How to configure authentication using Active Directory


thu...@gmail.com

Sep 4, 2015, 12:59:34 AM
to camunda BPM users
Hi there,
Has anyone ever configured Camunda to use Active Directory authentication?
I configured it as follows, but it did not work. Camunda can connect to the LDAP server, but authentication fails:

<!-- LDAP CONFIGURATION -->
<!-- Uncomment this section in order to enable LDAP support for this process engine -->
<!-- Adjust configuration, see ( http://docs.camunda.org/latest/guides/user-guide/#process-engine-identity-service-the-ldap-identity-service ) -->

<plugin>
<class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
<properties>

<property name="serverUrl">ldap://****</property>
<property name="acceptUntrustedCertificates">true</property>
<property name="managerDn">uid=***,ou=***,dc=***,dc=***,dc=***</property>
<property name="managerPassword">****</property>

<property name="baseDn">DC=***,DC=***,DC=***</property>

<property name="userSearchBase"></property>
<property name="userSearchFilter">(&amp;(objectCategory=user)(objectClass=user))</property>

<property name="userIdAttribute">sAMAccountName</property>
<property name="userFirstnameAttribute">givenName</property>
<property name="userLastnameAttribute">sn</property>
<property name="userEmailAttribute">mail</property>
<property name="userPasswordAttribute">userPassword</property>

<property name="groupSearchBase">OU=Groups</property>
<property name="groupSearchFilter">(objectCategory=group)</property>
<property name="groupIdAttribute">distinguishedName</property>
<property name="groupNameAttribute">sAMAccountName</property>

<property name="groupMemberAttribute">member</property>

</properties>
</plugin>

<!-- LDAP CONFIGURATION -->
<!-- The following plugin allows you to grant administrator authorizations to an existing LDAP user -->

<plugin>
<class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
<properties>
<property name="administratorUserName">*****</property>
</properties>
</plugin>

Daniel Meyer

Sep 4, 2015, 2:30:25 AM
to camunda-...@googlegroups.com
Hi thuylx,

could you define "it was not work"? Do you get an exception?

Thanks!
Daniel

--
Camunda Technical Lead
Blog: http://long-running.net/
Twitter: @meyerdan

Thuy Le

Sep 4, 2015, 2:39:52 AM
to camunda BPM users
Hi Daniel,

I entered valid credentials (I am sure the username and password are correct) but could not log in.
The catalina log said:

WARNING: org.camunda.bpm.identity.impl.ldap.LdapAuthenticationException: Could not authenticate with LDAP server
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.openContext(LdapIdentityProviderSession.java:114)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.ensureContextInitialized(LdapIdentityProviderSession.java:124)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.findUserByQueryCriteria(LdapIdentityProviderSession.java:150)
at org.camunda.bpm.identity.impl.ldap.LdapUserQueryImpl.executeList(LdapUserQueryImpl.java:53)
at org.camunda.bpm.engine.impl.AbstractQuery.evaluateExpressionsAndExecuteList(AbstractQuery.java:179)
at org.camunda.bpm.engine.impl.AbstractQuery.executeSingleResult(AbstractQuery.java:189)
at org.camunda.bpm.engine.impl.AbstractQuery.singleResult(AbstractQuery.java:127)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.findUserById(LdapIdentityProviderSession.java:131)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.checkPassword(LdapIdentityProviderSession.java:275)
at org.camunda.bpm.engine.impl.cmd.CheckPassword.execute(CheckPassword.java:37)
at org.camunda.bpm.engine.impl.cmd.CheckPassword.execute(CheckPassword.java:24)
at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:97)
at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:32)
at org.camunda.bpm.engine.impl.IdentityServiceImpl.checkPassword(IdentityServiceImpl.java:99)
at org.camunda.bpm.webapp.impl.security.auth.UserAuthenticationResource.doLogin(UserAuthenticationResource.java:93)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:211)
at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:59)
at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:38)
at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:957)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:423)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1079)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:620)
at org.apache.tomcat.util.net.JIoEndpoint$SocketProcessor.run(JIoEndpoint.java:316)
at java.util.concurrent.ThreadPoolExecutor.runWorker(Unknown Source)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Unknown Source)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.connect(Unknown Source)
at com.sun.jndi.ldap.LdapCtx.<init>(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(Unknown Source)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(Unknown Source)
at javax.naming.spi.NamingManager.getInitialContext(Unknown Source)
at javax.naming.InitialContext.getDefaultInitCtx(Unknown Source)
at javax.naming.InitialContext.init(Unknown Source)
at javax.naming.ldap.InitialLdapContext.<init>(Unknown Source)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.openContext(LdapIdentityProviderSession.java:111)
... 63 more

Thuy Le

Sep 4, 2015, 6:34:21 AM
to camunda BPM users
Hi Daniel,
Sorry for the spelling mistake. My English is not so good.
Anyway, I have already posted the log file. Could you please help check it?
Please let me know if you need any more details.
Thank you very much in advance.



webcyberrob

Sep 4, 2015, 8:20:22 AM
to camunda BPM users
Hi,

The error and stack trace suggest that the Camunda engine is not able to authenticate to your AD server. Hence check that you have the correct username and password configured.

Note that the LDAP connector uses a 'system account' username and password in order to connect to the AD server. This is the manager name and password configured in the connector. Hence, make sure you have these correctly configured.


regards

Rob

Thuy Le

Sep 4, 2015, 11:20:52 AM
to webcyberrob, camunda BPM users

Hi,

I have already integrated some software with AD for authentication, so I know what the system account you mentioned is. In fact, I created a dedicated account to query AD. When I tried a wrong password, the Camunda log showed a different error message (cannot connect to LDAP server), so I think the system account information is correct.

I used my domain account for testing, so I am sure that the username and password I use to log in to Camunda are correct as well. Furthermore, I tried to telnet to the LDAP server and port, and the port is reachable. There should not be any network issue.

Do you have any example Camunda configuration file that uses AD for authentication?

Thank you and best regards,
Thuy Le

Thuy Le

Sep 9, 2015, 6:17:27 AM
to camunda BPM users
I changed managerDn from uid=***,ou=***,dc=***,dc=***,dc=*** to the format below, and it is working now:
user...@ad.local.domain

Thanks to Ingo Richtsmeier for his advice.
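The fix above comes down to giving the plugin a managerDn that Active Directory accepts for a simple bind (the UPN form); the AD "data 52e" in the earlier stack trace is its generic invalid-credentials code, and the plugin's first bind is with managerDn, not with the user who is logging in. The probe below is added here and is not part of the thread or of Camunda's code: it replays the plugin's three steps (manager bind as in openContext, user lookup with the thread's userSearchFilter and userIdAttribute, then a bind as the found user as in checkPassword) so each credential can be checked outside the engine. The server URL, base DN and service-account UPN are assumed placeholders, and the search filter uses JNDI's {0} substitution so the typed user id is escaped rather than spliced into the filter.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

/** Replays the plugin's three LDAP steps outside Camunda: manager bind, user lookup, user bind. */
public class AdBindProbe {
    // Assumed values, replace with your own; ldaps:// keeps the manager password off the wire.
    static final String SERVER_URL = "ldaps://dc01.ad.local.domain:636";
    static final String BASE_DN = "DC=ad,DC=local,DC=domain";
    static final String MANAGER = "svc-camunda@ad.local.domain"; // UPN form, as in the fix above

    // Simple bind, the same thing LdapIdentityProviderSession.openContext does with managerDn.
    static DirContext bind(String principal, String password) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, SERVER_URL);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, password);
        return new InitialDirContext(env);
    }

    // Resolves a sAMAccountName to its DN with the thread's userSearchFilter plus userIdAttribute.
    static String findUserDn(DirContext ctx, String userId) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[] {"distinguishedName"});
        // {0} is escaped by JNDI, so the id typed at the login form cannot alter the filter
        NamingEnumeration<SearchResult> hits = ctx.search(BASE_DN,
            "(&(objectCategory=user)(objectClass=user)(sAMAccountName={0}))", new Object[] {userId}, sc);
        if (!hits.hasMore()) throw new NamingException("no user with sAMAccountName " + userId);
        return hits.next().getNameInNamespace();
    }

    public static void main(String[] args) throws NamingException {
        String userId = args[0], userPassword = args[1], managerPw = System.getenv("MANAGER_PW");
        DirContext mgr;
        try { mgr = bind(MANAGER, managerPw); }            // "data 52e" here = AD rejected managerDn/password
        catch (AuthenticationException e) { System.err.println("manager bind rejected: " + e.getMessage()); return; }
        String userDn = findUserDn(mgr, userId);
        mgr.close();
        // Second bind as the user's own DN: this is what checkPassword does after findUserById.
        try { bind(userDn, userPassword).close(); System.out.println("login OK for " + userDn); }
        catch (AuthenticationException e) { System.err.println("user bind rejected: " + e.getMessage()); }
    }
}
```

Run it with the user id and password as arguments and the service-account password in MANAGER_PW; a failure in the first bind points at managerDn/managerPassword, a failure in the second at the user's credentials or the search filter.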