Integration with LDAP

Dear Tijs,

Firstly, I’m sorry for bothering you! I beg you not to bother yourself; could you just suggest directions? I’ll do the rest by myself. I have found instructions on how to deploy Maven. After the Maven installation I will try again. I want to walk through all these steps to create a document (procedure) for all newbies like me and publish it on the Google++ link.

Thank you very much Tijs!

Best regards,
Zholaman

Tijs,

I have installed Maven and run ant, but faced an error. So let me ask: what OS do you use to build Flowable?

Best regards,
Zholaman

Ok, that’s indeed to be expected on Windows (I use Mac OS X). But this is at the end of building the distro (building the user guide), so you should already have the Flowable Task application WAR file that you can use to test with AD.

Best regards,

Tijs

Thanks Tijs,

Indeed, I got the WAR files :slight_smile:

Best regards,
Zholaman

Dear Tijs,

First of all, I have built Flowable from the source again (today) and checked integration with an LDAP server (embedded in Apache Studio); everything is working correctly.

Now I have tried integrating Flowable with MS Active Directory, but without success so far. So I have a couple of questions, and I kindly ask you to answer them when you have time.

1. In flowable-ui-app.properties (flowable-idm module) we have the option “ldap.user=uid=admin”, so what is ‘uid’, and can we use a different identifier instead of it? For example, in MS AD we do not have ‘uid’, but there are two identifiers that we can use:

a) cn (like ‘John Deep’, with a space character between first and last names);
b) sAMAccountName (like ‘john.deep’, without a space character)

2. What type of data, and in what format, do we need to provide for the following two variables:

ldap.query.userbyid=?
ldap.query.userbyname=?

3. If we do not have the ‘uid’ identifier in MS AD, what exactly do we need to change in the following LDAP query, or, if we need to change only the ‘uid’ parameter, then what should we use instead of ‘uid’:

ldap.query.userbyid=(&(objectClass=person)(uid={0}))

Thanks in advance!

Best regards,
Zholaman

Hi Zholaman,

I’m not very familiar with Active Directory, maybe someone else from the community is able to help with these questions?
The ldap.user property is the value that is used to logon to the LDAP server together with ldap.password. So this needs to be your AD login.
For the queries, you would need to define a valid LDAP query to fetch a user by its id, where id is the username of the user that wants to login.

Best regards,

Tijs

Hi Zholaman,

When 6.0.0.1 is released I’ll post a working Active Directory config.
I’ll include a “translation” between the ldap properties and the AD/LDAP schema.

Thanks Sebastiaan!

Best regards,
Zholaman

Thanks Tijs!

Best regards,
Zholaman

Dear Sebastiaan,

FYI,

Let me draw your attention to a point relating to integration with Active Directory.

When new users are created, they usually land under the Users CN (which is the default for new users), but in some cases System Administrators have a different folder for new users.
So as I understand it, Flowable gets the admin login by ‘Distinguished Name’ (in the case of LDAP), BUT what happens if the ‘Distinguished Name’ of the Administrator login/user differs from the ‘Distinguished Name’ of other domain users?

Example:
“Distinguished Name” of Administrator:
CN=Administrator,CN=Users,DC=work,DC=company,DC=com

“Distinguished Name” of ordinary AD users:
CN=Sophie Marceau,OU=employees,DC=work,DC=company,DC=com

CN = Common Name
OU = Organizational Unit
DC = Domain Component

Thank you in advance for your answer!

Best regards,
Zholaman

Hi Zholaman.

From my experience with Activiti:

AD does not allow anonymous access. The following settings are used to query AD.
ldap.user=uid=admin, ou=system
ldap.password=secret

To find your users you will have to set the base dn.
ldap.basedn=OU=employees,DC=work,DC=company,DC=com

In case you have multiple OUs containing users, you just move the basedn a bit up.
For example:
ldap.basedn=DC=work,DC=company,DC=com

It is very important that ALL user objects below the basedn have all attributes set. Otherwise it can lead to null pointers.

A 2nd option that I have not tested is to point the basedn to “DC=company,DC=com”, and use ldap queries.

Once LDAP is in the stable branch, I’ll do some testing and document some scenarios with AD and LDAP.

A 3rd option is to add an attribute to the user and create an ldap query to filter out those users.
A 4th option would be to put all flowable users in a group and create an ldap query to filter out those users.
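As an added example (not Flowable's own code, and not something the participants in this thread posted), the Python script below shows how the ldap.* properties quoted above map onto an Active Directory and makes three checks that the posts above call for: the {0} placeholder in ldap.query.userbyid has to be filled with a properly escaped login name (AD has no uid, so the sample query matches sAMAccountName); a search rooted at ldap.basedn only finds entries below it, so an Administrator under CN=Users and employees under OU=employees need a basedn that covers both; and every user object below the basedn should carry the attributes IDM reads. The property values, DNs and the REQUIRED_USER_ATTRIBUTES list are constructed assumptions for illustration.

```python
# Added example, not Flowable's code: maps the ldap.* properties discussed in
# this thread onto an Active Directory and runs three sanity checks on them.
# All property values, DNs and attribute lists below are constructed samples.
import re

# Constructed sample of the thread's properties adapted for AD. AD has no
# 'uid' attribute, so the user-by-id query matches sAMAccountName instead.
AD_PROPERTIES = {
    "ldap.user": "CN=Administrator,CN=Users,DC=work,DC=company,DC=com",
    "ldap.password": "secret",
    "ldap.basedn": "DC=work,DC=company,DC=com",
    "ldap.query.userbyid": "(&(objectClass=person)(sAMAccountName={0}))",
    "ldap.query.userbyname": "(&(objectClass=person)(cn=*{0}*))",
}

# Characters that must be escaped inside an LDAP search filter value (RFC 4515).
_FILTER_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}


def escape_filter_value(value):
    """Escape a login name before it is substituted into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def render_query(template, value):
    """Fill the {0} placeholder of an ldap.query.* template with an escaped value."""
    return template.replace("{0}", escape_filter_value(value))


def parse_dn(dn):
    """Split a DN into (TYPE, value) pairs; a comma escaped as '\\,' stays in the value."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        attr, _, val = part.strip().partition("=")
        rdns.append((attr.strip().upper(), val.strip()))
    return rdns


def _normalize(rdns):
    """DN comparison is case-insensitive, so compare lower-cased values."""
    return [(attr, val.lower()) for attr, val in rdns]


def is_under_base(dn, basedn):
    """True when dn sits at or below basedn, i.e. basedn is a suffix of dn."""
    entry, base = parse_dn(dn), parse_dn(basedn)
    if len(base) > len(entry):
        return False
    return _normalize(entry[-len(base):]) == _normalize(base)


def users_outside_base(user_dns, basedn):
    """Return the DNs that a search rooted at basedn would never find."""
    return [dn for dn in user_dns if not is_under_base(dn, basedn)]


# Assumption: the attributes an IDM user record is populated from. A user
# object missing any of these is the "null pointer" case mentioned above.
REQUIRED_USER_ATTRIBUTES = ("sAMAccountName", "givenName", "sn", "mail")


def missing_attributes(entry, required=REQUIRED_USER_ATTRIBUTES):
    """List the required attributes that are absent or empty on one AD entry."""
    return [attr for attr in required if not entry.get(attr)]


if __name__ == "__main__":
    # Constructed DNs taken from the thread's example above.
    dns = [
        "CN=Administrator,CN=Users,DC=work,DC=company,DC=com",
        "CN=Sophie Marceau,OU=employees,DC=work,DC=company,DC=com",
    ]
    print(render_query(AD_PROPERTIES["ldap.query.userbyid"], "john.deep"))
    # A basedn of OU=employees cannot see the Administrator under CN=Users.
    print(users_outside_base(dns, "OU=employees,DC=work,DC=company,DC=com"))
    # Moving the basedn up to the domain root covers both containers.
    print(users_outside_base(dns, AD_PROPERTIES["ldap.basedn"]))
    # A constructed entry missing givenName and mail.
    print(missing_attributes({"sAMAccountName": "john.deep", "sn": "Deep"}))
```

The escaping step matters because whatever a user types at the login form ends up inside the {0} placeholder of the search filter; escaping the RFC 4515 metacharacters keeps the filter's structure fixed regardless of the input. The basedn check reproduces the point made above: if the basedn is set to OU=employees, the Administrator object under CN=Users is simply outside the search scope, and moving the basedn up to the domain components fixes it.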

Hi Sebastiaan,

thank you a lot for your answer!

I have a proposal: if you are not against it, I can provide you with freshly built ‘war’ files of Flowable now, or you can build it yourself using this step-by-step instruction created by me.

Best regards,
Zholaman

Hi Zholaman.

Do you know of a step-by-step Ubuntu way? :slight_smile:

Dear Sebastiaan,

Yes, of course; my last Flowable I built under Ubuntu Server 16.04.2 LTS :slight_smile:

I need about 2-4 hours to prepare a new instruction; running ahead, I will say that the sequence is about the same as under Windows.

I’ll let you know when the new instruction has been prepared. I’ll try to do it by tomorrow.

Best regards,
Zholaman

Dear Sebastiaan,

The instruction is ready. Link.

Best regards,
Zholaman

Hi Zholaman,

Guess I have no excuses now :slight_smile:
Give me a few days to build a virtual test environment. I’ll try to have something by the end of the weekend.

Dear Sebastiaan,

OK, thanks :slight_smile:

Best regards,
Zholaman

Well Zholaman,

I have no need for an AD implementation since we use OpenLDAP at work.

I’ll know more this weekend, but I think a java developer with AD/LDAP knowledge should be able to resolve this.

Sebastiaan

Dear Sebastiaan,

No problem, I will try to find a solution by myself.

Anyway, thanks for your effort!

Best regards,
Zholaman

For anybody who is interested in integrating with MS AD, I found the correct configuration option for MS AD.