Active Directory Questions
Posted: Fri Jul 03, 2020 1:58 pm
by rwebb
Hi,
I was able to get users and roles to show up in the interface but any changes in AD do not appear in the UI without completely restarting OpenKM. It seems that it doesn't refresh when someone clicks on a UI component that requires the information. Is there a cron task or some other automated task that is supposed to run on a regular basis to update the information?
Also I'm seeing this error happening in the log when I log in using db authentication but ldap for the users and roles:
2020-07-03 09:51:38,081 [ajp-nio-127.0.0.1-8009-exec-5] [] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: null (Cache: com.openkm.cache.ldapPrincipalAdapter.name - Key: testuser - Base: [DC=crossfire,DC=local] - Filter: (&(objectClass=person)(sAMAccountName=testuser)) - Attribute: cn)
I think it's saying that value is null maybe? But it's not.
Also I still can't get the authentication to work - I seem to be closer now. I'm not getting Authentication error. I have attached a screenshot of the message I'm getting at login. I think the issue here is it says "crossfire.local" and not "dc1.crossfire.local" which is our domain controller but I don't know where it's getting that from. It's not like that in the XML.
Any help would be greatly appreciated!
Rich
Re: Active Directory Questions
Posted: Sat Jul 04, 2020 8:19 am
by jllort
You have several issues; first, start with this:
https://docs.openkm.com/kcenter/view/ok ... bletologin
The second issue will be more difficult to solve, because you decided to connect to AD with SSL ( my suggestion is to first try without SSL and then with SSL ). Take a look here:
https://docs.openkm.com/kcenter/view/ok ... mematching
Re: Active Directory Questions
Posted: Sat Jul 04, 2020 4:29 pm
by rwebb
I only went with SSL because I got an error that looked like it said it needed it. I can't remember the exact error but it said something like Expected secure SSL or something like that. I can turn off the SSL if I could get it to work.. it's all internal - no external access anyway.
Rich
Re: Active Directory Questions
Posted: Sun Jul 05, 2020 6:36 pm
by jllort
I think Microsoft, in its latest advisories, says it will soon only allow SSL connections to the AD. I only suggest doing the connection without SSL first ( the easiest case ) and then switching to SSL. If you go toward the objective step by step, it will be easier.
Re: Active Directory Questions
Posted: Sun Jul 05, 2020 8:03 pm
by rwebb
Good thing I'm not using Microsoft then!
It's Samba 4 version 4.12 I think - I'm sure I can fully turn it off... I'll have to get back to you on the message that I had seen - it was in the log and made me think that SSL was required.
Re: Active Directory Questions
Posted: Mon Jul 06, 2020 1:45 am
by rwebb
I just switched it back to Ldap vs Ldaps and I no longer get the user list in the admin panel and the log shows this message:
2020-07-05 21:43:10,829 [ajp-nio-127.0.0.1-8009-exec-2] [] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: [LDAP: error code 8 - BindSimple: Transport encryption required.]
That was the message that made me think I needed to enable encryption.
Rich
Re: Active Directory Questions
Posted: Mon Jul 06, 2020 3:24 pm
by rwebb
I just added the Samba parameter:
ldap server require strong auth = no
and now authentication works so it's apparently something with the certificate. I have another install that IS on Microsoft active directory so how do I make the ldaps work? It appears to be a naming conflict between the certificate on the server and the connection (seems to be looking for the wrong name)
Rich
Re: Active Directory Questions
Posted: Tue Jul 07, 2020 2:43 am
by rwebb
Is there a way to increase the frequency of OpenKM refreshing its information from AD? The time from creating a new object until it is available in the interface is rather long.
Rich
Re: Active Directory Questions
Posted: Wed Jul 08, 2020 1:24 pm
by rwebb
Anyone?
Re: Active Directory Questions
Posted: Sat Jul 11, 2020 5:29 pm
by jllort
You might create a crontab task to periodically refresh the user and roles list. Usually, you should not change a lot the users who have access or not to OpenKM. For me, it is a best practice for it to be refreshed manually by the AD administrator who changes something in the AD, rather than refreshed automatically from the OpenKM side. Because we try to minimize the load on the AD, consider that retrieving the lists ( users and roles ) puts some load on the AD.
If you want to create the cron task, I can try to guide you on how to do it.
Re: Active Directory Questions
Posted: Sat Jul 11, 2020 5:37 pm
by rwebb
jllort wrote: ↑Sat Jul 11, 2020 5:29 pm
If you want to create the cron task, I can try to guide you on how to do it.
Yes please. I had tried a few things but I don't know the proper call to cause it to refresh.
jllort wrote: ↑Sat Jul 11, 2020 5:29 pm
Usually, you should not change a lot the users who have access or not to OpenKM.
Yes that will likely be the case after the initial setup once everything is working but it would be nice to have a way to manually refresh from time to time.
Also I know this probably should be in a separate topic but I'm trying to come up with a beanshell script that will empty out my scans folder in the desktop every day at midnight. I want to make sure that scans are moved into their proper locations and they don't start using the scans folder as a storage location.
Rich
Re: Active Directory Questions
Posted: Sun Jul 12, 2020 5:05 pm
by jllort
The key should be in this Servlet
https://github.com/openkm/document-mana ... rvlet.java
You might be interested in these two URLs:
http://localhost:8080/OpenKM/admin/Cach ... er.general
http://localhost:8080/OpenKM/admin/Cach ... apter.name
Basically, the reset action with these two names. Follow the code in the servlet and that's what you should apply in the script.
Re: Active Directory Questions
Posted: Mon Jul 20, 2020 2:22 pm
by rwebb
Ok so that URL took me to a cache reset utilities page but looks like it reset the cache as well.. so can I just add a call to that URL in the cron job every so often to have it refresh the data?
Re: Active Directory Questions
Posted: Wed Jul 22, 2020 7:59 pm
by krankins
rwebb wrote: ↑Sat Jul 04, 2020 4:29 pm
I only went with SSL because I got an error that looked like it said it needed it. I can't remember the exact error but it said something like Expected secure SSL or something like that. I can turn off the SSL if I could get it to work.. it's all internal - no external access anyway.
Rich
Damn, even I am having a similar kind of issue. I have searched all over the internet and have even posted on a number of threads on different forums; no solution seems to work. I am really frustrated. Can any of you here help me resolve this issue? I am very much tired now.
Re: Active Directory Questions
Posted: Thu Jul 23, 2020 12:22 pm
by andrew
krankins wrote: ↑Wed Jul 22, 2020 7:59 pm
Damn, even I am having a similar kind of issue. I have searched all over the internet and have even posted on a number of threads on different forums; no solution seems to work. I am really frustrated. Can any of you here help me resolve this issue? I am very much tired now.
I had the same problem on Ubuntu 18 with ldaps after ldap gave the ERROR BindSimple: Transport encryption required. It turns out Java does not go looking in your standard certificate store /etc/ssl/certs ... but the certificate needs to be added to the Java store using:
sudo keytool -import -trustcacerts -file <certificate>.crt -alias <name> -keystore /etc/ssl/certs/java/cacerts
Refer to:
https://docs.oracle.com/cd/E19509-01/82 ... index.html
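
An added example, not part of any post in this thread: a shell check that the LDAPS certificate is issued for the host name in the LDAP URL before the keytool import above is run, since the thread reports both a name conflict and an untrusted certificate. The URLs, alias, function names and the throwaway self-signed certificate are constructed for illustration; only the keystore path and the crossfire.local names come from the thread.

```shell
#!/usr/bin/env bash
# Added example: verify the certificate's name against the LDAP URL host
# before trusting the certificate in the Java store.

# Host part of ldap(s)://host[:port][/base]
ldap_url_host() {
  _rest="${1#*://}"
  _rest="${_rest%%/*}"
  printf '%s\n' "${_rest%%:*}"
}

# 0 if the PEM certificate $1 is valid for host name $2 (SAN, else CN).
cert_matches_host() {
  openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# Print the keytool import from the thread only when the name check passes.
# $1 = LDAP URL, $2 = certificate file, $3 = alias (all caller-supplied).
plan_truststore_import() {
  _host="$(ldap_url_host "$1")"
  if cert_matches_host "$2" "$_host"; then
    echo "sudo keytool -import -trustcacerts -file $2 -alias $3 -keystore /etc/ssl/certs/java/cacerts"
  else
    echo "certificate $2 is not issued for $_host; fix the URL or reissue the certificate" >&2
    return 1
  fi
}

# Constructed sample: throwaway self-signed certificate whose only name is $1
# (no SAN is set, so the check falls back to the CN).
make_sample_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2.key" -out "$2" 2>/dev/null
}

# Demo (assumed scenario): the certificate names the domain, while the
# connection is made to the domain controller's host name.
demo_dir="$(mktemp -d)"
make_sample_cert "crossfire.local" "$demo_dir/samba.crt"
plan_truststore_import "ldaps://dc1.crossfire.local:636" "$demo_dir/samba.crt" samba-dc \
  || echo "name mismatch detected, nothing to import"
plan_truststore_import "ldaps://crossfire.local:636" "$demo_dir/samba.crt" samba-dc
```

Once the name check passes and the certificate is in the Java store, the ldaps:// URL works with Samba's default `ldap server require strong auth` setting left in place.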