• Active Directory will not log in

 #50299  by andrew
 
I asked this question in another thread, but as I have had no response, I will try asking a different way.

I have installed OpenKM 6.3 CE on a fresh Ubuntu 18 build, and have managed to connect to an Ubuntu SAMBA AD using ldaps, and have users showing very nicely in the UI - but when refreshing the cache I get an error message in the log report "ERROR c.o.principal.LdapPrincipalAdapter - NamingException: Unprocessed Continuation Reference(s) (Cache: com.openkm.cache.ldapPrincipalAdapter.general ... blah blah blah ...".

Is this a real error? Would this be stopping users logging in? I ask this because I have tried every version of OpenKM.xml I can find and none give enough of a trace to follow to a solution. From all the blogs, it seems like the right version of OpenKM.xml to use is found under the OpenKM 6.3 CE Active Directory example with login based on filtering users by role.

While this product seems to have great promise, the implementation (and later extension) is threatening to be too much ... I would be interested in hearing from others' experience: have you got this product to work OK and have you found it worthwhile after the initial pain?

Any help / advice / user experience very welcome :).
 #50301  by jllort
 
The message "ERROR c.o.principal.LdapPrincipalAdapter - NamingException: Unprocessed Continuation Reference(s)" is usually a warning, not an error. It tells you it has not been able to continue following the search, but that does not mean it is an error. Here the problem comes with the "referral set as follow" attribute, which is needed for login but which is causing this behaviour.

You can look in Google for this kind of error: "spring AD NamingException Unprocessed Continuation Reference(s)"

Maybe there's a way to ignore partial results exception:
https://myshittycode.com/2017/03/26/lda ... ning-name/
 #50330  by andrew
 
Thank you for your response ... so we should be able to ignore this "error" as a warning - cool :) ...

I can get all my users listed fine into the user interface - I am past this step :D.

Now to the ... I just cannot get the login to work :(.

What I have done is to follow your advice and use your suggestion to "try these: https://docs.openkm.com/kcenter/view/ok ... bletologin"

The result is I cannot log in with any username / password. Every once in a while I see a warning (which looks like the same thing as the error you said to ignore):
Code:
2020-08-06 20:46:30,158 [Update Info] [] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: null (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getUsers - Base: [DC=domain,DC=com,DC=au] - Filter: (|(memberOf=CN=ROLE_USER,CN=Users,DC=domain,DC=com,DC=au)(memberOf=CN=ROLE_ADMIN,CN=Users,DC=domain,DC=com,DC=au)) - Attribute: sAMAccountName)
Looking at this random error (which seems to come from the settings in OpenKM.xml) I tried transposing the parameters from the error into an ldapsearch query:
Code:
ldapsearch -LLL  -w password -H ldaps://domain.com.au -D CN=ldap_user,DC=domain,DC=com,DC=au -b DC=domain,DC=com,DC=au "(|(memberOf=CN=ROLE_USER,CN=Users,DC=domain,DC=com,DC=au)(memberOf=CN=ROLE_ADMIN,CN=Users,DC=domain,DC=com,DC=au))" sAMAccountName
... and get a list of all the sAMAccountNames OK :)... but still cannot log in. :(

I set the property on the DefaultLdapAuthoritiesPopulator as you suggested also and this did not help. :(
Code:
<beans:property name="ignorePartialResultException" value="true" />
Turning on debug messaging does not help ... (the most we can get is "Authentication ERROR") ... it looks like LDAP authentication will not work with the LDAP from an AD. :cry:
 #50345  by andrew
 
Thank you very much for your suggestion ... but you have already directed me around this loop and I have tried "with it https://docs.openkm.com/kcenter/view/ok ... bletologin" and could not get it working.

I had someone with more expertise than me look at this and they were stumped too - it seems there are too many disparate moving parts and too little debugging information (and perhaps we are too stupid as well :)). Thanks again for trying to help ... it was so close.
 #50392  by andrew
 
Please see the latest version of OpenKM.xml ... any suggestions welcome.
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task.xsd">

<security:authentication-manager alias="authenticationManager">
     <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldaps://domain.com.au"/>
  <beans:property name="userDn" value="CN=auchiv05_ldap,OU=AUCHI,OU=AU,DC=domain,DC=com,DC=au"/>
  <beans:property name="password" value="[password]"/>
  <beans:property name="baseEnvironmentProperties">
     <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
   </beans:property>
</beans:bean>

<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="DC=domain,DC=com,DC=au"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="false" />
      <beans:property name="rolePrefix" value="" />
      <beans:property name="defaultRole" value="ROLE_USER" />
      <beans:property name="ignorePartialResultException" value="true" />
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>

<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=domain,DC=com,DC=au" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,DC=domain,DC=com,DC=au)(memberOf=CN=ROLE_USER,DC=domain,DC=com,DC=au)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
</beans:bean>

</beans:beans>
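One detail worth checking in the configuration above against the ldapsearch in post #50330: the ldapsearch that did return users filters on memberOf=CN=ROLE_USER,CN=Users,DC=domain,DC=com,DC=au, while the userSearch bean's filter uses CN=ROLE_USER,DC=domain,DC=com,DC=au (no CN=Users). A memberOf filter only matches the exact group DN, so if the groups live under CN=Users the user search will return nothing and the bind never happens, which is consistent with a bare "Authentication ERROR". The script below is an added example, not OpenKM or Spring code: it pulls the userSearch filter out of an OpenKM.xml excerpt (a constructed copy of the bean posted above), substitutes a username into {0} with RFC 4515 escaping so a hostile username cannot change the filter's shape, and compares every memberOf DN in the filter with the group DNs from the working ldapsearch. The `WORKING_GROUP_DNS` list and the sample usernames are taken from or modelled on this thread, not read from a live directory.

```python
"""Cross-check the OpenKM.xml userSearch filter against group DNs that a
working ldapsearch returned.  Added example; not OpenKM or Spring code."""
import re
import xml.etree.ElementTree as ET

NS = {"beans": "http://www.springframework.org/schema/beans"}

# Constructed excerpt: the userSearch bean as posted in this thread.
OPENKM_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans">
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="DC=domain,DC=com,DC=au" />
  <beans:constructor-arg index="1" value="(&amp;(sAMAccountName={0})(|(memberOf=CN=ROLE_ADMIN,DC=domain,DC=com,DC=au)(memberOf=CN=ROLE_USER,DC=domain,DC=com,DC=au)))" />
  <beans:constructor-arg index="2" ref="contextSource" />
</beans:bean>
</beans:beans>
"""

# Group DNs copied from the ldapsearch filter in post #50330 that returned users.
WORKING_GROUP_DNS = [
    "CN=ROLE_USER,CN=Users,DC=domain,DC=com,DC=au",
    "CN=ROLE_ADMIN,CN=Users,DC=domain,DC=com,DC=au",
]


def user_search_filter(xml_text):
    """Return the filter template (constructor-arg index 1) of the userSearch bean."""
    root = ET.fromstring(xml_text)
    for bean in root.findall("beans:bean", NS):
        if bean.get("id") == "userSearch":
            for arg in bean.findall("beans:constructor-arg", NS):
                if arg.get("index") == "1":
                    return arg.get("value")  # ElementTree has already decoded &amp;
    raise ValueError("userSearch bean with constructor-arg index=1 not found")


def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a search filter."""
    table = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(table.get(ch, ch) for ch in value)


def substitute_user(filter_template, username):
    """Fill the {0} placeholder the way a safe user search must: escaped, never raw."""
    return filter_template.replace("{0}", escape_filter_value(username))


def normalize_dn(dn):
    """Case-fold and trim each RDN so CN=x and cn = x compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def memberof_dns(ldap_filter):
    """Every DN used in a (memberOf=...) clause of the filter."""
    return re.findall(r"\(memberOf=([^()]+)\)", ldap_filter)


def check_group_dns(ldap_filter, known_good):
    """Map each memberOf DN in the filter to whether it matches a known-good group DN."""
    good = {normalize_dn(d) for d in known_good}
    return {dn: normalize_dn(dn) in good for dn in memberof_dns(ldap_filter)}


def mismatched_group_dns(xml_text, known_good):
    """DNs in the userSearch filter that no working ldapsearch group DN matches."""
    result = check_group_dns(user_search_filter(xml_text), known_good)
    return [dn for dn, ok in result.items() if not ok]


if __name__ == "__main__":
    template = user_search_filter(OPENKM_XML)
    print("filter for user andrew:", substitute_user(template, "andrew"))
    print("filter for hostile name:", substitute_user(template, "*)(objectClass=*"))
    for dn in mismatched_group_dns(OPENKM_XML, WORKING_GROUP_DNS):
        print("memberOf DN not seen in working ldapsearch:", dn)
```

Running it reports both memberOf DNs in the posted filter as not matching the DNs that the working ldapsearch used; the second print also shows that a username containing filter metacharacters is neutralised by the escaping rather than widening the search. The same check can be pointed at the real OpenKM.xml by reading the file instead of the embedded excerpt.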
 #50419  by jllort
 
1- Switch SSL ldaps://domain.com.au to NON SSL ldap://domain.com.au (if using SSL is mandatory then there are more steps to be done)

2- Use a low conditional and later increase it
<beans:constructor-arg index="1" value="(sAMAccountName={0})" />

3- Add to your /etc/hosts file or to your Windows hosts file the following resolution
LDAP_IP domain.com.au
LDAP_IP LDAP_SERVER_NAME LDAP_SERVER_NAME.domain.com.au
LDAP_IP Schema.Configuration.domain.com.au
LDAP_IP Configuration.domain.com.au
LDAP_IP DomainDnsZones.domain.com.au
LDAP_IP ForestDnsZones.domain.com.au
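The hosts entries in step 3 exist because, with java.naming.referral set to follow, a subtree search of the domain root makes the client chase the referral URLs the domain controller returns, and each of those URLs names a host (ForestDnsZones.domain.com.au, DomainDnsZones.domain.com.au, ...) that must resolve or the search ends in the "Unprocessed Continuation Reference(s)" exception. The script below is an added example, not from this thread or from OpenKM: it extracts the hostnames from a list of referral URLs, reports which of them a given hosts file does not yet cover, and prints the lines that would cover them. The referral URLs and the hosts file content are constructed to match the names jllort lists; LDAP_IP stays a placeholder for the server address.

```python
"""Derive the hosts-file entries needed to follow AD referrals.
Added example; the referral URLs below are constructed, not captured."""
from urllib.parse import urlparse

# Constructed referral URLs shaped like those an AD domain controller returns
# for a subtree search of the domain root (hostnames match the thread's list).
REFERRALS = [
    "ldap://ForestDnsZones.domain.com.au/DC=ForestDnsZones,DC=domain,DC=com,DC=au",
    "ldap://DomainDnsZones.domain.com.au/DC=DomainDnsZones,DC=domain,DC=com,DC=au",
    "ldap://domain.com.au/CN=Configuration,DC=domain,DC=com,DC=au",
    "ldap://domain.com.au/CN=Schema,CN=Configuration,DC=domain,DC=com,DC=au",
]

# Constructed hosts file that already resolves the domain but not the partitions.
HOSTS_FILE = """127.0.0.1 localhost
# LDAP_IP is the placeholder used in this thread for the domain controller address
LDAP_IP domain.com.au
LDAP_IP LDAP_SERVER_NAME LDAP_SERVER_NAME.domain.com.au
"""


def referral_hosts(urls):
    """Distinct hostnames (lower-cased) named by a list of LDAP referral URLs."""
    hosts = []
    for url in urls:
        host = urlparse(url).hostname
        if host and host.lower() not in hosts:
            hosts.append(host.lower())
    return hosts


def resolved_hosts(hosts_text):
    """Hostnames already mapped by a hosts file (comments and blanks skipped)."""
    names = set()
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        names.update(name.lower() for name in fields[1:])  # fields[0] is the address
    return names


def missing_hosts(urls, hosts_text):
    """Referral hostnames the hosts file does not yet resolve, in referral order."""
    have = resolved_hosts(hosts_text)
    return [h for h in referral_hosts(urls) if h not in have]


def hosts_lines(address, hostnames):
    """Hosts-file lines, one per hostname, in the form the thread suggests."""
    return [f"{address} {h}" for h in hostnames]


if __name__ == "__main__":
    for line in hosts_lines("LDAP_IP", missing_hosts(REFERRALS, HOSTS_FILE)):
        print(line)
```

With the constructed inputs this prints lines for forestdnszones.domain.com.au and domaindnszones.domain.com.au only, because domain.com.au is already present; a domain controller that hands out Configuration or Schema referrals under their own hostnames would add those names to the output as well.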
