• Problem with LDAP configuration

  • OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #7184  by gregrlb
 
Hello,

I'm trying to configure authentication through our Active Directory with LDAP. I've googled and tried several ways to set it up but it doesn't work: I get "authentication error".
Can you help me with this?

Here is my configuration:

OpenKM.cfg:
Code:
restrict.file.mime=off
restrict.file.extension=*~,*.bak,._*
system.openoffice=on
system.openoffice=/usr/lib/openoffice
system.pdf2swf=/usr/local/bin/pdf2swf
hibernate.hbm2ddl=none
max.file.size=060520010
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://our.server.example.net:389
principal.ldap.security.principal=cd=queryldap,cn=Users,dc=server,dc=example,,dc=net
principal.ldap.security.credentials=queryldap
principal.ldap.user.search.base=cn=our,dc=server,dc=example,,dc=net
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=OPENKM_UserRole,CN=our,dc=server,dc=example,dc=net))
principal.ldap.user.atribute=cn
principal.ldap.role.search.base=cn=our,dc=server,dc=example,dc=net
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OPENKM_OpenKM,CN=our,dc=server,dc=example,dc=net))
principal.ldap.role.atribute=cn
principal.ldap.mail.search.base=cn={0},cn=our,dc=server,dc=example,dc=net
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.atribute=mail
system.login.lowercase=on

.../server/default/conf/login-config.xml:
Code:
    <!-- OpenKM -->
    <application-policy name = "OpenKM">
       <authentication>
<!--          <login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required">
            <module-option name="dsJndiName">java:/OpenKMDS</module-option>
            <module-option name="principalsQuery">select usr_password as PASSWD from OKM_USER where usr_id=? and usr_active=true</module-option>
            <module-option name="rolesQuery">select ur_role as ROLEID, 'Roles' from OKM_USER_ROLE where ur_user=?</module-option>
            <module-option name="hashAlgorithm">md5</module-option>
            <module-option name="hashEncoding">hex</module-option>
          </login-module>-->
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
      <module-option name="java.naming.provider.url">ldap://our.server.example.net:389</module-option>
      <module-option name="bindDN">CN=queryldap,cn=Users,dc=server,dc=example,dc=net</module-option>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindCredential">queryldap</module-option>
      <module-option name="baseCtxDN">cn=Users,dc=server,dc=example,dc=net</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=Users,dc=server,dc=example,dc=net</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="baseFilter">(&(sAMAccountName={0})(memberOf=CN=OPENKM_UserRole,CN=our,dc=server,dc=example,dc=net))</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
    </login-module>
       </authentication>
    </application-policy>
Thanks,

Greg.
 #7189  by jllort
 
Concentrate first on login-config.xml; if you cannot log in, the problem is there. Ensure you can log in with those credentials.

I suggest you add the module org.jboss.security (I think it's called a category) to the log4j config that's in the same conf folder.
 #7196  by gregrlb
 
Hello,

Again, I googled a little bit but didn't find how to add this module you suggest.

But I found this error message in .../server/default/server.log:

2010-11-23 10:00:04,808 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=my_username
javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]

Strange, I give it the right password... Any idea?

Thank you,

Greg.
 #7197  by jllort
 
The user is called queryldap? And his password is queryldap?

Replace it:
Code:
<module-option name="baseFilter">(&(sAMAccountName={0})(memberOf=CN=OPENKM_UserRole,CN=our,dc=server,dc=example,dc=net))</module-option>
with
Code:
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
Try using some client to connect to your LDAP with these credentials, to ensure they are right (try searching Google for something like "ldap explorer").
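As an added check (example code written for this thread, not from OpenKM or JBoss), the script below decodes the Active Directory sub-code in an "error code 49" line like the one Greg quoted and flags duplicated module-option names in a login-config.xml fragment, which is the duplicate baseFilter jllort asks to replace. The fragment and log line are constructed stand-ins; note that an AND filter pasted into XML must start with `&amp;`, not a bare `&`.

```python
import re
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample modelled on the login-config.xml fragment in this thread
# (hostname and DNs are placeholders, not real values).
SAMPLE_LOGIN_MODULE = """<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
  <module-option name="java.naming.provider.url">ldap://our.server.example.net:389</module-option>
  <module-option name="bindDN">CN=queryldap,cn=Users,dc=server,dc=example,dc=net</module-option>
  <module-option name="baseCtxDN">cn=Users,dc=server,dc=example,dc=net</module-option>
  <module-option name="baseFilter">(sAMAccountName={0})</module-option>
  <module-option name="baseFilter">(&amp;(sAMAccountName={0})(memberOf=CN=OPENKM_UserRole,CN=our,dc=server,dc=example,dc=net))</module-option>
</login-module>"""

# Constructed log line in the same shape as the one quoted in the thread.
SAMPLE_LOG = ("javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: "
              "LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece]")

# Active Directory sub-codes that accompany LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found (the DN or filter did not resolve to an entry)",
    "52e": "invalid credentials (wrong password for an existing user)",
    "530": "logon not permitted at this time",
    "531": "logon not permitted at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

def explain_ad_bind_error(log_line):
    """Return (sub-code, meaning) from an 'error code 49' message, or None."""
    m = re.search(r"error code 49 .*?data ([0-9a-fA-F]{3})", log_line)
    if not m:
        return None
    code = m.group(1).lower()
    return code, AD_BIND_SUBCODES.get(code, "unknown sub-code")

def parses_as_xml(xml_text):
    """False when the fragment is not well-formed, e.g. a raw '&' inside a filter."""
    try:
        ET.fromstring(xml_text)
        return True
    except ET.ParseError:
        return False

def duplicated_module_options(xml_text):
    """Names of <module-option> elements that appear more than once in a login-module."""
    root = ET.fromstring(xml_text)
    names = [opt.get("name") for opt in root.findall("module-option")]
    return sorted(n for n, c in Counter(names).items() if c > 1)
```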
