NullPointerException with LDAP

[Catscratch]

Hi there,

I configured LDAP with Windows Active Directory.

Now I can login with my AD credentials, but I got an error after the login.

First, I show the ldap config files. Thereafter the error message.
Hopefully, someone can help.

OpenKM.cfg

Code: Select all

principa.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://MYIP:MYPORT
principal.ldap.security.principal=CN=ldap zugriff,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de
principal.ldap.security.credentials=USERPASSWORD
principal.ldap.user.search.base=ou=MMTOpenUsers,dc=mmtopen,dc=de
principal.ldap.user.search.filter=(objectClass=*)
principal.ldap.user.attribute=cn
principal.ldap.role.search.base=ou=MMTOpenUsers,dc=mmtopen,dc=de
principal.ldap.role.search.filter=(objectClass=*)
principal.ldap.role.attribute=cn

default.user.role=UserRole
default.admin.role=AdminRole

login-config.xml

Code: Select all

<!-- LDAP -->
	<authentication>
	<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
	 <module-option name="java.naming.provider.url">
	   ldap://MYIP:MYPORT</module-option>
	 <module-option name="java.naming.security.authentication">
	   simple</module-option>
	 <module-option name="bindDN">
	   cn=ldap zugriff,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de</module-option>
	 <module-option name="bindCredential">MYPASSWORD</module-option>
	 <module-option name="baseCtxDN">ou=MMTOpenUsers,dc=mmtopen,dc=de</module-option>
	 <module-option name="baseFilter">(sAMAccountName={0})</module-option>
	 <module-option name="rolesCtxDN">ou=MMTOpenUsers,dc=mmtopen,dc=de</module-option>
       	 <module-option name="roleFilter">(member={1})</module-option>
	 <module-option name="roleAttributeIsDN">false</module-option>
	 <module-option name="roleAttributeID">cn</module-option>
	 <module-option name="roleRecursion">2</module-option>
	 <module-option name="searchTimeLimit">5000</module-option>
	 <module-option name="searchScope">SUBTREE_SCOPE</module-option>
	 <module-option name="defaultRole">UserRole</module-option>
	</login-module>
	</authentication>

And the error message:

Code: Select all

13:42:44,023 ERROR [[/OpenKM]] Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.openkm.frontend.client.bean.GWTWorkspace com.openkm.frontend.client.service.OKMWorkspaceService.getUserWorkspace() throws com.openkm.frontend.client.OKMException' threw an unexpected exception: java.lang.NullPointerException
	at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:378)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:581)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:188)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:224)
	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Thread.java:636)
Caused by: java.lang.NullPointerException
	at com.openkm.frontend.server.OKMWorkspaceServlet.getUserWorkspace(OKMWorkspaceServlet.java:284)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:616)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562)
	... 24 more

The UI shows:


Does someone have an idea?

Thank you!

[jllort]

login-config.xml is right concentrate in OpenKM.cfg

sure it's your search base ?

Code: Select all

principal.ldap.user.search.base=ou=MMTOpenUsers,dc=mmtopen,dc=de

might not be

Code: Select all

principal.ldap.user.search.base=ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de

I think search filter is wrong

Code: Select all

principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.role.search.filter=(objectclass=group)

That's it's well explained http://wiki.openkm.com/index.php/Active_Directory

[Catscratch]

Thanks for your reply. I tried it in different combinations, without success.

The error still is the same.

Our structure is like the following:

MMTOpenUsers
- LMMT
- GroupA
- - SubGroupAA
- - SubGroupAB
- GroupB
... and so on.

I need access for all users in GroupA, SubGroupAA, SubGroupAB and GroupB.

Do you have any hint left?
Thanks.

[Catscratch]

I found something out.

The error:

Code: Select all

Caused by: java.lang.NullPointerException
   at com.openkm.frontend.server.OKMWorkspaceServlet.getUserWorkspace(OKMWorkspaceServlet.java:284)

...was thrown by the OKMWorkspaceServlet.java.
So I downloaded the source code. And at line 284 is the following:

Code: Select all

workspace.setEmail(user.getEmail());

So I think user.getEmail() returns null. Is there a workaround? Or how may I fix it?
I looked in the Active Directory. Our users there normally don't have an email adress. So I entered one for the test user and tried to login. But the error remains.

Thanks.

[jllort]

Probably in that scenario it might be needed to implement a specific LdapPrincipalAdapter.java

[Catscratch]

Hi again.

I'm able to modify the AD to match for openKM. So there has to be another solution than implementing an own adapter?
What's the problem above? May you help me to understand it please?

Thank you and best regards.

[jllort]

ldap configuration parameters are based on with one query can be get all related record. Here could happen two things, or your query is not right or it's not possible getting all records with only one query (normally because you've got users in several separated nodes etc...) then must be implemented a specific adapter.

[Catscratch]

All users are in the same LDAP group. Not all, but this ones who will login to OpenKM.

Is there a howto or something like this? Or are there some other adapters I may use?

[jllort]

do you put these params in your OpenKM.cfg configuration because in your first post I've not seen it

Code: Select all

principal.ldap.mail.search.base=
principal.ldap.mail.search.filter=
principal.ldap.mail.attribute=mail

[Catscratch]

Thanks for the hint, but the error remains. But I also don't know exactly whats the right configuration of all this parameters in the OpenKM.cfg.

Now the cfg looks like the following. MMTOpenUsers is the group where all users are in there.

Code: Select all

#new
principa.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://MYSERVER.IP
principal.ldap.security.principal=CN=ldap zugriff,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de
principal.ldap.security.credentials=**********
principal.ldap.user.search.base=ou=MMTOpenUsers,dc=mmtopen,dc=de
principal.ldap.user.search.filter=(objectClass=person)
principal.ldap.user.attribute=cn
principal.ldap.role.search.base=ou=MMTOpenUsers,dc=mmtopen,dc=de
principal.ldap.role.search.filter=(objectClass=group)
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=ou=MMTOpenUsers,dc=mmtopen,dc=de
principal.ldap.mail.search.filter=(objectClass=person)
principal.ldap.mail.attribute=mail

default.user.role=UserRole
default.admin.role=AdminRole

In MMTOpenUsers there are no users directly.
Instead there are subgroups.
MMTOpenUsers
-> LMMT
-> Mitarbeiter
And so on.

But the search.base should be MMTOpenUsers, right? And subgroups should be searched automatically, or not?

Thanks.

[jllort]

Here is explained with some full example http://wiki.openkm.com/index.php/Active_Directory but it's closed only to OpenKM Network users, because we considering this kind of integration is on more professional environment.

Better if you put

Code: Select all

principal.ldap.mail.search.base=cn={0},ou=MMTOpenUsers,dc=mmtopen,dc=de

[Catscratch]

Thanks for your reply.

I can't access the secured documentation yet. We transfered the money to you and now are waiting for the access data. Until than I have to try it without this examples. But I'm wondering, that it still do not work for us and I don't know whats the problem.

I modified the config file like you described it, but the error remains. I don't know what I could do anymore. Maybe the documentation wiki helps, but I don't really think so.

Best regards.

[jllort]

Configuring LDAP is not easy. Ensure all is like - similar - wiki documentation, that sure runs. But runs on most - normal - ldap structure, depending how you've done changes etc... could be some differences, here we only can help connecting to your system and taking a look on it.

I suggest use this application to browser directly ldap and take a look at ldap properties etc... http://technet.microsoft.com/en-us/sysi ... 63907.aspx because ldap application browser which come by default with windows not shows the exact ldap structure as is shown by this ldap browser application.

[Catscratch]

I checked the ldap path with this tool. Everthing seems to be fine.

But another question. OpenKM throws a nullpointer exception at this point when it tries to get the email address of the user for the user workspace. In the active directory I added an email address for the user which I want to use for the login. Does I have to add email addresses for all user? I think no. Usally OpenKM should only try to get the email address of this user who tries to login, shouldn't it?

Thanks for your reply.

Edit: The server shows on startup.

Code: Select all

INFO [DefaultWebAppDesciptorModifierImpl] Ignore servlet: com.openkm.frontend.server.OKMWorkspaceServlet

And the NullPointerExceptions was thrown by: com.openkm.frontend.server.OKMWorkspaceServlet.getUserWorkspace

Is this "INFO" a problem?

[jllort]

The idea is all users have mail address, if you see on OpenKM administration mail is mandatory field, Basically because OpenKM send messages to users ( notifications, subscriptions, etc... ) and for it reason users must have - mandatory - mail address. That's the idea. In our logic we not considering the case that some user could not have mail address.