[opencms-dev] Unable to fetch groups from ldap with ocee-ldap

Per-Olof Widström per-olof.widstrom at splendid.se
Wed Aug 26 19:07:16 CEST 2009


Hi,

someone already asked kindly, in a nice way, I presume, so we have a 
second trial period (tnx).

I changed the xml so it has the "by-member" tag, and now I don't get any 
exceptions complaining that it is missing. Nice.

I looked in the docs, and in ou-definitions the by-member tag is 
missing, and I'm pretty sure I didn't get them in the xml-file that was 
provided in the installation. It wouldn't hurt if someone changed the 
ldap-package so it included the "by-member" tag for ou-definitions.

Copied from ocee-ldap.xml:
<ou-definitions>
  <ou-definition>
    <ou-name>/test/</ou-name>
    <group-definitions>
      <group-definition membersformat="mburl">
        <group-access>
          <group-filters>
            <all>(objectclass=groupofurls)</all>
            <by-name>(&(objectclass=groupofurls)(cn=?))</by-name>
          </group-filters>


My problem is still there, unfortunately: I get no groups to sync. Is 
there some way I can troubleshoot this, like turning up log levels in 
log4j.properties, or something else?

My ldap xml now looks like this:
        <group-definitions>
          <group-definition membersformat="fulldn">
            <group-access>
              <group-filters>
                <all>(objectclass=groupofuniquenames)</all>
                <by-name>(&(objectclass=groupofuniquenames)(cn=?))</by-name>
                <by-member>(&(objectclass=groupofuniquenames)(uniquemember=?))</by-member>
              </group-filters>
              <contexts>
                <context>ou=Groups,o=org1,o=comms,dc=domain,dc=com</context>
              </contexts>
            </group-access>
            <group-mappings>
              <groupid>cn</groupid>
              <groupname>cn</groupname>
              <member>uniquemember</member>
            </group-mappings>
            <editable>false</editable>
          </group-definition>


Regards
Per-Olof


Michael Moossen wrote:
> Hi Per-Olof!
>
> it seems that there is a problem in your configuration file.
>
> any group definition of type (membersformat) fulldn or userid needs a 
> filter by member, like:
> <by-member>(&(objectclass=groupofuniquenames)(uniquemember=?))</by-member>
>
> see the documentation and sample configuration files for more details.
>
> by the way, your evaluation license also expired already 1 month ago, if 
> you ask kindly we could give a second one...
>
> HTH
> -------------------
> Michael Moossen
>
> Alkacon Software GmbH  - The OpenCms Experts
> http://www.alkacon.com - http://www.opencms.org
>
> Per-Olof Widström wrote:
>   
>> Hi,
>>
>> I'm trying to set up the ocee-ldap module. Everything works, except 
>> getting groups from ldap.
>>
>> I can synchronize users i.e. import them to the database, but when I try 
>> to do the same with the groups I get nothing (an empty list).
>>
>>
>> It is also possible to authenticate against the ldap, but when a valid 
>> combination of username and password is given, while logging in to the 
>> open cms explorer, I get a 500 error message.
>>
>> The logs tell me this:
>> Aug 17, 2009 3:04:08 PM org.apache.catalina.core.ApplicationDispatcher invoke
>> SEVERE: Servlet.service() for servlet jsp threw exception
>> java.lang.NullPointerException
>>         at org.opencms.ocee.ldap.CmsLdapGroupDefinition.getFilterByMember(CmsLdapGroupDefinition.java:145)
>>         at org.opencms.ocee.ldap.CmsLdapManager.lookupGroupNames(CmsLdapManager.java:789)
>>         at 
>> org.opencms.ocee.ldap.CmsLdapUserDriver.o0000000000000000000000000000000000000000000000000000000000000000000
>> 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> 000000000000000000000000000000000000000000000000000000000000000000000super(CmsLdapUserDriver.java:1376)
>>         at 
>> org.opencms.ocee.ldap.CmsLdapUserDriver.o0000000000000000000000000000000000000000000000000000000000000000000
>> 00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>> 000000000000000000000000000000000000000000000000000000000000000000000super(CmsLdapUserDriver.java:1197)
>>         at org.opencms.ocee.ldap.CmsLdapUserDriver.readUser(CmsLdapUserDriver.java:833)
>>         at org.opencms.ocee.ldap.CmsLdapUserDriver.readUser(CmsLdapUserDriver.java:844)
>>         at org.opencms.db.CmsDriverManager.loginUser(CmsDriverManager.java:4700)
>>         at org.opencms.db.CmsSecurityManager.loginUser(CmsSecurityManager.java:2884)
>>         at org.opencms.file.CmsObject.loginUser(CmsObject.java:2267)
>>         at org.opencms.jsp.CmsJspLoginBean.login(CmsJspLoginBean.java:189)
>>         at org.opencms.jsp.CmsJspLoginBean.login(CmsJspLoginBean.java:169)
>>         at org.opencms.workplace.CmsLogin.displayDialog(CmsLogin.java:293)
>>         at org.apache.jsp.WEB_002dINF.jsp.online.system.login.index_html_jsp._jspService(index_html_jsp.java:59)
>>         at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)
>>         at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>>         at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:374)
>>         at org.apache.jasper.servlet.JspServlet.serviceJspFile(JspServlet.java:342)
>>         at org.apache.jasper.servlet.JspServlet.service(JspServlet.java:267)
>> [snip]
>>
>> The ldap server I'm using is Sun Java System Directory Server Enterprise 
>> Edition 6.3. It supports RFC 2798, and it looks as if it supports 2256 
>> also, although that RFC number seems to be obsolete, see link below.
>> http://docs.sun.com/app/docs/doc/820-2766/gdutg?a=view
>>
>> My ocee-ldap.xml has the following entries:
>>       <ou-definition> <!-- Splendid -->
>>         <ou-name>org1</ou-name>
>>         <group-definitions>
>>           <group-definition membersformat="fulldn">
>>             <group-access>
>>               <group-filters>
>>                 <all>(objectclass=groupofuniquenames)</all>
>>                 <by-name>(&(objectclass=groupofuniquenames)(cn=?))</by-name>
>>               </group-filters>
>>               <contexts>
>>                 <context>ou=Groups,o=org1,o=comms,dc=domain,dc=com</context>
>>               </contexts>
>>             </group-access>
>>             <group-mappings>
>>               <groupid>cn</groupid>
>>               <groupname>cn</groupname>
>>               <member>uniquemember</member>
>>             </group-mappings>
>>             <editable>false</editable>
>>           </group-definition>
>>         </group-definitions>
>>
>> I have looked at the groups in ldap-browser, which tells me that the 
>> group has the following classes: inetlocalmailrecipient, inetmailgroup, 
>> groupofuniquenames, ipgroup, inetmailgroupmanagement, inetgroup. The 
>> query (objectclass=groupofuniquenames) works in the ldapbrowser I use 
>> (Soft terra ldapbrowser).
>>
>> Any ideas why I don't get any groups from ldap?
>>
>>
>>
>> ------------------------------------------------------------------------
>>
>>
>> _______________________________________________
>> This mail is sent to you from the opencms-dev mailing list
>> To change your list options, or to unsubscribe from the list, please visit
>> http://lists.opencms.org/mailman/listinfo/opencms-dev
>>     
>   
