• ldap authentication error

OpenKM has many interesting features, but requires some configuration process to show its full potential.
 #9009  by michel-openkm
 
Hi,

We have installed OpenKM 5.02.
But now we can't connect with the LDAP (Active Directory).
We are testing OpenKM at this moment to see if we can use it for our company.
But the LDAP connection isn't working.
I hope you can advise us on this.


Config.cfg
Code:
#system.ocr=/usr/bin/tesseract
repository.home=E:/data
system.openoffice=on
system.openoffice.path=E:/open office
system.openoffice.tasks=5
system.openoffice.port=2222
#system.openoffice.path=C:\\Program Files\\OpenOffice.org3
system.pdf2swf=E:/back-up-openkm-18-02-11/OpenKM-5.0.1_JBoss-4.2.3.GA/SWFTools/pdf2swf.exe
system.convert=E:/back-up-openkm-18-02-11/OpenKM-5.0.1_JBoss-4.2.3.GA/Imagemagick/ImageMagick-6.6.7-7/convert.exe
system.img2pdf=E:/back-up-openkm-18-02-11/OpenKM-5.0.1_JBoss-4.2.3.GA/Imagemagick/ImageMagick-6.6.7-7/convert.exe
#system.antivir=/usr/bin/clamscan
hibernate.dialect=org.hibernate.dialect.HSQLDialect
hibernate.hbm2ddl=none
#application.url=http://localhost:8080/OpenKM/com.openkm.frontend.Main/index.jsp
principal.adapter=es.git.openkm.principal.LdapPrincipalAdapter
principal.ldap.server=ldap://ADserver
principal.ldap.security.principal=CN=test,cn=users,dc=Domain,dc=org
principal.ldap.security.credentials=test
principal.ldap.user.search.base=cn=users,dc=Domain,dc=org
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.atribute=cn
principal.ldap.role.search.base=cn=users,dc=Domain,dc=org
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.atribute=cn
principal.ldap.mail.search.base=cn={0},cn=users,dc=Domain,dc=org
principal.ldap.mail.search.filter=(objectclass=person)
principal.ldap.mail.atribute=mail
system.login.lowercase=on


login-config.xml
Code:
<!-- OpenKM -->
    <application-policy name="OpenKM">
  <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="java.naming.provider.url">ldap://ADserver>
        <module-option name="java.naming.security.authentication">simple</module-option>
        <module-option name="bindDN">uid=test,cn=users,dc=Domain,dc=org</module-option>
        <module-option name="bindCredential">test</module-option>
        <module-option name="baseCtxDN">dc=Domain,dc=org</module-option>
        <module-option name="baseFilter">(uid={0})</module-option>
        <module-option name="rolesCtxDN">cn=user,dc=Domain,dc=org</module-option>
        <module-option name="roleFilter">(memberUid={0})</module-option>
        <module-option name="roleAttributeIsDN">false</module-option>
        <module-option name="roleAttributeID">cn</module-option>
        <module-option name="roleRecursion">1</module-option>
        <module-option name="searchTimeLimit">5000</module-option>
        <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
        <module-option name="defaultRole">UserRole</module-option>
      </login-module>
     </authentication>
   </application-policy>
Error in server.log
Code:
2011-02-21 10:30:29,776 DEBUG [org.jboss.mq.pm.jdbc2.PersistenceManager] Creating Schema
2011-02-21 10:30:29,776 WARN  [org.jboss.mq.pm.jdbc2.PersistenceManager] Error creating schema
java.lang.SecurityException: Invalid authentication attempt, principal=null
 #9022  by jllort
 
You've made at least one mistake in writing:
Code:
<module-option name="java.naming.provider.url">ldap://ADserver>
must be
Code:
<module-option name="java.naming.provider.url">ldap://ADserver</module-option>
And are the credentials for accessing that LDAP right? User test with password test? Normally it might be an administrator who navigates across the LDAP (it's an Active Directory).
Another question: is ADserver resolved by your OpenKM server? If you ping it from there, does it return an IP?
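A quick way to catch the kind of mistake pointed out in this reply before restarting JBoss, as an added example that is not part of the thread and not OpenKM or JBoss code: parse the `<application-policy>` as XML (the unclosed `<module-option>` makes it malformed, which the parser reports at once), then check that the options this login module is given are all present and that the `bindDN` agrees with `principal.ldap.security.principal` from the posted Config.cfg (the two files above name the same account once as `uid=test,...` and once as `CN=test,...`, which is worth reconciling). The XML strings are constructed from the configuration posted above; the set of options treated as required and the URL pattern are this example's own assumptions, not the module's rules.

```python
"""
Sanity-check a JBoss login-config.xml <application-policy> for LdapExtLoginModule.
Added example for this thread; not OpenKM or JBoss code.  POSTED_POLICY is
constructed from the login-config.xml posted above, including the unclosed
<module-option> on the provider URL; FIXED_POLICY is the same text with the
tag closed, as the reply suggests.
"""
import re
import xml.etree.ElementTree as ET

POSTED_POLICY = """<application-policy name="OpenKM">
  <authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
      <module-option name="java.naming.provider.url">ldap://ADserver>
      <module-option name="java.naming.security.authentication">simple</module-option>
      <module-option name="bindDN">uid=test,cn=users,dc=Domain,dc=org</module-option>
      <module-option name="bindCredential">test</module-option>
      <module-option name="baseCtxDN">dc=Domain,dc=org</module-option>
      <module-option name="baseFilter">(uid={0})</module-option>
      <module-option name="rolesCtxDN">cn=user,dc=Domain,dc=org</module-option>
      <module-option name="roleFilter">(memberUid={0})</module-option>
      <module-option name="roleAttributeIsDN">false</module-option>
      <module-option name="roleAttributeID">cn</module-option>
      <module-option name="roleRecursion">1</module-option>
      <module-option name="searchTimeLimit">5000</module-option>
      <module-option name="searchScope">ONELEVEL_SCOPE</module-option>
      <module-option name="defaultRole">UserRole</module-option>
    </login-module>
  </authentication>
</application-policy>"""

FIXED_POLICY = POSTED_POLICY.replace("ldap://ADserver>", "ldap://ADserver</module-option>")

# The bind account as written in the posted Config.cfg (principal.ldap.security.principal).
OPENKM_CFG_PRINCIPAL = "CN=test,cn=users,dc=Domain,dc=org"

# Options this check insists on for a bind-then-search setup (assumption of this example).
REQUIRED_OPTIONS = ("java.naming.provider.url", "bindDN", "bindCredential",
                    "baseCtxDN", "baseFilter", "rolesCtxDN", "roleFilter")

def parse_module_options(xml_text):
    """Return {option-name: value} for the first <login-module>.
    Raises ET.ParseError when the XML is not well-formed, which is exactly
    what the unclosed provider-url tag produces."""
    root = ET.fromstring(xml_text)
    module = root.find("./authentication/login-module")
    return {opt.get("name"): (opt.text or "").strip()
            for opt in module.findall("module-option")}

def normalize_dn(dn):
    """Lower-case and trim each RDN so DNs compare by value (attribute types are
    case-insensitive, and so are most Active Directory values)."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_policy(xml_text, openkm_cfg_principal=None):
    """Return a list of human-readable problems; an empty list means nothing found."""
    try:
        opts = parse_module_options(xml_text)
    except ET.ParseError as err:
        return [f"login-config.xml is not well-formed XML: {err}"]
    problems = [f"missing or empty module-option {name}"
                for name in REQUIRED_OPTIONS if not opts.get(name)]
    url = opts.get("java.naming.provider.url", "")
    if url and not re.fullmatch(r"ldaps?://[^/\s>]+/?", url):
        problems.append(f"provider url looks malformed: {url!r}")
    if openkm_cfg_principal and opts.get("bindDN"):
        if normalize_dn(openkm_cfg_principal) != normalize_dn(opts["bindDN"]):
            problems.append("bindDN differs from principal.ldap.security.principal: "
                            f"{opts['bindDN']!r} vs {openkm_cfg_principal!r}")
    return problems

if __name__ == "__main__":
    for label, text in (("as posted", POSTED_POLICY), ("with the tag closed", FIXED_POLICY)):
        print(label, "->", check_policy(text, OPENKM_CFG_PRINCIPAL) or "no problems found")
```

Running it reports the parse error for the posted file and, once the tag is closed, only the `uid=test` versus `CN=test` disagreement between the two files; a real check would go on to read both files from `server/default/conf` instead of the inline strings.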
 #9038  by michel-openkm
 
Thanks for your reply.

We have changed the values in the login-config.xml.
In the original login-config.xml we have </module-option>.
The test account = domain admin
And we can ping the adserver.
 #9085  by jllort
 
In server/default/conf there is jboss-log4j.xml; add a category to take a full log of the class org.jboss.security.auth.spi.LdapExtLoginModule.
 #9114  by michel-openkm
 
We have added a category but it still didn't work.
Our code
Code:
<category name="org.jboss.security.auth.spi.LdapExtLoginModule">
      <priority value="DEBUG"/>
   </category>
In the server.log we don't see an error/debug message.
Do you have an Example ?
What else can we do ?
 #9166  by jllort
 
Use the explorer LDAP utility http://technet.microsoft.com/en-us/sysi ... 63907.aspx from another computer that has no LDAP and try connecting and browsing; that could give some idea about the params you've put.

Be sure that LDAP integration runs, but it is not easy to configure, and the forum is not a good scenario for helping because it's so complicated without seeing it.
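Before pointing an LDAP browser at the domain controller, it helps to write down exactly what the login module will ask for with the posted parameters. The following is an added example, not code from the thread or from OpenKM/JBoss: it takes the module options posted above, splits the provider URL into host and port (the earlier "does ADserver resolve?" question), substitutes a login name into `baseFilter` and `roleFilter` where the `{0}` placeholder sits, escaping the value per RFC 4515 so a crafted name cannot change the filter's meaning, and offers a plain TCP check of the LDAP port. The username "michel" and the hostile-looking name in `main` are constructed samples; how JBoss itself escapes the value is not claimed here.

```python
"""
Reproduce, offline, the user and role searches a login would need with the
module options posted in this thread.  Added example, not OpenKM/JBoss code.
"""
import socket
from urllib.parse import urlsplit

# Constructed from the login-config.xml posted above.
MODULE_OPTIONS = {
    "java.naming.provider.url": "ldap://ADserver",
    "bindDN": "uid=test,cn=users,dc=Domain,dc=org",
    "baseCtxDN": "dc=Domain,dc=org",
    "baseFilter": "(uid={0})",
    "rolesCtxDN": "cn=user,dc=Domain,dc=org",
    "roleFilter": "(memberUid={0})",
    "searchScope": "ONELEVEL_SCOPE",
}

# RFC 4515 escapes for an assertion value placed inside a search filter.
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}

def escape_filter_value(value):
    """Escape a value so it can only match literally inside an LDAP filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template, username):
    """Substitute the {0} placeholder with the escaped login name."""
    return template.replace("{0}", escape_filter_value(username))

def ldap_endpoint(url):
    """Return (host, port) for an ldap:// or ldaps:// URL, defaulting the port.
    Note that urlsplit() lower-cases the host name."""
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps") or not parts.hostname:
        raise ValueError(f"not an LDAP URL: {url!r}")
    return parts.hostname, parts.port or (636 if parts.scheme == "ldaps" else 389)

def plan_login_searches(options, username):
    """Describe the bind and the two searches a login for `username` implies."""
    host, port = ldap_endpoint(options["java.naming.provider.url"])
    return {
        "endpoint": (host, port),
        "bind_as": options["bindDN"],
        "user_search": {"base": options["baseCtxDN"],
                        "scope": options.get("searchScope", "SUBTREE_SCOPE"),
                        "filter": render_filter(options["baseFilter"], username)},
        "role_search": {"base": options["rolesCtxDN"],
                        "filter": render_filter(options["roleFilter"], username)},
    }

def tcp_reachable(host, port, timeout=3.0):
    """Can this machine open the LDAP port at all?  Needs network access."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    import json
    for name in ("michel", "*)(objectClass=*"):          # constructed sample names
        print(json.dumps(plan_login_searches(MODULE_OPTIONS, name), indent=2))
    host, port = ldap_endpoint(MODULE_OPTIONS["java.naming.provider.url"])
    print(f"TCP {host}:{port} reachable:", tcp_reachable(host, port))
```

The printed plan is what to try by hand in the LDAP browser: bind as `bindDN`, then run the user search under `baseCtxDN` and the role search under `rolesCtxDN`. One thing to verify while browsing is which attributes the directory actually has: `uid` and `memberUid` are POSIX (RFC 2307) attributes, whereas Active Directory normally identifies accounts by `sAMAccountName` and records group membership as full DNs in the group's `member` attribute, so a filter that matches nothing there will leave the module with no principal.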
