Open Source Document Management System | OpenKM

Because information matters
https://forum.openkm.com/

Can't connect to ldap

https://forum.openkm.com/viewtopic.php?t=4518

Page 1 of 1

Can't connect to ldap

PostPosted:Thu Feb 17, 2011 1:24 am
by rocabu
Hi there. I am trying to connect to our ldap application running on another server different than the one we use for openkm.

These are the files I have changed:

login-config.xml:
Code: Select all
    <!-- OpenKM -->
	<application-policy name = "OpenKM">
		<authentication>
			<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
				<module-option name="java.naming.provider.url">ldap://avantica.avanticatec.net:3268</module-option>
				<module-option name="bindDN">cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="java.naming.security.authentication">simple</module-option>
				<module-option name="bindCredential">XXXXXXXX(Roy's password)</module-option>
				<module-option name="baseCtxDN">ou=dc1avantica,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="baseFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
				<!--<module-option name="rolesCtxDN">ou=Users,ou=Group,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="roleFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
				<module-option name="roleAttributeIsDN">true</module-option>
				<module-option name="roleAttributeID">MemberOf</module-option>
				<module-option name="roleNameAttributeID">cn</module-option>
				<module-option name="roleRecursion">-1</module-option>-->
				<module-option name="searchTimeLimit">5000</module-option>
				<module-option name="searchScope">SUBTREE_SCOPE</module-option>
				<module-option name="defaultRole">UserRol</module-option>
			</login-module> 
		</authentication>
	</application-policy>
OpenKM.cfg:
Code: Select all
    <!-- OpenKM -->
	<application-policy name = "OpenKM">
		<authentication>
			<!--<login-module code="org.jboss.security.auth.spi.DatabaseServerLoginModule" flag = "required" >
				<module-option name="dsJndiName">java:/OKMAuthDS</module-option>
				<module-option name="principalsQuery">select usr_pass as PASSWD from users where usr_id=? and usr_active='true'</module-option>
				<module-option name="rolesQuery">select ur_role as ROLEID, 'Roles' from user_role where ur_user=?</module-option>
				<module-option name="hashAlgorithm">md5</module-option>
				<module-option name="hashEncoding">hex</module-option>
			</login-module>-->
			<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
				<module-option name="java.naming.provider.url">ldap://avantica.avanticatec.net:3268</module-option>
				<module-option name="bindDN">cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="java.naming.security.authentication">simple</module-option>
				<module-option name="bindCredential">XXXXXX (Roy's password)</module-option>
				<module-option name="baseCtxDN">ou=dc1avantica,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="baseFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
				<!--<module-option name="rolesCtxDN">ou=Users,ou=Group,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="roleFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
				<module-option name="roleAttributeIsDN">true</module-option>
				<module-option name="roleAttributeID">MemberOf</module-option>
				<module-option name="roleNameAttributeID">cn</module-option>
				<module-option name="roleRecursion">-1</module-option>-->
				<module-option name="searchTimeLimit">5000</module-option>
				<module-option name="searchScope">SUBTREE_SCOPE</module-option>
				<module-option name="defaultRole">UserRol</module-option>
			</login-module> 
		</authentication>
	</application-policy>
I have tried with A LOT of different connection parameters but I always get an error message when trying to connect from the same computer where the openkm is hosted. Before these changes I was able to login using the default okmadmin user.
Code: Select all
principal.ldap.server=ldap://192.168.1.15:3268
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.security.principal=CN=rcalvo,ou=Personnel,ou=Union,dc=192.168.1.15:3268,dc=org
principal.ldap.security.principal=CN=avantica\rcalvo,dc=avantica,dc=avanticatec,dc=net
principal.ldap.security.credentials=XXXXXX (Roy's password)
principal.ldap.user.search.base=ou=personnel,ou=union,dc=192.168.1.15:3268,dc=org
principal.ldap.user.search.filter=(&(objectclass=user)(memberOf=CN=UserRole,OU=Personnel,OU=Union,DC=192.168.1.15:3268,DC=org))
principal.ldap.user.search.filter=(&(objectCategory=user)(sAMAccountName={0}))
principal.ldap.user.search.filter=(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))
principal.ldap.user.attribute=sAMAccountName
principal.ldap.user.attribute=sAMAccountName
principal.ldap.role.search.base=ou=Personnel,ou=Union,dc=192.168.1.15:3268,dc=org
principal.ldap.role.search.filter=(&(objectclass=group)(memberOf=CN=OpenKM,OU=Personnel,OU=Union,DC=192.168.1.15:3268,DC=org))
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn={0},ou=Personnel,ou=Union,ou=192.168.1.15:3268,dc=org
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.attribute=mail
system.login.lowercase=on
Can you help me?

This is the error I got:
Code: Select all
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@8b33e8
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@fce051
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CachePolicy set to: org.jboss.util.TimedCachePolicy@1eb1dbd
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@1eb1dbd
2011-02-16 19:04:22,155 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added OpenKM, org.jboss.security.plugins.SecurityDomainContext@ed8b42 to map
2011-02-16 19:04:23,077 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=lsalas
javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-031001CD, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=AVANTICA,DC=AVANTICATEC,DC=NET'
Any help will be so much appreciated.

Best regards,

Re: Can't connect to ldap

PostPosted:Thu Feb 17, 2011 9:06 am
by jllort
You must concentrate at login-config.xml ( forget the others ).

As you observate in log there "lsalas" bad password ( at the begining that's what must be solved first )

Concentrate on
Code: Select all
<!-- OpenKM -->
<application-policy name = "OpenKM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
<module-option name="java.naming.provider.url">ldap://avantica.avanticatec.net:3268</module-option>
<module-option name="bindDN">cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindCredential">RrCc56789</module-option>
<module-option name="baseCtxDN">ou=dc1avantica,dc=avantica,dc=avanticatec,dc=net</module-option>
<module-option name="baseFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
<!--<module-option name="rolesCtxDN">ou=Users,ou=Group,dc=avantica,dc=avanticatec,dc=net</module-option>
<module-option name="roleFilter">(&(objectClass=User)(!(objectClass=Computer))(sAMAccountName={0}))</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleAttributeID">MemberOf</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleRecursion">-1</module-option>-->
<module-option name="searchTimeLimit">5000</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="defaultRole">UserRol</module-option>
</login-module>
</authentication>
</application-policy>
Remember the rol must be called UserRole not UserRol ( but the error appears on log is different is pass error )

I could suggest some ones:
Code: Select all
      <module-option name="baseCtxDN">cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
      <module-option name="baseFilter">(sAMAccountName={0})</module-option>
      <module-option name="rolesCtxDN">cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
      <module-option name="roleFilter">(member={1})</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleRecursion">2</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
      <module-option name="allowEmptyPasswords">false</module-option>
Seems your adminitrator is on other group than users no ?

Configuring ldap is not easy and really very difficult ( if not impossible ) to solve via forum due different ways administrators can configure it. Only I can suggest the most normal parameters as I put there

Re: Can't connect to ldap

PostPosted:Thu Feb 17, 2011 6:40 pm
by roycal93
Kudos!!! The configuration you gave me worked just fine. Thanks a lot!!!!

Now I am able to login using my ldap credentials. But when I do it and the system starts to load, it freezes out when loading the templates and shows the following error:
Code: Select all
The system has generated an error
OKM-012015(GetTemplate): OKM-012015
okm:templates
And in the log I got:
Code: Select all
2011-02-17 12:04:42,967 ERROR [es.git.openkm.frontend.server.OKMRepositoryServlet] okm:templates
es.git.openkm.core.PathNotFoundException: okm:templates
Is that because I need to configure the openKM.cfg?

Thanks in advanced.

Re: Can't connect to ldap

PostPosted:Fri Feb 18, 2011 3:31 pm
by jllort
Start other post for it problem. Put if you've configured with other database or if you're using the default openkm configuration. And the serverlog error ( only the error not all server.log file ).
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited