
Active Directory Issues

Posted: Thu Mar 08, 2018 7:49 pm
by afurtado
All,

This is my first time configuring OpenKM (before you read into this: yes, I did try searching the forum for answers, but no cake here). I would appreciate the help. The error I receive is:

********** ERROR
Code:
2018-03-08 14:30:00,847 [Thread-16] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, data 52e, v3839 ] (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getUsers - Base: [DC=BDB,DC=local] - Filter: (&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=BDB,DC=local)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=BDB,DC=local))) - Attribute: sAMAccountName)
2018-03-08 14:30:00,847 [Thread-16] WARN  com.openkm.core.Cron - Crontab task mail address is empty: Return: null
********** EXTRA INFO
If I'm not mistaken, code 49 is a bind error, but I did a bind test with the LDP application on the domain controller and was able to bind successfully and browse the users.

The Windows server is also on the domain.

********** My Active Directory
Code:
OU=OpenKM,DC=BDB,DC=local
(the user openkmldap is also in this OU)
(here I have 2 security groups for admin, and users)

My users are split into the following
Code:
OU=Clinical Users,OU=OTDBC,DC=BDB,DC=local
OU=Non Clinical Users,OU=OTDBC,DC=BDB,DC=local

****** My current configuration
Code:
Field / Property	Type	Description
principal.adapter	String	com.openkm.principal.LdapPrincipalAdapter
system.login.lowercase	String	TRUE
principal.ldap.server	String	ldap://ReadOnlyDC:389
principal.ldap.security.principal	String	CN=openkmladp,OU=OPENKM,DC=BDB,DC=local
principal.ldap.security.credentials	String	[password]
principal.ldap.referral	String	follow
principal.ldap.users.from.roles	Boolean	FALSE
principal.ldap.user.attribute	String	sAMAccountName
principal.ldap.user.search.base	List	DC=BDB,DC=local
principal.ldap.user.search.filter	String	(&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=BDB,DC=local)(memberOf=CN=ROLE_USER,OU=OpenKM,DC=BDB,DC=local)))
principal.ldap.username.attribute	String	cn
principal.ldap.username.search.base	String	DC=BDB,DC=local
principal.ldap.username.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute	String	userPrincipalName
principal.ldap.mail.search.base	String	DC=BDB,DC=local
principal.ldap.mail.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.role.attribute	String	cn
principal.ldap.role.search.base	List	DC=BDB,DC=local
principal.ldap.role.search.filter	String	(objectclass=group)
principal.ldap.roles.by.user.attribute	String	memberOf
principal.ldap.roles.by.user.search.base	String	DC=BDB,DC=local
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	String	member
principal.ldap.users.by.role.search.base	String	OU=OpenKM,DC=BDB,DC=local
principal.ldap.users.by.role.search.filter	String	(&(objectClass=group)(cn={0}))

Andre

Re: Active Directory Issues

Posted: Fri Mar 09, 2018 5:06 pm
by afurtado
So my LDAP connection is half working, it will load the users on the users button, but it will not allow them to log in.

Re: Active Directory Issues

Posted: Sat Mar 10, 2018 10:28 am
by jllort
I suggest first concentrating on the OpenKM LDAP parameters from Administration -> retrieving the users and roles list. When you succeed there, we can go for authentication. I suggest switching authentication back to database meanwhile.

Your LDAP is an OpenLDAP (basically the question: is it not a Microsoft Active Directory?). In case it is not MS AD, the parameter system.login.lowercase should be false, because OpenLDAP is case sensitive; otherwise it is right.

Are you retrieving the users and roles list?

I suggest taking a look at this LDAP sample configuration https://docs.openkm.com/kcenter/view/ok ... login.html (the issue with OpenLDAP is that you must set attributes in the user and role nodes to be able to retrieve, in both directions, the users from roles and the roles from users). In the Professional Edition we have a mixed configuration where roles are in the OpenKM database and users in LDAP, which simplifies the case, but the feature is still not available in Community.

Re: Active Directory Issues

Posted: Sun Mar 11, 2018 8:15 am
by saleem55
I am getting this error

Application error
Class: org.springframework.ldap.PartialResultException
Message: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''
Date: Sun Mar 11 12:14:13 GST 2018

while I am logging in using AD.

Re: Active Directory Issues

Posted: Sun Mar 11, 2018 11:43 am
by saleem55
saleem55 wrote (Sun Mar 11, 2018 8:15 am): I am getting this error

Application error
Class: org.springframework.ldap.PartialResultException
Message: Unprocessed Continuation Reference(s); nested exception is javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''
Date: Sun Mar 11 12:14:13 GST 2018

while I am logging in using AD.

Solved by adding:
Code:
<beans:map>
  <beans:entry>
    <beans:key>
      <beans:value>java.naming.referral</beans:value>
    </beans:key>
    <beans:value>follow</beans:value>
  </beans:entry>
</beans:map>
</beans:property>
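As an added example (not from this thread and not OpenKM's own code), a small Python classifier for the two LDAP failures the thread shows: the AD bind rejection in afurtado's log (error code 49, data 52e) and the Unprocessed Continuation Reference(s) in saleem55's post. The sub-code table, the `diagnose` function and the suggested checks are mine; the sample lines are copied from the posts above.

```python
import re

# Sub-codes Microsoft AD appends to LDAP result 49 (invalidCredentials) as
# "AcceptSecurityContext error, data XXX". Table assembled for this example.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (bind DN or password wrong)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

ERROR49_RE = re.compile(r"LDAP: error code 49 - .*?data (?P<sub>[0-9a-fA-F]{3})\b")
CONTEXT_RE = re.compile(r"Base: \[(?P<base>[^\]]*)\] - Filter: (?P<filter>\(.*\)) - Attribute: (?P<attr>\w+)")
REFERRAL_RE = re.compile(r"Unprocessed Continuation Reference")

def diagnose(line):
    """Classify one OpenKM/Spring LDAP log line and say what to check first."""
    result = {"kind": "other", "detail": "", "check": "", "base": None, "filter": None}
    ctx = CONTEXT_RE.search(line)  # which OpenKM search (base/filter) was running
    if ctx:
        result["base"], result["filter"] = ctx.group("base"), ctx.group("filter")
    m = ERROR49_RE.search(line)
    if m:
        sub = m.group("sub").lower()
        result["kind"] = "bind-failure"
        result["detail"] = f"AD rejected the bind: data {sub} = {AD_BIND_SUBCODES.get(sub, 'unknown sub-code')}"
        result["check"] = ("check principal.ldap.security.principal / .credentials; a burst of 52e against a "
                           "service account is also what password guessing looks like, so alert on it")
    elif REFERRAL_RE.search(line):
        result["kind"] = "referral"
        result["detail"] = "subtree search under the domain root returned referrals the client did not chase"
        result["check"] = "set java.naming.referral (principal.ldap.referral) to follow, or narrow the search base"
    return result

# Sample lines taken from the posts above (the first reflowed onto several strings).
SAMPLE_BIND = ("2018-03-08 14:30:00,847 [Thread-16] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: "
               "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042A, comment: AcceptSecurityContext error, "
               "data 52e, v3839 ] (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getUsers - "
               "Base: [DC=BDB,DC=local] - Filter: (&(objectclass=user)(|(memberOf=CN=ROLE_ADMIN,OU=OpenKM,DC=BDB,DC=local)"
               "(memberOf=CN=ROLE_USER,OU=OpenKM,DC=BDB,DC=local))) - Attribute: sAMAccountName)")
SAMPLE_REFERRAL = ("Message: Unprocessed Continuation Reference(s); nested exception is "
                   "javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name ''")
```

Running `diagnose` over the OpenKM log as a whole separates configuration mistakes (a single 52e at startup) from a stream of failed binds that deserves an alert.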