            <module-option name="allowEmptyPasswords">False</module-option>
          </login-module>
       </authentication>
    </application-policy>

OpenKM.cfg contains the following LDAP related settings:

Code: Select all

principal.ldap.server=ldap://ldap.mydomain.net
principal.ldap.search=dc=mydomain,dc=net
principal.ldap.user.search.base=ou=People,dc=mydomain,dc=net
principal.ldap.user.search.filter=(objectClass=inetOrgPerson)
principal.ldap.role.search.base=ou=Group,dc=mydomain,dc=net
principal.ldap.role.search.filter=(objectclass=groupOfNames)
principal.ldap.role.atribute=cn
principal.ldap.user.atribute=uid
principal.ldap.mail.search.base=uid={0},ou=People,dc=mydomain,dc=net
principal.ldap.mail.search.filter=(objectclass=inetOrgperson)
principal.ldap.mail.atribute=mail

I can log in, but when I do, the web GUI says "Error when communicating with server (getUserWorkspace)".

In the server log I see:

Code: Select all

21:18:38,149 ERROR [[/OpenKM]] Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract es.git.openkm.frontend.client.bean.GWTWorkspace es.git.openkm.frontend.client.service.OKMWorkspaceService.getUserWorkspace() throws es.git.openkm.frontend.client.OKMException' threw an unexpected exception: java.lang.NullPointerException
        at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:360)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:546)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:164)
        at com.google.gwt.user.server.rpc.RemoteServiceServlet.doPost(RemoteServiceServlet.java:86)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
        at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.NullPointerException
        at es.git.openkm.frontend.server.OKMWorkspaceServlet.getUserWorkspace(OKMWorkspaceServlet.java:77)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:527)
        ... 23 more

I have no idea why this happens (or even what it means, other than that a "workspace" for the user wasn't "found" - but I don't know where or how it's supposed to be found). Any help would be appreciated.

[akorn]

I have no idea why this happens (or even what it means, other than that a "workspace" for the user wasn't "found" - but I don't know where or how it's supposed to be found). Any help would be appreciated.

I still don't understand what happened, but it works now; see http://forum.openkm.com/viewtopic.php?f=4&t=3714.

[jllort]

Sometimes jboss cache could be the origin of the problem. It not bad idea after stoping to clean tmp folder content to prevent problems ( but in this configuration change might not be the reason ).

[akorn]

Thanks; however, I'm still curious what the "workspace" is (preferably in non-Java-developer terms :), and in what constitutes "finding" it.

I come from the Unix world, so my intuitive reading of the error message was that some analogue of the home directory of the user wasn't found.

So, what is the workspace? Where and how does OpenKM look for it, and how does it know that it's been found?

Thanks!

[jllort]

We'll looking more your stacktrace:

Line 77 of WorkspaceServlet is:

Code: Select all

    workspace.setEmail(user.getEmail());

For some reason this user has no mail and when is set null then it occurs the error.

Have you been migrating something between versions or something similiar, any reason why some user has no mail address ?

[akorn]

It was probably caused by the not-quite-correct LDAP configuration; maybe the user wasn't looked up properly or something. I'm basically just whining about the lack of clarity in the error message here. :) (A stacktrace is not an error message, and it doesn't substitute an error message either, I think.)