LDAP Identity Service is not working


Manuel Gnerlich

Jun 19, 2014, 7:40:48 AM
to camunda-...@googlegroups.com
Hello,

I am not good at LDAP, but I want to try it together with Camunda. There is no tutorial for that, so I describe my problem.

I set up an LDAP server locally and added my account to LDAP:

camunda.ldif

dn:cn=Matthias,dc=localhost
objectclass:person
objectClass:inetOrgPerson
sn:Mustermann
cn:Matthias
mail:nob...@nobody.de
userpassword:manu
uid:manu

Command line:
ldapadd -x -D cn=admin,dc=localhost -W -f camunda.ldif

ldapsearch -H ldapi:/// -x -D "cn=Matthias,dc=localhost" -b "dc=localhost" -W
Enter LDAP Password: 
# extended LDIF
#
# LDAPv3
# base <dc=localhost> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# localhost
dn: dc=localhost
objectClass: dcObject
objectClass: organization
o: localhost
dc: localhost
description: Tree root 
 
# Matthias, localhost
dn: cn=Matthias,dc=localhost
objectClass: person
objectClass: inetOrgPerson
sn: Gnerlich
cn: Matthias
mail: nob...@nobody.de
userPassword:: bWFudQ==
uid: manu

Connecting to the LDAP server works from the command line.

I configured bpm-platform.xml:

<!-- LDAP CONFIGURATION -->
<!-- Uncomment this section in order to enable LDAP support for this process engine -->
<plugin>
  <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
  <properties>

    <property name="serverUrl">ldap://localhost:389/</property>
    <property name="managerDn">cn=admin,dc=localhost</property>
    <property name="managerPassword">manumanu</property>

    <property name="baseDn">dc=localhost</property>

    <property name="userSearchBase"></property>
    <property name="userSearchFilter">(objectclass=person)</property>

    <property name="userIdAttribute">uid</property>
    <property name="userFirstnameAttribute">cn</property>
    <property name="userLastnameAttribute">sn</property>
    <property name="userEmailAttribute">mail</property>
    <property name="userPasswordAttribute">userpassword</property>

    <property name="groupSearchBase"></property>
    <property name="groupSearchFilter">(objectclass=groupOfNames)</property>
    <property name="groupIdAttribute">ou</property>
    <property name="groupNameAttribute">cn</property>

    <property name="groupMemberAttribute">member</property>

  </properties>
</plugin>

<!-- LDAP CONFIGURATION -->
<!-- The following plugin allows you to grant administrator authorizations to an existing LDAP user -->
<plugin>
  <class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
  <properties>
    <property name="administratorUserName">admin</property>
  </properties>
</plugin>


Tomcat starts without problems and connects to the LDAP server. But I cannot log on to Cockpit or Tasklist with my account, and I cannot see anything more in the log file about the failure. What is wrong?

Thank you for your help.

Manuel

Manuel Gnerlich

Jun 19, 2014, 4:35:15 PM
to camunda-...@googlegroups.com
Maybe this helps to find the problem.

LDAP log:
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1139 fd=18 ACCEPT from IP=127.0.0.1:55692 (IP=0.0.0.0:389)
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1139 op=0 BIND dn="cn=admin,dc=localhost" method=128
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1139 op=0 BIND dn="cn=admin,dc=localhost" mech=SIMPLE ssf=0
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1139 op=0 RESULT tag=97 err=0 text=
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1139 op=1 SRCH base="dc=localhost" scope=2 deref=3 filter="(&(objectClass=person)(uid=manu))"
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1139 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1139 op=2 UNBIND
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1139 fd=18 closed
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1140 fd=18 ACCEPT from IP=127.0.0.1:55693 (IP=0.0.0.0:389)
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1140 op=0 BIND dn="cn=gerd,dc=localhost" method=128
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1140 op=0 BIND dn="cn=gerd,dc=localhost" mech=SIMPLE ssf=0
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1140 op=0 RESULT tag=97 err=0 text=
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 fd=24 ACCEPT from IP=127.0.0.1:55694 (IP=0.0.0.0:389)
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 op=0 BIND dn="cn=admin,dc=localhost" method=128
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 op=0 BIND dn="cn=admin,dc=localhost" mech=SIMPLE ssf=0
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 op=0 RESULT tag=97 err=0 text=
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 op=1 SRCH base="dc=localhost" scope=2 deref=3 filter="(&(objectClass=person)(uid=manu))"
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 op=2 SRCH base="dc=localhost" scope=2 deref=3 filter="(&(objectClass=groupOfNames)(member=cn=Matthias,dc=localhost))"
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 op=3 UNBIND
Jun 19 22:33:34 Gnerlich slapd[19519]: conn=1141 fd=24 closed

webcyberrob

Jun 19, 2014, 5:28:40 PM
to camunda-...@googlegroups.com
Hi,

My suggestion would be to get an LDAP client and run the engine's queries through the LDAP client so that you can see what's going on. In my experience there's quite a lot of LDAP background knowledge required, as it's not a case of one size fits all.

To help you, the engine basically performs two LDAP operations. The first authenticates the person, the second extracts their group membership and then authorizes their access based on group authorisations configured in the engine. The group membership LDAP query is probably the most effort to get working.

From your log, the group membership query is currently:
(&(objectClass=groupOfNames)(member=cn=Matthias,dc=localhost))

Hence if you were to enter this into an interactive LDAP client, you will see what's coming back. Ideally you need this query to return the set of groups for the user. Hopefully you can see how the query is made up from the configuration items. The trick is to understand the schema in your LDAP store and match your configuration to your schema.

regards

Rob
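An added example, not code from this thread or from the Camunda project, that composes the two queries Rob describes from the plugin's configuration items and runs them against a tiny in-memory directory built from the LDIF posted later in this thread. The query shapes are inferred from the slapd log above; the in-memory matcher, the entries and the mail value are constructed for illustration. Because the login name is spliced into the first filter, the example escapes it per RFC 4515 before use.

```python
import re

# Configuration items as posted in this thread (the camunda test config).
CFG = {
    "userSearchFilter": "(objectclass=person)",
    "userIdAttribute": "uid",
    "groupSearchFilter": "(objectclass=groupOfNames)",
    "groupIdAttribute": "cn",
    "groupMemberAttribute": "member",
}

# Constructed in-memory directory, modelled on the LDIF in this thread
# (attribute names lower-cased; the mail value is a placeholder).
ENTRIES = [
    {
        "dn": "uid=ozzy,ou=users,ou=qa-test,o=camunda,c=com",
        "objectclass": ["posixAccount", "inetOrgPerson", "person", "top"],
        "uid": ["ozzy"],
        "cn": ["Ozzy"],
        "sn": ["Ozzy"],
        "mail": ["ozzy@example.invalid"],
    },
    {
        "dn": "cn=accounting,ou=roles,ou=qa-test,o=camunda,c=com",
        "objectclass": ["groupOfNames"],
        "cn": ["accounting"],
        "member": ["uid=ozzy,ou=users,ou=qa-test,o=camunda,c=com"],
    },
]

# One "(attr=value)" clause; the matcher only handles an AND of such clauses.
_CLAUSE = re.compile(r"\(([^=()]+)=([^()]*)\)")


def escape_filter_value(value):
    """RFC 4515 escaping for a value spliced into a search filter.

    The user id comes straight from the login form, so without this a
    value such as 'a)(uid=*' would rewrite the filter instead of being
    matched literally.
    """
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def unescape_filter_value(value):
    return re.sub(r"\\([0-9a-fA-F]{2})",
                  lambda m: chr(int(m.group(1), 16)), value)


def user_query(cfg, user_id):
    """Step 1: look up the entry for the login name (shape as in the slapd log)."""
    return "(&%s(%s=%s))" % (cfg["userSearchFilter"],
                             cfg["userIdAttribute"],
                             escape_filter_value(user_id))


def group_query(cfg, user_dn):
    """Step 2: find groups whose member attribute holds the user's DN."""
    return "(&%s(%s=%s))" % (cfg["groupSearchFilter"],
                             cfg["groupMemberAttribute"],
                             escape_filter_value(user_dn))


def _matches(entry, filter_str):
    """Evaluate an AND of equality/presence clauses. Case-insensitive
    comparison stands in for the real per-attribute LDAP matching rules."""
    clauses = _CLAUSE.findall(filter_str)
    for attr, raw in clauses:
        values = [v.lower() for v in entry.get(attr.lower(), [])]
        if raw == "*":
            if not values:
                return False
        elif unescape_filter_value(raw).lower() not in values:
            return False
    return bool(clauses)


def search(entries, filter_str):
    """Return the DNs of all entries matching the filter."""
    return [e["dn"] for e in entries if _matches(e, filter_str)]


def groups_for_login(cfg, entries, user_id):
    """Run both steps; None unless the login resolves to exactly one entry."""
    hits = search(entries, user_query(cfg, user_id))
    if len(hits) != 1:
        return None
    user_dn = hits[0]
    gid_attr = cfg["groupIdAttribute"].lower()
    groups = [e for e in entries if _matches(e, group_query(cfg, user_dn))]
    return user_dn, sorted(v for g in groups for v in g.get(gid_attr, []))


if __name__ == "__main__":
    for login in ("ozzy", "a)(uid=*"):
        print(user_query(CFG, login), "->", groups_for_login(CFG, ENTRIES, login))
```

Running it prints the composed filter for a normal login and for a login name containing filter metacharacters; the second resolves to no entry because the escaped characters are matched literally rather than interpreted. An interactive client such as ldapsearch against your own schema is still the thing to use for real troubleshooting, since this matcher ignores search bases and per-attribute matching rules.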

Manuel Gnerlich

Jun 20, 2014, 4:09:18 AM
to camunda-...@googlegroups.com
Hi Rob,

thank you for your reply. Ok, I will try it with an LDAP client. You wrote "...then authorizes their access based on group authorisations configured in the engine". How can I configure the group authorisations in the engine? I thought all persons and groups are only in LDAP, right?

Manuel

Manuel Gnerlich

Jun 20, 2014, 4:34:42 AM
to camunda-...@googlegroups.com
Hi rob,

Is it possible to get an example schema for using groups and users? I would be happy to use an example schema for Camunda. Thx

Manuel

stefan.h...@camunda.com

Jun 20, 2014, 5:21:01 AM
to camunda-...@googlegroups.com
Hi Manuel,

If you use the LDAP plugin all users and groups are stored only in LDAP. The authorization is saved for a group/user in the engine database.

I hope this helps you a little to understand the authorization mechanism in camundaBPM.


For testing LDAP we use the following simple LDAP structure:

First, our test LDAP tree:

o=camunda,c=com
|
|-- ou=qa-test,o=camunda,c=com
|
|-- ou=roles,ou=qa-test,o=camunda,c=com
| |
| |-- cn=accounting,ou=roles,ou=qa-test,o=camunda,c=com
|
|-- ou=users,ou=qa-test,o=camunda,c=com
| |
| |-- cn=ozzy,ou=users,ou=qa-test,o=camunda,c=com


This tree is only a snippet of the full testing tree.

I used Eclipse Apache Studio to export the following LDIF for the groups and users:

groups:
-------------------

version: 1

dn: cn=accounting,ou=roles,ou=qa-test,o=camunda,c=com
objectClass: groupOfNames
cn: accounting
member: uid=ozzy,ou=users,ou=qa-test,o=camunda,c=com
description: Kundenangebote, Standard Kundenablage, Marketing, usw.

user:
-------------------

version: 1

dn: uid=ozzy,ou=users,ou=qa-test,o=camunda,c=com
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: person
objectClass: top
cn: Ozzy
gidNumber: 1000
homeDirectory: /home/ozzy
sn: Ozzy
uid: ozzy
uidNumber: 1000
description: Ozzy Ozzy
givenName: Ozzy
mail: oz...@camunda.com
userPassword:: e1NIQX1yVVlPSmxXdnQwUTVjbFA1UzdjZTZYYk05Ync9

And we test it with the following ldap plugin configuration:

<plugin>
  <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
  <properties>
    <property name="serverUrl">ldap://ldap.camunda.com:636/</property>
    <property name="acceptUntrustedCertificates">true</property>
    <property name="managerDn"><ADMIN CN></property>
    <property name="managerPassword"><ADMIN PASSWORD></property>
    <property name="useSsl">true</property>
    <property name="baseDn">o=camunda,c=com</property>
    <property name="userSearchBase">ou=users,ou=qa-test</property>
    <property name="userSearchFilter">(objectclass=person)</property>
    <property name="userIdAttribute">uid</property>
    <property name="userFirstnameAttribute">cn</property>
    <property name="userLastnameAttribute">sn</property>
    <property name="userEmailAttribute">mail</property>
    <property name="userPasswordAttribute">userPassword</property>
    <property name="groupSearchBase">ou=roles,ou=qa-test</property>
    <property name="groupSearchFilter">(objectclass=groupOfNames)</property>
    <property name="groupIdAttribute">cn</property>
    <property name="groupNameAttribute">cn</property>
    <property name="groupMemberAttribute">member</property>
  </properties>
</plugin>

<plugin>
  <class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
  <properties>
    <property name="administratorUserName"><ADMIN USERNAME></property>
  </properties>
</plugin>

Only for information purpose:

I used the following guide to create the test-ldap: http://wiki.ubuntuusers.de/OpenLDAP


I hope this will help you to advance in this topic :-)

Cheers,

Stefan

stefan.h...@camunda.com

Jun 20, 2014, 5:22:11 AM
to camunda-...@googlegroups.com, stefan.h...@camunda.com
Oh, I forgot to mention that passwords are SHA encrypted :-)
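Stefan's remark refers to the `{SHA}` scheme prefix in the `userPassword::` line of the test LDIF above; the double colon means the value is base64-encoded. The following added example (not code from this thread, from slapd or from Camunda) decodes such lines and checks a candidate password against the stored form for the cleartext, `{SHA}` and `{SSHA}` cases. Apart from the two values copied from the thread, every hash it uses is constructed in the code and labelled as such.

```python
import base64
import hashlib
import hmac
import os


def decode_ldif_value(line):
    """Split one LDIF attribute line; 'attr:: value' carries base64."""
    attr, sep, rest = line.partition("::")
    if sep:
        return attr.strip(), base64.b64decode(rest.strip())
    attr, _, rest = line.partition(":")
    return attr.strip(), rest.strip().encode()


def scheme_of(stored):
    """Return the RFC 2307 scheme name ('SHA', 'SSHA', ...) or 'CLEARTEXT'."""
    if stored.startswith(b"{") and b"}" in stored:
        return stored[1:stored.index(b"}")].decode().upper()
    return "CLEARTEXT"


def make_sha(password):
    """Unsalted SHA-1, the scheme used in the thread's test LDIF (constructed here)."""
    return "{SHA}" + base64.b64encode(hashlib.sha1(password.encode()).digest()).decode()


def make_ssha(password, salt=None):
    """Salted SHA-1: digest over password||salt, salt appended after the digest."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def verify(stored, candidate):
    """Constant-time check of a candidate against a stored userPassword value."""
    scheme = scheme_of(stored)
    cand = candidate.encode()
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(stored, cand)
    payload = base64.b64decode(stored[stored.index(b"}") + 1:])
    if scheme == "SHA":
        return hmac.compare_digest(payload, hashlib.sha1(cand).digest())
    if scheme == "SSHA":
        digest, salt = payload[:20], payload[20:]
        return hmac.compare_digest(digest, hashlib.sha1(cand + salt).digest())
    raise ValueError("unsupported password scheme: " + scheme)


if __name__ == "__main__":
    # The two userPassword lines quoted in this thread.
    for line in ("userPassword:: bWFudQ==",
                 "userPassword:: e1NIQX1yVVlPSmxXdnQwUTVjbFA1UzdjZTZYYk05Ync9"):
        attr, value = decode_ldif_value(line)
        print(attr, scheme_of(value), value)
    # Constructed hashes for a round trip.
    print(verify(make_ssha("s3cret").encode(), "s3cret"))
```

Applied to the first post's export, `bWFudQ==` decodes to the literal password: ldapadd stores a plain `userpassword` value as given unless the server is configured to hash on write. `{SHA}` is an unsalted SHA-1 digest, so identical passwords produce identical stored values; `{SSHA}` appends a random salt and is the form to prefer if SHA-1 based schemes must be used at all. The comparison uses `hmac.compare_digest` so that verification time does not depend on where the candidate first differs.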