• Can't connect to ldap

  • We tried to make OpenKM as intuitive as possible, but an advice is always welcome.
#8878 by rocabu
 
Hi there. I am trying to connect to our LDAP application, which runs on a server other than the one we use for OpenKM.

These are the files I have changed:

login-config.xml:
Code:
    <!-- OpenKM -->
	<application-policy name = "OpenKM">
		<authentication>
			<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
				<module-option name="java.naming.provider.url">ldap://avantica.avanticatec.net:3268</module-option>
				<module-option name="bindDN">cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="java.naming.security.authentication">simple</module-option>
				<module-option name="bindCredential">XXXXXXXX(Roy's password)</module-option>
				<module-option name="baseCtxDN">ou=dc1avantica,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="baseFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
				<!--<module-option name="rolesCtxDN">ou=Users,ou=Group,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="roleFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
				<module-option name="roleAttributeIsDN">true</module-option>
				<module-option name="roleAttributeID">MemberOf</module-option>
				<module-option name="roleNameAttributeID">cn</module-option>
				<module-option name="roleRecursion">-1</module-option>-->
				<module-option name="searchTimeLimit">5000</module-option>
				<module-option name="searchScope">SUBTREE_SCOPE</module-option>
				<module-option name="defaultRole">UserRol</module-option>
			</login-module> 
		</authentication>
	</application-policy>
OpenKM.cfg:
Code:
    <!-- OpenKM -->
	<application-policy name = "OpenKM">
		<authentication>
			<!--<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required" >
				<module-option name="dsJndiName">java:/OKMAuthDS</module-option>
				<module-option name="principalsQuery">select usr_pass as PASSWD from users where usr_id=? and usr_active='true'</module-option>
				<module-option name="rolesQuery">select ur_role as ROLEID, 'Roles' from user_role where ur_user=?</module-option>
				<module-option name="hashAlgorithm">md5</module-option>
				<module-option name="hashEncoding">hex</module-option>
			</login-module>-->
			<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
				<module-option name="java.naming.provider.url">ldap://avantica.avanticatec.net:3268</module-option>
				<module-option name="bindDN">cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="java.naming.security.authentication">simple</module-option>
				<module-option name="bindCredential">XXXXXX (Roy's password)</module-option>
				<module-option name="baseCtxDN">ou=dc1avantica,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="baseFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
				<!--<module-option name="rolesCtxDN">ou=Users,ou=Group,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="roleFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
				<module-option name="roleAttributeIsDN">true</module-option>
				<module-option name="roleAttributeID">MemberOf</module-option>
				<module-option name="roleNameAttributeID">cn</module-option>
				<module-option name="roleRecursion">-1</module-option>-->
				<module-option name="searchTimeLimit">5000</module-option>
				<module-option name="searchScope">SUBTREE_SCOPE</module-option>
				<module-option name="defaultRole">UserRol</module-option>
			</login-module> 
		</authentication>
	</application-policy>
I have tried A LOT of different connection parameters, but I always get an error message when trying to connect from the same computer where OpenKM is hosted. Before these changes I was able to log in using the default okmadmin user.
Code:
principal.ldap.server=ldap://192.168.1.15:3268
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.security.principal=CN=rcalvo,ou=Personnel,ou=Union,dc=192.168.1.15:3268,dc=org
principal.ldap.security.principal=CN=avantica\rcalvo,dc=avantica,dc=avanticatec,dc=net
principal.ldap.security.credentials=XXXXXX (Roy's password)
principal.ldap.user.search.base=ou=personnel,ou=union,dc=192.168.1.15:3268,dc=org
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,OU=Personnel,OU=Union,DC=192.168.1.15:3268,DC=org))
principal.ldap.user.search.filter=(&(objectCategory=user)(sAMAccountName={0}))
principal.ldap.user.search.filter=(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.attribute=sAMAccountName
principal.ldap.role.search.base=ou=Personnel,ou=Union,dc=192.168.1.15:3268,dc=org
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,OU=Personnel,OU=Union,DC=192.168.1.15:3268,DC=org))
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn={0},ou=Personnel,ou=Union,ou=192.168.1.15:3268,dc=org
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.attribute=mail
system.login.lowercase=on
Can you help me?

This is the error I got:
Code:
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@8b33e8
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@fce051
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CachePolicy set to: org.jboss.util.TimedCachePolicy@1eb1dbd
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@1eb1dbd
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added OpenKM, org.jboss.security.plugins.SecurityDomainContext@ed8b42 to map
2011-02-16 19:04:23,077 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=lsalas
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=AVANTICA,DC=AVANTICATEC,DC=NET'
Any help will be so much appreciated.

Best regards,
Last edited by rocabu on Thu Feb 17, 2011 2:18 pm, edited 2 times in total.
#8884 by jllort
 
You must concentrate on login-config.xml (forget the others).

As you can observe in the log, there is a bad password for "lsalas" (at the beginning, that is what must be solved first).

Concentrate on
Code:
<!-- OpenKM -->
<application-policy name = "OpenKM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
<module-option name="java.naming.provider.url">ldap://avantica.avanticatec.net:3268</module-option>
<module-option name="bindDN">cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindCredential">XXXXXXXX (Roy's password)</module-option>
<module-option name="baseCtxDN">ou=dc1avantica,dc=avantica,dc=avanticatec,dc=net</module-option>
<module-option name="baseFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
<!--<module-option name="rolesCtxDN">ou=Users,ou=Group,dc=avantica,dc=avanticatec,dc=net</module-option>
<module-option name="roleFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleAttributeID">MemberOf</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleRecursion">-1</module-option>-->
<module-option name="searchTimeLimit">5000</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="defaultRole">UserRol</module-option>
</login-module>
</authentication>
</application-policy>
Remember the role must be called UserRole, not UserRol (but the error that appears in the log is different: it is a password error).

I could suggest something like this:
Code:
      <module-option name="baseCtxDN">cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
It seems your administrator is in a group other than Users, no?

Configuring LDAP is not easy, and it is really very difficult (if not impossible) to solve via the forum, due to the different ways administrators can configure it. I can only suggest the most usual parameters, as I have put there.
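Both posts above turn on what LdapExtLoginModule actually does with these options: it binds as bindDN, searches baseCtxDN with baseFilter ({0} replaced by the typed username) to find the user's DN, binds as that DN with the typed password, then searches rolesCtxDN with roleFilter ({1} replaced by the user's DN) and collects roleAttributeID values, recursing roleRecursion levels for nested groups. The simulation below is an added example written for this page, not code from OpenKM or JBoss. It runs the original configuration and the suggested one against a small in-memory directory that is constructed here (the DNs mirror the thread; the entries, group nesting and passwords are invented). It also shows why a non-existent baseCtxDN surfaces as LDAP error 32 (NO_OBJECT) with a "best match" of the nearest existing parent, which is what the posted log shows for ou=dc1avantica, and why the {0} substitution is escaped per RFC 4515 (the JNDI search call the module uses escapes filter arguments) so a username like "*" cannot become a wildcard match.

```python
"""Simulation of the JBoss LdapExtLoginModule lookup flow against a constructed directory."""
import re
from typing import Dict, List, Tuple

# Constructed sample directory (not real data). DNs mirror the forum thread.
BASE = "dc=avantica,dc=avanticatec,dc=net"
USERS = "cn=Users," + BASE
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    BASE: {"objectClass": ["top", "domainDNS"]},
    USERS: {"objectClass": ["top", "container"]},
    "cn=Roy Calvo Burgos," + USERS: {"objectClass": ["top", "person", "user"],
                                     "sAMAccountName": ["rcalvo"], "userPassword": ["bind-secret"]},
    "cn=lsalas," + USERS: {"objectClass": ["top", "person", "user"],
                           "sAMAccountName": ["lsalas"], "userPassword": ["lsalas-pw"]},
    "cn=Editors," + USERS: {"objectClass": ["top", "group"], "cn": ["Editors"],
                            "member": ["cn=lsalas," + USERS]},            # lsalas is a direct member
    "cn=UserRole," + USERS: {"objectClass": ["top", "group"], "cn": ["UserRole"],
                             "member": ["cn=Editors," + USERS]},           # nested: UserRole contains Editors
}


class LdapError(Exception):
    pass


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping of a value substituted into a filter ({0}, {1})."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def norm_dn(dn: str) -> str:
    """Naive DN normalisation (enough for this demo: no escaped commas in RDNs)."""
    return ",".join(p.strip().lower() for p in dn.split(","))


def _split(s: str) -> List[str]:
    """Split '(a)(b)(c)' into its top-level parenthesised components."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                parts.append(s[start:i + 1])
    return parts


def _matches(entry: Dict[str, List[str]], filt: str) -> bool:
    """Minimal RFC 4515 evaluator: &, |, !, equality and presence (attr=*)."""
    body = filt.strip()[1:-1]
    if body[0] == "&":
        return all(_matches(entry, f) for f in _split(body[1:]))
    if body[0] == "|":
        return any(_matches(entry, f) for f in _split(body[1:]))
    if body[0] == "!":
        return not _matches(entry, _split(body[1:])[0])
    attr, _, value = body.partition("=")
    have = [v.lower() for k, vs in entry.items() if k.lower() == attr.lower() for v in vs]
    if value == "*":                      # only an unescaped '*' is a presence test
        return bool(have)
    return _unescape(value).lower() in have


def search(base: str, scope: str, filt: str) -> List[Tuple[str, dict]]:
    """Search like JNDI: ONELEVEL_SCOPE or SUBTREE_SCOPE; missing base -> error 32."""
    base_n = norm_dn(base)
    index = {norm_dn(dn): dn for dn in DIRECTORY}
    if base_n not in index:
        best = base_n
        while best and best not in index:      # walk up to the nearest existing parent
            best = best.partition(",")[2]
        raise LdapError("error code 32 (NO_OBJECT) for %r, best match of: %r" % (base, best))
    hits = []
    for dn_n, dn in index.items():
        if scope == "SUBTREE_SCOPE":
            in_scope = dn_n == base_n or dn_n.endswith("," + base_n)
        else:  # ONELEVEL_SCOPE: direct children only
            in_scope = dn_n.endswith("," + base_n) and dn_n.count(",") == base_n.count(",") + 1
        if in_scope and _matches(DIRECTORY[dn], filt):
            hits.append((dn, DIRECTORY[dn]))
    return hits


def _roles(cfg: dict, username: str, subject_dn: str, level: int, out: set) -> None:
    """roleFilter search with {0}=username, {1}=DN; recurse on matched groups up to roleRecursion."""
    filt = (cfg["roleFilter"].replace("{0}", escape_filter_value(username))
                             .replace("{1}", escape_filter_value(subject_dn)))
    for dn, entry in search(cfg["rolesCtxDN"], cfg["searchScope"], filt):
        out.update(entry.get(cfg["roleAttributeID"], []))   # roleAttributeIsDN=false: value is the role name
        if level < cfg.get("roleRecursion", 0):
            _roles(cfg, username, dn, level + 1, out)       # the group may itself be a member of a group


def login(cfg: dict, username: str, password: str) -> Tuple[str, set]:
    """Return (user DN, roles) or raise LdapError, mirroring the module's phases."""
    filt = cfg["baseFilter"].replace("{0}", escape_filter_value(username))
    hits = search(cfg["baseCtxDN"], cfg["searchScope"], filt)
    if len(hits) != 1:
        raise LdapError("search under %s for %s found %d entries" % (cfg["baseCtxDN"], filt, len(hits)))
    user_dn, entry = hits[0]
    if not password or password not in entry.get("userPassword", []):   # allowEmptyPasswords=false
        raise LdapError("Bad password for username=" + username)
    roles = set()
    if "rolesCtxDN" in cfg:
        _roles(cfg, username, user_dn, 0, roles)
    if cfg.get("defaultRole"):
        roles.add(cfg["defaultRole"])
    return user_dn, roles


ORIGINAL = {  # the first post: baseCtxDN names an OU that does not exist in the directory
    "baseCtxDN": "ou=dc1avantica," + BASE, "searchScope": "SUBTREE_SCOPE",
    "baseFilter": "(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))",
    "defaultRole": "UserRol",
}
SUGGESTED = {  # the options suggested in the reply above
    "baseCtxDN": USERS, "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": USERS, "roleFilter": "(member={1})",
    "roleAttributeID": "cn", "roleRecursion": 2,
    "searchScope": "ONELEVEL_SCOPE", "defaultRole": "UserRole",
}


def demo() -> dict:
    results = {}
    try:
        login(ORIGINAL, "lsalas", "lsalas-pw")
    except LdapError as e:
        results["original"] = str(e)              # NO_OBJECT, best match dc=avantica,...
    results["suggested"] = login(SUGGESTED, "lsalas", "lsalas-pw")   # Editors + nested UserRole
    try:
        login(SUGGESTED, "*", "x")                # escaped wildcard matches nobody
    except LdapError as e:
        results["wildcard"] = str(e)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Two practitioner checks follow from this. First, before touching login-config.xml, confirm the base DN really exists with the bind account, e.g. `ldapsearch -x -H ldap://avantica.avanticatec.net:3268 -D 'cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net' -W -b 'ou=dc1avantica,dc=avantica,dc=avanticatec,dc=net' -s base '(objectClass=*)'`; a "No such object (32)" there reproduces the posted log without involving JBoss at all. Second, port 3268 is the Active Directory global catalog over plain LDAP, so a simple bind sends the service account's password in clear text across the network; prefer ldaps:// (3269 for the global catalog) and a dedicated read-only bind account rather than an administrator's personal credentials.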
#8897 by roycal93
 
Kudos!!! The configuration you gave me worked just fine. Thanks a lot!!!!

Now I am able to log in using my LDAP credentials. But when I do, and the system starts to load, it freezes when loading the templates and shows the following error:
Code:
The system has generated an error
OKM-012015(GetTemplate): OKM-012015
okm:templates
And in the log I got:
Code:
2011-02-17 12:04:42,967 ERROR [es.git.openkm.frontend.server.OKMRepositoryServlet] okm:templates
es.git.openkm.core.PathNotFoundException: okm:templates
Is that because I need to configure OpenKM.cfg?

Thanks in advance.
#8937 by jllort
 
Start another post for this problem. Say whether you have configured it with another database or are using the default OpenKM configuration, and include the server log error (only the error, not the whole server.log file).
