• OpenKM Active Directory Errors

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #10962  by pavila
 
Note the "double t" in "attribute" -> principal.ldap.mail.attribute. In your OpenKM.cfg there is only one t.

Also a decent LDAP client may help you in the queries. The best one I have seen and also multi-platform is Apache Directory Studio.
 #10965  by chungvoky
 
Khris wrote: Ok..... so I've modeled my OpenKM.cfg and login-config.xml files after the user who made this post: http://forum.openkm.com/viewtopic.php?f=4&t=5146

I've also used the LDAP java test utility and this configuration fully works.

I can get past the first authentication screen (so I know that login-config.xml is working), but then as soon as I see "Loading User Values" in the "Loading OpenKM" window, another box comes up that says "Error when communicating with server (getUserWorkspace)".

*sigh*
Because the default permission of okm:root, okm:categories and so on is UserRoles, if you log in with a normal user you will see the "Error when communicating with server (getUserWorkspace)" error. You must log in with an admin user (as you defined in AdminRoles) and go to the Repository view to edit the permissions of each okm:****.
 #10970  by Khris
 
I am logging in as someone that's been placed into the "OpenKMadmins" AD group when I get this error.
 #11015  by pavila
 
Every user in OpenKM should have UserRole or AdminRole because these are the only ones granted access to OpenKM. Call them "connection roles" if you like. Additionally you can add more roles used to manage your repository permissions.
 #11022  by Khris
 
I'm still getting the GetUserWorkspace Error. Here are my current OpenKM.cfg and login-config.xml files.

OpenKM.cfg
#system.ocr=/usr/bin/cuneiform
#system.openoffice.path=/usr/lib/openoffice
#system.imagemagick.convert=/usr/bin/convert
#system.swftools.pdf2swf=/usr/bin/pdf2swf
#system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
application.url=http://localhost/OpenKM/com.openkm.frontend.Main/index.jsp

#default.user.role=OpenKMusers
#default.admin.role=OpenKMadmins

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.100.31
principal.ldap.security.principal=cn=LDAP,ou=OTRS,dc=***,dc=net
principal.ldap.security.credentials=***

principal.ldap.user.search.base=dc=***,dc=net
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=cn=UserRole,ou=OpenKM,dc=***,dc=net))
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=dc=***,dc=net
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=cn=OpenKMroles,ou=OpenKM,dc=***,dc=net))
principal.ldap.role.attribute=sAMAccountName

principal.ldap.mail.search.base=dc=***,dc=net
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.users.by.role.search.base=ou=OpenKM,dc=***,dc=net
principal.ldap.users.by.role.search.filter=(sAMAccountName={0})
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=dc=***,dc=net
principal.ldap.roles.by.user.search.filter=(sAMAccountName={0})
principal.ldap.roles.by.user.attribute=memberOf

login-config.xml
<!-- OpenKM -->
    <application-policy name = "OpenKM">
       <authentication>
          <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
             <module-option name="java.naming.provider.url">ldap://192.168.100.31</module-option>
             <module-option name="bindDN">cn=LDAP,ou=OTRS,dc=***,dc=net</module-option>
             <module-option name="java.naming.security.authentication">simple</module-option>
             <module-option name="java.naming.referral">follow</module-option>
             <module-option name="bindCredential">****</module-option>
             <module-option name="baseCtxDN">dc=***,dc=net</module-option>
             <module-option name="baseFilter">(&(sAMAccountName={0})(memberOf=CN=UserRole,OU=OpenKM,dc=***,dc=net))</module-option>
             <module-option name="rolesCtxDN">dc=***,dc=net</module-option>
             <module-option name="roleFilter">(member={1})</module-option>
             <module-option name="roleAttributeID">sAMAccountName</module-option>
             <module-option name="roleAttributeIsDN">false</module-option>
             <module-option name="roleRecursion">-1</module-option>
             <module-option name="searchScope">SUBTREE_SCOPE</module-option>
             <!--<module-option name="defaultRole">UserRole</module-option>-->
             <module-option name="allowEmptyPasswords">false</module-option>
          </login-module>
       </authentication>
    </application-policy>
 #11048  by pavila
 
Can you post the piece of log with the exception stack trace? Have you tried this configuration with the last OpenKM 5.1.3?
 #11056  by Khris
 
Yes, using this configuration with 5.1.3.

Attached are the complete boot and server logs and the steps taken to create them below.

-Deleted prior log files
-Started server with "sudo ./run.sh -b 0.0.0.0" command
-When server was fully up and running, logged into "http://localhost/OpenKM" with Active Directory credentials
-Ok'd server error windows and closed browser
-Shutdown server
 #11072  by pavila
 
This makes no sense. This piece of code is only executed if the principal adapter is a DatabasePrincipalAdapter, and you are using LDAP. Which value has the "principal.adapter" configuration property? Look at administration.
 #11183  by Khris
 
#system.ocr=/usr/bin/cuneiform
#system.openoffice.path=/usr/lib/openoffice
#system.imagemagick.convert=/usr/bin/convert
#system.swftools.pdf2swf=/usr/bin/pdf2swf
#system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
application.url=http://localhost/OpenKM/com.openkm.frontend.Main/index.jsp

#default.user.role=OpenKMusers
#default.admin.role=OpenKMadmins

system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter

principal.ldap.server=ldap://192.168.100.31
principal.ldap.security.principal=cn=LDAP,ou=OTRS,dc=***,dc=net
principal.ldap.security.credentials=**********

principal.ldap.user.search.base=dc=psg,dc=net
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=cn=UserRole,ou=OpenKM,dc=***,dc=net))
principal.ldap.user.attribute=sAMAccountName

principal.ldap.role.search.base=dc=psg,dc=net
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=cn=OpenKMroles,ou=OpenKM,dc=***,dc=net))
principal.ldap.role.attribute=sAMAccountName

principal.ldap.mail.search.base=dc=***,dc=net
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail

principal.ldap.users.by.role.search.base=ou=OpenKM,dc=***,dc=net
principal.ldap.users.by.role.search.filter=(sAMAccountName={0})
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=dc=***,dc=net
principal.ldap.roles.by.user.search.filter=(sAMAccountName={0})
principal.ldap.roles.by.user.attribute=memberOf
 #11232  by Khris
 
I've followed the tip here (http://forum.openkm.com/viewtopic.php?f=4&t=5196#p11229), to add in the LDAP config through the Administration page and I'm now able to login and authenticate via Active Directory.

I am having the same problem however, where none of the roles or users are being listed. I am using the OpenKM.cfg data in the post above. Any suggestions on where I'm going wrong?
 #11248  by Khris
 
principal.ldap.users.by.role.search.base=ou=OpenKM,dc=***,dc=net
principal.ldap.users.by.role.search.filter=(sAMAccountName={0})
principal.ldap.users.by.role.attribute=member

principal.ldap.roles.by.user.search.base=dc=***,dc=net
principal.ldap.roles.by.user.search.filter=(sAMAccountName={0})
principal.ldap.roles.by.user.attribute=memberOf
This is what I'm having issues with. Can anyone offer any assistance as to proper structure with Active Directory?
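Added example (not code from the thread or from OpenKM): an offline Python model of the users.by.role and roles.by.user lookups quoted above, run against a constructed directory under the assumed domain dc=example,dc=net. It substitutes {0} with the login name escaped per RFC 4515, so a name containing `*` or parentheses cannot widen the query, and it makes visible that both lookups return DNs rather than sAMAccountName values, which is worth comparing against what the adapter expects.

```python
import re

# Constructed mini Active Directory (not a real domain): DN -> attributes.
DIRECTORY = {
    "cn=khris,ou=Users,dc=example,dc=net": {
        "objectclass": ["user", "person"], "sAMAccountName": ["khris"],
        "memberOf": ["cn=UserRole,ou=OpenKM,dc=example,dc=net",
                     "cn=OpenKMadmins,ou=OpenKM,dc=example,dc=net"]},
    "cn=bob,ou=Users,dc=example,dc=net": {
        "objectclass": ["user", "person"], "sAMAccountName": ["bob"], "memberOf": []},
    "cn=UserRole,ou=OpenKM,dc=example,dc=net": {
        "objectclass": ["group"], "sAMAccountName": ["UserRole"],
        "member": ["cn=khris,ou=Users,dc=example,dc=net"]},
}

def escape_filter_value(value):
    """RFC 4515 escaping for a login name spliced into a filter in place of {0}."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)

def get(attrs, name):
    """LDAP attribute names are case-insensitive (memberOf == memberof)."""
    return next((v for k, v in attrs.items() if k.lower() == name.lower()), [])

def matches(attrs, flt):
    """Evaluate the filter subset used in OpenKM.cfg: (&(a=b)(c=d)) and (attr=value)."""
    if flt.startswith("(&"):
        return all(matches(attrs, sub) for sub in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, raw = flt[1:-1].partition("=")
    if raw == "*":                       # an unescaped '*' is a presence wildcard
        return bool(get(attrs, attr))
    literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)
    return any(v.lower() == literal.lower() for v in get(attrs, attr))  # escaped '*' is literal

def lookup(base, filter_template, attribute, value, escape=True):
    """Run one principal.ldap.*.search.base / .search.filter / .attribute query:
    substitute {0}, search the subtree under base, collect the named attribute."""
    flt = filter_template.replace("{0}", escape_filter_value(value) if escape else value)
    found = []
    for dn, attrs in DIRECTORY.items():
        if dn.lower().endswith(base.lower()) and matches(attrs, flt):
            found += get(attrs, attribute)
    return found

# The two lookups from the thread, with the domain swapped for the constructed one.
BASE = "dc=example,dc=net"
def roles_by_user(user): return lookup(BASE, "(sAMAccountName={0})", "memberOf", user)
def users_by_role(role): return lookup("ou=OpenKM," + BASE, "(sAMAccountName={0})", "member", role)

if __name__ == "__main__":
    print(roles_by_user("khris"))        # DNs of groups, not group names
    print(users_by_role("UserRole"))     # DNs of members, not sAMAccountNames
```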
 #11279  by jllort
 
If you're not able to log in to OpenKM you must concentrate on login-config.xml (any change made there needs a JBoss restart).
 #11301  by Khris
 
I've already stated I could log in. The issue is with seeing users and groups from the Administrative area.
