Help! LDAP, permissions error when making a folder.

Xthorvald
Posts: 14
Joined: Thu Aug 27, 2015 4:49 am

Help! LDAP, permissions error when making a folder.

Post by Xthorvald »

Hey Guys.

I've run into some problems with my company's CMAP server.

Environment:
Windows Server 2012
Cmap server v5.04.03
Cmap client 6.04
Set the group and user OU to point at my domain, so I have access to all users, both students and employees. Around 70000+ users.

The Error:
When I set my Cmap client to the same info as my AD user and choose to create a new folder, the administrator info will be collected from my AD, but after creation, it will not let the same user edit the permissions. I have no rights to a folder I just created, without changing anything. How can that be?

Thanks in advance for the help 
cmapadmin
Site Admin
Posts: 793
Joined: Sat Dec 13, 2008 2:22 pm

Re: Help! LDAP, permissions error when making a folder.

Post by cmapadmin »

First we'd recommend you update the CmapServer. We've fixed quite a few bugs dealing with LDAP, and yours may be part of the fix. Your message indicates you are running v5.04.03.
Xthorvald
Posts: 14
Joined: Thu Aug 27, 2015 4:49 am

Re: Help! LDAP, permissions error when making a folder.

Post by Xthorvald »

I have updated the server to 6.04 and the problem still bugs me :(
jlott
Posts: 9
Joined: Tue Mar 31, 2009 6:05 pm

Re: Help! LDAP, permissions error when making a folder.

Post by jlott »

Hi,

When creating a new folder, the administrator of the folder is found by doing a search based on the userId; no authentication is performed at that time.

When trying to edit the permissions, the authentication is performed and is apparently failing.

So it appears that the search/lookup is working OK, but you're having an authentication problem, probably due to a configuration issue.

One thing to do would be to look in the server log (or attach it here) and see if there are any errors about the ldap.root.folder.account not being able to be authenticated.

Also a screenshot of the permissions of the root folder, along with the serverconfig.txt would be useful.
Xthorvald
Posts: 14
Joined: Thu Aug 27, 2015 4:49 am

Re: Help! LDAP, permissions error when making a folder.

Post by Xthorvald »

Yes sir! I will just gather the information! :)
Xthorvald
Posts: 14
Joined: Thu Aug 27, 2015 4:49 am

Re: Help! LDAP, permissions error when making a folder.

Post by Xthorvald »

First off, this is the last entry of the log file:

There appears to be a problem with the Directory Server.
(CLASS: nlk.base.LDAPAuthenticator METHOD: authenticateUser LINE: 33)
nlk.acl.directory.DirectoryXcp: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09072B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580

And do you want me to copy the whole serverconfig file? :)


###############################################################################
# serverconfig.txt
#
# IHMC CmapServer Configuration file
#
###############################################################################
###############################################################################
#
# Networking Configuration
#
# The bind address is the Internet address that the server and the webserver
# will be listening on for incoming requests. When not specified, the server and
# the webserver will listen on any/all local addresses (including 127.0.0.1).
#
# Unless the server and the webserver need to be configured to run in a
# multi-homed environment, it is recommended to leave this parameter empty.
#
# Example: server.bind.address = 123.123.123.1
#
server.bind.address=

# The hostname is the Internet address that will be used to generate the URLs
# of the web pages of the Cmaps stored on the CmapServer, and it is
# determined automatically by the server.
#
# Edit this property if you want the server to use a specific hostname to
# generate the URLs.
#
# It is recommended that you enter a full computer name rather than an
# IP address.
#
# Example: server.hostname = mypc.mydomain
#
server.hostname=

# The IP address is the Internet address that CmapTools will use to contact the
# CmapServer and it is automatically determined and registered by the server.
#
# Edit this property if you want the server to register a specific IP address.
# Use only dotted-decimal TCP/IP addresses.
#
# Example: server.ip.address = 123.123.123.1
#
server.ip.address=

# All servers create an index of their contents to permit searching. This index
# can be sent to an IndexServer that responds to client search requests.
#
# This has two benefits:
#
# 1) This server is not burdened (CPU and network) with responding to search
# requests from other clients,
#
# 2) The overall search time for clients is more consistent, as there is just
# one network connection.
#
# The index retains its permission settings, so searching the IndexServer
# will be just like searching on the server directly, in that the only
# resources returned for a search request will be those the searcher has
# permission to see.
#
# Most of the time, you will want to leave this variable set to true
#
sendtoindexserver=true

# This variable controls how often the server sends its index to the
# IndexServer, and is expressed in minutes.
#
# If you have a fast internet connection, the default value of sending the
# index every ten (10) minutes should be adequate. If you have a slower
# internet connection, one that is somewhat unreliable, or a very large
# number of resources on your server (e.g., 20-30,000 resources), then
# you may want to increase the timeout value to 60 or 120 (1 or 2 hours).
#
sendtoindexserver.timeout=10

# This variable controls how the index is sent to the indexserver.
#
# The default method for sending the index to the indexserver is to package
# the entire index into one file and transmit it to the indexserver. For
# servers with a large number of resources or that are very actively updated,
# the amount of data being transmitted can be reduced by sending just the
# information about what has changed to the indexserver and integrating that
# information on the indexserver. If there are any errors in the transmission,
# the entire index will be sent, and incremental updating will resume afterwards.
sendtoindexserver.incremental=true

# This variable controls if protected resources should be kept in the index
#
# The indexserver currently has no way to authenticate permissions on cmap-
# servers configured with LDAP permissions. These servers can still send
# their indices to the indexserver, but may remove all of the resources that
# are not publicly viewable from the index beforehand. This is solely an efficiency
# concern on the indexserver.
sendtoindexserver.removeHidden=true

# Whether to create the index that allows you to search for cmaps
# and resources. The default is true.
index.create=true

#
# Controls whether the topology values are generated for concept maps.
# The topology generation code is currently under development and
# may sometimes cause the indexer to stall. The default is true.
index.generate.topology.value=true

# The server can be contacted using either normal, ssl or pki
# connection mode.
#
# In ssl mode, all data is encrypted for secure communication.
# In pki mode, the server activates the SSL connection mode, but it uses
# PKI infrastructure to authenticate clients.
#
# Administrators can configure the server to operate using normal, ssl
# or pki mode.
#
# IMPORTANT: It is highly recommended not to change the connection mode after
# the server has become operational (except when changing from ssl to pki
# or vice versa). All links pointing to resources in this server will be
# broken because the webserver changes its protocol from http to https
# or vice versa, while the URL of the link remains the same.
#
server.connection.mode=normal

###############################################################################
#
# SSL OPTIONS
#
# The path to the keystore that contains a valid X.509 SSL server certificate.
#
# If not specified, the server will generate a self-signed certificate to be
# stored in its default keystore with a random password.
#
ssl.keystore=

# The password for accessing the keystore specified in ssl.keystore, if any.
#
# IMPORTANT: Once the server is launched, the password will be encrypted.
# To replace the encrypted password: shutdown the server, remove the
# encrypted_<some random characters>\\= (no quotes) value completely,
# type in the new password for the value, then save this file and launch the
# CmapServer again. All passwords that were replaced in this file will again
# be encrypted once the CmapServer has been launched.
#
ssl.keystore.password=

###############################################################################
#
# PKI Configuration
#
# Parameters to request a new certificate from a website via PKCS10 enrollment.
#
# pki.csr.url
# - URL to which the PKCS10 certificate request should be sent.
#
# pki.csr.url.params
# - optional params to post before sending the certificate request.
#
# pki.csr.subject
# - distinguished name of the subject of the certificate request.
#
# If set, the server will try to request a new certificate from the CA,
# otherwise, it will use the keystore file specified by pki.keystore (see
# below).
#
pki.csr.url=

pki.csr.url.params=

pki.csr.subject=

# The path to the PKCS12 file containing the server's certificate and
# its private key.
#
pki.keystore=

# The password for accessing the server's keystore.
#
# IMPORTANT: Once the server is launched, the password will be encrypted.
# To replace the encrypted password: shutdown the server, remove the
# encrypted_<some random characters>\\= (no quotes) value completely,
# type in the new password for the value, then save this file and launch the
# CmapServer again. All passwords that were replaced in this file will again
# be encrypted once the CmapServer has been launched.
#
pki.keystore.password=

# The URL to import the CA trusted certificate from a web server.
#
# If set, the server will try to download the CA trusted certificate
# from the given URL, otherwise, it will use the certificate file
# specified by pki.ca.certificate (see below).
#
pki.ca.cert.url=

# The path to the X.509 file containing the CA trusted certificate.
#
pki.ca.certificate=

# The hostname of the LDAP server to retrieve Certificate
# Revocation Lists (CRLs).
#
# This value is optional. If no LDAP host is specified, no certificate
# revocation checking will be performed.
#
pki.ldap.host=

# The port number of the LDAP server.
#
# Default is: 389
#
pki.ldap.port=389

# Specifies which security protocol is used to contact the LDAP server.
# Two security protocols are supported: TLS and SSL
#
# Default is: tls
#
pki.ldap.mode=tls

###############################################################################
#
# Server and Embedded Web Server Configuration
#
# The webserver.program.name variable tells the CMapServerShell which
# webserver to try to instantiate.
#
# The webserver.home.directory variable tells the cmapserver the
# home directory of the webserver that it is instantiating.
#
# Examples:
# webserver.program.name=lite.webserver
# webserver.home.directory=../lws
# webserver.program.name=jigsaw.webserver
# webserver.home.directory=../jigsaw/jigsaw
# Enables/disables the logger of the web server.
#
# Default is: false
#
webserver.logging.enabled=false

# Sets the root folder (the webapps directory) of the webserver.
# This is the directory that contains the index.html file.
#
# This option applies only when the webserver program is tomcat.webserver.
#
# If not set, it defaults to TOMCAT_HOME/webapps/ROOT.
#
webserver.root.folder=

# server.id=
# Specifies the folder in the machine's file system used by the server
# to store the cmaps and resources.
#
server.rootfolder=../serverRootFolder

save.as.xml=false

# The name of the server.
# This is the name that will be displayed in the Views of CmapTools.
#
# Example: My CmapServer
#
server.name=VIA University College CMAP03 (DK)

# The organization to which this server belongs to.
#
# Example: My Organization
#
server.org=

# The port number of the server.
# CmapTools clients will contact the server on this port.
#
# Default is '4447'
#
server.port=4447

# The port number of the embedded web server.
#
# Under non-Windows systems, it may be necessary to change the value
# of this port to a number above 1024 if the server cannot run
# with administrative privileges (usually the 'root' account).
#
# Default is '80'
#
webserver.port=80

# Host address of the name server used by some services (DTs) to
# resolve domain names for sending email notifications.
#
nameserver=ns.ihmc.us

###############################################################################
#
# AdminTool and Root Folder Administration Account Configuration
#
# IMPORTANT: Once the server is launched, the values for any password parameter
# in this file, including values for the admin.password= and
# root.folder.password=, will be encrypted.
# To replace any encrypted password: shutdown the server, remove the
# encrypted_<some random characters>\\= (no quotes) value completely,
# type in the new password for the value, then save this file and launch the
# CmapServer again. All passwords that were replaced in this file will again
# be encrypted once the CmapServer has been launched.
#
# These options specify the username and password to access the server
# through the AdminTool program. The contact email address (optional) is used by
# the server to send notifications about startup problems or shutdown events.
#
admin.account=DELETED!

admin.password=DELETED!

admin.email.address=

#
# These options specify the username and password of the server's root
# folder administrator.
#
root.folder.account=DELETED!

root.folder.password=DELETED!

################################################################################
#
# Logging Configuration
#
# Enable logging.
#
# Default is 'yes'
#
logger.enabled=yes

# This option specifies the path to the directory where log files are created.
#
# %h = user home directory
# %t = user temporary directory
#
# Default is: '%h/logs'
#
logger.file.path=../logs

# This option specifies the prefix of the log file name. The log file name is
# generated using this prefix and a counter. For example: logfile0.log,
# logfile1.log, etc. being logfile0.log the most recently modified.
#
# Default is 'logfile'
#
logger.file.prefix=cmapserver

# This option specifies the maximum size in bytes of each log file.
# When the maximum size is reached, a new log file is created.
#
# Default is '1048576' (1 MB)
#
logger.file.size=5242880

# This option specifies the maximum number of log files that can be created.
# When the maximum number is reached, the files are rotated by removing the
# oldest log file.
#
# Default is '10'
#
logger.file.number=10

###############################################################################
#
# Collaboration Configuration
#
# The collaboration.audio variable indicates whether audio chat is permitted during
# Synchronous Collaboration sessions on this server. Set to enabled is permitted;
# otherwise set to disabled.
#
collaboration.audio=disable

# Maximum number of clients that can collaborate simultaneously relative to the
# number of clients that can be served concurrently in this CmapServer (see
# concurrent.client.limit). If '0' (0%), the number of collaboration clients
# is unlimited and bound by the maximum number of clients that this CmapServer
# can serve concurrently.
#
# It is recommended to always set a limit in the number of collaboration clients,
# otherwise, the CmapServer will be unable to handle further requests once
# all threads are taken by collaboration clients.
#
# Default is '80' (80% of concurrent.client.limit).
#
collaboration.max.clients=80

###############################################################################
#
# LDAP Configuration for Permissions
#
# These settings enable the CmapServer to use an LDAP directory for user
# authentication when defining permissions for folders.
# Authentication mode: standard permissions, LDAP permissions, or both
# If this line is missing or blank, then standard permissions is assumed
# Valid values: authentication.standard
# authentication.ldap
#
# Example (for both): user.authentication = authentication.standard,authentication.ldap
#
### THIS IS FOR MIXED MODE
#user.authentication=authentication.standard,authentication.ldap
### THIS IS FOR LDAP ONLY MODE
user.authentication=authentication.ldap

##user.authentication=authentication.ldap
# User ID of the root folder administrator for an LDAP-enabled server.
# This User ID should match an entry in the LDAP server.
#
ldap.root.folder.account=DELETED!

# Password of the root folder administrator for an LDAP-enabled server.
# This password should match the password stored in the LDAP server.
#
# IMPORTANT: Once the server is launched, the password will be encrypted.
# To replace the encrypted password: shutdown the server, remove the
# encrypted_<some random characters>\\= (no quotes) completely,
# type in the new password for the value, then save this file and launch the
# CmapServer again. All passwords that were replaced in this file will again
# be encrypted once the CmapServer has been launched.
#
ldap.root.folder.password=DELETED!

# IP address or hostname of the LDAP server
#
# Example: ldap.user.directory.ip = myhost.mydomain.com
#
ldap.user.directory.ip=dc-aarh01

# Port number of the LDAP server
#
ldap.user.directory.port=389

# Protocol to use for communication with the LDAP server.
# If a secure mode is selected, the certificates from the PKI
# settings above will be used, if they have been specified.
# Valid values: normal, tls, or ssl
#
# Example: ldap.user.directory.connection.mode=normal
ldap.user.directory.connection.mode=normal

# DN of the container where individual users are stored
#
# Example: ldap.user.directory.usersBaseDN = ou=People,dc=mydomain,dc=com
#
##ldap.user.directory.usersBaseDN=ou\=8200_Hedeager_2,ou\=bioanalytikeruddannelsen,ou\=studerende,dc\=via,dc\=dk
ldap.user.directory.usersBaseDN=dc\=via,dc\=dk

# DN of the container where groups are stored
#
# Example: ldap.user.directory.groupsBaseDN = ou=Groups,dc=mydomain,dc=com
#
ldap.user.directory.groupsBaseDN=ou\=8200_Hedeager_2,ou\=bioanalytikeruddannelsen,ou\=studerende,dc\=via,dc\=dk

# Name of the attribute which holds the user's ID
#
ldap.user.directory.userAttr=userprincipalname

# Name of the attribute which holds the group's ID
#
ldap.user.directory.groupAttr=cn

# LDAP debug logging (may greatly increase size of log file)
ldap.user.directory.debug=false

# This option specifies whether or not the server should cache the table of
# contents (TOC) of the root folder and send the cached value back to the
# client, or whether it should simply serialize the root folder TOC every time
# it is requested, which can be a very expensive operation.
#
# It is recommended that for large root folders, this value should be set
# to 'true'. If this flag is absent, the value defaults to 'false'.
#
cache.root.folder.toc=true

# Boolean that determines whether or not the server should generate thumbnails for:
# 1. Each resource whose major mimetype is image (e.g. .jpg, .png, .gif, .bmp)
# 2. Each .cmap file that is a zipfile containing a htmljpeg part.
# The thumbnails themselves are also jpeg's. Each thumbnail gets stored in the
# ResourceInfo of the resource to which it pertains.
#
generate.thumbnails=true

# Boolean that determines whether or not the server should erase all thumbnails
# at startup (while reindexing all the resources)
# This can be used in conjunction with generate.thumbnails. E.g., if you want
# to regenerate all thumbnails, you can set erase.thumbnails to true and set
# generate.thumbnails to true.
# If you want to just remove all thumbnails from your system, you should set
# erase.thumbnails to true and generate.thumbnails to false
#
erase.thumbnails=false

# #############################################################################
#
# Advanced Server Configuration
#
# WARNING: Unless strictly necessary, we recommend not to change these values
# as it may affect the server's performance and availability.
#
# Maximum number of client connections the server can handle simultaneously.
# If the number of client connections being handled simultaneously reaches this
# maximum, further accepted connections will be put in a queue (see
# server.socket.backlog).
#
# Default is: 100
#
concurrent.client.limit=100

# Maximum number of client connections that can be accepted while the server
# is busy. If the number of client connections waiting in the queue reaches
# this maximum, further connection attempts will be refused.
#
# Default is: 47
#
server.socket.backlog=47

# Time in milliseconds the server will wait for the client request to arrive.
# If the request times out, the connection is dropped.
#
# Default is: 30000 (30 seconds)
#
request.read.timeout=30000

# Time in milliseconds the server will keep a persistent connection open.
# If the persistent connection times out, the connection is closed.
#
# Default is: 10000 (10 seconds)
#
persistent.connection.lifetime=10000

# This option specifies the maximum number of resource descriptors that are
# stored on disk (known as ResourceInfo objects) that the server will cache
# in memory to increase response time.
#
# A very large value will require a considerable amount of memory, but it
# will improve the response time of the server. On the other hand, a shorter
# value will require less memory, but the server will take more time to
# respond as it constantly needs to read data from disk.
#
# Default is '2000'
#
project.cache.size=2000

# The CmapServer is capable of sending three types of email messages:
# 1. Status messages sent by the CmapServer's administrator(s).
# Examples of notification messages sent by the CmapServer are:
# a. The CmapServer has successfully restarted and is now servicing clients.
# b. The CmapServer attempted to restart but failed.
# c. The CmapServer has detected a severe error and must shut down.
# 2. Discussion thread messages. Each user of CmapTools can request to be notified
# if a new discussion thread message has been posted to a particular discussion
# thread on this CmapServer.
# 3. Request for a forgotten account and password. Sometimes a user of CmapTools
# might attempt to perform an operation (e.g. save a Cmap) in a folder for which
# the CmapServer claims that the user has no permission to perform that
# operation. The user will be prompted for a userid and password. If the user
# still believes that he does have permissions on that folder, he may request
# his permissions list, along with the corresponding userid and password
# necessary to perform the desired action. If the credentials in the user's
# profile match the credentials stored in one or more permissions lists in the
# folder, the CmapServer will attempt to send an email to the email address
# stored with the permissions list.
#
# Explanation of what mail fields are mandatory, which are optional, and which
# are only useful in certain cases.
# mail.smtp.host always mandatory
# mail.smtp.port always mandatory
# mail.smtp.transport always mandatory
# mail.cmapserver.email.address always mandatory
# mail.smtp.transport always mandatory; must be either NORMAL or SSL
# mail.smtp.authentication.userid only if SMTP server requires authentication
# mail.smtp.authentication.password only if SMTP server requires authentication
# mail.cmapserver.status.recipients only for status emails
#
# mail.smtp.fallback.port only useful if you know that the SMTP server
# provides both SSL and NORMAL transport, and you have set mail.smtp.transport to
# SSL and you have set mail.smtp.port to the SMTP server's SSL port. If the SSL
# fails, the CmapServer will automatically attempt NORMAL transport over the port
# value supplied here.
#
# The DNS or IP address of the SMTP server to which the CmapServer should connect.
# Always mandatory.
#
# Example: mail.smtp.host = smtp.domain.com
#
mail.smtp.host=10.253.22.151

# The SMTP port number on which the CmapServer should connect to the SMTP server.
# Always mandatory.
#
# Example: mail.smtp.port = 25
#
mail.smtp.port=25

# This field is not provided in the CmapServer Installation program. It will only
# be used by the CmapServer if mail.smtp.transport is set to SSL and the CmapServer
# fails to connect via SSL to the SMTP server on the specified port.
# Not mandatory. Leaving it blank is the same as setting it to 25.
#
# Example: mail.smtp.fallback.port = 25
#
mail.smtp.fallback.port=

# The transport protocol specified by the SMTP server. May not be blank.
# Only one value may be specified. If more than one value is specified, the first
# value found will be used. Allowed values are NORMAL and SSL
# Always mandatory.
#
# Example: mail.smtp.transport = normal
#
mail.smtp.transport=normal

# The userid and password for authenticating with the SMTP server.
# Mandatory if and only if the SMTP server requires authentication.
# NOTE: If the SMTP server does not require authentication, leave these blank!
#
# Example: mail.smtp.authentication.userid = no-reply
# mail.smtp.authentication.password = p@ssw0rd
#
mail.smtp.authentication.userid=

mail.smtp.authentication.password=

# The email address in the From: header of all emails sent by the CmapServer
# Mandatory for the sending of all emails. For some SMTP servers, the userid in
# this email address must match the userid in mail.smtp.authentication.userid
#
# Example: mail.cmapserver.email.address = no-reply@domain.com
#
mail.cmapserver.email.address=cmap03@via.dk

# The list of e-mail addresses that should receive CmapServer status notifications.
# White space and commas are interpreted as separators.
# These email addresses will appear in the To: header of each status message sent by the CmapServer.
# Mandatory only for the CmapServer to send out status messages.
#
# Example: mail.cmapserver.status.recipients = admin1@domain.com, admin2@gmail.com, admin3@hotmail.com
#
mail.cmapserver.status.recipients=DELETED!

server.id=1P8FZYRW2-TZ3SJF-1
jlott
Posts: 9
Joined: Tue Mar 31, 2009 6:05 pm

Re: Help! LDAP, permissions error when making a folder.

Post by jlott »

Thanks for the information, this is helpful.

Could you also please upload your entire server log file as well? I need to see it from the beginning to make some determinations.

Rather than copying and pasting, you can also upload attachments when you post a reply. Below the reply window, there is a tab "Upload attachment" which will let you add files.

Thanks!
jlott
Posts: 9
Joined: Tue Mar 31, 2009 6:05 pm

Re: Help! LDAP, permissions error when making a folder.

Post by jlott »

Actually, I think the lines you copied and pasted from your logfile contain enough information for us to go on.

It looks like your ActiveDirectory server is returning a different error code than we have seen in the past. Unlike a standard LDAP server which returns known errors which we then handle, ActiveDirectory servers tend to return generic errors with the error code and reason hidden in the text of the error. We will need to add a special case to handle this error code.

This fix will require a new release of the CmapServer. We'll post another update when it's ready.
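The two points made in this thread (the folder lookup runs before any bind, while the permission edit needs an authenticated bind; and Active Directory hides its real reason inside the text of a generic LDAP error) can be turned into a small log-triage helper. This is an added example written for this page, not CmapServer code: it parses the AD-style `javax.naming` error lines CmapServer writes (the line quoted above plus a second, constructed bind-rejection line in the same format) and classifies them. The `data` sub-code table and the LDAP result-code names are standard AD/RFC 4511 values, not something this thread states.

```python
"""Triage AD-flavoured LDAP errors from a CmapServer log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: entry 1 is the line pasted in this thread; entry 2 is a
# made-up bind rejection in the same Active Directory message format.
SAMPLE_LOG = """\
There appears to be a problem with the Directory Server.
(CLASS: nlk.base.LDAPAuthenticator METHOD: authenticateUser LINE: 33)
nlk.acl.directory.DirectoryXcp: javax.naming.NamingException: [LDAP: error code 1 - 000004DC: LdapErr: DSID-0C09072B, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v2580
(CLASS: nlk.base.LDAPAuthenticator METHOD: authenticateUser LINE: 33)
nlk.acl.directory.DirectoryXcp: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v2580
"""

# Where in the server code the error was raised, e.g. "(CLASS: x METHOD: y LINE: 33)".
LOCATION_RE = re.compile(r"\(CLASS: (?P<cls>\S+) METHOD: (?P<method>\S+) LINE: (?P<line>\d+)\)")

# AD wraps a Win32-style hex code, a DSID, a free-text comment and a 'data'
# sub-code inside the message of an otherwise generic LDAP result code.
AD_ERROR_RE = re.compile(
    r"javax\.naming\.(?P<exc>\w+): \[LDAP: error code (?P<result>\d+) - "
    r"(?P<adcode>[0-9A-Fa-f]{8}): LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), "
    r"comment: (?P<comment>.*?), data (?P<data>[0-9A-Fa-f]+), v(?P<ver>[0-9A-Fa-f]+)"
)

# RFC 4511 result codes seen most often from a directory bind/search.
LDAP_RESULT_NAMES = {0: "success", 1: "operationsError", 32: "noSuchObject", 49: "invalidCredentials"}

# AD 'data' sub-codes that accompany result 49 (AcceptSecurityContext error).
AD_DATA_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials",
    "530": "not permitted to log on at this time",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}


@dataclass
class AdLdapError:
    exception: str
    result: int
    ad_code: str
    dsid: str
    comment: str
    data: str
    cls: Optional[str] = None
    method: Optional[str] = None
    line: Optional[int] = None


def parse_log(text: str) -> List[AdLdapError]:
    """Return one AdLdapError per AD-style error line, with its preceding location."""
    errors: List[AdLdapError] = []
    loc = None
    for raw in text.splitlines():
        m_loc = LOCATION_RE.search(raw)
        if m_loc:
            loc = m_loc  # remember the most recent CLASS/METHOD/LINE marker
            continue
        m = AD_ERROR_RE.search(raw)
        if not m:
            continue
        err = AdLdapError(m["exc"], int(m["result"]), m["adcode"], m["dsid"],
                          m["comment"], m["data"])
        if loc:
            err.cls, err.method, err.line = loc["cls"], loc["method"], int(loc["line"])
        errors.append(err)
    return errors


def classify(err: AdLdapError) -> str:
    """Map the AD message onto an actionable category."""
    if err.result == 1 and "bind must be completed" in err.comment:
        # The operation reached AD on a connection that never bound: the search
        # by userId works anonymously, but anything needing an authenticated
        # bind (the permission edit in this thread) fails here. Per the thread,
        # check ldap.root.folder.account / ldap.root.folder.password first.
        return "NOT_BOUND"
    if err.result == 49:
        reason = AD_DATA_SUBCODES.get(err.data.lower(), "unknown sub-code " + err.data)
        return "BIND_REJECTED:" + reason
    return "OTHER:" + LDAP_RESULT_NAMES.get(err.result, str(err.result))


if __name__ == "__main__":
    for e in parse_log(SAMPLE_LOG):
        print(f"{e.method}:{e.line} result={e.result} ad={e.ad_code} -> {classify(e)}")
```

Run it over a real `cmapserver*.log` by replacing `SAMPLE_LOG` with the file contents; the `data` sub-code is what distinguishes a wrong password from a locked or disabled service account.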
Xthorvald
Posts: 14
Joined: Thu Aug 27, 2015 4:49 am

Re: Help! LDAP, permissions error when making a folder.

Post by Xthorvald »

Thanks a lot :) Will keep a keen eye on here!

And thanks a lot
cmapadmin
Site Admin
Posts: 793
Joined: Sat Dec 13, 2008 2:22 pm

Re: Help! LDAP, permissions error when making a folder.

Post by cmapadmin »

We found a bug in the CmapServer that may be the cause of this problem.

Try the new build with a fix at:

ftp://ftp.ihmc.us/DownloadCmapTools/CmapServer/

with "150904" in the filename (Sept 4, 2015).