Page 2 of 3

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Tue Sep 27, 2011 5:30 pm
by pavila
Sorry, the ZIP was protected. Fixed!

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Wed Sep 28, 2011 8:17 am
by sagar
Thanks, I've used the tool to test my configuration, I've corrected some configurations, and all the queries are getting the correct data now.

The problem is that when I use the same configuration in the application (using the administration tab) and try to log in, the user gets the default role from login-config.xml regardless of the role he has in the AD.
The logs show:
Principal: Roles(members:UserRole)
and if I comment the default role line on the login-config.xml
Principal: Roles(members:)


Which query is responsible for assigning the role to the user? Is the UserRole mandatory for all users, even admins?

Thanks & regards,
Sagar

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Fri Sep 30, 2011 6:36 am
by jllort
The query which assigns roles to users is in login-config.xml; the wiki example assumes the role is a node present in the user.

This <module-option name="defaultRole">UserRole</module-option> must be removed, because otherwise any user will have UserRole by default, and it's better that it be assigned by LDAP.

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Fri Sep 30, 2011 1:03 pm
by sagar
Hi,

This is the login-config.xml I'm using:
<authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://***</module-option>
      <module-option name="bindDN">CN=***,CN=Users,DC=***,DC=com</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">***</module-option>
      <module-option name="baseCtxDN">CN=Users,dc=***,dc=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,dc=***,dc=com</module-option>
      <module-option name="roleFilter">(cn={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
<!--      <module-option name="defaultRole">UserRole</module-option>  -->
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module> 
  </authentication>
You can see I have commented out the default role line, and when we log in I get the JBoss 403 error page.

Both the users and roles are under the Users CN in AD. Is there something I need to correct in this configuration?

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Sun Oct 02, 2011 10:58 am
by sagar
Hi,

I got it to work. I think I had missed some lines in the login-config.xml:
      <module-option name="java.naming.provider.url">ldap://***</module-option>
      <module-option name="bindDN">CN=***,CN=Users,DC=***,DC=com</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">***</module-option>
      <module-option name="baseCtxDN">CN=Users,dc=***,dc=com</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">CN=Users,dc=***,dc=com</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">SUBTREE_SCOPE</module-option>
<!--      <module-option name="defaultRole">UserRole</module-option> -->
      <module-option name="allowEmptyPasswords">false</module-option>

Thank you all for your kind help especially pavila for the nice tool to test the configuration.

Regards,
Sagar

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Mon Oct 03, 2011 5:02 pm
by pavila
So, problem solved?

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Tue Oct 04, 2011 5:45 am
by sagar
yes :)

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Wed Oct 05, 2011 2:17 pm
by flekschas
Hello,
first of all: thanks for the LDAP Testtool! It's pretty nice.
Unfortunately I still have a strange problem. OpenKM doesn't find the roles of a specific user (getRolesByUser), even though I can find these roles with ldapsearch and exactly the same inputs:
teststorm:/srv/openkm5 # ldapsearch -x -D "cn=admin,dc=***,dc=***,dc=de" -W -h localhost -b "ou=bcrt,dc=***,dc=***,dc=de" "(&(objectClass=inetOrgPerson)(uid=test))" memberof
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <ou=bcrt,dc=***,dc=***,dc=de> with scope subtree
# filter: (&(objectClass=inetOrgPerson)(uid=test))
# requesting: memberof 
#

# test, external, research, bcrt, ***. ***.de
dn: uid=test,ou=external,ou=research,ou=bcrt,dc=***,dc=***,dc=de
memberOf: cn=UserRole,ou=Roles,ou=okm,dc=***,dc=***,dc=de

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
teststorm:/srv/openkm5 # java -jar ./testLdap.jar getRolesByUser test
===== CONFIGURATION =====
principal.ldap.mail.attribute = mail
principal.ldap.mail.search.base = ou=bcrt,dc=***,dc=***,dc=de
principal.ldap.mail.search.filter = (&(objectclass=inetOrgPerson)(uid={0}))
principal.ldap.role.attribute = cn
principal.ldap.role.search.base = ou=Roles,ou=okm,dc=***,dc=***,dc=de
principal.ldap.role.search.filter = (objectclass=groupOfNames)
principal.ldap.roles.by.user.attribute = memberOf
principal.ldap.roles.by.user.search.base = ou=bcrt,dc=***,dc=***,dc=de
principal.ldap.roles.by.user.search.filter = (&(objectClass=inetOrgPerson)(uid={0}))
principal.ldap.security.credentials = ***
principal.ldap.security.principal = cn=admin,dc=***,dc=***,dc=de
principal.ldap.server = ldap://localhost:389
principal.ldap.user.attribute = uid
principal.ldap.user.search.base = ou=bcrt,dc=***,dc=***,dc=de
principal.ldap.user.search.filter = (objectclass=inetOrgPerson)
principal.ldap.users.by.role.attribute = member
principal.ldap.users.by.role.search.base = ou=Roles,ou=okm,dc=***,dc=***,dc=de
principal.ldap.users.by.role.search.filter = (&(objectclass=groupOfNames)(cn={0}))
====== ===== ===== ======
DEBUG com.openkm.principal.LdapPrincipalAdapter - getRolesByUser(test) 
DEBUG com.openkm.principal.LdapPrincipalAdapter - ldapSearch(ldap://localhost:389, cn=admin,dc=***,dc=***,dc=de, ***, ou=bcrt,dc=***,dc=***,dc=de, (&(objectClass=inetOrgPerson)(uid=test)), memberOf) 
DEBUG com.openkm.principal.LdapPrincipalAdapter - Search Result Name: uid=test,ou=external,ou=research 
DEBUG com.openkm.principal.LdapPrincipalAdapter - ldapSearch: [] 
DEBUG com.openkm.principal.LdapPrincipalAdapter - getRolesByUser: [] 
Do you guys have an idea why ldapsearch finds something and the ldapTestTool doesn't?

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Thu Oct 06, 2011 9:04 am
by flekschas
Just so you know: when I start OpenKM 5.1.7 with these LDAP settings I get the same "getUserWorkspace" error as posted in this thread.
2011-10-06 10:59:18,630 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/OpenKM]] Exception while dispatching incoming RPC call
com.google.gwt.user.server.rpc.UnexpectedException: Service method 'public abstract com.openkm.frontend.client.bean.GWTWorkspace com.openkm.frontend.client.service.OKMWorkspaceService.getUserWorkspace() throws com.openkm.frontend.client.OKMException' threw an unexpected exception: java.lang.NullPointerException
	at com.google.gwt.user.server.rpc.RPC.encodeResponseForFailure(RPC.java:378)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:581)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:207)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processPost(RemoteServiceServlet.java:243)
	at com.google.gwt.user.server.rpc.AbstractRemoteServiceServlet.doPost(AbstractRemoteServiceServlet.java:62)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Thread.java:619)
Caused by: java.lang.NullPointerException
	at com.openkm.servlet.frontend.WorkspaceServlet.getUserWorkspace(WorkspaceServlet.java:306)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:562)
	... 24 more

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Thu Oct 06, 2011 2:16 pm
by sagar
Hi,

If you are sure all the queries are getting the correct results when using the test tool, then ensure you put the same configuration in login-config.xml and in the configuration table (in the DB or using the Administration tab).

Regards,
Sagar

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Sun Oct 09, 2011 5:10 pm
by jllort
As sagar said, are you sure your LDAP configuration in the administration tab is right? Take a look at it: from version 5.1.x the configuration is done in the administration tab; OpenKM.cfg is only for first-time initialization, and after that any change there has no effect on the configuration (except the database configuration, which must not be removed from there).

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Mon Oct 10, 2011 11:55 am
by flekschas
Sagar, I know that I have to update the login-config.xml; that is not my problem. The actual problem is that the ldapsearch function used by OpenKM does not find the "memberOf" attribute, even though the command-line tool provided by OpenLDAP does. And I guess this is the actual cause of the "getUserWorkspace" error, because OpenKM can't find the roles of a user.
I've googled a bit and found out that the "memberOf" property in OpenLDAP (2.4) is not a real attribute (it's called an overlay), and this may be the reason that OpenKM can't find it. If anyone got this working with OpenLDAP I would really appreciate any kind of tips :)

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Tue Oct 11, 2011 4:00 pm
by flekschas
Okay, at least I think I know what the problem is.

The "memberOf" attribute, which is provided as an overlay in OpenLDAP, is an operational attribute and is saved in another tree in LDAP. To retrieve this information you have to specifically ask for this attribute via a parameter using getAttribute(). For all the other "normal" attributes this is not required, so no parameter is defined in the LdapPrincipalAdapter.

When I have the time and get everything working I'll post my solution.
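The two role-resolution paths discussed in this thread, shown side by side as an added example (this is illustrative code, not OpenKM's LdapPrincipalAdapter and not anything posted by the participants): the group-side search that sagar's working login-config.xml does with roleFilter (member={1}) and SUBTREE_SCOPE, and the user-side memberOf read that flekschas describes, where the attribute has to be named explicitly because OpenLDAP's memberof overlay serves it as an operational attribute. The server URL, the bind account and all DNs are placeholders.

```java
import java.util.ArrayList;
import java.util.Hashtable;
import java.util.List;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added illustration over plain JNDI; not OpenKM code. All values below are assumed placeholders. */
public class LdapRoleLookup {

    // Placeholders: point at your server and use a read-only bind account, not a directory admin.
    static final String URL = "ldap://localhost:389";
    static final String BIND_DN = "cn=reader,dc=example,dc=com";
    static final String BIND_PW = "***";
    static final String USER_BASE = "ou=bcrt,dc=example,dc=com";
    static final String ROLE_BASE = "ou=Roles,ou=okm,dc=example,dc=com";

    static DirContext connect() throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, BIND_PW);
        return new InitialDirContext(env);
    }

    /** SUBTREE scope finds users in nested OUs; attrs is the explicit list of attributes to return. */
    static SearchControls controls(String... attrs) {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(attrs); // empty array: return no attributes, only the entry DN
        return sc;
    }

    /** Step 1: login name to full DN. This DN is what the login module substitutes for {1}. */
    static String findUserDn(DirContext ctx, String uid) throws NamingException {
        // {0} is filled in by JNDI with filter escaping, so a crafted login name cannot rewrite the filter.
        NamingEnumeration<SearchResult> res = ctx.search(USER_BASE,
                "(&(objectClass=inetOrgPerson)(uid={0}))", new Object[] { uid }, controls());
        if (!res.hasMore()) {
            throw new NamingException("no entry for uid " + uid);
        }
        String dn = res.next().getNameInNamespace();
        if (res.hasMore()) {
            throw new NamingException("uid " + uid + " matches more than one entry");
        }
        return dn;
    }

    /** Group-side: groups whose member attribute lists the user DN, i.e. roleFilter=(member={1}). */
    static List<String> rolesFromGroups(DirContext ctx, String userDn) throws NamingException {
        List<String> roles = new ArrayList<>();
        NamingEnumeration<SearchResult> res = ctx.search(ROLE_BASE,
                "(&(objectClass=groupOfNames)(member={0}))", new Object[] { userDn }, controls("cn"));
        while (res.hasMore()) {
            Attribute cn = res.next().getAttributes().get("cn"); // roleAttributeID=cn
            if (cn != null) {
                roles.add(cn.get().toString());
            }
        }
        return roles;
    }

    /** User-side: read memberOf from the user entry. With OpenLDAP's memberof overlay it is an
     *  operational attribute, so it only comes back when named explicitly, as done here. */
    static List<String> rolesFromMemberOf(DirContext ctx, String userDn) throws NamingException {
        List<String> roles = new ArrayList<>();
        Attributes attrs = ctx.getAttributes(userDn, new String[] { "memberOf" });
        Attribute memberOf = attrs.get("memberOf");
        if (memberOf == null) {
            return roles; // absent: overlay not enabled, or the attribute was not requested
        }
        NamingEnumeration<?> values = memberOf.getAll();
        while (values.hasMore()) {
            // each value is a group DN; the role name is its leftmost cn RDN
            LdapName group = new LdapName(values.next().toString());
            Rdn leaf = group.getRdn(group.size() - 1);
            if (leaf.getType().equalsIgnoreCase("cn")) {
                roles.add(leaf.getValue().toString());
            }
        }
        return roles;
    }

    public static void main(String[] args) throws NamingException {
        String uid = args.length > 0 ? args[0] : "test";
        DirContext ctx = connect();
        try {
            String dn = findUserDn(ctx, uid);
            System.out.println("dn:           " + dn);
            System.out.println("via member:   " + rolesFromGroups(ctx, dn));
            System.out.println("via memberOf: " + rolesFromMemberOf(ctx, dn));
        } finally {
            ctx.close();
        }
    }
}
```

Against Active Directory, memberOf is an ordinary attribute and both paths return the same set; against OpenLDAP with the memberof overlay, the empty result flekschas saw from the test tool is what you get when the search asks for "all attributes" instead of naming memberOf, because the server omits operational attributes from an unqualified request. Either path yields an empty list for a user who is in no group, and with defaultRole removed from login-config.xml that user is denied (the 403 sagar saw) rather than silently granted UserRole, which is the safer failure mode.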

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Sat Oct 15, 2011 6:41 am
by jllort
You'll make a new LdapPrincipalAdapter?

Re: Error communicating with the server (getUserWorkspace)

PostPosted:Wed Oct 19, 2011 11:22 am
by flekschas
No, I think I just have to adjust the current one a little bit. Actually, as far as I understand the Java docs, I just have to pass the name of the specific attribute I'm looking for to the getAttribute() function (which is "memberOf" in my case) and that's it. I'll see if I get things working.