Help with understanding the LDAP/AD intergration

[svrbjgu]

Hi,
I have read about 5-10 post on how to implement a AD/LDAP sync with OpenKM.
But i have so far not bin able to sync up to my ad.

First i have added the Ldap lines in /opt/jboss-4.2.3.GA/OpenKM.cfg
Then i have added/changed the /opt/jboss-4.2.3.GA/server/default/conf/login-config.xml so it inclueds the LDAP values.
I have also added :

Code: Select all

<category name="org.jboss.security">
      <priority value="DEBUG" />
   </category>

To /opt/jboss-4.2.3.GA/server/default/conf/jboss-log4j.xml but i can't find any logs. And i see no attempt on binding to my domain.
I run a "tail -f /opt/jboss-4.2.3.GA/server/default/log/server.log" during my login attempt but nothing new is written during.

I know that the correct way seams to be to pay 30€ to get in to the wiki and get the "how to" but right now we are just setting this up to see if it works in over environment and if it dose we will buy support and the hole shit.

OpenKM.cfg

Code: Select all

principal.adapter=com.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://DC.DOMAIN.local
principal.ldap.security.principal=CN=Sync,OU=Sync Users,OU=Users,DC=DOMAIN,DC=local
principal.ldap.security.credentials=Password

principal.ldap.user.search.base=ou=Users,dc=DOMAIN,dc=local
principal.ldap.user.search.filter=(objectclass=inetOrgPerson)
principal.ldap.user.attribute=uid
principal.ldap.role.search.base=ou=Users,dc=DOMAIN,dc=local
principal.ldap.role.search.filter=(&(objectClass=inetOrgPerson)(uid={0}))
principal.ldap.role.attribute=cn
principal.ldap.roles.by.user.search.filter=(&(objectClass=groupOfNames)(cn={0}))
principal.ldap.users.by.role.search.filter=(&(objectClass=inetOrgPerson)(uid={0}))

login-config.xml

Code: Select all

        <!-- OpenKM -->
   <application-policy name = "OpenKM">
      <authentication>
         <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
            <module-option name="java.naming.provider.url">ldap://DC.DOMAIN.local</module-option>
            <module-option name="bindDN">CN=Sync,OU=Sync Users,OU=Users,DC=DOMAIN,DC=local</module-option>
            <module-option name="java.naming.security.authentication">simple</module-option>
            <module-option name="bindCredential">Ldap77%</module-option>
            <module-option name="baseCtxDN">OU=Users,DC=DOMAIN,DC=local</module-option>
            <module-option name="baseFilter">(sAMAccountName={0})</module-option>
            <module-option name="rolesCtxDN">CN=Test Users,OU=Distribution Groups,OU=Users,DC=DOMAIN,DC=local</module-option>
            <module-option name="roleFilter">(member={1})</module-option>
            <module-option name="roleAttributeIsDN">false</module-option>
            <module-option name="roleAttributeID">cn</module-option>
            <module-option name="roleRecursion">2</module-option>-->
            <module-option name="searchTimeLimit">5000</module-option>
            <module-option name="searchScope">SUBTREE_SCOPE</module-option>
            <module-option name="defaultRole">UserRole</module-option>
         </login-module>
      </authentication>
   </application-policy>

Any pointers would be great full!

Edit:
The error we get is "Authentication error" when we try to login with AD credentials.

Cheers,
Björn

[Catscratch]

What's the problem?

Can you login? Or what error message do you get at 1) startup of the server, 2) at the login website?

[svrbjgu]

I Edited the first thread with my error.

But it i am starting to think that it might be the "hibernate.hbm2ddl=none" line that is generating that error.

[Catscratch]

At the first login you have to use hibernate=create and login with okmadmin:admin credentials.

If this was successful you have to set hibernate=none and configure ldap.

Authentication error normally means that your login credentials are wrong. Maybe the user.search path is wrong. Or your principal.ldap.security.principal is wrong. CN should be the name (first name, last name) of the login user. NOT the login!

You may test it with this tool: http://technet.microsoft.com/en-us/sysi ... 63907.aspx

[svrbjgu]

All my AD paths are taken directly with "Apache Directory Studio" so they should be correct.

Starting form scratch now.

Just so that i have it right.
Remove the old files.
Unzip new.

Fist login with the okmAdmin user and then stop the service and configure the ldap setting in .cfg? (and change the hibernate.hbm2ddl to none)
Then edit the .xml with the same ldap settings.
And start the Service again.

Then u should be able to login with ad credentials?
What log should i be looking at?
Right now i cant even see the bind to the DC.

(BTW the Sync user has displaname=Sync cn=Sync mailNickname=Sync name=Sync sAMAccontName=Sync)

And thanks for the help!

[Catscratch]

If you get the message "Authentication failed" or something like this take a look in the server log file.
ROOT/server/default/log/server.log

Search for "ldap".

[svrbjgu]

I have a tail -f running while i am doing the login and there is no output with LDAP or ldap on it :/

Just so i am not in the wrong file there is two "login-config.xml" one in /server/default/conf/login-config.xml and the other is in /server/all/conf/login-config.xml.
Should i change in both or just one and if one witch ?

Again thanks for the great and fast help!

[Catscratch]

The right one is /server/default/conf/login-config.xml

Also check the jboss-log4j.xml for:

<category name="com.openkm.principal.LdapPrincipalAdapter">
<priority value="WARN" />
</category>

[svrbjgu]

I have read that it should be "Debug" and not "Warn".
But i will try warn hope it works

[svrbjgu]

did:
cat /opt/jboss-4.2.3.GA/server/default/log/server.log | grep ldap
cat /opt/jboss-4.2.3.GA/server/default/log/server.log | grep LDAP
cat /opt/jboss-4.2.3.GA/server/default/log/server.log | grep error

And found none :/

[Catscratch]

Try to search for "Authentication". But it's strange.

Do you run the server as root?

[svrbjgu]

"grep Authentication" gives me nothing :/

The service is started in a root console.
And i can see lots of writing to the server.log when it starts.
But when i try to login there is nothing being written to the server.log. (tail -f running on it)

[Catscratch]

Sorry, than I don't have an idea. I'm only a user as you.
I think you have to wait for a moderator.

[svrbjgu]

Thanks so much so far.

I will leave it alone for a while and get back to it and see if i can spot anything.

Feels like it should be something simple.

[jllort]

If you've got problems on login, must concentrate first on login-config.xml file.

Remove

Code: Select all

<module-option name="defaultRole">UserRole</module-option>

Add on jboss-log4j.xml

Code: Select all

<category name="org.jboss.security">
      <priority value="DEBUG" />
   </category>

Which error appears on log