
Problem with LDAP in OpenKM 6.2

Posted: Mon Nov 05, 2012 4:18 pm
by gimla
Hello,
I have two problems with LDAP in OpenKM 6.2:
1) With administrator accounts: I can log in and can see an administrator bookmark, but when I click on it, I get a page with the text: "Unauthorized access".
2) With non-administrator accounts: when logging in I get the message:
com.openkm.core.RepositoryException: PathNotFoundException: 0a45bcad-3485-41d7-b0d0-df300b64d505 : /okm:trash

and from log file:
Code:
INFO  org.dozer.DozerBeanMapper - Initializing a new instance of dozer bean mapper.
2012-11-05 13:09:37,851 [http-bio-8443-exec-2] INFO  org.dozer.loader.CustomMappingsLoader - Using the following xml files to load custom mappings for the bean mapper instance: [dozerBeanMapping.xml]
2012-11-05 13:09:37,851 [http-bio-8443-exec-2] INFO  org.dozer.loader.CustomMappingsLoader - Trying to find xml mapping file: dozerBeanMapping.xml
2012-11-05 13:09:37,860 [http-bio-8443-exec-2] INFO  org.dozer.loader.CustomMappingsLoader - Using URL [file:/opt/tomcat-7.0.27/webapps/OpenKM/WEB-INF/classes/dozerBeanMapping.xml] to load custom xml mappings
2012-11-05 13:09:37,930 [http-bio-8443-exec-2] INFO  org.dozer.loader.CustomMappingsLoader - Successfully loaded custom xml mappings from URL: [file:/opt/tomcat-7.0.27/webapps/OpenKM/WEB-INF/classes/dozerBeanMapping.xml]
2012-11-05 13:09:42,216 [http-bio-8443-exec-8] WARN  com.openkm.util.DocConverter - system.openoffice.path not configured
2012-11-05 13:17:45,330 [http-bio-8443-exec-4] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2012-11-05 13:17:45,490 [http-bio-8443-exec-8] INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/koc245
2012-11-05 13:17:45,519 [http-bio-8443-exec-8] ERROR com.openkm.module.db.DbAuthModule - 0a45bcad-3485-41d7-b0d0-df300b64d505 : /okm:trash
com.openkm.core.PathNotFoundException: 0a45bcad-3485-41d7-b0d0-df300b64d505 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:106)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:101)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:437)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:400)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:81)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:52)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
When I use the standard login without LDAP, I can see the users and roles (from LDAP) -> everything looks alright.

I will be glad for any help.

LDAP config:
Code:
principal.ldap.mail.attribute = mail       
principal.ldap.mail.search.base = ou=users,o=cz       
principal.ldap.mail.search.filter = (&(objectClass=inetOrgPerson)(cn={0}))       
principal.ldap.referral = follow       
principal.ldap.role.attribute = cn       
principal.ldap.role.search.base = ou=groups,o=cz       
principal.ldap.role.search.filter = (cn=ZAM_*)       
principal.ldap.roles.by.user.attribute = groupMembership       
principal.ldap.roles.by.user.search.base = ou=users,o=cz       
principal.ldap.roles.by.user.search.filter = (&(objectClass=inetOrgPerson)(cn={0}))       
principal.ldap.security.credentials =       
principal.ldap.security.principal =       
principal.ldap.server = ldaps://ldap.xxx:636       
principal.ldap.user.attribute = cn       
principal.ldap.user.search.base = ou=users,o=cz       
principal.ldap.user.search.filter = (groupMembership=cn=ZAM_xxx,ou=xxx,ou=groups,o=cz)       
principal.ldap.username.attribute = fullName       
principal.ldap.username.search.base = ou=users,o=cz       
principal.ldap.username.search.filter = (&(objectClass=inetOrgPerson)(cn={0}))       
principal.ldap.users.by.role.attribute = member       
principal.ldap.users.by.role.search.base = ou=groups,o=cz       
principal.ldap.users.by.role.search.filter = (&(objectClass=posixGroup)(cn={0}))       
principal.ldap.users.from.roles = false 
system.login.lowercase=true
OpenKM.xml:
Code:
<security:authentication-manager alias="authenticationManager">
  <security:authentication-provider ref="ldapAuthProvider" />
</security:authentication-manager>
 
<beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
  <beans:constructor-arg value="ldaps://ldap.xxx:636/"/>
  <beans:property name="userDn" value=""/>
  <beans:property name="password" value=""/>
  <beans:property name="baseEnvironmentProperties">
      <beans:map>
        <beans:entry>
          <beans:key>
            <beans:value>java.naming.referral</beans:value>
          </beans:key>
          <beans:value>follow</beans:value>
        </beans:entry>
      </beans:map>
    </beans:property>
  </beans:bean>
 
<beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:property name="userSearch" ref="userSearch"/>
    </beans:bean>
  </beans:constructor-arg>
  <beans:constructor-arg>
    <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
      <beans:constructor-arg ref="contextSource"/>
      <beans:constructor-arg value="ou=groups,o=cz"/>
      <beans:property name="groupSearchFilter" value="member={0}"/>
      <beans:property name="groupRoleAttribute" value="cn"/>
      <beans:property name="searchSubtree" value="true" />
      <beans:property name="convertToUpperCase" value="true" />
      <beans:property name="rolePrefix" value="" /> 
    </beans:bean>
  </beans:constructor-arg>
</beans:bean>
 
<beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
  <beans:constructor-arg index="0" value="ou=users,o=cz"/>
  <beans:constructor-arg index="1" value="cn={0}" />
  <beans:constructor-arg index="2" ref="contextSource" />
  <beans:property name="searchSubtree" value="true" />
  </beans:bean>

Re: Problem with LDAP in OpenKM 6.2

Posted: Mon Nov 05, 2012 9:31 pm
by ashley_420
Hi,

Please read this and enable logging for LDAP as suggested in the post.

http://stackoverflow.com/questions/3795 ... ailed-logi

Thanks

Re: Problem with LDAP in OpenKM 6.2

Posted: Tue Nov 06, 2012 10:47 am
by gimla
I enabled this logging.

I forgot to write this change in my configuration:
Code:
default.admin.role = A_AAA
default.user.role =B_AAA  
I don't have roles with the names ROLE_ADMIN, ROLE_USER.

This is the result from logging:
Code:
2012-11-06 11:14:47,315 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user: USER1
2012-11-06 11:14:47,316 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'USER1', with user search [ searchFilter: 'cn={0}', searchBase: 'ou=users,o=cz', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2012-11-06 11:14:47,533 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN '', base = 'ou=users,o=cz', filter = 'cn={0}'
2012-11-06 11:14:47,560 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,570 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Attempting to bind as cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,571 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,629 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
2012-11-06 11:14:47,638 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,638 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'USER1', DN = 'cn=USER1,ou=users,o=cz', with filter member={0} in search base 'ou=groups,o=cz'
2012-11-06 11:14:47,639 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: member=cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,641 [http-bio-8443-exec-2] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2012-11-06 11:14:47,737 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [A_AAA, B_AAA,  C_AAA, D_AAA, E_AAA, F_AAA, G_AAA]
2012-11-06 11:14:47,738 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: cn=USER1,ou=users,o=cz
2012-11-06 11:14:47,743 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Invalidating session with Id 'F750B2CC15C2934D6B3373373485AAAE' and migrating attributes.
2012-11-06 11:14:47,747 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Started new session: C894B207F976A4C3020D7B3EFFEA93D6
2012-11-06 11:14:47,747 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc1dec9e: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2b85fcad: Dn: cn=USER1,ou=users,o=cz; Username: USER1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: A_AAA,B_AAA, C_AAA, D_AAA, E_AAA,F_AAA,G_AAA; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: XXX.XXX.XXX.XXX; SessionId: F750B2CC15C2934D6B3373373485AAAE; Granted Authorities: A_AAA,B_AAA, C_AAA, D_AAA, E_AAA,F_AAA,G_AAA
2012-11-06 11:14:47,748 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: https://localhost.cz:8443/OpenKM/frontend/index.jsp
2012-11-06 11:14:47,748 [http-bio-8443-exec-2] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'https://localhost:8443/OpenKM/frontend/index.jsp'
2012-11-06 11:16:08,085 [http-bio-8443-exec-8] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /admin/index.jsp; Attributes: [ROLE_ADMIN]
2012-11-06 11:16:08,086 [http-bio-8443-exec-8] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@cc1dec9e: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@2b85fcad: Dn: cn=USER1,ou=users,o=cz; Username: USER1; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: A_AAA, B_AAA, C_AAA, D_AAA, E_AAA, F_AAA, G_AAA,  ; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@0: RemoteIpAddress: XXX.XXX.XXX.XXX; SessionId: F750B2CC15C2934D6B3373373485AAAE; Granted Authorities: A_AAA, B_AAA, C_AAA, D_AAA, E_AAA, F_AAA, G_AAA
2012-11-06 11:16:08,086 [http-bio-8443-exec-8] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@7bff88c3, returned: -1
2012-11-06 11:16:08,086 [http-bio-8443-exec-8] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@456bf9ce, returned: 0
2012-11-06 11:16:08,087 [http-bio-8443-exec-8] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is not anonymous); delegating to AccessDeniedHandler
org.springframework.security.access.AccessDeniedException: Access is denied
	at org.springframework.security.access.vote.AffirmativeBased.decide(AffirmativeBased.java:83)
	at org.springframework.security.access.intercept.AbstractSecurityInterceptor.beforeInvocation(AbstractSecurityInterceptor.java:205)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:114)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
2012-11-06 11:16:08,095 [http-bio-8443-exec-8] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

Re: Problem with LDAP in OpenKM 6.2

Posted: Tue Nov 06, 2012 1:32 pm
by ashley_420
I do not understand this:
Code:
2012-11-06 11:14:47,638 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=USER1,ou=users,o=cz
Code:
2012-11-06 11:14:47,738 [http-bio-8443-exec-2] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: cn=USER1,ou=users,o=vsb
In the first one it is o=cz and in the later one o=vsb? Is there a typo somewhere in your configs? I guess you are not using MS AD.

Re: Problem with LDAP in OpenKM 6.2

Posted: Tue Nov 06, 2012 2:26 pm
by gimla
I had to change the information about our LDAP structure; I fixed this in the result.

And yes, we don't use MS AD.

Is it necessary that all roles have the prefix "ROLE_"?

Re: Problem with LDAP in OpenKM 6.2

Posted: Wed Nov 07, 2012 8:03 pm
by ashley_420
I am not sure about the prefix "ROLE_", but in the logs it is looking for the same when you try to access the Admin tab.
Code:
org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /admin/index.jsp; Attributes: [ROLE_ADMIN]
Maybe jllort can confirm this.

Re: Problem with LDAP in OpenKM 6.2

Posted: Thu Nov 08, 2012 8:52 pm
by gimla
I did some tests, and if I create the groups ROLE_ADMIN and ROLE_USER in LDAP (and assign users to these roles), then everything works fine. Is there some way to work without these roles?

Re: Problem with LDAP in OpenKM 6.2

Posted: Sat Nov 10, 2012 9:02 am
by jllort
No, they are mandatory. They are used to pass the login page (and only used for that).
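To make the DEBUG lines in gimla's second post and jllort's answer concrete, here is an added example that is not part of this thread and is neither OpenKM nor Spring Security code: a small Python model of how Spring's DefaultLdapAuthoritiesPopulator turns the groupSearchFilter from the OpenKM.xml above into a list of authorities, and how RoleVoter then decides the /admin/index.jsp request whose attributes are [ROLE_ADMIN]. The DIRECTORY entries, the users USER1 and USER2, and the function names (render_filter, search_groups, authorities_for, role_voter, access_decision) are all constructed for the example; the substitution rule ({0} is the user's DN, {1} the login name) and the voter semantics are Spring Security's.

```python
"""Model of the Spring Security LDAP authorisation steps visible in this thread.

Constructed example, not OpenKM or Spring Security code. It reproduces three
behaviours from the logs above so they can be reasoned about offline:

1. DefaultLdapAuthoritiesPopulator renders groupSearchFilter by replacing {0}
   with the authenticated user's full DN and {1} with the bare login name, runs
   that search under the group search base, and turns each matching group's
   groupRoleAttribute (cn) into an authority (upper-cased, with rolePrefix).
2. RoleVoter, the only voter that handles ROLE_* attributes, votes -1 unless
   one of the user's authorities equals one of the URL's attributes, so a user
   holding only A_AAA..G_AAA is denied /admin/index.jsp (Attributes: [ROLE_ADMIN]).
3. A filter written with {1} against groups whose member attribute holds DNs
   matches nothing, which shows up as "Roles from search: []".
"""

# Constructed directory fragment under ou=groups,o=cz, mirroring the group
# names in the thread. "member" holds member DNs, as in groupOfNames groups.
DIRECTORY = {
    "cn=A_AAA,ou=groups,o=cz": {
        "cn": "A_AAA", "member": ["cn=USER1,ou=users,o=cz"]},
    "cn=B_AAA,ou=groups,o=cz": {
        "cn": "B_AAA", "member": ["cn=USER1,ou=users,o=cz", "cn=USER2,ou=users,o=cz"]},
    "cn=ROLE_ADMIN,ou=groups,o=cz": {
        "cn": "ROLE_ADMIN", "member": ["cn=USER2,ou=users,o=cz"]},
    "cn=ROLE_USER,ou=groups,o=cz": {
        "cn": "ROLE_USER", "member": ["cn=USER2,ou=users,o=cz"]},
}


def render_filter(template, user_dn, username):
    """{0} -> user DN, {1} -> login name, as DefaultLdapAuthoritiesPopulator does."""
    return template.replace("{0}", user_dn).replace("{1}", username)


def search_groups(search_base, rendered_filter):
    """Tiny evaluator for the single equality filter used in the thread, with or
    without parentheses, e.g. 'member=cn=USER1,ou=users,o=cz' or '(member=okmstudent)'.
    Values are compared exactly, as a directory does for a DN-syntax attribute."""
    f = rendered_filter.strip()
    if f.startswith("(") and f.endswith(")"):
        f = f[1:-1]
    attr, _, value = f.partition("=")
    suffix = "," + search_base.lower()
    hits = []
    for dn, entry in DIRECTORY.items():
        values = entry.get(attr, [])
        if isinstance(values, str):
            values = [values]
        if dn.lower().endswith(suffix) and value in values:
            hits.append(entry)
    return hits


def authorities_for(user_dn, username, group_search_filter="member={0}",
                    search_base="ou=groups,o=cz", group_role_attribute="cn",
                    convert_to_upper_case=True, role_prefix=""):
    """Mirrors the DefaultLdapAuthoritiesPopulator bean settings in the OpenKM.xml above."""
    rendered = render_filter(group_search_filter, user_dn, username)
    roles = []
    for group in search_groups(search_base, rendered):
        role = group[group_role_attribute]
        if convert_to_upper_case:
            role = role.upper()
        roles.append(role_prefix + role)
    return sorted(roles)


def role_voter(granted, required):
    """RoleVoter: abstain (0) if no attribute carries its ROLE_ prefix, grant (1)
    if the user holds any required role, otherwise deny (-1)."""
    handled = [attr for attr in required if attr.startswith("ROLE_")]
    if not handled:
        return 0
    return 1 if any(attr in granted for attr in handled) else -1


def access_decision(granted, required):
    """AffirmativeBased over RoleVoter and AuthenticatedVoter: any grant wins.
    AuthenticatedVoter abstains on ROLE_* attributes (the 'returned: 0' line),
    and an all-abstain result is denied, which is Spring's default."""
    votes = [role_voter(granted, required), 0]
    return "granted" if 1 in votes else "denied"


if __name__ == "__main__":
    user1 = authorities_for("cn=USER1,ou=users,o=cz", "USER1")
    print("USER1 authorities:", user1)                                  # ['A_AAA', 'B_AAA']
    print("/admin/index.jsp for USER1:", access_decision(user1, ["ROLE_ADMIN"]))  # denied
    user2 = authorities_for("cn=USER2,ou=users,o=cz", "USER2")
    print("USER2 authorities:", user2)
    print("/admin/index.jsp for USER2:", access_decision(user2, ["ROLE_ADMIN"]))  # granted
    # {1} substitutes the bare login name, which never equals a member DN:
    print("member={1} for USER1:",
          authorities_for("cn=USER1,ou=users,o=cz", "USER1", "(member={1})"))  # []
```

The rendered filter for USER1 is exactly the "Using filter: member=cn=USER1,ou=users,o=cz" line from the log, and the RoleVoter result is the "returned: -1" line: the user is authenticated but holds no authority named ROLE_ADMIN, so the admin page is refused before any OpenKM code runs. One Spring detail worth knowing when reading the bean definition above: the populator's default rolePrefix is "ROLE_", and the configuration sets it to the empty string, so group names are used as authorities unchanged.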

Re: Problem with LDAP in OpenKM 6.2

Posted: Sat Nov 10, 2012 3:23 pm
by ashley_420
Hi,

I was going through the documentation and it suggests that it is possible to change the default roles (ROLE_ADMIN and ROLE_USER) to a desired one.

To change ROLE_USER read this
http://wiki.openkm.com/index.php/Applic ... ction_role

and to change ROLE_ADMIN, read this
http://wiki.openkm.com/index.php/Applic ... admin_role

This refers to JBoss, but I guess this should work for Tomcat also. You can try the same and let us know if this solves your problem.

Re: Problem with LDAP in OpenKM 6.2

Posted: Wed Nov 21, 2012 4:52 pm
by gimla
Finally, I decided to create the groups ROLE_ADMIN and ROLE_USER. It works.

But now I have a different problem with security. (I can see users, roles and all this information -> users by role and roles by user.)

When I change the security on the folders, only user access works. I can add roles in the security settings, but users in this role can't see or work with this folder.

Thank you for any help

Re: Problem with LDAP in OpenKM 6.2

Posted: Thu Nov 22, 2012 7:04 pm
by jllort
It could be a problem getting roles from Active Directory. To test it:

1- Log in with a user with ADMIN_ROLE and another role.
2- Go to the administration tab -> scripting and execute this to get the principals (roles associated to the user):
Code:
import com.openkm.spring.PrincipalUtils;
import java.util.*;

// Roles granted to the currently logged-in user, as resolved at login time
HashSet roles = PrincipalUtils.getRoles();
for (Iterator it = roles.iterator(); it.hasNext();) {
    String role = (String) it.next();
    print("{"+role+"}<br/>");   // one role per line in the scripting output
}

print(PrincipalUtils.getRoles());   // the whole set on one line, for comparison
You'll see which roles are really assigned to this user at login.

Re: Problem with LDAP in OpenKM 6.2

Posted: Thu Nov 22, 2012 9:32 pm
by gimla
Thank you very much, it helped me find the problem.

Re: Problem with LDAP in OpenKM 6.2

Posted: Mon Jan 07, 2013 1:05 pm
by Catscratch
Hi,

I have the same problem, but I can't solve it. It seems to be some problem with finding roles by the username.

But I don't know what is exactly wrong.
I think there is an error in the OpenKM.xml config. What exactly should the group-search-* contain?
Also, I have a working OpenKM 5.1 as a reference for the settings.

But first of all, some logs and so on.

Logfile:
Code:
...
2013-01-07 14:01:02,372 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2013-01-07 14:01:02,372 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user: okmstudent
2013-01-07 14:01:02,377 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'okmstudent', with user search [ searchFilter: '(&(sAMAccountName={0})(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))', searchBase: 'ou=MMTOpenUsers,dc=mmtopen,dc=de', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-01-07 14:01:02,387 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN '', base = 'ou=MMTOpenUsers,dc=mmtopen,dc=de', filter = '(&(sAMAccountName={0})(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))'
2013-01-07 14:01:02,389 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-07 14:01:02,392 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Attempting to bind as cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-07 14:01:02,392 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-07 14:01:02,398 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
2013-01-07 14:01:02,405 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de
2013-01-07 14:01:02,409 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'okmstudent', DN = 'cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de', with filter (member={1}) in search base 'cn=Users,dc=mmtopen,dc=de'
2013-01-07 14:01:02,412 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (member=okmstudent)
2013-01-07 14:01:02,412 [http-bio-0.0.0.0-8080-exec-3] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-01-07 14:01:02,414 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: []
2013-01-07 14:01:02,415 [http-bio-0.0.0.0-8080-exec-3] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: cn=OpenKM Student,ou=Studenten,ou=MMTOpenUsers,dc=mmtopen,dc=de

...

2013-01-07 14:01:02,469 [http-bio-0.0.0.0-8080-exec-1] INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/okmstudent
2013-01-07 14:01:02,476 [http-bio-0.0.0.0-8080-exec-1] ERROR com.openkm.module.db.DbAuthModule - 6b5ca2f3-a901-4caa-878a-402eea293d42 : /okm:trash
com.openkm.core.PathNotFoundException: 6b5ca2f3-a901-4caa-878a-402eea293d42 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:106)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:102)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:437)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:400)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:81)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:52)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
OpenKM.xml
Code: Select all
<security:ldap-server id="ldapServer"
    url="ldap://<MY SERVER>:389"
    manager-dn="cn=<USER>,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de"
    manager-password="<PASSWORD>"/>
 
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="ou=MMTOpenUsers,dc=mmtopen,dc=de"
      user-search-filter="(&(sAMAccountName={0})(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))"
      group-search-base="cn=Users,dc=mmtopen,dc=de"
      group-search-filter="(member={1})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>
OpenKM configuration in the database (copied from a working 5.1 installation):
Code: Select all
	default.user.role	UserRole
	default.admin.role	OpenKMAdmins

	principal.adapter	com.openkm.principal.DatabasePrincipalAdapter
	principal.ldap.server	ldap://<MYSERVER>:389
	principal.ldap.security.principal	CN=<USER>,ou=LMMT,ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.security.credentials	<PASSWORD>
	principal.ldap.referral	
	principal.ldap.users.from.roles	false
	principal.ldap.user.search.base	ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.user.search.filter	(&(objectClass=person)(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))
	principal.ldap.user.attribute	cn
	principal.ldap.role.search.base	cn=Users,dc=mmtopen,dc=de
	principal.ldap.role.search.filter	(&(objectClass=group)(memberOf=cn=OpenKMGroups,cn=Users,dc=mmtopen,dc=de))
	principal.ldap.role.attribute	cn
	principal.ldap.username.search.base	ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.username.search.filter	(&(objectClass=person)(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de)(sAMAccountName={0}))
	principal.ldap.username.attribute	cn
	principal.ldap.mail.search.base	ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.mail.search.filter	(&(objectClass=person)(sAMAccountName={0}))
	principal.ldap.mail.attribute	mail
	principal.ldap.users.by.role.search.base	cn={0},cn=Users,dc=mmtopen,dc=de
	principal.ldap.users.by.role.search.filter	(objectClass=group)
	principal.ldap.users.by.role.attribute	member
	principal.ldap.roles.by.user.search.base	ou=MMTOpenUsers,dc=mmtopen,dc=de
	principal.ldap.roles.by.user.search.filter	(&(objectClass=person)(cn={0}))
	principal.ldap.roles.by.user.attribute	memberOf
Any advice?

Thanks!
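
Added example, not code from gimla's post or from OpenKM itself: a small offline check of the posted configuration. It substitutes a login name into the posted user-search-filter with RFC 4515 escaping, and derives the role names a directory entry would receive when the group's cn is used with role-prefix="none", so you can see whether they literally match default.user.role and default.admin.role. The memberOf values are constructed sample data, and deriving roles from memberOf approximates the posted group search.

```python
from typing import Dict, List, Set

# Values taken from the posted OpenKM.xml and database configuration.
USER_SEARCH_FILTER = ("(&(sAMAccountName={0})"
                      "(memberOf=cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de))")
DEFAULT_USER_ROLE = "UserRole"       # default.user.role
DEFAULT_ADMIN_ROLE = "OpenKMAdmins"  # default.admin.role

# RFC 4515 escapes for characters that are special inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value before it is placed in an LDAP search filter."""
    return "".join(_ESCAPES.get(c, c) for c in value)


def build_user_search_filter(login: str) -> str:
    """Fill the {0} placeholder of the posted user-search-filter safely."""
    return USER_SEARCH_FILTER.replace("{0}", escape_filter_value(login))


def cn_of(dn: str) -> str:
    """Return the cn of the first RDN; this is what group-role-attribute="cn" yields."""
    attr, _, val = dn.split(",", 1)[0].partition("=")
    if attr.strip().lower() != "cn":
        raise ValueError("first RDN is not cn: " + dn)
    return val.strip()


def roles_for_entry(member_of: List[str]) -> Set[str]:
    """With role-prefix="none" the role name is the group cn, unchanged."""
    return {cn_of(dn) for dn in member_of}


def check_access(member_of: List[str]) -> Dict[str, object]:
    """Report whether the derived roles match the configured OpenKM role names."""
    roles = roles_for_entry(member_of)
    return {"roles": roles,
            "is_user": DEFAULT_USER_ROLE in roles,
            "is_admin": DEFAULT_ADMIN_ROLE in roles}


# Constructed sample: memberOf attribute of one hypothetical directory entry.
SAMPLE_MEMBER_OF = ["cn=OpenKMAllUsers,cn=Users,dc=mmtopen,dc=de",
                    "cn=OpenKMAdmins,cn=Users,dc=mmtopen,dc=de"]

if __name__ == "__main__":
    print(build_user_search_filter("koc245"))
    print(check_access(SAMPLE_MEMBER_OF))  # is_admin True, is_user False: no "UserRole" group
```

For the sample entry is_user comes out False because no group is named exactly "UserRole", which is the kind of mismatch between group cn and the configured role names that is worth ruling out when a login is refused.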

Re: Problem with LDAP in OpenKM 6.2

PostPosted:Tue Jan 08, 2013 5:50 pm
by jllort
Please, Catscratch, open another post for it; otherwise it becomes enormous and we're talking about different problems in the same post (which can confuse the reader).

Re: Problem with LDAP in OpenKM 6.2

PostPosted:Wed Jan 09, 2013 9:00 am
by Catscratch
It's the same problem...but ok. I started a new post.
http://forum.openkm.com/viewtopic.php?f=4&t=9017

But I think it would be easier for other users to find solutions if the topics are grouped by, well, topics and not by persons and their problems. ;-)