• AD ACCOUNT INTEGRATION OPENKM 6.3 issues

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #53890  by WEN-HSAING
 
Hi OpenKM Team:

I am testing the 6.3.11 Community Edition active directory integration account.

AD test structure.
[Attachment: ABC.png]
User ldif
Code:
dn: CN=A123,OU=Mail,DC=ABC,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: A123
sn: li
givenName: michael
distinguishedName: CN=A123,OU=Mail,DC=ABC,DC=com
memberOf: CN=ROLE_ADMIN,OU=OpenKM,DC=ABC,DC=com
memberOf: CN=TEST,OU=OpenKM,DC=ABC,DC=com
name: A123
sAMAccountName: A123
sAMAccountType: 805306368
userPrincipalName: A123@ABC.COM
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=ABC,DC=com
mail: michael_li@ABC.com

OpenKM.xml contents:
Code:
            <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
                <beans:constructor-arg ref="contextSource"/>
                <beans:constructor-arg value="ou=OpenKM,dc=ABC,dc=com"/>
                <beans:property name="groupSearchFilter" value="member={0}"/>
                <beans:property name="groupRoleAttribute" value="cn"/>
                <beans:property name="searchSubtree" value="true" />
                <beans:property name="convertToUpperCase" value="true" />
                <beans:property name="rolePrefix" value="" />
            </beans:bean>
        </beans:constructor-arg>
  </beans:bean>

   <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="dc=ABC,dc=com"/>
    <beans:constructor-arg index="1" value="sAMAccountName={0}"/>
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

Then in the administrator web interface Configuration parameters:
Code:
principal.ldap.mail.attribute	String		mail	
principal.ldap.mail.search.base	String		dc=ABC,dc=com	
principal.ldap.mail.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))	
principal.ldap.role.attribute	String		cn	
principal.ldap.role.search.base	List		ou=OpenKM,dc=ABC,dc=com	
principal.ldap.role.search.filter	String	(objectclass=group)
principal.ldap.roles.by.user.attribute	String	memberOf	
principal.ldap.roles.by.user.search.base	String	dc=ABC,dc=com	
principal.ldap.roles.by.user.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.user.attribute	String	sAMAccountName	
principal.ldap.user.search.base	List	ou=Mail,dc=ABC,dc=com	
principal.ldap.user.search.filter	String	(objectclass=person)
principal.ldap.username.attribute	String	cn	
principal.ldap.username.search.base	String	ou=Mail,dc=ABC,dc=com
principal.ldap.username.search.filter	String	(&(objectClass=person)(sAMAccountName={0}))
principal.ldap.users.by.role.attribute	String	member	
principal.ldap.users.by.role.search.base	String	cn={0},ou=OpenKM,dc=ABC,dc=com	
principal.ldap.users.by.role.search.filter	String	(objectclass=group)


When a user logs in, an error message appears in catalina.log, but the access permissions are normal.
Code:
2022-10-12 10:23:42,388 [ajp-nio-127.0.0.1-8081-exec-1] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: Unprocessed Continuation Reference(s) (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getRolesByUser:A123 - Base: [dc=ABC,dc=com] - Filter: (&(objectClass=person)(sAMAccountName=A123)) - Attribute: memberOf)
Logging in with the ROLE_ADMIN account, which has administrative privileges, and viewing the user list displays it normally, but an error message appears in catalina.log.
Code:
2022-10-12 10:34:46,255 [ajp-nio-127.0.0.1-8081-exec-2] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: Unprocessed Continuation Reference(s) (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getRolesByUser:A123 - Base: [dc=ABC,dc=com] - Filter: (&(objectClass=person)(sAMAccountName=A123)) - Attribute: memberOf)
2022-10-12 10:34:46,299 [ajp-nio-127.0.0.1-8081-exec-2] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: Unprocessed Continuation Reference(s) (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getMail:A123 - Base: [dc=ABC,dc=com] - Filter: (&(objectClass=person)(sAMAccountName=A123)) - Attribute: mail)
Excuse me, which setting is wrong? Thank you.

Best Regards,
 #53901  by jllort
 
Can you log in successfully or not? Do not worry about the errors shown in the log file, because most of them are really warnings although they are shown as errors (AD may be configured with a hierarchical structure between servers; when logging in, the classes try to go as deep as possible, at some point they cannot continue, and an error is raised where it really should be a warning). These errors are shown as "NamingException: Unprocessed Continuation Reference(s)".

Search Google for "NamingException: Unprocessed Continuation Reference(s)" and read:
* https://docs.openkm.com/kcenter/view/ok ... ptionerror
* https://stackoverflow.com/questions/937 ... references

If you are able to log in and the list in the administration is fine, you should not worry about it.

You can also try changing the port as described here https://social.technet.microsoft.com/Fo ... inserverDS
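
An added triage script (not part of the thread and not OpenKM code) that parses the "Unprocessed Continuation Reference(s)" lines quoted above and matches each one to the `principal.ldap.*` parameter group whose base, filter and attribute produced it, flagging bases that are the domain root. The log lines and parameter values are copied from the first post as sample input; the function names are this example's own.

```python
import re
from collections import defaultdict

# Sample input: the two error lines quoted in the first post.
LOG = """\
2022-10-12 10:34:46,255 [ajp-nio-127.0.0.1-8081-exec-2] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: Unprocessed Continuation Reference(s) (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getRolesByUser:A123 - Base: [dc=ABC,dc=com] - Filter: (&(objectClass=person)(sAMAccountName=A123)) - Attribute: memberOf)
2022-10-12 10:34:46,299 [ajp-nio-127.0.0.1-8081-exec-2] ERROR c.o.principal.LdapPrincipalAdapter - NamingException: Unprocessed Continuation Reference(s) (Cache: com.openkm.cache.ldapPrincipalAdapter.general - Key: getMail:A123 - Base: [dc=ABC,dc=com] - Filter: (&(objectClass=person)(sAMAccountName=A123)) - Attribute: mail)
"""
# Sample input: three of the principal.ldap.* groups listed in the first post.
CONFIG = {
    "principal.ldap.mail.attribute": "mail",
    "principal.ldap.mail.search.base": "dc=ABC,dc=com",
    "principal.ldap.mail.search.filter": "(&(objectClass=person)(sAMAccountName={0}))",
    "principal.ldap.roles.by.user.attribute": "memberOf",
    "principal.ldap.roles.by.user.search.base": "dc=ABC,dc=com",
    "principal.ldap.roles.by.user.search.filter": "(&(objectClass=person)(sAMAccountName={0}))",
    "principal.ldap.username.attribute": "cn",
    "principal.ldap.username.search.base": "ou=Mail,dc=ABC,dc=com",
    "principal.ldap.username.search.filter": "(&(objectClass=person)(sAMAccountName={0}))",
}
ERR = re.compile(
    r"Unprocessed Continuation Reference\(s\) \(Cache: \S+ - Key: (?P<method>\w+):(?P<user>\S+)"
    r" - Base: \[(?P<base>[^\]]+)\] - Filter: (?P<filter>.+) - Attribute: (?P<attr>\w+)\)")
KEY = re.compile(r"principal\.ldap\.(.+?)\.(attribute|search\.base|search\.filter)")

def is_domain_root(base):
    # True when every RDN is dc=..., i.e. the base is the domain naming context itself.
    return all(rdn.strip().lower().startswith("dc=") for rdn in base.split(","))

def groups(config):
    # Collect attribute / search.base / search.filter per principal.ldap.<name> group.
    out = defaultdict(dict)
    for key, value in config.items():
        m = KEY.fullmatch(key)
        if m:
            out[m.group(1)][m.group(2)] = value
    return out

def triage(log, config):
    # Map each logged referral error to the group whose base, filter and attribute match it.
    result = {}
    for m in filter(None, map(ERR.search, log.splitlines())):
        for name, g in groups(config).items():
            wanted = g.get("search.filter", "").replace("{0}", m["user"])
            if (g.get("search.base", "").lower(), wanted, g.get("attribute")) == (
                    m["base"].lower(), m["filter"], m["attr"]):
                hits = result.get(name, (None, None, 0))[2]
                result[name] = (m["base"], is_domain_root(m["base"]), hits + 1)
    return result
```

Both logged errors map to groups whose search base is `dc=ABC,dc=com`; the group scoped to `ou=Mail` does not appear. A subtree search rooted at an AD domain root is where the directory returns referrals to other naming contexts, which JNDI reports with this exception when referrals are not followed.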
