Issue when trying to login through ldap

Posted: Fri Feb 18, 2011 9:06 pm
by roycal93
Hi guys,

I am trying to integrate OpenKM with LDAP. In another post you helped me with the login-config.xml and I was able to log in successfully.

Now the issue is that when I log in, the system starts to load everything, then freezes when loading the templates and shows the following error:
The system has generated an error
Code:
OKM-012015(GetTemplate): OKM-012015
okm:templates

In the server.log I got:
2011-02-18 14:48:27,251 ERROR [es.git.openkm.frontend.server.OKMRepositoryServlet] okm:templates
es.git.openkm.core.PathNotFoundException: okm:templates
.........
Caused by: javax.jcr.PathNotFoundException: okm:templates
	at org.apache.jackrabbit.core.NodeImpl.getNode(NodeImpl.java:2478)
	at es.git.openkm.module.direct.DirectFolderModule.getProperties(DirectFolderModule.java:81)
	at es.git.openkm.module.direct.DirectRepositoryModule.getTemplatesFolder(DirectRepositoryModule.java:433)
	... 30 more
Is that because I need to configure something else in openKM.cfg?

Here is my login-config.xml:
Code:
    <!-- OpenKM -->
    <application-policy name = "OpenKM">
		<authentication>
			<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag = "required">
				<module-option name="java.naming.provider.url">ldap://avantica.avanticatec.net:3268</module-option>
				<module-option name="bindDN">cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="java.naming.security.authentication">simple</module-option>
				<module-option name="bindCredential">RrCc56789</module-option>
				<module-option name="baseCtxDN">cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="baseFilter">(sAMAccountName={0})</module-option>
				<module-option name="rolesCtxDN">cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
				<module-option name="roleFilter">(member={1})</module-option>
				<module-option name="roleAttributeID">cn</module-option>
				<module-option name="roleAttributeIsDN">false</module-option>
				<module-option name="roleRecursion">2</module-option>
				<module-option name="searchScope">ONELEVEL_SCOPE</module-option>
				<module-option name="defaultRole">UserRole</module-option>
				<module-option name="allowEmptyPasswords">false</module-option>				
			</login-module> 
		</authentication>
	</application-policy>
And the openkm.cfg; everything is commented out because I don't know which things should be there:
Code:
#principal.ldap.server=ldap://192.168.1.15:3268
#principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
#principal.ldap.security.principal=cn=Roy Calvo Burgos,cn=avantica,cn=users,dc=avantica,dc=avanticatec,dc=net
#principal.ldap.security.credentials=RrCc56789
#principal.ldap.user.search.base=cn=Users,dc=avantica,dc=avanticatec,dc=net
#principal.ldap.user.search.filter=(sAMAccountName={0})
#principal.ldap.user.attribute=sAMAccountName
#principal.ldap.role.search.base=cn=Users,dc=avantica,dc=avanticatec,dc=net
#principal.ldap.role.search.filter=(member={1})
#principal.ldap.role.attribute=cn
#principal.ldap.mail.search.base=cn=Users,dc=avantica,dc=avanticatec,dc=net
#principal.ldap.mail.search.filter=(member={1})
#principal.ldap.mail.attribute=mail
#system.login.lowercase=on
The rest of the configuration is the default that OpenKM uses. If you could help me I would really appreciate it.

Best regards,

RC.

Re: Issue when trying to login through ldap

Posted: Fri Feb 18, 2011 9:24 pm
by roycal93
Ohhh.... I forgot to specify that when I remove the ldap integration and leave the default openkm authentication, everything works perfectly. But I need to link it to our ldap. :(

Thanks.

Re: Issue when trying to login through ldap

Posted: Sat Feb 19, 2011 11:12 am
by jllort
If I understand correctly, when authentication is set as it comes by default, the okm:template is found; otherwise, when you use LDAP, this error appears.

OK, let's now enable the OpenKM.cfg parameters.
Capture the server.log error from login (only this segment, not the whole server.log) and post it here so we can understand what really causes the error.

Re: Issue when trying to login through ldap

Posted: Mon Feb 21, 2011 7:07 pm
by roycal93
Thanks a lot! This is what I got when I log in with the LDAP credentials:
Code:
2011-02-21 12:45:15,332 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CallbackHandler: org.jboss.security.auth.callback.SecurityAssociationHandler@295b9a
2011-02-21 12:45:15,332 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Created securityMgr=org.jboss.security.plugins.JaasSecurityManager@13d0493
2011-02-21 12:45:15,332 DEBUG [org.jboss.security.plugins.JaasSecurityManager.OpenKM] CachePolicy set to: org.jboss.util.TimedCachePolicy@f7757c
2011-02-21 12:45:15,332 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] setCachePolicy, c=org.jboss.util.TimedCachePolicy@f7757c
2011-02-21 12:45:15,332 DEBUG [org.jboss.security.plugins.JaasSecurityManagerService] Added OpenKM, org.jboss.security.plugins.SecurityDomainContext@42299e to map
2011-02-21 12:45:23,223 DEBUG [es.git.openkm.module.direct.DirectWorkflowModule] findUserTaskInstances(107639881777656779930212337924401)
2011-02-21 12:45:23,239 DEBUG [es.git.openkm.module.direct.DirectWorkflowModule] findPooledTaskInstances(107639881777656779930212337924401)
2011-02-21 12:45:23,317 DEBUG [es.git.openkm.module.direct.DirectWorkflowModule] findPooledTaskInstances: []
2011-02-21 12:45:23,661 ERROR [es.git.openkm.module.direct.DirectRepositoryModule] okm:templates
javax.jcr.PathNotFoundException: okm:templates
	at org.apache.jackrabbit.core.NodeImpl.getNode(NodeImpl.java:2478)
	at es.git.openkm.module.direct.DirectFolderModule.getProperties(DirectFolderModule.java:81)
	at es.git.openkm.module.direct.DirectRepositoryModule.getTemplatesFolder(DirectRepositoryModule.java:433)
	at es.git.openkm.api.OKMRepository.getTemplatesFolder(OKMRepository.java:64)
	at es.git.openkm.frontend.server.OKMRepositoryServlet.getTemplate(OKMRepositoryServlet.java:106)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:527)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:164)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.doPost(RemoteServiceServlet.java:86)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Thread.java:619)
2011-02-21 12:45:23,661 ERROR [es.git.openkm.frontend.server.OKMRepositoryServlet] okm:templates
es.git.openkm.core.PathNotFoundException: okm:templates
	at es.git.openkm.module.direct.DirectRepositoryModule.getTemplatesFolder(DirectRepositoryModule.java:439)
	at es.git.openkm.api.OKMRepository.getTemplatesFolder(OKMRepository.java:64)
	at es.git.openkm.frontend.server.OKMRepositoryServlet.getTemplate(OKMRepositoryServlet.java:106)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at com.google.gwt.user.server.rpc.RPC.invokeAndEncodeResponse(RPC.java:527)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.processCall(RemoteServiceServlet.java:164)
	at com.google.gwt.user.server.rpc.RemoteServiceServlet.doPost(RemoteServiceServlet.java:86)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Thread.java:619)
Caused by: javax.jcr.PathNotFoundException: okm:templates
	at org.apache.jackrabbit.core.NodeImpl.getNode(NodeImpl.java:2478)
	at es.git.openkm.module.direct.DirectFolderModule.getProperties(DirectFolderModule.java:81)
	at es.git.openkm.module.direct.DirectRepositoryModule.getTemplatesFolder(DirectRepositoryModule.java:433)
	... 30 more
2011-02-21 12:45:23,755 DEBUG [es.git.openkm.module.direct.DirectWorkflowModule] findUserTaskInstances: []
But this does not happen when removing the ldap integration and leaving the default one.

Thanks a lot for your help.

Re: Issue when trying to login through ldap

Posted: Mon Feb 21, 2011 7:09 pm
by roycal93
And this is the OpenKM.cfg
Code:
restrict.file.mime=off
restrict.file.extension=*~,*.bak,._*
max.file.size=25

principal.ldap.server=ldap://192.168.1.15:3268
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.security.principal=cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net
principal.ldap.security.credentials=(mypassword)
principal.ldap.user.search.base=cn=Users,dc=avantica,dc=avanticatec,dc=net
principal.ldap.user.search.filter=(sAMAccountName={0})
principal.ldap.user.attribute=sAMAccountName
principal.ldap.role.search.base=cn=Users,dc=avantica,dc=avanticatec,dc=net
principal.ldap.role.search.filter=(member={1})
principal.ldap.role.attribute=cn
principal.ldap.mail.search.base=cn=Users,dc=avantica,dc=avanticatec,dc=net
principal.ldap.mail.search.filter=(member={1})
principal.ldap.mail.attribute=mail
system.login.lowercase=on

Re: Issue when trying to login through ldap

Posted: Tue Feb 22, 2011 7:24 am
by jllort
Which OpenKM version are you using? Because es.git.openkm.principal.LdapPrincipalAdapter seems to be an older class; now it is called com.openkm.principal.LdapPrincipalAdapter.

The search filter seems bad for version 5.x; if yours is an older version, then don't take it:
Code:
principal.ldap.user.search.filter=(objectclass=person)
and that too
Code:
principal.ldap.role.search.filter=(objectclass=group)
You might add a log category in jboss-log4j.xml for the LdapPrincipalAdapter to get a full log on the server.

Re: Issue when trying to login through ldap

Posted: Tue Feb 22, 2011 7:47 pm
by roycal93
Thanks for your help.

The version we're using is OpenKM4.

I have made the change, but now it shows another message, which I think is of the same type. I got this message when it loads the taxonomy and those things:
Code:
The system has generated an error:
OKM-007001(GetGrantedUsers): Repository internal error
com.openkm.principal.LdapPrincipalAdapter
OKM-007001(GetGrantedUsers): Repository internal error
com.openkm.principal.LdapPrincipalAdapter
OKM-012015(GetTemplate): OKM-012015
okm: templates
I didn't remove these lines because you said they are needed for older versions.
Code:
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.role.search.filter=(objectclass=group)
These are the errors I got in the server log:
Code:
2011-02-22 12:46:19,868 ERROR [es.git.openkm.frontend.server.OKMAuthServlet] com.openkm.principal.LdapPrincipalAdapter
es.git.openkm.core.RepositoryException: com.openkm.principal.LdapPrincipalAdapter
...
Caused by: java.lang.ClassNotFoundException: com.openkm.principal.LdapPrincipalAdapter
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1358)
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1204)
	at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:169)
	at es.git.openkm.module.direct.DirectAuthModule.getPrincipalAdapter(DirectAuthModule.java:849)

2011-02-22 12:46:22,524 ERROR [es.git.openkm.module.direct.DirectAuthModule] com.openkm.principal.LdapPrincipalAdapter
java.lang.ClassNotFoundException: com.openkm.principal.LdapPrincipalAdapter
...

2011-02-22 12:46:22,524 ERROR [es.git.openkm.frontend.server.OKMAuthServlet] com.openkm.principal.LdapPrincipalAdapter
es.git.openkm.core.RepositoryException: com.openkm.principal.LdapPrincipalAdapter
...
Caused by: java.lang.ClassNotFoundException: com.openkm.principal.LdapPrincipalAdapter
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1358)
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1204)
	at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:169)
	at es.git.openkm.module.direct.DirectAuthModule.getPrincipalAdapter(DirectAuthModule.java:849)

2011-02-22 12:46:22,649 ERROR [es.git.openkm.module.direct.DirectRepositoryModule] okm:templates
javax.jcr.PathNotFoundException: okm:templates
2011-02-22 12:46:22,649 ERROR [es.git.openkm.frontend.server.OKMRepositoryServlet] okm:templates
es.git.openkm.core.PathNotFoundException: okm:templates
...
Caused by: javax.jcr.PathNotFoundException: okm:templates
	at org.apache.jackrabbit.core.NodeImpl.getNode(NodeImpl.java:2478)
	at es.git.openkm.module.direct.DirectFolderModule.getProperties(DirectFolderModule.java:81)
	at es.git.openkm.module.direct.DirectRepositoryModule.getTemplatesFolder(DirectRepositoryModule.java:433)

2011-02-22 12:46:34,462 ERROR [es.git.openkm.module.direct.DirectAuthModule] com.openkm.principal.LdapPrincipalAdapter
java.lang.ClassNotFoundException: com.openkm.principal.LdapPrincipalAdapter

2011-02-22 12:46:34,462 ERROR [es.git.openkm.core.UserMailImporter] com.openkm.principal.LdapPrincipalAdapter
es.git.openkm.core.RepositoryException: com.openkm.principal.LdapPrincipalAdapter
...
Caused by: java.lang.ClassNotFoundException: com.openkm.principal.LdapPrincipalAdapter
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1358)
	at org.apache.catalina.loader.WebappClassLoader.loadClass(WebappClassLoader.java:1204)
	at java.lang.ClassLoader.loadClassInternal(ClassLoader.java:319)
	at java.lang.Class.forName0(Native Method)
	at java.lang.Class.forName(Class.java:169)
	at es.git.openkm.module.direct.DirectAuthModule.getPrincipalAdapter(DirectAuthModule.java:849)
Any other ideas? I am going to try with OpenKM 5 and see what happens.

Re: Issue when trying to login through ldap

Posted: Wed Feb 23, 2011 9:58 pm
by jllort
In that case the correct class is es.git.openkm.principal.LdapPrincipalAdapter

Re: Issue when trying to login through ldap

Posted: Thu Feb 24, 2011 11:37 pm
by roycal93
I finally got it!!!! I changed what you said and now the users can login using the ldap username and password. Thanks a lot for your help!!!

Now I have a couple of questions:

1. I have these lines in my login-config.xml file (and some others):
Code:
<module-option name="bindDN">cn=Roy Calvo Burgos,cn=Users,dc=avantica,dc=avanticatec,dc=net</module-option>
<module-option name="bindCredential">my_password</module-option>
If I remove my info (name and pw) I am unable to login. Why do I need to have a user name and a password written on those fields?

2. How do we manage the OpenKM privileges with these users? Is there any way to assign roles to these users? Right now they all use the:
Code:
<module-option name="defaultRole">UserRole</module-option> 
I removed it and I couldn't log in. Is there any way to handle the OpenKM roles separately?

Thanks again for your help, YOU REALLY ROCK!!!

Re: Issue when trying to login through ldap

Posted: Fri Feb 25, 2011 5:27 pm
by jllort
Users on LDAP must be assigned a role called UserRole; you must remove defaultRole. That indicates your job is still not finished, because authentication is not getting the roles.

About why you're authenticating without username and pass ... the reason is your server doesn't demand any credentials to log in (low security level on your server). Are you sure about it? login-config.xml changes only take effect when you restart JBoss!
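
The flow behind the last two questions, as an added example (not code from the thread, OpenKM or JBoss): a simplified in-memory model of how the bindDN/bindCredential, baseFilter, roleFilter and defaultRole options from the posted login-config.xml interact. The directory entries, the `svc-openkm` bind account and all function names are constructed for illustration, and the model assumes the directory refuses anonymous searches.

```python
"""Simplified model of the LdapExtLoginModule search-then-bind flow.
Added illustration with a constructed in-memory directory; not JBoss code."""

BASE = "cn=Users,dc=example,dc=net"   # stands in for baseCtxDN and rolesCtxDN
SVC_DN = "cn=svc-openkm," + BASE      # hypothetical dedicated bind account

# Constructed entries: DN -> attributes ("pw" stands in for the stored password).
DIRECTORY = {
    SVC_DN: {"sAMAccountName": ["svc-openkm"], "pw": "svc-secret"},
    "cn=Alice," + BASE: {"sAMAccountName": ["alice"], "pw": "alice-pw"},
    "cn=Bob," + BASE: {"sAMAccountName": ["bob"], "pw": "bob-pw"},
    # Only Alice is a member of the group whose cn is the role OpenKM expects.
    "cn=UserRole," + BASE: {"cn": ["UserRole"], "member": ["cn=Alice," + BASE]},
}


def bind(dn, password):
    """Simple bind; an empty password is rejected (allowEmptyPasswords=false)."""
    entry = DIRECTORY.get(dn)
    return bool(password) and entry is not None and entry.get("pw") == password


def search(bound, attr, value):
    """Equality search. Assumption: the server refuses anonymous searches."""
    if not bound:
        raise PermissionError("search requires a successful bind")
    return [dn for dn, e in DIRECTORY.items() if value in e.get(attr, [])]


def login(username, password, bind_dn, bind_pw, default_role=None):
    """Return the set of roles, or None if authentication fails."""
    try:
        bound = bind(bind_dn, bind_pw)                    # bindDN / bindCredential
        hits = search(bound, "sAMAccountName", username)  # baseFilter, {0} = login name
    except PermissionError:
        return None                                       # cannot even locate the user
    if len(hits) != 1 or not bind(hits[0], password):     # bind again as the user's DN
        return None
    groups = search(bound, "member", hits[0])             # roleFilter, {1} = user DN
    roles = {cn for g in groups for cn in DIRECTORY[g]["cn"]}  # roleAttributeID=cn
    if default_role:
        roles.add(default_role)                           # defaultRole: given to everyone
    return roles


if __name__ == "__main__":
    print(login("alice", "alice-pw", SVC_DN, "svc-secret"))
    print(login("bob", "bob-pw", SVC_DN, "svc-secret"))
    print(login("bob", "bob-pw", SVC_DN, "svc-secret", default_role="UserRole"))
    print(login("alice", "alice-pw", None, None))
```

In this model Bob authenticates but resolves no roles, which is the state that defaultRole hides: with it set, every authenticated user receives UserRole regardless of group membership in the directory.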