Flowable-Ldap Integration

Hi All,

I am new to Flowable and successfully integrated Flowable with LDAP using the configuration below in my docker-compose.yml:

environment:
  - SERVER_PORT=9090
  - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
  - SPRING_DATASOURCE_URL=<>
  - SPRING_DATASOURCE_USERNAME=<>
  - SPRING_DATASOURCE_PASSWORD=<>
  # Default LDAP admin user
  - FLOWABLE_IDM_APP_ADMIN_USER_ID=<>
  - FLOWABLE_IDM_APP_ADMIN_PASSWORD=<>
  - FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=<>
  - FLOWABLE_COMMON_APP_IDM_ADMIN_USER=<>
  - FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=<>
  # Flowable-LDAP configuration
  - FLOWABLE_IDM_LDAP_ENABLED=true
  - FLOWABLE_IDM_LDAP_SERVER=
  - FLOWABLE_IDM_LDAP_PORT=389
  - FLOWABLE_IDM_LDAP_USER=<>
  - FLOWABLE_IDM_LDAP_PASSWORD=<>
  - FLOWABLE_IDM_LDAP_BASE_DN=<>
  # Users
  - FLOWABLE_IDM_LDAP_USER_BASE_DN=<>
  - FLOWABLE_IDM_LDAP_QUERY_USER_BY_FULL_NAME_LIKE=(&(objectClass=inetOrgPerson)(|({0}={1})({2}={3})))
  - FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=inetOrgPerson)(uid={0}))
  - FLOWABLE_IDM_LDAP_QUERY_ALL_USERS=(objectClass=inetOrgPerson)
  - FLOWABLE_IDM_LDAP_ATTRIBUTE_USER_ID=uid
  - FLOWABLE_IDM_LDAP_ATTRIBUTE_FIRST_NAME=cn
  - FLOWABLE_IDM_LDAP_ATTRIBUTE_LAST_NAME=sn
  # Groups
  - FLOWABLE_IDM_LDAP_GROUP_BASE_DN=<>
  - FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER=(&(objectClass=posixGroup)(gidNumber={0}))
  - FLOWABLE_IDM_LDAP_QUERY_ALL_GROUPS=(objectClass=posixGroup)
  - FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID=(&(objectClass=posixGroup)(gidNumber={0}))
  - FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_ID=gidNumber
  - FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_NAME=cn
  - FLOWABLE_IDM_LDAP_CACHE_GROUP_SIZE=10000
  - FLOWABLE_IDM_LDAP_CACHE_GROUP_EXPIRATION=180000

Problem statement:
Inside LDAP I have each user assigned to a group. These groups are visible in my Flowable. But when giving privileges to groups inside flowable-idm, users don't get the desired access. I have to individually assign each user to flowable-modeler and workflow.

Example:

  1. User “naman” has group “admin” in LDAP.
  2. In Flowable, if the “admin” group is given “Access the workflow application”, naman must implicitly have access to it.
  3. Currently in my setup it doesn’t happen.
  4. User “naman” has to be explicitly added to be given “Access the workflow application”.

Any help on this is highly appreciated.

Regards
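To check what the LDAP query templates from the compose file actually return before pointing them at a server, here is an added example (my code, not Flowable's): a minimal RFC 4515 filter evaluator run over a constructed directory with one user and two posixGroups. It assumes, as the QUERY_USER_BY_ID template in the post does, that `{0}` is substituted with the user id, and it escapes the substituted value so an id containing filter metacharacters cannot change the shape of the query. The `memberUid` template is an assumed alternative keyed on group membership rather than on gidNumber; the directory layout and DNs are constructed for the example.

```python
"""Offline sanity check of Flowable-style LDAP query templates (added example)."""
import re

# Constructed sample directory (not from any real LDAP server).
DIRECTORY = {
    "uid=naman,ou=people,dc=example,dc=org": {
        "objectClass": ["inetOrgPerson", "posixAccount"],
        "uid": ["naman"], "cn": ["Naman"], "sn": ["Example"], "gidNumber": ["5000"],
    },
    "cn=admin,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["admin"],
        "gidNumber": ["5000"], "memberUid": ["naman"],
    },
    "cn=users,ou=groups,dc=example,dc=org": {
        "objectClass": ["posixGroup"], "cn": ["users"],
        "gidNumber": ["5001"], "memberUid": ["someone-else"],
    },
}

# Templates as written in the compose environment from the post, plus an
# assumed alternative that keys the group lookup on membership (memberUid).
QUERY_USER_BY_ID = "(&(objectClass=inetOrgPerson)(uid={0}))"
QUERY_GROUPS_FOR_USER = "(&(objectClass=posixGroup)(gidNumber={0}))"
QUERY_GROUPS_BY_MEMBER = "(&(objectClass=posixGroup)(memberUid={0}))"

_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_value(value):
    """RFC 4515 escaping: a substituted id can never add or close a filter term."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def fill(template, *args):
    """Substitute {0}, {1}, ... with escaped values (MessageFormat-style placeholders)."""
    for i, arg in enumerate(args):
        template = template.replace("{%d}" % i, escape_value(arg))
    return template


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def parse(filter_str):
    """Parse the subset used here: (&...), (|...), (!...), (attr=value), (attr=*)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(filter_str) or filter_str[pos] != ch:
            raise ValueError("expected %r at offset %d in %r" % (ch, pos, filter_str))
        pos += 1

    def node():
        nonlocal pos
        expect("(")
        op = filter_str[pos]
        if op in "&|!":
            pos += 1
            children = []
            while pos < len(filter_str) and filter_str[pos] == "(":
                children.append(node())
            expect(")")
            return (op, children)
        end = filter_str.index(")", pos)  # values are escaped, so ')' ends the term
        attr, sep, value = filter_str[pos:end].partition("=")
        if not sep:
            raise ValueError("only equality/presence terms supported: %r" % filter_str[pos:end])
        pos = end + 1
        return ("=", attr.lower(), value)

    tree = node()
    if pos != len(filter_str):
        raise ValueError("trailing data after filter: %r" % filter_str[pos:])
    return tree


def matches(tree, entry):
    op = tree[0]
    if op == "&":
        return all(matches(c, entry) for c in tree[1])
    if op == "|":
        return any(matches(c, entry) for c in tree[1])
    if op == "!":
        return not any(matches(c, entry) for c in tree[1])
    _, attr, value = tree
    values = [v.lower() for v in entry.get(attr, [])]  # LDAP compares case-insensitively here
    if value == "*":
        return bool(values)  # presence test
    return _unescape(value).lower() in values


def search(base_dn, filter_str):
    """Return the sorted DNs under base_dn whose entry matches the filter."""
    tree = parse(filter_str)
    return sorted(dn for dn, attrs in DIRECTORY.items()
                  if dn.lower().endswith(base_dn.lower())
                  and matches(tree, {k.lower(): v for k, v in attrs.items()}))


def find_user(user_id):
    return search("ou=people,dc=example,dc=org", fill(QUERY_USER_BY_ID, user_id))


def groups_for_user(user_id, template):
    return search("ou=groups,dc=example,dc=org", fill(template, user_id))


if __name__ == "__main__":
    print(find_user("naman"))
    print(groups_for_user("naman", QUERY_GROUPS_FOR_USER))   # gidNumber=naman matches nothing
    print(groups_for_user("naman", QUERY_GROUPS_BY_MEMBER))  # membership-keyed lookup
```

Run as a script it shows the point worth checking in any such setup: the user lookup succeeds, but a groups-for-user template keyed on gidNumber only returns the group when the substituted value is a gidNumber, not a uid, whereas a membership-keyed template finds the group from the user id directly. The escaping in `fill` is the part to keep whatever the filter looks like; an id such as `*)(objectClass=*` is matched literally and returns no groups instead of widening the query.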

I think this is related to the Flowable IDM Web App using the IdentityService rather than the RemoteIDMService.

See: https://github.com/flowable/flowable-engine/issues/1958#issuecomment-571778563

Thanks for replying on such short notice. Going by the link, it looks like I need to write a custom implementation inside the Flowable source code to implement RemoteIDMService.
Please correct me in case my understanding differs.

@Robinyo I have a similar issue, where I follow the steps below:

  1. Log in to the flowable-idm portal, create a user ankit, and then create a group claimManager to which I added the ankit user.

  2. In the flowable-idm portal, go to the Privileges section -> Access modeler application -> remove the ankit user from Users (if it exists) -> go to the Groups tab -> add the group claimManager.

  3. Log in to the flowable-modeler portal with username: ankit, and this is the issue: I am not able to log in, although I added a group containing the ankit user.

But when I add the ankit user to the Users tab in flowable-idm and try to log in to flowable-modeler with the ankit user, then I am able to log in with the ankit user.

And when I go to the GitHub link above, I found that it was not related to this one. Please correct me if I am wrong.