Open Source Document Management System | OpenKM

Because information matters
https://forum.openkm.com/

Changing default LDAP Roles in OpenKM

https://forum.openkm.com/viewtopic.php?t=9195

Page 1 of 1

Changing default LDAP Roles in OpenKM

PostPosted:Mon Jan 21, 2013 8:09 pm
by diegolima
Hello,

I've installed OpenKM 6.2 and I've been trying to get LDAP auth to work for some time. As of now I've managed to log in with a single user after creating the LDAP groups "ROLE_USER" and "ROLE_ADMIN". The problem is that I need to use my current groups as roles.

This is my OpenKM.xml:
Code: Select all
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">

  <!-- Tasks configuration -->
  <!--
  <task:scheduler id="taskScheduler" pool-size="1"/>
  <task:scheduled-tasks scheduler="taskScheduler">
    <task:scheduled ref="textExtractorWorker" method="work" fixed-delay="60000"/>
  </task:scheduled-tasks>
  <beans:bean id="textExtractorWorker" class="com.openkm.extractor.TextExtractorWorker" />
  -->
  
  <!-- Security configuration -->
  <security:authentication-manager alias="authenticationManager">
    <security:authentication-provider ref="ldapAuthProvider" />
  </security:authentication-manager>

  <beans:bean id="contextSource" class="org.springframework.security.ldap.DefaultSpringSecurityContextSource">
    <beans:constructor-arg value="ldap://ldap.mycompany.com.br:389/dc=mycompany,dc=com"/>
    <beans:property name="userDn" value="cn=admin,dc=mycompany,dc=com"/>
    <beans:property name="password" value="MyVerySecurePassword"/>
  </beans:bean>

  <beans:bean id="ldapAuthProvider" class="org.springframework.security.ldap.authentication.LdapAuthenticationProvider">
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.authentication.BindAuthenticator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:property name="userSearch" ref="userSearch"/>
      </beans:bean>
    </beans:constructor-arg>
    <beans:constructor-arg>
      <beans:bean class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
        <beans:constructor-arg ref="contextSource"/>
        <beans:constructor-arg value=""/>
        <beans:property name="groupSearchFilter" value="(&(objectClass=posixGroup)(memberUid={1}))"/>
        <beans:property name="groupRoleAttribute" value="cn"/>
        <beans:property name="searchSubtree" value="true" />
        <beans:property name="convertToUpperCase" value="false" />
        <beans:property name="rolePrefix" value="" /> 
      </beans:bean>
    </beans:constructor-arg>
  </beans:bean>
  
  <beans:bean id="userSearch" class="org.springframework.security.ldap.search.FilterBasedLdapUserSearch">
    <beans:constructor-arg index="0" value="" />
    <beans:constructor-arg index="1" value="(&(uid={0})(accountStatus=Active))" />
    <beans:constructor-arg index="2" ref="contextSource" />
    <beans:property name="searchSubtree" value="true" />
  </beans:bean>

</beans:beans>
Besides changing the openkm.xml file to use ldapAuthProvider I've also configured the following:
Code: Select all
default.user.role	suporte 
principal.ldap.mail.search.base	dc=mycompany,dc=com 	
principal.ldap.mail.search.filter	(&(accountStatus=active)(objectClass=customLdapClass)(uid={0})) 	
principal.ldap.referral	follow 	
principal.ldap.role.attribute	cn 	
principal.ldap.role.search.base	ou=GROUPS,dc=mycompany,dc=com 	
principal.ldap.role.search.filter	(&(objectClass=posixGroup)(!(cn=Invalid Group))) 	
principal.ldap.roles.by.user.attribute	cn 	
principal.ldap.roles.by.user.search.base	ou=GROUPS,dc=mycompany,dc=com 	
principal.ldap.roles.by.user.search.filter	(&(memberUid={0})(!(cn=Invalid Group))) 	
principal.ldap.security.credentials ""
principal.ldap.security.principal	 ""		
principal.ldap.server	 	ldap://ldap.mycompany.com
principal.ldap.user.attribute	 	uid
principal.ldap.user.search.base	cn=USERS,dc=mycompany,dc=com 	
principal.ldap.user.search.filter	(&(objectClass=customLdapClass)(accountStatus=active)) 	
principal.ldap.username.attribute	 cn 	
principal.ldap.username.search.base	 cn=USERS,dc=mycompany,dc=com 	
principal.ldap.username.search.filter	 (&(objectClass=customLdapClass)(accountStatus=active)(uid={0})) 	
principal.ldap.users.by.role.attribute	 memberUid 	
principal.ldap.users.by.role.search.base	ou=GROUPS,dc=mycompany,dc=com 	
principal.ldap.users.by.role.search.filter	(&(objectClass=posixGroup)(cn={0})) 	
principal.ldap.users.from.roles	 	Inactive
If I log in with anyone that is on the group "suporte" (as opposed to ROLE_USER) I get the following error on Tomcat's log:
Code: Select all
13-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/services/**'
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/status'
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/download'
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/workflow-register'
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/webdav/**'
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/j_spring_security_check'; against '/feed/**'
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@14c80702. A new one will be created.
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2013-01-21 13:06:49,213 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Request is to process authentication
2013-01-21 13:06:49,214 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2013-01-21 13:06:49,214 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user: lucas.tominaga
2013-01-21 13:06:49,214 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'lucas.tominaga', with user search [ searchFilter: '(&(uid={0})(accountStatus=Active))', searchBase: '', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-01-21 13:06:49,215 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Searching for entry under DN 'dc=mycompany,dc=com', base = '', filter = '(&(uid={0})(accountStatus=Active))'
2013-01-21 13:06:49,215 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Found DN: krbprincipalname=lucas.tominaga@USERS,cn=USERS
2013-01-21 13:06:49,217 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Attempting to bind as krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com
2013-01-21 13:06:49,217 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.DefaultSpringSecurityContextSource - Removing pooling flag for user krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com
2013-01-21 13:06:49,243 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.authentication.BindAuthenticator - Retrieving attributes...
2013-01-21 13:06:49,245 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Getting authorities for user krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com
2013-01-21 13:06:49,245 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Searching for roles for user 'lucas.tominaga', DN = 'krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com', with filter (&(objectClass=posixGroup)(memberUid={1})) in search base ''
2013-01-21 13:06:49,245 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.SpringSecurityLdapTemplate - Using filter: (&(objectClass=posixGroup)(memberUid=lucas.tominaga))
2013-01-21 13:06:49,245 [http-bio-0.0.0.0-8080-exec-6] INFO  org.springframework.ldap.core.LdapTemplate - The returnObjFlag of supplied SearchControls is not set but a ContextMapper is used - setting flag to true
2013-01-21 13:06:49,248 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator - Roles from search: [Invalid Group, suporte, openkmAdmin]
2013-01-21 13:06:49,248 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.ldap.userdetails.LdapUserDetailsMapper - Mapping user details from context with DN: krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com
2013-01-21 13:06:49,248 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Invalidating session with Id '7EF59315CE90D49DF6729303069E3D74' and migrating attributes.
2013-01-21 13:06:49,248 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.authentication.session.SessionFixationProtectionStrategy - Started new session: 7DB20C31DD2DF1F10E883A73D312746B
2013-01-21 13:06:49,249 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication success. Updating SecurityContextHolder to contain: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2e012dbf: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@545b718a: Dn: krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com; Username: lucas.tominaga; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Invalid Group, suporte, openkmAdmin; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 10.100.0.187; SessionId: 7EF59315CE90D49DF6729303069E3D74; Granted Authorities: Invalid Group, suporte, openkmAdmin
2013-01-21 13:06:49,249 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.authentication.SavedRequestAwareAuthenticationSuccessHandler - Redirecting to DefaultSavedRequest Url: http://10.100.0.154:8080/OpenKM/frontend/index.jsp
2013-01-21 13:06:49,249 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to 'http://10.100.0.154:8080/OpenKM/frontend/index.jsp'
2013-01-21 13:06:49,249 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext stored to HttpSession: 'org.springframework.security.core.context.SecurityContextImpl@2e012dbf: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2e012dbf: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@545b718a: Dn: krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com; Username: lucas.tominaga; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Invalid Group, suporte, openkmAdmin; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 10.100.0.187; SessionId: 7EF59315CE90D49DF6729303069E3D74; Granted Authorities: Invalid Group, suporte, openkmAdmin'
2013-01-21 13:06:49,249 [http-bio-0.0.0.0-8080-exec-6] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/frontend/index.jsp'; against '/services/**'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/frontend/index.jsp'; against '/status'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/frontend/index.jsp'; against '/download'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/frontend/index.jsp'; against '/workflow-register'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/frontend/index.jsp'; against '/webdav/**'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/frontend/index.jsp'; against '/feed/**'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - Obtained a valid SecurityContext from SPRING_SECURITY_CONTEXT: 'org.springframework.security.core.context.SecurityContextImpl@2e012dbf: Authentication: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2e012dbf: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@545b718a: Dn: krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com; Username: lucas.tominaga; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Invalid Group, suporte, openkmAdmin; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 10.100.0.187; SessionId: 7EF59315CE90D49DF6729303069E3D74; Granted Authorities: Invalid Group, suporte, openkmAdmin'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp at position 2 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - pathInfo: both null (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - queryString: both null (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURI: arg1=/OpenKM/frontend/index.jsp; arg2=/OpenKM/frontend/index.jsp (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - serverPort: arg1=8080; arg2=8080 (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - requestURL: arg1=http://10.100.0.154:8080/OpenKM/frontend/index.jsp; arg2=http://10.100.0.154:8080/OpenKM/frontend/index.jsp (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - scheme: arg1=http; arg2=http (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - serverName: arg1=10.100.0.154; arg2=10.100.0.154 (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - contextPath: arg1=/OpenKM; arg2=/OpenKM (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.DefaultSavedRequest - servletPath: arg1=/frontend/index.jsp; arg2=/frontend/index.jsp (property equals)
2013-01-21 13:06:49,300 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.savedrequest.HttpSessionRequestCache - Removing DefaultSavedRequest from session if present
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - SecurityContextHolder not populated with anonymous token, as it already contained: 'org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2e012dbf: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@545b718a: Dn: krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com; Username: lucas.tominaga; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Invalid Group, suporte, openkmAdmin; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 10.100.0.187; SessionId: 7EF59315CE90D49DF6729303069E3D74; Granted Authorities: Invalid Group, suporte, openkmAdmin'
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/frontend/index.jsp'; against '/frontend/**'
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /frontend/index.jsp; Attributes: [IS_AUTHENTICATED_FULLY]
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.UsernamePasswordAuthenticationToken@2e012dbf: Principal: org.springframework.security.ldap.userdetails.LdapUserDetailsImpl@545b718a: Dn: krbprincipalname=lucas.tominaga@USERS,cn=USERS,dc=mycompany,dc=com; Username: lucas.tominaga; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; CredentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: Invalid Group, suporte, openkmAdmin; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@fffc7f0c: RemoteIpAddress: 10.100.0.187; SessionId: 7EF59315CE90D49DF6729303069E3D74; Granted Authorities: Invalid Group, suporte, openkmAdmin
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.RoleVoter@24753433, returned: 0
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.access.vote.AuthenticatedVoter@ab612f8, returned: 1
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Authorization successful
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - RunAsManager did not change Authentication object
2013-01-21 13:06:49,301 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.FilterChainProxy - /frontend/index.jsp reached end of additional filter chain; proceeding with original chain
2013-01-21 13:06:49,303 [http-bio-0.0.0.0-8080-exec-9] INFO  com.openkm.module.db.DbAuthModule - Create okm:trash/lucas.tominaga
2013-01-21 13:06:49,305 [http-bio-0.0.0.0-8080-exec-9] ERROR com.openkm.module.db.DbAuthModule - ac45f57b-47a1-43d0-94ed-11a82bb0efb2 : /okm:trash
com.openkm.core.PathNotFoundException: ac45f57b-47a1-43d0-94ed-11a82bb0efb2 : /okm:trash
	at com.openkm.module.db.stuff.SecurityHelper.checkRead(SecurityHelper.java:106)
	at com.openkm.dao.NodeFolderDAO.create(NodeFolderDAO.java:102)
	at com.openkm.module.db.DbAuthModule.createBase(DbAuthModule.java:443)
	at com.openkm.module.db.DbAuthModule.loadUserData(DbAuthModule.java:406)
	at com.openkm.module.db.DbAuthModule.login(DbAuthModule.java:82)
	at com.openkm.api.OKMAuth.login(OKMAuth.java:52)
	at org.apache.jsp.frontend.index_jsp._jspService(index_jsp.java:68)
	at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:432)
	at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:390)
	at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:334)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:305)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:311)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.invoke(FilterSecurityInterceptor.java:116)
	at org.springframework.security.web.access.intercept.FilterSecurityInterceptor.doFilter(FilterSecurityInterceptor.java:83)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.access.ExceptionTranslationFilter.doFilter(ExceptionTranslationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.session.SessionManagementFilter.doFilter(SessionManagementFilter.java:101)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AnonymousAuthenticationFilter.doFilter(AnonymousAuthenticationFilter.java:113)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.servletapi.SecurityContextHolderAwareRequestFilter.doFilter(SecurityContextHolderAwareRequestFilter.java:54)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.savedrequest.RequestCacheAwareFilter.doFilter(RequestCacheAwareFilter.java:45)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:182)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:87)
	at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:323)
	at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:173)
	at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:259)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:243)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:210)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:225)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:169)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:472)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:168)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:98)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:927)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:118)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:407)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:999)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:565)
	at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:309)
	at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:886)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:908)
	at java.lang.Thread.run(Thread.java:662)
2013-01-21 13:06:49,307 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
2013-01-21 13:06:49,307 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession is now null, but was not null at start of request; session was invalidated, so do not create a new session
2013-01-21 13:06:49,307 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
2013-01-21 13:06:49,352 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/services/**'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/status'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/download'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/workflow-register'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/webdav/**'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/feed/**'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No HttpSession currently exists
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: null. A new one will be created.
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login at position 2 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login at position 3 of 8 in additional filter chain; firing Filter: 'RequestCacheAwareFilter'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login at position 4 of 8 in additional filter chain; firing Filter: 'SecurityContextHolderAwareRequestFilter'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login at position 5 of 8 in additional filter chain; firing Filter: 'AnonymousAuthenticationFilter'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.authentication.AnonymousAuthenticationFilter - Populated SecurityContextHolder with anonymous token: 'org.springframework.security.authentication.AnonymousAuthenticationToken@9055c2bc: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@b364: RemoteIpAddress: 10.100.0.187; SessionId: null; Granted Authorities: ROLE_ANONYMOUS'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login at position 6 of 8 in additional filter chain; firing Filter: 'SessionManagementFilter'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.session.SessionManagementFilter - Requested session ID7DB20C31DD2DF1F10E883A73D312746B is invalid.
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login at position 7 of 8 in additional filter chain; firing Filter: 'ExceptionTranslationFilter'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login at position 8 of 8 in additional filter chain; firing Filter: 'FilterSecurityInterceptor'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/frontend/**'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/login.jsp'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/admin/**'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/repositorystartup'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/test'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.util.AntPathRequestMatcher - Checking match of request : '/logo/login'; against '/extension/**'
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Public object - authentication not attempted
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.FilterChainProxy - /logo/login reached end of additional filter chain; proceeding with original chain
2013-01-21 13:06:49,353 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Chain processed normally
2013-01-21 13:06:49,354 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2013-01-21 13:06:49,354 [http-bio-0.0.0.0-8080-exec-5] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed
If I go to user management I can list all users and also their roles.

Re: Changing default LDAP Roles in OpenKM

PostPosted:Thu Jan 24, 2013 4:04 pm
by jllort
The problem seems is in OpenKM.xml is not getting roles and for it you get this error:
Code: Select all
2013-01-21 13:06:49,305 [http-bio-0.0.0.0-8080-exec-9] ERROR com.openkm.module.db.DbAuthModule - ac45f57b-47a1-43d0-94ed-11a82bb0efb2 : /okm:trash
com.openkm.core.PathNotFoundException: ac45f57b-47a1-43d0-94ed-11a82bb0efb2 : /okm:trash
Ensure the user has ROLE_USER ( in ROLE_USER you have a child node like memberUid=userx )

Re: Changing default LDAP Roles in OpenKM

PostPosted:Wed Jan 29, 2014 5:57 pm
by mahyar
Hi there,

I probably should have started a new post for this, but my problem is somehow related to this thread.
I don't want to define new roles in LDAP server and the role-names are not standard (admin,user). After I did all the settings mentioned in Wiki, I am able to see a list of users but without roles and when I choose a role from the dropdown list, the memberIDs are listed with their roles.
I am still unable to log in with an LDAP user and I am about to lose my patience :)
Strangely it seems that in contrast to the log file (posted here: http://forum.openkm.com/posting.php?mod ... e0#pr21012 ) my OpenKM installation is using another method instead of security.ldap.authentication.
Code: Select all
2014-01-29 18:42:36,197 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Request is to process authentication
2014-01-29 18:42:36,198 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.authentication.dao.DaoAuthenticationProvider
2014-01-29 18:42:36,199 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.provisioning.JdbcUserDetailsManager - Query returned no results for user 'mgh'
2014-01-29 18:42:36,200 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.authentication.dao.DaoAuthenticationProvider - User 'mgh' not found
2014-01-29 18:42:36,201 [http-bio-0.0.0.0-8080-exec-9] INFO  com.openkm.spring.LoggerListener - Authentication ERROR: mgh
2014-01-29 18:42:36,201 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.BadCredentialsException: Bad credentials
2014-01-29 18:42:36,201 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2014-01-29 18:42:36,202 [http-bio-0.0.0.0-8080-exec-9] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@4510764a
Does anybody have any idea, that is going wrong here? I have tested with both community and professional (test license) versions, same results.

Re: Changing default LDAP Roles in OpenKM

PostPosted:Sat Feb 01, 2014 4:24 pm
by jllort
You want to change ROLE_ADMIN and ROLE_USER with other names is that ?

Re: Changing default LDAP Roles in OpenKM

PostPosted:Sun Feb 02, 2014 10:14 am
by mahyar
One thing is to change the roles. yes, it seems more appropriate to let our LDAP remain as it is and just map the roles or even better, to change the default roles (which apparently can not be done by just changing it from configuration UI).

Another thing is that I don't really know, if DaoAuthentication is the same as LdapAuthentication. Comparing my log with the others, there is a difference which can cause be the cause of my problem. The user "mgh" can not be found anywhere and I don't know, whether OpenKM is even looking into our LDAP for this user or not.

As I understand, all the configuration and LDAP integration will be done by OpenKM, if we purchased the software. If yes, we will have no problem :D

Re: Changing default LDAP Roles in OpenKM

PostPosted:Tue Feb 04, 2014 6:43 pm
by jllort
Part of OpenKM installation include by default ldap integration.

About changing role names as you explain is not only changing in administration, must apply minimal patch at OpenKM.war file to change internal XML spring file. This is not documented in documentation because is not general case and is quite complex for major users. Must be changed the file WEB-INF/applicationContext.xml into OpenKM.war file

Re: Changing default LDAP Roles in OpenKM

PostPosted:Wed Feb 05, 2014 9:30 am
by mahyar
thanks jllort. I will give up on changing the roles.

By the way, it is still bothering me that I can not find out how to configure it to work with LDAP. All the documents in Wiki say that I only need to set some values in Configuration UI and add some lines to OpenKM.xml, defining the LDAP as authentication provider. It seems that Dao is used as the authenticator in my installation. Does it make any difference? Could it be the reason behind my problem with login and not (only) the roles?

Re: Changing default LDAP Roles in OpenKM

PostPosted:Wed Feb 05, 2014 11:18 am
by jllort
First must pass login screen ( work in OpenKM.xml)
Second is getting OpenKM table list integration ( that is configuration parameters ). You must use LdapPrincipalAdapter and restart openkm to take some effect.

Re: Changing default LDAP Roles in OpenKM

PostPosted:Wed Feb 05, 2014 1:23 pm
by mahyar
jllort wrote:You must use LdapPrincipalAdapter and restart openkm to take some effect.
Well, that seems to be a part of the problem. I have set principal.adapter to com.openkm.principal.LdapPrincipalAdapter and restarted the application hundreds of times. All my settings seem to be in accordance with Wiki, but it still does not work. I give up!

Re: Changing default LDAP Roles in OpenKM

PostPosted:Sun Feb 09, 2014 6:00 pm
by jllort
These are not trivial tasks. First time we need 2-3 days for doing it. After made a lot of integrations we need to spend 1-2 hours for it. Is not easy way explain how to doing it, I think documentation is right, but each ldap has their own specific configuration and here comes the problems.
All times are UTC
Page 1 of 1
Powered by phpBB® Forum Software © phpBB Limited