
LDAP - ActiveDirectory - OKM CE 6.2

Posted: Thu Feb 14, 2013 2:58 pm
by fergalom
Can someone please help with the configuration of LDAP for AD (SBS 2011)?

OKM CE 6.2 running on Ubuntu 12.10.

The administrator and users (e.g. fwuser) are in two different branches of the AD structure as follows:
Code:
dc=fw,dc=local
|
|___ ou=MyBusiness
|        |
|        ou=Users
|            |
|            ou=SBSUsers
|                |
|                cn=fwuser
|
|___ CN=Users
         |
         CN=Administrator
My OpenKM.xml
Code:
<?xml version="1.0" encoding="UTF-8"?>
<beans:beans xmlns:beans="http://www.springframework.org/schema/beans"
             xmlns:security="http://www.springframework.org/schema/security"
             xmlns:task="http://www.springframework.org/schema/task"
             xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
             xsi:schemaLocation="http://www.springframework.org/schema/beans
                                 http://www.springframework.org/schema/beans/spring-beans-3.1.xsd
                                 http://www.springframework.org/schema/security
                                 http://www.springframework.org/schema/security/spring-security-3.1.xsd
                                 http://www.springframework.org/schema/task
                                 http://www.springframework.org/schema/task/spring-task-3.1.xsd">
  
<security:ldap-server id="ldapServer"
    url="ldap://10.10.1.2:389/DC=ldap,DC=fw,DC=local"
    manager-dn="CN=Administrator,CN=Users,DC=fw,DC=local"
    manager-password="pass1234"/>
 
  <security:authentication-manager alias="authenticationManager">
    <security:ldap-authentication-provider
      server-ref="ldapServer"
      user-search-base="cn=Users"
      user-search-filter="(sAMAccountName={0})"
      group-search-base="cn=Users"
      group-search-filter="(member={0})"
      group-role-attribute="cn"
      role-prefix="none">
    </security:ldap-authentication-provider>
  </security:authentication-manager>
  
</beans:beans>
And the config within OpenKM:
Code:
system.login.lowercase=on
principal.adapter=com.openkm.principal.LdapPrincipalAdapter
 
principal.ldap.server=ldap://10.10.1.2
principal.ldap.security.principal=CN=Administrator,cn=Users,dc=fw,dc=local
principal.ldap.security.credentials=pass1234
 
principal.ldap.user.search.base=cn=Users,dc=fw,dc=local
principal.ldap.user.search.filter=(objectclass=person)
principal.ldap.user.attribute=sAMAccountName
 
principal.ldap.role.search.base=cn=Users,dc=fw,dc=local
principal.ldap.role.search.filter=(objectclass=group)
principal.ldap.role.attribute=cn
 
principal.ldap.mail.search.base=cn=Users,dc=fw,dc=local
principal.ldap.mail.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.mail.attribute=mail
 
principal.ldap.username.search.base=cn=Users,dc=fw,dc=local
principal.ldap.username.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.username.attribute=cn
 
principal.ldap.users.by.role.search.base=cn={0},cn=Users,dc=fw,dc=local
principal.ldap.users.by.role.search.filter=(objectclass=group)
principal.ldap.users.by.role.attribute=member
 
principal.ldap.roles.by.user.search.base=cn=users,dc=fw,dc=local
principal.ldap.roles.by.user.search.filter=(&(objectclass=person)(sAMAccountName={0}))
principal.ldap.roles.by.user.attribute=memberOf
Catalina.log
Code:
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 1 of 8 in additional filter chain; firing Filter: 'SecurityContextPersistenceFilter'
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade@625b99ed. A new one will be created.
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.FilterChainProxy - /j_spring_security_check at position 2 of 8 in additional filter chain; firing Filter: 'UsernamePasswordAuthenticationFilter'
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Request is to process authentication
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.authentication.ProviderManager - Authentication attempt using org.springframework.security.ldap.authentication.LdapAuthenticationProvider
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.ldap.authentication.LdapAuthenticationProvider - Processing authentication request for user: administrator
2013-02-14 14:07:01,328 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.ldap.search.FilterBasedLdapUserSearch - Searching for user 'administrator', with user search [ searchFilter: '(sAMAccountName={0})', searchBase: 'cn=Users', scope: subtree, searchTimeLimit: 0, derefLinkFlag: false ]
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=fw,DC=local'
\00]; nested exception is javax.naming.NameNotFoundException: [LDAP: error code 32 - 0000208D: NameErr: DSID-0310020A, problem 2001 (NO_OBJECT), data 0, best match of:
	'DC=fw,DC=local'
\00]; remaining name 'cn=Users'
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Updated SecurityContextHolder to contain null Authentication
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter - Delegating to authentication failure handlerorg.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler@331efc39
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler - Redirecting to /login.jsp?error=1
2013-02-14 14:07:01,411 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.DefaultRedirectStrategy - Redirecting to '/OpenKM/login.jsp?error=1'
2013-02-14 14:07:01,412 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.
2013-02-14 14:07:01,412 [http-bio-0.0.0.0-8080-exec-8] DEBUG org.springframework.security.web.context.SecurityContextPersistenceFilter - SecurityContextHolder now cleared, as request processing completed

Any pointers greatly appreciated.

Re: LDAP - ActiveDirectory - OKM CE 6.2

Posted: Fri Feb 15, 2013 8:17 am
by dejanfc
At first glance it looks like you're trying to log in as 'administrator', but your account starts with a capital A (Administrator).

Re: LDAP - ActiveDirectory - OKM CE 6.2

Posted: Fri Feb 15, 2013 8:36 am
by fergalom
Thanks, but from the wiki:
Code:
In the case of Active directory ( windows ), it's important that all users logins be in lower case. For this purpose we enable
system.login.lowercase=on
Also if you look at OpenKM.xml and the config, it is using "Administrator"

The catalina log shows lowercase due to system.login.lowercase=on.
I have tried system.login.lowercase=off also, with the same result.

Re: LDAP - ActiveDirectory - OKM CE 6.2

Posted: Fri Feb 15, 2013 9:01 am
by dejanfc
Try extending your user-search-base and group-search-base from

user-search-base="cn=Users"

to

user-search-base="cn=Users,dc=fw,dc=local"
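
An added example (not from the thread or from OpenKM) that models the poster's tree as a constructed Python set and shows how Spring Security joins the base DN carried in the ldap-server url with a relative user-search-base, which entries a subtree search from the resulting DN can reach, and an approximation of the server's NO_OBJECT "best match" diagnostic; the function names and the DIRECTORY contents are assumptions built from the posted tree.

```python
"""Offline check of where a Spring Security LDAP search base actually resolves.
With <ldap-server url="ldap://host/BASE_DN"> the user/group search bases are
relative to BASE_DN, so the effective base is "<search-base>,<BASE_DN>".
Added example; the directory is a constructed model of the poster's tree."""
from urllib.parse import unquote, urlparse

# Constructed: every DN that exists in the poster's AD, in normalised form.
DIRECTORY = {
    "dc=fw,dc=local",
    "ou=mybusiness,dc=fw,dc=local",
    "ou=users,ou=mybusiness,dc=fw,dc=local",
    "ou=sbsusers,ou=users,ou=mybusiness,dc=fw,dc=local",
    "cn=fwuser,ou=sbsusers,ou=users,ou=mybusiness,dc=fw,dc=local",
    "cn=users,dc=fw,dc=local",
    "cn=administrator,cn=users,dc=fw,dc=local",
}

def normalize_dn(dn):
    """Lower-case RDNs and drop whitespace around commas (no RFC 4514 escaping)."""
    return ",".join(p.strip().lower() for p in dn.split(",") if p.strip())

def effective_search_base(ldap_url, search_base):
    """Join a relative search base with the base DN carried in the server URL."""
    root = normalize_dn(unquote(urlparse(ldap_url).path.lstrip("/")))
    base = normalize_dn(search_base)
    return ",".join(x for x in (base, root) if x)

def best_match(dn, directory=DIRECTORY):
    """Approximate the server's NO_OBJECT diagnostic: the longest existing
    suffix of dn, plus the leading RDNs it could not resolve."""
    parts = normalize_dn(dn).split(",")
    for i in range(len(parts)):
        suffix = ",".join(parts[i:])
        if suffix in directory:
            return suffix, ",".join(parts[:i])
    return "", ",".join(parts)

def subtree_entries(base_dn, directory=DIRECTORY):
    """Entries a subtree search under base_dn can reach; empty if the base is missing."""
    base = normalize_dn(base_dn)
    if base not in directory:
        return set()
    return {e for e in directory if e == base or e.endswith("," + base)}

if __name__ == "__main__":
    url = "ldap://10.10.1.2:389/DC=ldap,DC=fw,DC=local"  # from the posted OpenKM.xml
    for candidate in ("cn=Users", "cn=Users,dc=fw,dc=local", "dc=fw,dc=local"):
        eff = effective_search_base(url, candidate)
        print(f"{candidate} -> {eff}: best match/remaining {best_match(eff)}, reachable {len(subtree_entries(eff))}")
```

Running it with the posted url shows every candidate resolving beneath dc=ldap,dc=fw,dc=local, whose best existing match is dc=fw,dc=local, as in the log; the same functions with a url that carries no base DN show which branch each search base can see.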

Re: LDAP - ActiveDirectory - OKM CE 6.2

Posted: Fri Feb 15, 2013 9:57 am
by fergalom
Thanks, but that did not work unfortunately.

Re: LDAP - ActiveDirectory - OKM CE 6.2

Posted: Sat Feb 16, 2013 6:08 pm
by jllort
Concentrate first on OpenKM.xml and try the advanced configuration; there we have more control: http://wiki.openkm.com/index.php/Active ... OpenKM_6.2

Re: LDAP - ActiveDirectory - OKM CE 6.2

Posted: Wed Feb 20, 2013 9:19 am
by fergalom
OK, with your suggestion I get the following message now.
I believe from the logs that the users (both admin and a normal user) are getting authenticated, but I always get a screen with this message:
Code:
com.openkm.core.RepositoryException: PathNotFoundException: c8746fad-f424-4f70-9e45-733dad2aa035 : /okm:trash
Question: Do I need to setup ROLE_ADMIN and ROLE_USER as a new security group in my AD? (It's not clear from the documentation - sorry)

Re: LDAP - ActiveDirectory - OKM CE 6.2

Posted: Thu Feb 21, 2013 7:50 am
by dejanfc
This was a problem discussed in another topic - you can't update the security permissions on trash folder (works on all others) through the interface, if you want custom roles you'll have to manually adjust it in the database (OKM_NODE_PERMISSION - NRP_PERMISSION field).