Clicking a specific group in flowable-idm does not return users


#1

When Clicking on groups in the header the following query is performed:
SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(objectClass=groupOfUniqueNames)"

When Clicking on a group the users field stays empty.
From the ldap log I notice the same query is performed:
SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(objectClass=groupOfUniqueNames)"

I am running a fresh install of flowable 6.0.1

This is my openldap config:

The relevant part in my flowable config:

LDAP

ldap.enabled=true
ldap.server=ldap://snk-ldap.newtec.eu
ldap.port=389
ldap.user=uid=flowable,ou=system-users,ou=intranet,dc=newtec,dc=eu
ldap.password=password
ldap.basedn=ou=intranet,dc=newtec,dc=eu
ldap.query.userbyid=(&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(uid={0}))
ldap.query.userbyname=(&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(|({0}={1})({2}={3})))
ldap.query.userall=(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))
ldap.query.groupsforuser=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
ldap.query.groupall=(objectClass=groupOfUniqueNames)
ldap.attribute.userid=uid
ldap.attribute.firstname=givenname
ldap.attribute.lastname=sn
ldap.attribute.email=mail
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn

Is anyone else noticing this behaviour?

Sebastiaan


#2

Hi Sebastiaan,

The ldap.query.userall query will be used to get the users for a group. Do you see that query in the ldap log as well?

Best regards,

Tijs


#3

Hi Tijs,

I’ll check this later.


#4

According to some testing I did the query “ldap.query.userall” is performed during login when you view all users.
It is not used when you click on a group.

These are the queries and my results:

ldap.query.userbyid=(&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(uid={0}))
query: (&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(uid=slag))
result: uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu

ldap.query.userbyname=(&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(|({0}={1})({2}={3})))
query: (&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(|(givenname=Sebastiaan)))
result: uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu
(all users with surname Sebastiaan)

ldap.query.userall=(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))
query: (|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))
result: dn of ALL users.

ldap.query.groupsforuser=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
query: (&(objectClass=groupOfUniqueNames)(uniqueMember=slag))
result: NO RESULT!!!

query: (&(objectClass=groupOfUniqueNames)(uniqueMember=uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu))
result: dn of all groups of slag.

ldap.query.groupall=(objectClass=groupOfUniqueNames)
query: (objectClass=groupOfUniqueNames)
result: - cn=admins,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu
- cn=users,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu

Logging in:

May 31 16:15:26 snk-ldap slapd[32131]: conn=26382636 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(uid=slag))"
result: - uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu

May 31 16:15:26 snk-ldap slapd[32131]: conn=26382637 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu))"
result: - cn=admins,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu
- cn=users,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu

May 31 16:15:27 snk-ldap slapd[32131]: conn=26382639 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))"
result: all users.

Clicking groups:
May 31 16:24:23 snk-ldap slapd[32131]: conn=26384839 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(uid=slag))"
result: - uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu

May 31 16:24:23 snk-ldap slapd[32131]: conn=26384842 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu))"
result: - cn=admins,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu
- cn=users,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu

May 31 16:24:23 snk-ldap slapd[32131]: conn=26384843 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(objectClass=groupOfUniqueNames)"
result: - cn=admins,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu
- cn=users,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu

Clicking a group to view the users:
May 31 16:28:13 snk-ldap slapd[32131]: conn=26385527 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(&(|(&(objectClass=inetOrgPerson)(ou:dn:=people))(uid=flowable))(uid=slag))"
result: - uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu

May 31 16:28:13 snk-ldap slapd[32131]: conn=26385530 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(&(objectClass=groupOfUniqueNames)(uniqueMember=uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu))"
result: - cn=admins,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu
- cn=users,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu

May 31 16:28:13 snk-ldap slapd[32131]: conn=26385531 op=1 SRCH base="ou=intranet,dc=newtec,dc=eu" scope=2 deref=3 filter="(objectClass=groupOfUniqueNames)"
result: - uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu


#5

I don’t think the ldap.query.groupsforuser query is used when clicking on a group; from the code it seems that it is used when group information is needed for a user (so the other way around).

However, looking through the code, the logic for querying users for a particular group is not there, but it in fact defaults to returning all users: https://github.com/flowable/flowable-engine/blob/master/modules/flowable-ldap/src/main/java/org/flowable/ldap/impl/LDAPUserQueryImpl.java#L76 . So you’re not seeing any users at all coming back when clicking on a group?


#6

Hi Joram,

Welcome back.

ldap.query.groupsforuser indeed returns the groups of a user.

Clicking on a group returns no users. According to my ldap logs the query “ldap.query.groupsforuser” is performed.


#7

Which is odd … as you’d expect it to be usersForGroup.
I do see in the code that the ldap logic does not have anything on board for fetching users for a group … but the default implementation actually returns all the users in that case … not an empty list. I’ll have to test/dig a little deeper I’m afraid :frowning:


#8

In the default config, there is no usersForGroup property :slight_smile:

In my config there is actually not a single query that would return the users in a group.


#9

It might be a bit of an old topic, but I’m still having the issue.
I have the LDAP-integrated IDM app connected to Active Directory (AD), but AD group membership/privileges are not functioning, at least not in the IDM UI.
If I have only a single AD group and I click on it in the Groups section, it does not list the AD group members, but all the AD users. (In IDM, if I try to add users to a group, it just does nothing, but that is kind of expected, since group membership should come from AD.)
If there is more than one AD group, then the logic fails earlier: when selecting a group in the Groups section, nothing is displayed, but DEBUG shows “org.flowable.engine.common.api.FlowableException: Query return 2 results instead of max 1”

Additionally, in the Privileges section I can assign an AD group to a privilege only if I have a single group in AD; however, that group-based privilege is still not applied when I try to sign in with a group member.
Having more than one AD group will block assignment to a privilege.


#10

Hi Attila,

This issue is still not resolved.
There is another thread about this issue: Integration with Microsoft Active Directory


#11

Hi Sebastiaan,
Thanks, I have studied the other topic too, and btw I’m quite sure that it is not LDAP implementation related, but the logic in flowable-idm is incorrect.
Also the LDAP query to get users in a group is missing completely. (That could still be “reverse calculated” from the ldap.query.userall and ldap.query.groupsforuser queries.)
So in the current IDM UI implementation, the LDAP-based grouping of users does not function.
I also tried to build a form in flowable-modeler and use the “Group of people” field. Interestingly I can pick a group, and it gets stored in the process (as a string), but it is not possible to display it in a later form in a “Group of people” type field (only as text), and it does not function as a user task candidate group either. I’m not sure if that is caused by flowable-task or flowable-idm.
Now it seems that without having the UI apps fixed, or having my own identity management, I cannot use the suite to execute business processes.

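As an added example (not Flowable’s code, and not from anyone in this thread): a pure-Python model of the two Flowable LDAP queries that do exist, showing the finding from post #4 that uniqueMember only matches the full DN, and the “reverse calculation” of users-for-group from ldap.query.userall plus ldap.query.groupsforuser described in post #11. The directory entries are constructed from the DNs quoted in the thread; the DN normaliser and the RFC 4515 filter-value escaping are assumptions of this example, not something Flowable is known to do.

```python
# Added example, not Flowable's own code: model the two Flowable LDAP queries that exist
# and derive "users for a group" from them, as post #11 suggests.

# Constructed sample directory entries (dn, attributes), using the DNs quoted in the thread.
USERS = [
    ("uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu", {"uid": "slag"}),
    ("uid=flowable,ou=system-users,ou=intranet,dc=newtec,dc=eu", {"uid": "flowable"}),
]
GROUPS = [
    ("cn=admins,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu",
     {"uniqueMember": ["uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu"]}),
    ("cn=users,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu",
     {"uniqueMember": ["UID=slag, OU=people, ou=intranet,dc=newtec,dc=eu",   # same DN, different spelling
                       "uid=flowable,ou=system-users,ou=intranet,dc=newtec,dc=eu"]}),
]

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value substituted into a {0} placeholder (assumption of this example)."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def norm_dn(dn: str) -> str:
    """Simplified DN normalisation: strip RDN whitespace, compare case-insensitively.
    (Splitting on ',' ignores escaped commas; enough for this demonstration.)"""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def groupsforuser_filter(user_dn: str) -> str:
    """The ldap.query.groupsforuser filter with {0} filled in (escaped first)."""
    return "(&(objectClass=groupOfUniqueNames)(uniqueMember=%s))" % escape_filter_value(user_dn)

def groups_for_user(member: str) -> list:
    """What the directory does with that filter: uniqueMember is compared as a DN,
    so a bare uid ('slag') matches nothing, exactly as post #4 observed."""
    target = norm_dn(member)
    return [dn for dn, attrs in GROUPS
            if any(norm_dn(m) == target for m in attrs.get("uniqueMember", []))]

def users_for_group(group_dn: str) -> list:
    """The query Flowable lacks, reverse-calculated: userall, then groupsforuser per user.
    One round trip per user, so cache the result in a real deployment."""
    target = norm_dn(group_dn)
    return [dn for dn, _ in USERS
            if target in {norm_dn(g) for g in groups_for_user(dn)}]

if __name__ == "__main__":
    print(groupsforuser_filter("uid=slag,ou=people,ou=intranet,dc=newtec,dc=eu"))
    print(groups_for_user("slag"))          # [] : uid alone does not match uniqueMember
    print(users_for_group("cn=users,ou=flowable,ou=services,ou=groups,ou=intranet,dc=newtec,dc=eu"))
```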

#12

Hi,

Some time ago I was facing the same issue. Till now I have not been able to figure out the problem, but I have something interesting to share.

PS. I am not an LDAP pro. I just wanted to learn how to integrate flowable with LDAP, so I set up a small local LDAP.

Now when I have 3 Groups in my LDAP

I get an error when I click on any group tab

If you look at the 4th line from the last, you see the string "query return 3 instead of max 1". This increases as we make new groups.

Now when I have 1 group in my LDAP

and I click on the group in the Group tab, I get the users for that group

I don’t know why this weird behaviour occurs.

Thank You,
Arpit


#13

Hi Arpit,

There is something weird with your ldap config. But you are getting group members… :slight_smile:

Could you post your properties file and your flowable version?


#14

Hi,

These are my LDAP configs:

ldap.enabled=true
ldap.server=ldap://localhost
ldap.port=389
ldap.user=cn=admin,dc=example,dc=com
ldap.password=root
ldap.basedn=dc=example,dc=com
ldap.groupBaseDn=dc=example,dc=com
ldap.query.userbyid=(&(objectClass=inetOrgPerson)(uid={0}))
ldap.query.userbyname=(&(objectClass=inetOrgPerson)(|({0}={1})({2}={3})))
ldap.query.userall=(&(objectClass=inetOrgPerson)(uid=*))
ldap.query.groupsforuser=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
ldap.query.groupall=(objectClass=groupOfUniqueNames)
ldap.attribute.userid=uid
ldap.attribute.firstname=cn
ldap.attribute.lastname=sn
ldap.attribute.email=mail
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn
ldap.cache.groupsize=10000
ldap.cache.groupexpiration=180000

I am using Flowable 6.2.0 Version.


#15

+1. I believe I have the same issue. My config:


ldap.basedn=dc=wellsmith,dc=com
ldap.cache.groupexpiration=180000
ldap.cache.groupsize=-1
ldap.query.userbyid=(&(objectClass=inetOrgPerson)(uid={0}))
ldap.query.userbyname=(&(objectClass=inetOrgPerson)(|({0}={1})({2}={3})))
ldap.query.userall=(objectClass=inetOrgPerson)
ldap.query.groupsforuser=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
ldap.query.groupall=(objectClass=groupOfUniqueNames)
ldap.attribute.email=email
ldap.attribute.userid=uid
ldap.attribute.firstname=givenName
ldap.attribute.lastname=sn
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn

I have two groups in my LDAP server (ApacheDS), both have DN of “cn=xxx”. In the IDM app, under the Groups tab, when I click on a group, Flowable throws:

FlowableException: Query return 2 results instead of max 1

#16

+1 Looks like this is still an issue


#17

@TTBruce and for everyone else I think that this is tracked in the #763 issue in GitHub and we currently have a pending PR with the fix

Cheers,
Filip