• Active Directory Questions

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #50181  by rwebb
 
Hi,

I was able to get users and roles to show up in the interface but any changes in AD do not appear in the UI without completely restarting OpenKM. It seems that it doesn't refresh when someone clicks on a UI component that requires the information. Is there a cron task or some other automated task that is supposed to run on a regular basis to update the information?

Also I'm seeing this error happening in the log when I log in using db authentication but ldap for the users and roles:
2020-07-03 09:51:38,081 [ajp-nio-127.0.0.1-8009-exec-5] [] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: null (Cache: com.openkm.cache.ldapPrincipalAdapter.name - Key: testuser - Base: [DC=crossfire,DC=local] - Filter: (&(objectClass=person)(sAMAccountName=testuser)) - Attribute: cn)

I think it's saying that value is null maybe? But it's not.

Also I still can't get the authentication to work - I seem to be closer now. I'm not getting Authentication error. I have attached a screenshot of the message I'm getting at login. I think the issue here is it says "crossfire.local" and not "dc1.crossfire.local" which is our domain controller but I don't know where it's getting that from. It's not like that in the XML.

Any help would be greatly appreciated!
Rich
Attachments: error.png (104.17 KiB)
 #50188  by jllort
 
You have several issues; start with this one first: https://docs.openkm.com/kcenter/view/ok ... bletologin
The second issue will be more difficult to solve, because you decided to connect to AD with SSL (my suggestion is to try without SSL first and then with SSL). Take a look here: https://docs.openkm.com/kcenter/view/ok ... mematching
 #50190  by rwebb
 
I only went with SSL because I got an error that looked like it said it needed it. I can't remember the exact error but it said something like Expected secure SSL or something like that. I can turn off the SSL if I could get it to work.. it's all internal - no external access anyway.

Rich
 #50191  by jllort
 
I think Microsoft, in its latest advisories, talks about soon allowing only SSL connections to the AD. I only suggest doing the connection without SSL first (the easiest case) and then switching to SSL. Going toward the objective step by step will be easier.
 #50192  by rwebb
 
Good thing I'm not using Microsoft then! :D

It's Samba 4 version 4.12 I think - I'm sure I can fully turn it off... I'll have to get back to you on the message that I had seen - it was in the log and made me think that SSL was required.
 #50193  by rwebb
 
I just switched it back to Ldap vs Ldaps and I no longer get the user list in the admin panel and the log shows this message:

2020-07-05 21:43:10,829 [ajp-nio-127.0.0.1-8009-exec-2] [] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: [LDAP: error code 8 - BindSimple: Transport encryption required.]

That was the message that made me think I needed to enable encryption.

Rich
 #50195  by rwebb
 
I just added the Samba parameter:

ldap server require strong auth = no

and now authentication works so it's apparently something with the certificate. I have another install that IS on Microsoft active directory so how do I make the ldaps work? It appears to be a naming conflict between the certificate on the server and the connection (seems to be looking for the wrong name)

Rich
 #50197  by rwebb
 
Is there a way to increase the frequency of OpenKM refreshing its information from AD? The time from creating a new object until it is available in the interface is rather long.

Rich
 #50219  by jllort
 
You might create a crontab task to periodically refresh the user and roles list. Usually, you should not change the users who have access or not to OpenKM a lot. For me, the best practice is a manual refresh by the AD administrator who changes something in the AD rather than an automatic refresh from the OpenKM side, because we try to minimize the load on the AD; consider that retrieving the lists (users and roles) puts some load on the AD.

If you want to create the cron task, I can try to guide you on how to do it.
 #50220  by rwebb
 
jllort wrote: Sat Jul 11, 2020 5:29 pm If you want to create the cron task, I can try to guide you on how to do it.
Yes please. I had tried a few things but I don't know the proper call to cause it to refresh.
jllort wrote: Sat Jul 11, 2020 5:29 pm Usually, you should not change the users who have access or not to OpenKM a lot.
Yes, that will likely be the case after the initial setup once everything is working, but it would be nice to have a way to manually refresh from time to time.

Also I know this probably should be in a separate topic but I'm trying to come up with a beanshell script that will empty out my scans folder in the desktop every day at midnight. I want to make sure that scans are moved into their proper locations and they don't start using the scans folder as a storage location.

Rich
 #50225  by jllort
 
The key should be in this Servlet
https://github.com/openkm/document-mana ... rvlet.java

You might be interested in these two url:
http://localhost:8080/OpenKM/admin/Cach ... er.general
http://localhost:8080/OpenKM/admin/Cach ... apter.name

Basically, the reset action with these two names. Follow the code in the servlet; that's what you should apply in the script.
 #50267  by rwebb
 
Ok so that URL took me to a cache reset utilities page but looks like it reset the cache as well.. so can I just add a call to that URL in the cron job every so often to have it refresh the data?
 #50287  by krankins
 
rwebb wrote: Sat Jul 04, 2020 4:29 pm I only went with SSL because I got an error that looked like it said it needed it. I can't remember the exact error but it said something like Expected secure SSL or something like that. I can turn off the SSL if I could get it to work.. it's all internal - no external access anyway.

Rich

Damn, even I am having a similar kind of issue. I have searched all over the internet and have even posted on a number of threads on different forums; no solution seems to work. I am really frustrated. Can any one of you here help me resolve this issue? I am very much tired now.
 #50292  by andrew
 
krankins wrote: Wed Jul 22, 2020 7:59 pm Damn, even I am having a similar kind of issue. I have searched all over the internet and have even posted on a number of threads on different forums; no solution seems to work. I am really frustrated. Can any one of you here help me resolve this issue? I am very much tired now.
I had the same problem on Ubuntu 18 with ldaps after ldap gave the ERROR BindSimple: Transport encryption required. It turns out Java does not go looking in your standard certificate store /etc/ssl/certs ... but the certificate needs to be added to the Java store using:

sudo keytool -import -trustcacerts -file <certificate>.crt -alias <name> -keystore /etc/ssl/certs/java/cacerts

Refer to : https://docs.oracle.com/cd/E19509-01/82 ... index.html
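
An added example, not part of the posts above or of OpenKM's documentation: before importing a certificate into the Java store, confirm that it actually carries the host name used in the ldaps:// URL, which is the kind of name mismatch rwebb suspected. The certificate is a constructed self-signed sample generated with openssl, and the helper names are hypothetical.

```shell
#!/bin/sh
# Added example: check whether an LDAPS server certificate carries the host
# name the client connects to. A certificate issued for dc1.crossfire.local
# does not validate when the client connects using the name crossfire.local.

# cert_matches_host PEM_FILE HOSTNAME -> exit 0 when the name is on the cert
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q 'does match certificate'
}

# cert_names PEM_FILE -> print the subject and subjectAltName entries
cert_names() {
    openssl x509 -in "$1" -noout -subject -ext subjectAltName
}

# make_demo_cert -> path of a constructed self-signed certificate whose only
# name is dc1.crossfire.local (stands in for the domain controller's cert)
make_demo_cert() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$dir/key.pem" -out "$dir/dc.pem" \
        -subj "/CN=dc1.crossfire.local" \
        -addext "subjectAltName=DNS:dc1.crossfire.local" >/dev/null 2>&1
    echo "$dir/dc.pem"
}

# Against a real server, save the presented certificate instead, e.g.:
#   openssl s_client -connect dc1.crossfire.local:636 -showcerts </dev/null \
#       2>/dev/null | openssl x509 -outform PEM > dc.pem
# and only after the name check passes, import the issuing CA with keytool
# as shown in the post above.

pem=$(make_demo_cert)
cert_names "$pem"
for host in dc1.crossfire.local crossfire.local; do
    if cert_matches_host "$pem" "$host"; then
        echo "$host: name is on the certificate"
    else
        echo "$host: NOT on the certificate, the LDAPS host name check fails"
    fi
done
rm -rf "$(dirname "$pem")"
```

If the name in the LDAP URL is not on the certificate, importing it into the Java store fixes trust but not the name check; the URL or the certificate has to change.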
