Integration with LDAP

There is no such thing as a Share Connector for Flowable yet. If you want to integrate Alfresco CE with Flowable, you’ll have to write the various integration points. I’ve done some work on this lately. I will update my post on the subject.

Hi Jeff,

Facilitating such a professional as you will greatly help the Flowable community on this issue!
Also thanks for your great Blog.

Thank you!

Hi Jeff,

Yes indeed, there was a bit more involved. In the updated user guide you can find a description of how to set up LDAP for the UI apps (see https://github.com/flowable/flowable-engine/blob/master/userguide/src/en/ch13-UI.adoc in the Flowable IDM application section).

Best regards,

Tijs

I’ve checked out from head and done a build (BTW, I must be missing something because mvn install -Dcheck does not build every UI app and their dependencies).

Once the build was complete and I placed my props file in $TOMCAT_HOME/lib I successfully authenticated against my local Apache Directory Suite server. However, I can only auth against idm. It is as if the privileges are not coming back correctly.

I made sure to place one of my LDAP users in admin.email. I had to use their uid for this, not their actual email address. Out of my five test users in LDAP, only this user can authenticate.

I realized that the reason my other test users could not authenticate was that I had to manually add them to each of the four privilege lists. Once I did that they can authenticate against the IDM app.

However, the problem still stands that none of my users can authenticate against anything other than IDM.

Also, I noticed email wasn’t coming back so I added that. Here’s the PR.

Hi Tijs,

I have checked the instructions concerning ‘LDAP integration’ but for me it is not working.

To check the instructions shown in the User Manual I used ‘Apache Directory Studio which includes ApacheDS’.
I have created a new user - ‘zholaman’ and added the following options to the file: /opt/tomcat/webapps/flowable-idm/WEB-INF/classes/META-INF/flowable-ui-app/flowable-ui-app.properties

After the above steps I tried to authenticate on flowable-idm but with no success (Invalid credentials).

My LDAP options are almost the same as shown in the User Guide:

    ldap.enabled=true
    ldap.server=ldap://192.168.0.14
    ldap.port=10389
    ldap.user=uid=admin, ou=system
    ldap.password=secret
    ldap.basedn=o=system
    ldap.query.userbyid=(&(objectClass=inetOrgPerson)(uid={0}))
    ldap.query.userbyname=(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))
    ldap.query.userall=(objectClass=user)
    ldap.query.groupsforuser=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
    ldap.query.groupall=(objectClass=groupOfUniqueNames)
    ldap.attribute.userid=uid
    ldap.attribute.firstname=cn
    ldap.attribute.lastname=sn
    ldap.attribute.groupid=cn
    ldap.attribute.groupname=cn
    ldap.cache.groupsize=10000
    ldap.cache.groupexpiration=180000

Given the above, let me ask where and which log file I should check to find information about LDAP authentication/synchronization and LDAP failures? And maybe you have some ideas about what I am doing or did wrong.

Thank you!

@jpotts What’s the result you get when authenticating against the Flowable Modeler for example, with one of the other four users? Bad credentials? I think I tried the same scenario and that worked fine for me, but I’ll do another validation to be sure.

@Zholaman make sure the zholaman user has the 4 privileges. When logging in with the admin user to the Flowable IDM application, you can add the privileges to the users found in LDAP.

Best regards,

Tijs

Dear Tijs,

I tried to give the ‘zholaman’ user some privileges but flowable-idm didn’t find him in the list of users on the User tab in flowable-idm.

The left side column of the User tab in flowable-idm is empty. If I understand correctly, after LDAP synchronizing the flowable-idm should contain a list of LDAP users, shouldn’t it?

JYI
I have used LDAP DB provided by ApacheDS as example.
Version of Apache Directory Studio is: 2.0.0.v20161101-M12 (http://directory.apache.org/studio/download/download-windows.html)

Best regards,
Zholaman

Hi Zholaman,

You are using the flowable-idm application from Github master right?
The ldap.query.userall=(objectClass=inetOrgPerson) property defines the query that is performed on LDAP to retrieve the users. I used the latest stable version of the Apache Directory Studio to test with (1.5.x).

Best regards,

Tijs

Dear Tijs,

I am using the ‘Flowable’ which I got from the link: http://www.flowable.org/downloads.html

So let me ask, is there some difference between the above link and the current master repository?

Best regards
Zholaman

Hi Zholaman,

Yes, we’ve made some changes to the UI apps and the LDAP logic.
The link to the updated user guide is therefore also the Github master version and not the user guide on the website.
If you run Ant from the distro folder on the Github master version, a full Flowable distribution is built and all the UI app WARs are created for you. We’ll also release a 6.0.1 version within the next few weeks including the LDAP fixes.

Best regards,

Tijs

Hi Tijs,

Could you give me some advice, please? I have not used ‘Ant’ before but this is not a problem (I can get info on how to work with Ant from the Internet). I just do not know which IDE package from the list below would be appropriate to compile/build ‘Flowable’ from the source code.

The list of different packages of Eclipse Neon IDE.
The list of different packages of NetBeans IDE 8.2.

Best regards,
Zholaman

Hi,

If you are not familiar with Apache Ant, then it’s probably best to wait for the 6.0.1 release.
Or read more about Ant on http://ant.apache.org

Best regards,

Tijs

Dear Tijs,

Eclipse comes pre bundled with the Ant plugin, ready to use.

I have downloaded the source code as a zip file and extracted it to a local folder. So let me ask, what do I need to do next?

I am sorry for my silly questions but I have no information about the structure of the ‘Flowable’ project source code. I have found the Ant project file - build.xml in flowable-engine-master\distro\build.xml but it does not contain a javac task.

P.S.
I have been working with simple Java projects. But I have never worked with big projects like ‘Flowable’. If building ‘Flowable’ takes a lot of steps and you do not have time to explain how to do that, I will wait for the next version (6.0.1) of Flowable.

Thanks!

Best regards,
Zholaman

Hi Jeff,

We did some testing and the likely cause why it isn’t working for you is the following properties:

    idm.app.url=http://localhost:8080/flowable-idm
    idm.admin.user=admin
    idm.admin.password=test

The other UI apps will do a REST call to the IDM app to fetch user info. Here you have to configure a valid user (from LDAP). If the user is not valid, the user info fetching fails and you can’t login to the UI app.

Best regards,

Tijs

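An added example (not part of the thread and not Flowable code): a small properties check for the two settings discussed above. It flags an `ldap.query.userall` filter whose objectClass differs from the one in `ldap.query.userbyid` (the posted config has `user` in one and `inetOrgPerson` in the other), and an `idm.admin.user` that is not a known LDAP user. The sample file, the function names and the list of directory uids are constructed for illustration.

```python
import re

# Constructed sample: LDAP settings as posted above plus the idm.* values Tijs quoted.
SAMPLE = """\
ldap.enabled=true
ldap.user=uid=admin, ou=system
ldap.query.userbyid=(&(objectClass=inetOrgPerson)(uid={0}))
ldap.query.userall=(objectClass=user)
idm.app.url=http://localhost:8080/flowable-idm
idm.admin.user=admin
idm.admin.password=test
"""

def parse_properties(text):
    """Parse key=value lines. Split on the first '=' only, because
    LDAP DNs and filters contain '=' themselves."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def object_classes(ldap_filter):
    """Return the lower-cased objectClass values named in an LDAP filter."""
    found = re.findall(r"\(objectClass=([^()]+)\)", ldap_filter, re.I)
    return {value.lower() for value in found}

def lint(props, directory_uids):
    """directory_uids: user ids the caller knows exist in LDAP (hypothetical input)."""
    findings = []
    if props.get("ldap.enabled", "false").lower() != "true":
        return findings
    by_id = object_classes(props.get("ldap.query.userbyid", ""))
    all_users = object_classes(props.get("ldap.query.userall", ""))
    if by_id and all_users and by_id.isdisjoint(all_users):
        findings.append("userall-objectclass-mismatch")
    if props.get("idm.admin.user") not in directory_uids:
        findings.append("idm-admin-user-not-in-ldap")
    return findings

if __name__ == "__main__":
    for finding in lint(parse_properties(SAMPLE), {"zholaman", "testuser1"}):
        print(finding)
```
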

Is there a timing on when 6.0.1 will be released?

We are aiming to release a new version (6.0.1) next week or the week after.

Best regards,

Tijs

Dear Tijs,

Let me ask: was the new version of Flowable tested with MS AD?

Hi,

No, a couple of people mentioned they would do some testing with MS AD, but I don’t think there has been feedback on the forum about this.

Best regards,

Tijs

Dear Tijs,

I was one of that couple of people. So let me ask you to advise/help me with what I need to build Flowable from the source. I am ready to help but can’t due to lack of experience. As I said earlier, I know how to build small Java projects. Give me a chance to help the Flowable project with testing the MS AD integration possibility.

Best regards,
Zholaman