Flowable-rest doesn't use ldap users

I configured flowable-rest with the following parameters:

db=mysql
datasource.driver=com.mysql.jdbc.Driver
datasource.url=jdbc:mysql://127.0.0.1:3306/flowable?characterEncoding=UTF-8
datasource.username=flowable
datasource.password=gfvEsygoAZh3XagGKu5tkexAFs

# demo data properties

create.demo.users=true
create.demo.definitions=false
create.demo.models=false

# engine properties

engine.process.schema.update=true
engine.process.asyncexecutor.activate=true
engine.process.history.level=full

engine.dmn.schema.update=true
engine.form.schema.update=true

# rest properties

# Enable/disable Java serializable objects to be passed as variables in the REST API.

rest.variables.allow.serializable=true

# Enable/disable whether the docs are available on /docs

rest.docs.swagger.enabled=true

The user I need to use to query the rest interface is kermit.
When I query all users at “flowable-rest/service/identity/users”, only the demo users are returned (kermit, fozzie, gonzo).

Is LDAP implemented in flowable-rest?

Hi, I saw this old post, but no one answered this post. I am interested in knowing the answer to the same question. I’ve followed other posts to enable LDAP in my flowable-default.properties file under flowable-rest\WEB-INF\classes:

flowable.idm.ldap.enabled=true

But the authentication still goes against dbo.ACT_ID_USER table of the configured database, not to LDAP.

Reading through the document, to enable LDAP integration, one needs to include dependency in pom.xml:

<dependency>
  <groupId>org.flowable</groupId>
  <artifactId>flowable-ldap-configurator</artifactId>
  <version>latest.version</version>
</dependency>

I looked at pom.xml in the flowable-rest package, I do not see this dependency. So I am afraid that I cannot use LDAP authentication for flowable-rest.war, is that true?

If that is true, what are my options if I want to integrate flowable-rest.war with LDAP as user store?

I cannot use the database configured for the Flowable engine because it looks like the user passwords in dbo.ACT_ID_USER are in clear text.

Thanks, Joey

Hi Joey
I actually never got it working.
I ended up putting an API manager in front of it.
The one I used was wso2 (https://wso2.com/api-management/)

This had the advantage that it is a generic solution that also supports other applications and adds features like keys.

The disadvantage is that since wso2 uses a “configured” user to connect to Flowable, all actions, no matter who did it are done by that configured user.

You could also try this how to:
https://robferguson.org/blog/2019/01/28/how-to-flowable-and-ldap/

Haven’t tried it yet, but maybe that resolves your issue

Thanks, Sebastiaan. I followed your link; unfortunately, I am not able to make much progress yet. I even tried to configure flowable-idm to work with Active Directory following the link Integration with Microsoft Active Directory. It appears I was directed to AD for authentication, but I could not get it working. At least I know the LDAP configuration does make some difference to the flowable-idm app, but it does nothing to flowable-rest.

Thanks, Joey

Hey Joey,

The Flowable REST Application only supports Basic authentication. This is done in its SecurityConfiguration.

In case you need some other custom security you would need to create your own. You can get some pointers from the Building your own Flowable Spring Boot Application blog post

Thank you, Filiphr, for your reply. I do not have an issue with the basic authentication to the flowable-rest APIs. I was hoping I could use flowable-rest.war as it is, with just additional configuration to support AD users and groups. The goals are:

  1. Use a valid AD user with required privileges to authenticate into flowable-rest application.
  2. Use AD users and groups as the CandidateUsers and CandidateGroups in the user task definition in the BPMN process definition.

The second goal is more important to me than the first one. If the above goal cannot be accomplished by configuration only, then it seems that I will have to build my own REST application by using flowable-spring-boot-starter-rest dependency. It looks like I can use LDAP configurator (https://flowable.com/open-source/docs/bpmn/ch17-Ldap/) to accomplish the above goal, is that correct?

Thanks, Joey

Hi Joey,

The first goal can be accomplished with an API manager.
The 2nd goal can be accomplished by doing an LDAP call in a service class, or a REST call to something like Keycloak.

Thanks Sebastiaan for your pointer. I did think of the approach of doing the LDAP lookup in my own code. Maybe there is a better way, but the simplest way is to get all the tasks from flowable-rest API without any filter. Then get all the AD groups this user belongs to. Then loop through all the tasks to see if any of them is assigned to a group matching this user’s AD groups. This approach would work, although it will add a lot more network traffic between flowable-rest service and my client app if there are a lot of tasks for a lot of people. So I hope I can find a better solution.

I will take a look at keycloak suggestion next.

Thanks, Joey

Hey Joey,

Your approach is also interesting. Keep in mind that you can also pass the groups and user id to flowable-rest. This way the filtering is done in the DB and you’ll have proper paging and less network traffic.

Cheers,
Filip

Hi, Philip,

Many thanks for your reply. I have a followup question regarding this group filter in Flowable-rest API. Say there is a task with candidategroup = “sales”. Say John is a member of the “sales” group. I read from other threads in the forum, you’ve said that one cannot query the task by user John. That is, one cannot call

query/tasks?CandidateUser=john

Instead, one has to call
query/tasks?CandidateGroup=sales

So if john belongs to 10 groups, does the client have to first find out all 10 groups john belongs to and call query/tasks 10 times to see all of John’s tasks? Or is there a single API call to send all 10 groups with OR logic, something like this:

query/tasks?CandidateGroup=sales&CandidateGroup=marketing&…?

I remember someone in another thread asked similar question and you answered that flowable-rest API does not support OR logic.

Thanks, Joey

Sorry, Filip,

I mistyped your name to Philip. Sincere apology!

Joey

Hi, Filip, upon further reading of the document, it appears one can use candidategroups=sales,marketing,… That may work, of course it would be much better if candidateuser=john would work as well.

Thanks, Joey

Hey Joey,

It’s completely fine :slight_smile:.

Yes, you are right, OR is currently not supported as a query option. So you would either search for groups or for the user (I know it is not ideal).

So using candidateGroups=sales,marketing,...&candidateUser=john will not work.

Additionally there is also involvedUser (over REST) and also involvedGroups (over Java, not exposed over REST).

If you can create your own Flowable REST App you can in theory add your own endpoint that would be able to use the Java API and use OR (you can do that with Java).

Cheers,
Filip
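Filip's two points above, that the user id and the group list should be passed to flowable-rest so the filter and paging run in the database, and that candidateUser and candidateGroups cannot be ORed over REST, can be combined on the client side: issue the two filtered, paged queries and union the results by task id. The following is an added example, not code from this thread or from the Flowable project. It assumes the GET runtime/tasks endpoint with the candidateUser, candidateGroups (comma-separated), start and size parameters and a response carrying data and total, and it assumes the client has already resolved the user's AD group names with its own LDAP lookup. The sample tasks and their candidate identity links are constructed inline so the example runs offline.

```python
"""Union of a user's candidate tasks over the Flowable REST API, which
cannot OR candidateUser with candidateGroups in one query.

Added example, not code from the thread or from Flowable. Assumed API shape:
GET <base>/runtime/tasks?candidateUser=...|candidateGroups=a,b&start=N&size=M
returning {"data": [...], "total": T, "start": N, "size": M}.
"""
import base64
import json
import urllib.parse
import urllib.request

PAGE_SIZE = 100


def task_query_params(user, groups):
    """No OR over REST, so a user's tasks need two queries: one by user id,
    one by the (de-duplicated, comma-joined) list of the user's AD groups."""
    queries = [{"candidateUser": user}]
    if groups:
        queries.append({"candidateGroups": ",".join(sorted(set(groups)))})
    return queries


def paged(query_fn, params, page_size=PAGE_SIZE):
    """Walk start/size paging of one query until `total` is exhausted."""
    start = 0
    while True:
        page = query_fn(dict(params, start=start, size=page_size))
        data = page.get("data", [])
        yield from data
        start += len(data)
        if not data or start >= page.get("total", 0):
            return


def union_tasks(query_fn, user, groups, page_size=PAGE_SIZE):
    """Tasks where `user` is a direct candidate or one of `groups` is a
    candidate group, de-duplicated by task id and sorted by id."""
    seen = {}
    for params in task_query_params(user, groups):
        for task in paged(query_fn, params, page_size):
            seen.setdefault(task["id"], task)
    return sorted(seen.values(), key=lambda t: t["id"])


def rest_query(base_url, username, password):
    """Query function that GETs <base_url>/runtime/tasks with Basic auth,
    the only scheme the stock flowable-rest app accepts (assumed endpoint)."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()

    def query(params):
        url = f"{base_url.rstrip('/')}/runtime/tasks?{urllib.parse.urlencode(params)}"
        req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
        with urllib.request.urlopen(req, timeout=10) as resp:
            return json.load(resp)

    return query


# Constructed sample data: five tasks and their candidate identity links.
SAMPLE_TASKS = [{"id": f"t{i}", "name": f"task {i}"} for i in range(1, 6)]
SAMPLE_LINKS = {  # task id -> (candidate users, candidate groups)
    "t1": ({"john"}, set()),
    "t2": (set(), {"sales"}),
    "t3": (set(), {"marketing"}),
    "t4": (set(), {"hr"}),
    "t5": ({"john"}, {"sales"}),  # hit by both queries: must appear once
}


def fake_query(params):
    """Offline stand-in for runtime/tasks: ANDs candidateUser and
    candidateGroups like the real endpoint and applies start/size paging."""
    user = params.get("candidateUser")
    groups = set(filter(None, params.get("candidateGroups", "").split(",")))
    hits = []
    for task in SAMPLE_TASKS:
        users, task_groups = SAMPLE_LINKS[task["id"]]
        match_user = user is None or user in users
        match_group = not groups or bool(task_groups & groups)
        if match_user and match_group:
            hits.append(task)
    start, size = int(params.get("start", 0)), int(params.get("size", PAGE_SIZE))
    return {"data": hits[start:start + size], "total": len(hits),
            "start": start, "size": size}


if __name__ == "__main__":
    # Offline run; replace fake_query with
    # rest_query("http://localhost:8080/flowable-rest/service", "kermit", "kermit")
    # to query a real server with the same logic.
    for t in union_tasks(fake_query, "john", ["sales", "marketing"], page_size=2):
        print(t["id"], t["name"])
```

The small page size in the offline run forces the group query to span two pages, which is the case the client-side merge has to get right; with a real server keep the page size large and let the database do the filtering, as Filip suggests.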

Thanks, Filip, for clarification!

Joey