configure LDAP Identity Service - difficult ldap setup


Markus Schulz

Oct 20, 2014, 10:42:00 AM
to camunda-...@googlegroups.com
Hello,

I have an LDAP server (OpenDJ) with a layout like:

- two group search bases with GlobalGroups and LocalGroups (local => for one camunda/application server setup, created under one ou=...)
- each local group can appear multiple times, for example each ou=... can have a local group named employees.
- more than one user search base with global users (can access multiple apps) and local ones (local to one camunda/application server setup)
- every user has a mix of Global and LocalGroups.
I hope with the above description the LDAP schema is clear.

I've tried the following LDAP config setup:
class=org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin,\
properties={\
serverUrl="ldap://ldapserver:389/",\
managerDn="manager",\
managerPassword="password",\
baseDn="dc=example,dc=org",\
userSearchFilter="(objectclass=inetOrgPerson)",\
userIdAttribute="uid",\
userFirstnameAttribute="givenName",\
userLastnameAttribute="sn",\
userEmailAttribute="mail",\
userPasswordAttribute="userpassword",\
groupSearchFilter="(objectclass=groupOfUniqueNames)",\
groupNameAttribute="cn",\
groupTypeAttribute="cn",\
groupIdAttribute="cn",\
groupMemberAttribute="uniqueMember"\
}\

But this way I always got the exception:
16:18:55,447 WARNING [ExceptionHandler] (http-/0.0.0.0:8080-8) org.camunda.bpm.engine.ProcessEngineException: Query return 3 results instead of max 1
at org.camunda.bpm.engine.impl.AbstractQuery.executeSingleResult(AbstractQuery.java:160)
at org.camunda.bpm.engine.impl.AbstractQuery.singleResult(AbstractQuery.java:104)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.getDnForGroup(LdapIdentityProviderSession.java:426)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.findUsersByGroupId(LdapIdentityProviderSession.java:157)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.findUserByQueryCriteria(LdapIdentityProviderSession.java:149)
at org.camunda.bpm.identity.impl.ldap.LdapUserQueryImpl.executeList(LdapUserQueryImpl.java:53)
at org.camunda.bpm.engine.impl.AbstractQuery.execute(AbstractQuery.java:137)
at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:90)
at org.camunda.bpm.engine.impl.interceptor.JtaTransactionInterceptor.execute(JtaTransactionInterceptor.java:59)
at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:32)
at org.camunda.bpm.engine.impl.AbstractQuery.list(AbstractQuery.java:111)
at org.camunda.bpm.engine.rest.impl.IdentityRestServiceImpl.getGroupInfo(IdentityRestServiceImpl.java:57)
at sun.reflect.GeneratedMethodAccessor141.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:601)


The problem is that groupIdAttribute=cn is not unique across the LDAP server.
I tried to use "entryDn", but this attribute must be queried explicitly, because it's not in normal search results unless it was queried.

The problematic function is inside the class org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession:

  protected GroupEntity transformGroup(SearchResult result) throws NamingException {
    final Attributes attributes = result.getAttributes();
    LdapGroupEntity group = new LdapGroupEntity();
    group.setDn(result.getNameInNamespace());
    group.setId(getStringAttributeValue(ldapConfiguration.getGroupIdAttribute(), attributes));
    group.setName(getStringAttributeValue(ldapConfiguration.getGroupNameAttribute(), attributes));
    group.setType(getStringAttributeValue(ldapConfiguration.getGroupTypeAttribute(), attributes));
    return group;
  }

"attributes" contains no value that is unique across my LDAP server, and I can't use the DN directly, nor can I include the unique entryDn or entryUUID in the SearchRequest.

Any suggestions?


Markus Schulz

Oct 20, 2014, 10:51:10 AM
to camunda-...@googlegroups.com
The created SearchControls object should list all configured and needed attributes via the setReturningAttributes(String[]) method.
This way I can use/query for entryDn and/or entryUUID values.
Perhaps this will be enough to make my LDAP setup work?

Markus Schulz

Oct 20, 2014, 12:17:49 PM
to camunda-...@googlegroups.com
Okay, I've found a solution with an extended user and group filter syntax like:

userSearchFilter="(&(objectclass=inetOrgPerson)(|(&(ou:dn:=company1)(ou:dn:=test_user))(ou:dn:=global_user)))"
groupSearchFilter="(&(objectclass=groupOfUniqueNames)(|(ou:dn:=company1)(ou:dn:=global_groups)))"

This way I can filter only on the subtrees I need, where the group cn and user uid are unique.

This works fine and is all I need currently.
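Added example, not code from this thread or from the Camunda LDAP plugin: a small evaluator for the subset of LDAP search filters used above (and, or, not, equality and the `attr:dn:=value` extensible match, which also matches against the attributes that make up the entry's DN). It runs the unscoped and the dn-scoped group filter over a constructed directory shaped like the poster's (an `employees` group in every company subtree) and mimics the plugin's group-DN lookup that raised "Query return 3 results instead of max 1". The entry DNs, the `company2`/`company3` subtrees and the `LookupError` message are assumptions made for the example; the filters are the ones from the thread.

```python
"""Why a dn-scoped search filter fixes the 'Query return N results' error.

Constructed sample data and a toy filter evaluator; not the plugin's own
code. Only unescaped, wildcard-free filters are supported.
"""
import re

# Constructed directory: 'employees' exists once per company subtree, so cn
# alone is not unique server-wide (the layout described in the first post).
ENTRIES = [
    {"dn": "cn=employees,ou=company1,dc=example,dc=org",
     "attrs": {"objectclass": ["groupOfUniqueNames"], "cn": ["employees"]}},
    {"dn": "cn=employees,ou=company2,dc=example,dc=org",
     "attrs": {"objectclass": ["groupOfUniqueNames"], "cn": ["employees"]}},
    {"dn": "cn=employees,ou=company3,dc=example,dc=org",
     "attrs": {"objectclass": ["groupOfUniqueNames"], "cn": ["employees"]}},
    {"dn": "cn=admins,ou=global_groups,dc=example,dc=org",
     "attrs": {"objectclass": ["groupOfUniqueNames"], "cn": ["admins"]}},
    {"dn": "uid=mschulz,ou=test_user,ou=company1,dc=example,dc=org",
     "attrs": {"objectclass": ["inetOrgPerson"], "uid": ["mschulz"]}},
    {"dn": "uid=mschulz,ou=test_user,ou=company2,dc=example,dc=org",
     "attrs": {"objectclass": ["inetOrgPerson"], "uid": ["mschulz"]}},
    {"dn": "uid=root,ou=global_user,dc=example,dc=org",
     "attrs": {"objectclass": ["inetOrgPerson"], "uid": ["root"]}},
]

# Filters from the thread: the original unscoped one and the dn-scoped fix.
UNSCOPED_GROUP_FILTER = "(objectclass=groupOfUniqueNames)"
SCOPED_GROUP_FILTER = "(&(objectclass=groupOfUniqueNames)(|(ou:dn:=company1)(ou:dn:=global_groups)))"
SCOPED_USER_FILTER = "(&(objectclass=inetOrgPerson)(|(&(ou:dn:=company1)(ou:dn:=test_user))(ou:dn:=global_user)))"

_ITEM = re.compile(r"([A-Za-z0-9-]+)(:dn)?:?=(.*)")


def parse_filter(text):
    """Parse a filter into ('&'|'|'|'!', [children]) or ('=', attr, value, dn_flag)."""
    pos = 0

    def parse():
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if text[pos] in "&|!":
            op = text[pos]
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            if text[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = text.index(")", pos)
        match = _ITEM.fullmatch(text[pos:end])
        if not match:
            raise ValueError(f"unsupported filter item {text[pos:end]!r}")
        pos = end + 1
        attr, dn_flag, value = match.groups()
        return ("=", attr.lower(), value, dn_flag is not None)

    tree = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return tree


def dn_attribute_values(dn):
    """Split a DN into {attr: [values]} so 'ou:dn:=x' can match RDN components."""
    values = {}
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        values.setdefault(attr.strip().lower(), []).append(value.strip())
    return values


def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    _, attr, value, dn_flag = node
    candidates = [v.lower() for v in entry["attrs"].get(attr, [])]
    if dn_flag:  # extensible match with dnAttributes: DN components count too
        candidates += [v.lower() for v in dn_attribute_values(entry["dn"]).get(attr, [])]
    return value.lower() in candidates


def search(entries, filter_text):
    """Return the DNs of all entries matching the filter."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if matches(tree, e)]


def get_dn_for_group(entries, group_search_filter, group_id_attribute, group_id):
    """Mimic the plugin's lookup: configured group filter AND the requested id,
    and insist on exactly one hit, as the engine's singleResult() does."""
    combined = f"(&{group_search_filter}({group_id_attribute}={group_id}))"
    hits = search(entries, combined)
    if len(hits) != 1:
        raise LookupError(f"Query return {len(hits)} results instead of max 1")
    return hits[0]
```

With the unscoped filter, `get_dn_for_group(ENTRIES, UNSCOPED_GROUP_FILTER, "cn", "employees")` sees three `employees` groups and raises; with the scoped filter it resolves to the single group under `ou=company1`. The same scoping makes `uid=mschulz` unique among users even though it exists under two companies, which is why the fix works without needing `entryDn` or `entryUUID` in the search results.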