TOPIC: Re:questions about Active dir integration
#877
peter (User)
Junior Boarder
Posts: 29
questions about Active dir integration 4 Weeks, 1 Day ago Karma: 0  
Hi,

We have been using OpenKM in our company for the past 7 months now and I have not heard anything bad about it from the users, so credits to the developers for creating a good and reliable (and open) application!


I have been trying to connect OpenKM to our company Windows 2000 Active Directory.
I have read the documentation and all the forum posts (special thanks to Google Translator) but I am afraid that I know too little to understand it all.

I would appreciate some help in setting up OpenKM AND my AD to work together. I have very little experience in using AD and LDAP.



Here's what I have done so far!

In "server/default/conf" I have modified login-config.xml. In that file I have placed this:



<application-policy name="OpenKM">
<authentication>
<login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required" >
<!-- connection and service-account bind used for the user/role searches -->
<module-option name="java.naming.provider.url">ldap://vabi-dc.vabi.nl:389</module-option>
<module-option name="bindDN">CN=beheer,DC=vabi,DC=nl</module-option>
<module-option name="java.naming.security.authentication">simple</module-option>
<module-option name="bindCredential">user beheer password</module-option>
<!-- where to look for the user entry; {0} is replaced by the login name -->
<module-option name="baseCtxDN">DC=vabi,DC=nl</module-option>
<module-option name="baseFilter">(sAMAccountName={0})</module-option>
<!-- where to look for the entry whose memberOf values give the roles -->
<module-option name="rolesCtxDN">DC=vabi,DC=nl</module-option>
<module-option name="roleFilter">(sAMAccountName={0})</module-option>
<!-- attribute name corrected from the misspelt "emmberOf": AD stores group membership in memberOf -->
<module-option name="roleAttributeID">memberOf</module-option>
<module-option name="roleAttributeIsDN">true</module-option>
<module-option name="roleNameAttributeID">cn</module-option>
<module-option name="roleRecursion">-1</module-option>
<module-option name="searchScope">SUBTREE_SCOPE</module-option>
<module-option name="defaultRole">UserRol</module-option>
</login-module>
</authentication>
</application-policy>



I have also commented out this (I believe this is the standard credentials config):


<!-- OpenKM --><!--
<application-policy name = "OpenKM">
<authentication>
<login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag = "required">

<module-option name="usersProperties">props/openkm-users.properties</module-option>
<module-option name="rolesProperties">props/openkm-roles.properties</module-option>
</login-module>
<login-module code="org.jboss.security.ClientLoginModule" flag="required" />
</authentication>
</application-policy>-->



So far so good?

In the OpenKM documentation I found this:
QUOTE:

Only users having the “UserRol” set at <module-option name=”defaultRole”>UserRol</module-option> are allowed to access the OpenKM, therefore add this role to every authenticated user, because only users with that role are allowed to access OpenKM.


So then in the AD I made a group called UserRol and made the users that are going to be using OpenKM a member of this group (do I have to do this??).


Also in the documentation I found this:
QUOTE:

An admin user must be created to run OpenKM, at the moment administrator user name must be “system” and must have assigned “AdminRol” and “UserRol”. In future releases administrator name will be independent.


Does this mean I have to make a user in the AD called 'system' and also make a group named AdminRole and make system a member of AdminRole????


Anyway, there are many things that I am not sure about, but these are the things I know for sure:


    1/ I have a user called 'beheer' who has admin rights in the AD
    2/ I know the password for the 'beheer' account
    3/ I have an AD called VABI-DC.vabi.nl


Finally, I have here the output of the server log. I have added the complete logs as attachments.

---------------------------------------------------------------------------------

2008-07-22 08:53:13,578 DEBUG [org.jboss.security.auth.spi.LdapExtLoginModule] Bad password for username=beheer
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=vabi,DC=nl'
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2763)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
at com.sun.jndi.ldap.LdapNamingEnumeration.getNextBatch(LdapNamingEnumeration.java:129)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMoreImpl(LdapNamingEnumeration.java:198)
at com.sun.jndi.ldap.LdapNamingEnumeration.hasMore(LdapNamingEnumeration.java:171)
at org.jboss.security.auth.spi.LdapExtLoginModule.rolesSearch(LdapExtLoginModule.java:424)
at org.jboss.security.auth.spi.LdapExtLoginModule.createLdapInitContext(LdapExtLoginModule.java:351)
at org.jboss.security.auth.spi.LdapExtLoginModule.validatePassword(LdapExtLoginModule.java:232)
at org.jboss.security.auth.spi.UsernamePasswordLoginModule.login(UsernamePasswordLoginModule.java:210)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at javax.security.auth.login.LoginContext.invoke(LoginContext.java:769)
at javax.security.auth.login.LoginContext.access$000(LoginContext.java:186)
at javax.security.auth.login.LoginContext$4.run(LoginContext.java:683)
at java.security.AccessController.doPrivileged(Native Method)
at javax.security.auth.login.LoginContext.invokePriv(LoginContext.java:680)
at javax.security.auth.login.LoginContext.login(LoginContext.java:579)
at org.jboss.security.plugins.JaasSecurityManager.defaultLogin(JaasSecurityManager.java:603)
at org.jboss.security.plugins.JaasSecurityManager.authenticate(JaasSecurityManager.java:537)
at org.jboss.security.plugins.JaasSecurityManager.isValid(JaasSecurityManager.java:344)
at org.jboss.web.tomcat.security.JBossSecurityMgrRealm.authenticate(JBossSecurityMgrRealm.java:491)
at org.apache.catalina.authenticator.FormAuthenticator.authenticate(FormAuthenticator.java:257)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:416)
at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
at java.lang.Thread.run(Thread.java:595)

------------------------------------------------------------------------------

Please, can/will anybody take the time to help me out! I would really appreciate it.

Peter
 
 
i need some serious help
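To make the posted login-config.xml concrete, here is an added example (not OpenKM's or JBoss's code) that models the LdapExtLoginModule flow those module options drive: locate the user under baseCtxDN with baseFilter, bind as that user, then search rolesCtxDN with roleFilter and turn each memberOf DN into a role name via cn, with roleRecursion and defaultRole applied. The directory entries, passwords, group names (Finance, Archive) and the referral behaviour are all constructed; the referral part is a simplification of what AD returns for a subtree search rooted at the domain head on port 389, which JNDI surfaces as the PartialResultException seen in the log when java.naming.referral is left at its default of ignore.

```python
"""Added example (not OpenKM's or JBoss's code): an in-memory model of the
LdapExtLoginModule flow configured by the login-config.xml in the post above.
All directory entries, passwords and referral data below are constructed."""
import hmac


class PartialResultException(Exception):
    """Stands in for javax.naming.PartialResultException."""


# Constructed directory: lower-cased DN -> attributes. Group entries carry the
# cn that roleNameAttributeID=cn reads; entries carry memberOf as DNs.
DIRECTORY = {
    "cn=beheer,cn=users,dc=vabi,dc=nl": {
        "samaccountname": "beheer", "password": "beheer-pw",
        "memberof": ["cn=adminrol,ou=groups,dc=vabi,dc=nl"]},
    "cn=peter,cn=users,dc=vabi,dc=nl": {
        "samaccountname": "peter", "password": "peter-pw",
        "memberof": ["cn=finance,ou=groups,dc=vabi,dc=nl"]},
    "cn=guest,cn=users,dc=vabi,dc=nl": {
        "samaccountname": "guest", "password": "guest-pw", "memberof": []},
    "cn=finance,ou=groups,dc=vabi,dc=nl": {
        "cn": "Finance", "memberof": ["cn=archive,ou=groups,dc=vabi,dc=nl"]},
    "cn=archive,ou=groups,dc=vabi,dc=nl": {"cn": "Archive", "memberof": []},
    "cn=adminrol,ou=groups,dc=vabi,dc=nl": {"cn": "AdminRol", "memberof": []},
}

# Simplified model of AD on port 389: a subtree search rooted at the domain
# head also yields continuation references to subordinate naming contexts, and
# JNDI with java.naming.referral=ignore (its default) raises on them.
REFERRAL_BASES = {"dc=vabi,dc=nl"}

# Module options copied from the posted login-config.xml.
POSTED_CONFIG = {
    "baseCtxDN": "DC=vabi,DC=nl", "baseFilter": "(sAMAccountName={0})",
    "rolesCtxDN": "DC=vabi,DC=nl", "roleFilter": "(sAMAccountName={0})",
    "roleRecursion": -1, "defaultRole": "UserRol",
}
# Both search bases narrowed to the Users container (constructed variant).
NARROWED_CONFIG = dict(POSTED_CONFIG, baseCtxDN="CN=Users,DC=vabi,DC=nl",
                       rolesCtxDN="CN=Users,DC=vabi,DC=nl")


def escape_filter_value(value):
    """RFC 4515 escaping for the {0} substitution, so a login name containing
    filter metacharacters cannot change the shape of the search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def search(base, flt, referral="ignore"):
    """Subtree search for a single (attr=value) equality filter."""
    base = base.lower()
    attr, _, value = flt.strip("()").partition("=")
    hits = [dn for dn, attrs in DIRECTORY.items()
            if dn.endswith(base) and attrs.get(attr.lower()) == value]
    if base in REFERRAL_BASES and referral == "ignore":
        # The real enumeration throws once hasMore() reaches the reference.
        raise PartialResultException(
            "Unprocessed Continuation Reference(s); remaining name '%s'" % base)
    return hits


def collect_roles(entry_dn, roles, max_depth, depth=0):
    """roleAttributeIsDN=true: each memberOf value is a DN; look that entry up
    and read roleNameAttributeID (cn). roleRecursion -1 is treated as unlimited."""
    for group_dn in DIRECTORY[entry_dn].get("memberof", []):
        roles.add(DIRECTORY[group_dn]["cn"])
        if max_depth == -1 or depth < max_depth:
            collect_roles(group_dn, roles, max_depth, depth + 1)


def authenticate(cfg, username, password):
    """Returns ("ok", sorted roles), ("bad-credentials", None) or
    ("referral-error", message), mirroring the module's observable outcomes."""
    referral = cfg.get("java.naming.referral", "ignore")
    user_filter = cfg["baseFilter"].replace("{0}", escape_filter_value(username))
    try:
        users = search(cfg["baseCtxDN"], user_filter, referral)
        if len(users) != 1:
            return ("bad-credentials", None)
        stored = DIRECTORY[users[0]]["password"].encode()
        # Stands in for the second bind as the located user with its password.
        if not hmac.compare_digest(stored, password.encode()):
            return ("bad-credentials", None)
        roles = set()
        role_filter = cfg["roleFilter"].replace("{0}", escape_filter_value(username))
        for dn in search(cfg["rolesCtxDN"], role_filter, referral):
            collect_roles(dn, roles, cfg["roleRecursion"])
    except PartialResultException as exc:
        return ("referral-error", str(exc))
    roles.add(cfg["defaultRole"])  # defaultRole: every authenticated user gets it
    return ("ok", sorted(roles))


def may_use_openkm(roles):
    """The access rule quoted from the OpenKM documentation in the post."""
    return roles is not None and "UserRol" in roles


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("narrowed", NARROWED_CONFIG)):
        for user, pw in (("peter", "peter-pw"), ("guest", "guest-pw"), ("peter", "nope")):
            print(name, user, authenticate(cfg, user, pw))
```

Two things the model makes visible that the XML alone does not: searching from the domain head fails with the referral error until the bases are narrowed or java.naming.referral is set to follow, and because defaultRole=UserRol is added to every authenticated user, membership of the UserRol AD group is not what gates access in this configuration; the guest account, which is in no group at all, still ends up with UserRol.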
#878
peter (User)
Junior Boarder
Posts: 29
Re:questions about Active dir integration 4 Weeks, 1 Day ago Karma: 0  
The log files!

File Attachment:
File Name: logs.zip
File Size: 81086
 
 
Last Edit: 2008/07/22 09:01 By peter.
 
i need some serious help
#883
jllort (Admin)
Admin
Posts: 212
Re:questions about Active dir integration 4 Weeks, 1 Day ago Karma: 4  
On Windows we've found a bug in the LDAP integration on OpenKM, in that the system user is already defined; for it we've applied a patch, now only available on CVS, that changes the "system" user to the "admin" user. This solves the problem with the actual system user created on Windows by default.

It seems the user that tries to connect to your LDAP has not enough credentials to connect to it, because the log error shows the message: "Bad password for username=beheer". Try for example with the administrator user to see if it's a login/grants problem accessing your LDAP information repository. It seems the error is not a connection to vabi-dc.vabi.nl, because it shows a password error message.

About UserRol: it seems you've done well; all users must have this role.
 
 
Be open my friend
#886
peter (User)
Junior Boarder
Posts: 29
Re:questions about Active dir integration 4 Weeks ago Karma: 0  
Thanks for the reply.


I eventually managed to get access to OpenKM through Active Directory!
I found that the config error I made was in the:

baseCtxDN
rolesCtxDN

First of all, I was not pointing to my users but to the root:

wrong: dn=vabi,dn=nl
good: cn=users,dn=vabi,dn=nl

Second, I pointed the rolesCtxDN to the group UO instead of where the users were:

wrong: uo=groups,dn=vabi,dn=nl
good: cn=users,dn=vabi,dn=nl


The only problem now is that I have no groups in OpenKM???!!! So I can't put users into these groups and set permissions per folder per group!

Anyway, again thanks for the help and keep up the good work.
 
 
i need some serious help
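The DN corrections in the post above are written with dn= and uo= attribute types, and a search base with a mistyped type or one that sits outside the domain silently matches nothing. As an added example (not OpenKM's or JBoss's code), here is a small RFC 4514 DN parser with a lint for baseCtxDN / rolesCtxDN values; the set of accepted attribute types and the "Doe\, John" sample are constructed, the DNs checked in the usage block are the ones from this thread.

```python
"""Added example (not OpenKM's or JBoss's code): RFC 4514 DN parsing and a
lint for LdapExtLoginModule search-base DNs. Accepted attribute types and the
escaped-comma sample are constructed for the example."""
KNOWN_TYPES = {"dc", "cn", "ou", "o", "c", "l", "st", "street", "uid"}


def parse_dn(dn):
    """Split a DN into (type, value) pairs, honouring backslash escapes so a
    comma inside a value (cn=Doe\\, John) does not start a new RDN."""
    rdns, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    rdns.append("".join(cur))
    parsed = []
    for rdn in rdns:
        attr_type, sep, value = rdn.strip().partition("=")
        if not sep or not attr_type.strip() or not value.strip():
            raise ValueError("malformed RDN %r" % rdn)
        parsed.append((attr_type.strip().lower(), value.strip()))
    return parsed


def lint_context_dn(dn, domain_root):
    """Return the problems that make a search base useless: attribute types
    that are not DN types (typos such as dn= or uo=) and a DN that does not
    end in the domain root. An empty list means the DN passed."""
    problems = []
    try:
        rdns = parse_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    for attr_type, _ in rdns:
        if attr_type not in KNOWN_TYPES:
            problems.append("unknown attribute type %r" % attr_type)
    root = [(t, v.lower()) for t, v in parse_dn(domain_root)]
    tail = [(t, v.lower()) for t, v in rdns[-len(root):]]
    if tail != root:
        problems.append("not under domain root %s" % domain_root)
    return problems


if __name__ == "__main__":
    # DNs as they appear in this thread, checked against the domain root.
    for candidate in ("cn=users,dn=vabi,dn=nl", "uo=groups,dn=vabi,dn=nl",
                      "CN=Users,DC=vabi,DC=nl", "DC=vabi,DC=nl"):
        print(candidate, "->", lint_context_dn(candidate, "DC=vabi,DC=nl") or "ok")
```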
#887
jllort (Admin)
Admin
Posts: 212
Re:questions about Active dir integration 4 Weeks ago Karma: 4  
I've answered about roles in that post.

Really, right now getting a full LDAP integration needs some extra work; in the future we'll try to make it more automatic in the configuration.
 
 
Last Edit: 2008/07/23 13:31 By jllort.
 
Be open my friend