LDP Configuration Problem in OpenKM

Posted: Thu Aug 02, 2012 11:31 am
by madhav
Hi,

I configured LDAP in my OpenKM application. Authentication is working perfectly, but I can't get the roles and users from Apache Directory Studio.

Please help me.

Re: LDP Configuration Problem in OpenKM

Posted: Fri Aug 03, 2012 10:58 am
by jllort
Which query are you using? Put some screenshots here so we can see better what you're doing.

Re: LDP Configuration Problem in OpenKM

Posted: Mon Aug 06, 2012 7:22 am
by madhav
Here I am sending my login-config.xml, my schema and the exception.

Schema:
o=sevenSeas

dn: ou=groups,o=sevenSeas
dn: ou=people,o=sevenSeas
dn: ou=roles,o=sevenSeas

dn: cn=guestrole,ou=roles,o=sevenSeas
dn: cn=AdminRole,ou=roles,o=sevenSeas
dn: cn=UserRole,ou=roles,o=sevenSeas

dn: cn=Fletcher Christian,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: Fletcher Christian
sn: Christian
description: Lieutenant Fletcher Christian
givenname: Fletcher
mail: fchristi@royalnavy.mod.uk
manager: cn=William Bligh,ou=people,o=sevenSeas
uid: fchristi
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9
login-config.xml:
<application-policy name="FAB66">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
         <module-option name="java.naming.provider.url">ldap://xx.xx.xx.xx:10389/</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">uid=admin,ou=system</module-option>
         <module-option name="bindCredential">secret</module-option>
         <module-option name="baseCtxDN">ou=people,o=sevenSeas</module-option>
         <module-option name="baseFilter">(uid={0})</module-option>
         <module-option name="rolesCtxDN">ou=groups,o=sevenSeas</module-option>
         <module-option name="roleFilter">(uniqueMember={1})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
         <module-option name="roleRecursion">-1</module-option>
         <module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
         <module-option name="principal.ldap.referral">manual</module-option>
         <!-- <module-option name="defaultRole">UserRole</module-option> -->
      </login-module>
   </authentication>
</application-policy>
Exception:
 javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
 	at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
 	at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
 	at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
 	at javax.naming.InitialContext.init(Unknown Source)
 	at javax.naming.InitialContext.<init>(Unknown Source)
 	at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
 	at com.fab66.principal.LdapPrincipalAdapter.ldapSearch(LdapPrincipalAdapter.java:205)
 	at com.fab66.principal.LdapPrincipalAdapter.getRoles(LdapPrincipalAdapter.java:85)
 	at com.fab66.servlet.frontend.PendingTask_Number.doPost(PendingTask_Number.java:68)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
	at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
	at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
	at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
	at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
	at java.lang.Thread.run(Unknown Source)

Re: LDP Configuration Problem in OpenKM

Posted: Tue Aug 07, 2012 7:36 am
by jllort
Curious: your application-policy name <application-policy name="FAB66"> should be named "OpenKM". Are you sure you're really logging in with LDAP?

I'll assume all users are under ou=people,o=sevenSeas and all roles under ou=roles,o=sevenSeas (otherwise you will need some changes).

You should go to OpenKM administration configuration -> configuration parameters http://wiki.openkm.com/index.php/Configuration_view

Then enable the LDAP principal adapter (that is the only one which needs the OpenKM service to be restarted):
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
If your LDAP is not case sensitive, like Microsoft Active Directory, you should force all ids to be lowercase (I think this is not your case):
system.login.lowercase=on
Then, for example, configure it to get the list of all users in administration (I'm not sure about your user search filter; the idea is to get all nodes with some property. In Active Directory it is (objectclass=person), but in your LDAP it could be inetOrgPerson or organizationalPerson too):
principal.ldap.user.search.base=ou=people,o=sevenSeas
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=uid
Then get the roles (I have not seen all the group properties in your post, but the normal filter is):
principal.ldap.role.search.base=ou=roles,o=sevenSeas
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
That is for getting mail:
principal.ldap.mail.search.base=ou=people,o=sevenSeas
principal.ldap.mail.search.filter=(&(objectclass=person)(uid={0}))
principal.ldap.mail.attribute=mail
Users by role (I'm not sure about the member attribute; you should take a look at your real LDAP configuration):
principal.ldap.users.by.role.search.base=cn={0},ou=roles,o=sevenSeas
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
Other filters:
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(uid={0}))
etc.

I think with this you get the idea.

Re: LDP Configuration Problem in OpenKM

Posted: Wed Aug 08, 2012 6:09 am
by madhav
I am getting this exception:
javax.naming.ConfigurationException: java.naming.provider.url property does not contain a URL
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.InitialContext.<init>(Unknown Source)
at javax.naming.directory.InitialDirContext.<init>(Unknown Source)
at com.fab66.principal.LdapPrincipalAdapter.ldapSearch(LdapPrincipalAdapter.java:205)
at com.fab66.principal.LdapPrincipalAdapter.getRoles(LdapPrincipalAdapter.java:85)
at com.fab66.servlet.frontend.PendingTask_Number.doPost(PendingTask_Number.java:68)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:524)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Unknown Source)
Here I am sending my LDAP sample schema:
version: 1

dn: o=sevenSeas
objectClass: top
objectClass: organization
o: sevenSeas

dn: ou=groups,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: groups
description: Contains entries which describe groups (crews, for instance)

dn: ou=people,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: people
description: Contains entries which describe persons (seamen)


dn: ou=roles,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: roles

dn: cn=AdminRole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: AdminRole
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=okmAdmin,ou=people,o=sevenSeas
uniqueMember: cn=madhav,ou=people,o=sevenSeas
uniqueMember: cn=prasanna,ou=people,o=sevenSeas

dn: cn=guestrole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: guestrole
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=UserRole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: UserRole
uniqueMember: cn=John Fryer,ou=people,o=sevenSeas
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=pratik,ou=people,o=sevenSeas
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=William Bligh,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: William Bligh
sn: Bligh
description: Captain William Bligh
givenname: William
mail: wbligh@royalnavy.mod.uk
uid: wbligh
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9

dn: cn=William Bush,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: William Bush
sn: Bush
description: Lt. William Bush
givenname: William
mail: wbush@royalnavy.mod.uk
manager: cn=Horatio Hornblower,ou=people,o=sevenSeas
uid: wbush
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9

My cfg file is:
system.login.lowercase=on
principal.adapter=com.fab66.principal.LdapPrincipalAdapter
 
principal.ldap.server=ldap://192.168.104.75:10389/
principal.ldap.security.principal=uid=admin,ou=system
principal.ldap.security.credentials=secret

principal.ldap.role.search.base=ou=roles,o=sevenSeas
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn

principal.ldap.user.search.base=ou=people,o=sevenSeas
principal.ldap.user.search.filter=(objectclass=inetOrgPerson)
principal.ldap.user.attribute=uid

principal.ldap.mail.search.base=ou=people,o=sevenSeas
principal.ldap.mail.search.filter=(&(objectclass=inetOrgPerson)(uid={0}))
principal.ldap.mail.attribute=mail

My login-config.xml:
<application-policy name="OpenKM">
   <authentication>
      <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
         <module-option name="java.naming.provider.url">ldap://192.xx.xx.xx:10389/</module-option>
         <module-option name="java.naming.security.authentication">simple</module-option>
         <module-option name="bindDN">uid=admin,ou=system</module-option>
         <module-option name="bindCredential">secret</module-option>
         <module-option name="baseCtxDN">ou=people,o=sevenSeas</module-option>
         <module-option name="baseFilter">(uid={0})</module-option>
         <module-option name="rolesCtxDN">ou=roles,o=sevenSeas</module-option>
         <module-option name="roleFilter">(uniqueMember={1})</module-option>
         <module-option name="roleAttributeID">cn</module-option>
         <module-option name="roleAttributeIsDN">false</module-option>
         <module-option name="roleRecursion">-1</module-option>
         <module-option name="searchScope">SUBTREE_SCOPE</module-option>
         <module-option name="allowEmptyPasswords">false</module-option>
         <module-option name="referral">follow</module-option>
         <!-- <module-option name="defaultRole">UserRole</module-option> -->
      </login-module>
   </authentication>
</application-policy>
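An added offline check (not from the thread and not OpenKM code): it parses a constructed subset of the LDIF posted above and evaluates the filters from the cfg file against it, showing that (objectclass=group) returns nothing for these groupOfUniqueNames entries, while a filter naming that objectClass, and a uniqueMember lookup by the user's full DN, return the expected roles. The evaluator stands in for the directory server and handles only the equality and flat-AND filters used in this thread.

```python
import re
# Constructed subset of the LDIF posted in this thread (passwords omitted).
SAMPLE_LDIF = """\
dn: cn=AdminRole,ou=roles,o=sevenSeas
objectClass: groupOfUniqueNames
cn: AdminRole
uniqueMember: cn=William Bush,ou=people,o=sevenSeas

dn: cn=UserRole,ou=roles,o=sevenSeas
objectClass: groupOfUniqueNames
cn: UserRole
uniqueMember: cn=John Fryer,ou=people,o=sevenSeas
uniqueMember: cn=William Bush,ou=people,o=sevenSeas

dn: cn=William Bush,ou=people,o=sevenSeas
objectClass: inetOrgPerson
cn: William Bush
uid: wbush
mail: wbush@royalnavy.mod.uk
"""

def parse_ldif(text):
    """Return {dn: {attr_lowercase: [values]}} for every entry in the LDIF text."""
    entries = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        entries[attrs.pop("dn")[0]] = attrs
    return entries

def matches(attrs, flt):
    """Evaluate (a=v) or a flat (&(a=v)(b=w)); names and values compare case-insensitively."""
    if flt.startswith("(&"):
        return all(matches(attrs, sub) for sub in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    return value.lower() in [v.lower() for v in attrs.get(attr.lower(), [])]

def search(entries, base, flt, attribute, *params):
    """One principal.ldap.*.search.{base,filter,attribute} query; {0} is filled from params."""
    flt = flt.format(*params)
    return [v for dn, attrs in entries.items()
            if dn.lower().endswith(base.lower()) and matches(attrs, flt)
            for v in attrs.get(attribute.lower(), [])]

def check_cfg():
    """Run the thread's filters against the sample and return what each one yields."""
    e = parse_ldif(SAMPLE_LDIF)
    # role filter as posted in the cfg file, then one naming the objectClass the LDIF actually uses
    roles_as_posted = search(e, "ou=roles,o=sevenSeas", "(objectclass=group)", "cn")
    roles_matching = search(e, "ou=roles,o=sevenSeas", "(objectclass=groupOfUniqueNames)", "cn")
    users = search(e, "ou=people,o=sevenSeas", "(objectclass=inetOrgPerson)", "uid")
    mail = search(e, "ou=people,o=sevenSeas", "(&(objectclass=inetOrgPerson)(uid={0}))", "mail", "wbush")
    # the roles store each member's full DN in uniqueMember, so resolve uid -> DN first
    user_dn = next(dn for dn, a in e.items() if "wbush" in a.get("uid", []))
    roles_of_user = search(e, "ou=roles,o=sevenSeas", "(uniqueMember={0})", "cn", user_dn)
    return roles_as_posted, roles_matching, users, mail, roles_of_user
```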

Re: LDP Configuration Problem in OpenKM

Posted: Wed Aug 08, 2012 7:39 am
by jllort
Have you logged into OpenKM (and then got some error), or have you really not passed the login page? First we should concentrate on login-config.xml; that's the phase for passing the login page. After that, concentrate on the other parameters; they are not relevant now if we have not passed it.

Is this correct? Shouldn't it be something like cn=William Bush,ou=people,o=sevenSeas?
<module-option name="bindDN">uid=admin,ou=system</module-option>

Re: LDP Configuration Problem in OpenKM

Posted: Wed Aug 08, 2012 9:51 am
by madhav
There is no problem with authentication. After logging into OpenKM I am getting the roles from the database, not from LDAP.

Re: LDP Configuration Problem in OpenKM

Posted: Wed Aug 08, 2012 1:26 pm
by michaeled
madhav wrote: There is no problem with authentication. After logging into OpenKM I am getting the roles from the database, not from LDAP.
What makes you say that?
If you remove the user from a group, can he still access the resource limited to this group?

Re: LDP Configuration Problem in OpenKM

Posted: Wed Aug 08, 2012 1:52 pm
by madhav
Previously I used the database values for authentication and for the list of roles and users.

Instead of the database, I am now using Apache Directory Studio for authentication and for getting the list of roles and users.
Authentication is done. After logging into OpenKM I am not getting the LDAP roles and users, but I am wrongly getting the database roles and users. Tell me how I can get the LDAP roles and users from the LDAP server in OpenKM.

Re: LDP Configuration Problem in OpenKM

Posted: Thu Aug 09, 2012 9:53 am
by jllort
I suggest you delete all values in OKM_USERS and OKM_ROLES (I think some values in other tables should be removed too). Before doing it, take a look at the okmAdmin values and back them up (in case you need to restore).

If your Apache Directory Studio queries are right, you should simply copy them in:
principal.ldap.role.search.base=ou=roles,o=sevenSeas
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
etc. There's no mystery in it.

Ensure you have principal.adapter=com.fab66.principal.LdapPrincipalAdapter set correctly and that you have restarted the application.

Re: LDP Configuration Problem in OpenKM

Posted: Thu Aug 09, 2012 10:50 am
by madhav
I deleted the okm_user and okm_role values from the database, and after that I restarted my application. I see no roles listed to filter my user list, and no roles listed when I go into the Roles link. I'm attaching screenshots that should make it clear what I'm describing.

Re: LDP Configuration Problem in OpenKM

Posted: Sat Aug 11, 2012 3:43 pm
by jllort
Concentrate only on getting the user list.

Ensure you have correctly written these parameters:
principal.ldap.referral=follow
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
These are the parameters you need to get the user list; only work on them.
principal.ldap.server=ldap://192.168.104.75:10389/
principal.ldap.security.principal=uid=admin,ou=system
principal.ldap.security.credentials=secret
 
principal.ldap.user.search.base=
principal.ldap.user.search.filter=
principal.ldap.user.attribute=

Re: LDP Configuration Problem in OpenKM

Posted: Thu Sep 27, 2012 10:37 am
by madhav
Hi,

I am getting the roles in the roles list from Active Directory, but I am not getting roles in the user list page.
[Screenshot roles_problem.JPG: Roles Problem in the User page]
Here I am sending my LDIF file also. Please give me a solution.
version: 1

dn: o=sevenSeas
objectClass: top
objectClass: organization
o: sevenSeas

dn: ou=groups,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: groups
description: Contains entries which describe groups (crews, for instance)

dn: ou=people,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: people
description: Contains entries which describe persons (seamen)


dn: ou=roles,o=sevenSeas
objectClass: top
objectClass: organizationalUnit
ou: roles

dn: cn=AdminRole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: AdminRole
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=okmAdmin,ou=people,o=sevenSeas
uniqueMember: cn=madhav,ou=people,o=sevenSeas
uniqueMember: cn=prasanna,ou=people,o=sevenSeas

dn: cn=guestrole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: guestrole
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=UserRole,ou=roles,o=sevenSeas
objectClass: top
objectClass: groupOfUniqueNames
cn: UserRole
uniqueMember: cn=John Fryer,ou=people,o=sevenSeas
uniqueMember: cn=William Bush,ou=people,o=sevenSeas
uniqueMember: cn=pratik,ou=people,o=sevenSeas
uniqueMember: cn=John Hallett,ou=people,o=sevenSeas

dn: cn=William Bligh,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: William Bligh
sn: Bligh
description: Captain William Bligh
givenname: William
mail: wbligh@royalnavy.mod.uk
uid: wbligh
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9

dn: cn=William Bush,ou=people,o=sevenSeas
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
cn: William Bush
sn: Bush
description: Lt. William Bush
givenname: William
mail: wbush@royalnavy.mod.uk
manager: cn=Horatio Hornblower,ou=people,o=sevenSeas
uid: wbush
userpassword:: e1NIQX1uVTRlSTcxYmNuQkdxZU8wdDl0WHZZMXU1b1E9

Re: LDP Configuration Problem in OpenKM

Posted: Sat Sep 29, 2012 6:23 pm
by jllort
Now you should concentrate on getting roles.by.user:
principal.ldap.roles.by.user.search.base=o=sevenSeas
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf