questions about Active dir integration

 #877  by peter
 
Hi,

We have been using OpenKM in our company for the past 7 months now and I have not heard anything bad about it from the users, so credit to the developers for creating a good and reliable (and open) application!

I have been trying to connect OpenKM to our company Windows 2000 Active Directory.
I have read the documentation and all the forum posts (special thanks to Google Translate) but I am afraid that I know too little to understand it all.

I would appreciate some help in setting up OpenKM AND my AD to work together. I have very little experience in using AD and LDAP.

Here's what I have done so far!

In server/default/conf I have modified login-config.xml. In that file I have placed this:
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://vabi-dc.vabi.nl:389</module-option>
      <module-option name="bindDN">CN=beheer,DC=vabi,DC=nl</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">user beheer password</module-option>
      <module-option name="baseCtxDN">DC=vabi,DC=nl</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">DC=vabi,DC=nl</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <!-- the AD attribute holding group membership is memberOf (the post had the typo "emmberOf") -->
      <module-option name="roleAttributeID">memberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="defaultRole">UserRol</module-option>
    </login-module>
  </authentication>
</application-policy>
I have also commented out this (I believe this is the standard credentials config):
<!-- OpenKM --><!--
<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required">
      <module-option name="usersProperties">props/openkm-users.properties</module-option>
      <module-option name="rolesProperties">props/openkm-roles.properties</module-option>
    </login-module>
    <login-module code="org.jboss.security.ClientLoginModule" flag="required" />
  </authentication>
</application-policy>-->
So far so good?

In the OpenKM documentation I found this:
Only users having the “UserRol” set at <module-option name=”defaultRole”>UserRol</module-option> are allowed to access the OpenKM, therefore add this role to every authenticated user, because only users with that role are allowed to access OpenKM.
So then in the AD I made a group called UserRol and made the users that are going to be using OpenKM members of this group (do I have to do this??).

Also in the documentation I found this:
An admin user must be created to run OpenKM, at the moment administrator user name must be “system” and must have assigned “AdminRol” and “UserRol”. In future releases administrator name will be independent.
Does this mean I have to make a user in the AD called 'system' and also make a group named AdminRole and make system a member of AdminRole????

Anyway, there are many things that I am not sure about, but these are the things I know for sure:
1/ I have a user called 'beheer' who had admin rights in the AD
2/ I know the password for the 'beheer' account ;)
3/ I have an AD called VABI-DC.vabi.nl
Finally, I have here the output of the server log. I have added the complete logs as attachments.
2008-07-22 08:53:13,578 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=beheer
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=vabi,DC=nl'
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
	at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
	at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
	at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
	at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:424)
	at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:351)
	at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:232)
	at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:585)
	at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
	at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
	at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
	at java.security.AccessController.doPrivileged(Native Method)
	at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
	at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
	at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
	at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
	at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
	at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
	at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Thread.java:595)
Please, can/will anybody take the time to help me out? I would really appreciate it.

Peter
 #883  by jllort
 
On Windows we've found a bug in the LDAP integration of OpenKM, in that the system user is already defined; for it we've applied a patch, now only available on CVS, that changes the "system" user to the "admin" user. This solves the problem with the actual system user created on Windows by default.

It seems the user that tries to connect to your LDAP has not enough credentials to connect to it, because the log error shows the message "Bad password for username=beheer". Try for example with the administrator user to see if it's a login/grants problem to access your LDAP information repository. It seems the error is not a connection to vabi-dc.vabi.nl, because it shows a password error message.

About UserRol: it seems you've done well, all users must have this role.
 #886  by peter
 
Thanks for the reply.

I eventually managed to get access to OpenKM through Active Directory!
I found that the config error I made was in the:

baseCtxDN
rolesCtxDN

First of all, I was not pointing to my users but to the root:

wrong: dn=vabi,dn=nl
good: cn=users,dn=vabi,dn=nl

Second, I pointed the rolesCtxDN to the group OU instead of where the users were:

wrong: uo=groups,dn=vabi,dn=nl
good: cn=users,dn=vabi,dn=nl


The only problem now is that I have no groups in OpenKM???!!! So I can't put users into these groups and set permissions per folder per group!

Anyway, again thanks for the help and keep up the good work.
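The two posts above turned on details that are easy to miss by eye: a misspelled attribute name in the first config ("emmberOf" for memberOf), base DNs pointing at the domain root, and later DNs written with RDN types that do not exist ("dn=", "uo="). The following linter is an added example for this thread, not OpenKM's or JBoss's own code. It parses the posted <application-policy> and reports those mistakes, plus two points a reviewer would raise: a plain ldap:// URL sends the bind password unencrypted, and a SUBTREE_SCOPE search from the domain root on port 389 makes AD return continuation references, which JNDI reports as the PartialResultException seen in the log (LdapExtLoginModule logs any exception during validation as "Bad password"). The option list and RDN types are assumptions taken from the JBoss documentation and RFC 4514; the sample policy is constructed from the first post with a placeholder password.

```python
"""Lint the LdapExtLoginModule section of a JBoss login-config.xml (added example)."""
import difflib
import re
import xml.etree.ElementTree as ET

# Option names LdapExtLoginModule accepts (assumption: list taken from the
# JBoss 4.x documentation; other versions may accept more).
KNOWN_OPTIONS = {
    "java.naming.provider.url", "java.naming.security.authentication",
    "java.naming.referral", "bindDN", "bindCredential", "baseCtxDN",
    "baseFilter", "rolesCtxDN", "roleFilter", "roleAttributeID",
    "roleAttributeIsDN", "roleNameAttributeID", "roleRecursion",
    "searchScope", "defaultRole", "searchTimeLimit", "allowEmptyPasswords",
    "distinguishedNameAttribute", "parseRoleNameFromDN", "roleNameSeparator",
}
# RDN attribute types one expects in an AD DN (RFC 4514 short names plus uid).
VALID_RDN_TYPES = {"cn", "ou", "dc", "o", "l", "st", "c", "uid", "street"}
# Attributes that carry group membership; used to suggest a fix for typos.
ROLE_ATTRIBUTES = ["memberOf", "member", "uniqueMember"]
DN_OPTIONS = ("bindDN", "baseCtxDN", "rolesCtxDN")
_RDN_SPLIT = re.compile(r"(?<!\\),")  # split on commas that are not escaped


def check_dn(dn):
    """Return a list of problems found in one DN string (empty list means ok)."""
    problems = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            problems.append(f"RDN {rdn.strip()!r} has no '='")
        elif attr.strip().lower() not in VALID_RDN_TYPES:
            problems.append(f"unknown RDN attribute type {attr.strip()!r} in {rdn.strip()!r}")
        elif not value.strip():
            problems.append(f"empty value in {rdn.strip()!r}")
    return problems


def is_domain_root(dn):
    """True when every RDN is dc=..., i.e. the DN names the whole domain."""
    return bool(dn) and all(r.strip().lower().startswith("dc=") for r in _RDN_SPLIT.split(dn))


def lint_policy(xml_text):
    """Return findings for every LdapExtLoginModule in the given policy XML."""
    findings = []
    for lm in ET.fromstring(xml_text).iter("login-module"):
        if not lm.get("code", "").endswith("LdapExtLoginModule"):
            continue
        opts = {o.get("name"): (o.text or "").strip() for o in lm.findall("module-option")}
        for name in opts:
            if name not in KNOWN_OPTIONS:
                findings.append(f"unknown module-option {name!r}")
        for name in DN_OPTIONS:
            if name in opts:
                findings.extend(f"{name}: {p}" for p in check_dn(opts[name]))
        role_attr = opts.get("roleAttributeID", "")
        if role_attr and role_attr not in ROLE_ATTRIBUTES:
            hint = difflib.get_close_matches(role_attr, ROLE_ATTRIBUTES, n=1)
            if hint:
                findings.append(f"roleAttributeID {role_attr!r} looks misspelled, did you mean {hint[0]!r}?")
        if opts.get("java.naming.provider.url", "").startswith("ldap://"):
            findings.append("java.naming.provider.url is plain ldap://; the bind password "
                            "travels unencrypted, use ldaps:// or StartTLS")
        # A subtree search from the domain root makes AD return referrals for its
        # other naming contexts; without java.naming.referral JNDI raises
        # PartialResultException ("Unprocessed Continuation Reference(s)").
        if opts.get("searchScope") == "SUBTREE_SCOPE" and "java.naming.referral" not in opts:
            for name in ("baseCtxDN", "rolesCtxDN"):
                if is_domain_root(opts.get(name, "")):
                    findings.append(f"{name} is the domain root with SUBTREE_SCOPE and no "
                                    "java.naming.referral; expect PartialResultException, "
                                    "narrow the base DN or set java.naming.referral=follow")
    return findings


# Constructed sample: the policy from the first post with a placeholder password.
SAMPLE_POLICY = """<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://vabi-dc.vabi.nl:389</module-option>
      <module-option name="bindDN">CN=beheer,DC=vabi,DC=nl</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">CHANGEME-placeholder</module-option>
      <module-option name="baseCtxDN">DC=vabi,DC=nl</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">DC=vabi,DC=nl</module-option>
      <module-option name="roleFilter">(sAMAccountName={0})</module-option>
      <module-option name="roleAttributeID">emmberOf</module-option>
      <module-option name="roleAttributeIsDN">true</module-option>
      <module-option name="roleNameAttributeID">cn</module-option>
      <module-option name="roleRecursion">-1</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
      <module-option name="defaultRole">UserRol</module-option>
    </login-module>
  </authentication>
</application-policy>"""

if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print("-", finding)
    # The DNs from the follow-up post: 'dn' and 'uo' are not RDN attribute types.
    for dn in ("dn=vabi,dn=nl", "uo=groups,dn=vabi,dn=nl", "CN=Users,DC=vabi,DC=nl"):
        print(dn, "->", check_dn(dn) or "ok")
```

Run against the sample policy it reports four findings: the misspelled roleAttributeID with memberOf as the suggestion, the plain ldap:// URL, and the domain-root base for both baseCtxDN and rolesCtxDN. Narrowing the base to a container such as CN=Users, as the second post did, is why the login started working: the search no longer crosses a naming context and AD returns no referral.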
 #887  by jllort
 
I've answered about roles in that post.

Really, right now getting a full LDAP integration needs some extra work :( In the future we'll try to make it more automatic in the configuration.
 #6478  by pawarnitin.scoe
 
Could you please give me details about how I can configure OpenKM so that when I log in to LDAP the same login automatically gets logged into OpenKM?
What is required to configure LDAP integration with OpenKM?
Please reply to me with details for Windows XP.
