Integration with Microsoft Active Directory

Hi,

‘Flowable’ has been successfully integrated with LDAP, BUT there is still an issue with MS AD integration. Information about the LDAP integration can be found here.

Does anyone have any ideas on how to solve this issue?

Best regards,
Zholaman

Hi Zholaman,

I have a working configuration from Flowable to Active Directory. I find the other LDAP thread quite long and a bit hard to follow.
Which problems are you still having?

Regards,
Paul

Hi pstapleton,

The following configuration is correct and works well for the ApacheDS LDAP server, but not for MS AD. My LDAP settings (in flowable-ui-app.properties of flowable-idm) are almost the same as shown in the User Guide:

ldap.enabled=true
ldap.server=ldap://192.168.0.14
ldap.port=10389
ldap.user=uid=admin, ou=system
ldap.password=secret
ldap.basedn=o=system
ldap.query.userbyid=(&(objectClass=inetOrgPerson)(uid={0}))
ldap.query.userbyname=(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))
ldap.query.userall=(objectClass=user)
ldap.query.groupsforuser=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
ldap.query.groupall=(objectClass=groupOfUniqueNames)
ldap.attribute.userid=uid
ldap.attribute.firstname=cn
ldap.attribute.lastname=sn
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn
ldap.cache.groupsize=10000
ldap.cache.groupexpiration=180000

So I can’t understand what I need to do to resolve this issue.

I also have the following questions:

  1. In flowable-ui-app.properties (flowable-idm module) we have the option “ldap.user=uid=admin”, so what is ‘uid’, and can we use a different identifier instead of it? For example, in MS AD we do not have ‘uid’, but there are two identifiers that we can use:

a) cn (like ‘John Deep’, with a space character between first and last names);
b) sAMAccountName (like ‘john.deep’, without a space character)

  2. What type of data, and in what format, do we need to return for the following two variables:

ldap.query.userbyid=?
ldap.query.userbyname=?

  3. If we do not have the ‘uid’ identifier in MS AD, what exactly do we need to change in the following LDAP query? Or, if we need to change only the ‘uid’ parameter, what should we use instead of ‘uid’:

ldap.query.userbyid=(&(objectClass=person)(uid={0}))

Best regards,
Zholaman

Hi Zholaman,

Here is my configuration. I am not an AD expert and I found this via trial and error (by poking around AD with an explorer tool); I would imagine that there are differences between your AD setup and mine.
I also run Flowable-6.0.0, which does not have the same LDAP solution as the next release seems to have, and I have needed to make a few modifications to get things to work. As such I do not have all the same properties defined as you give above.

I use sAMAccountName instead of uid and my object class is user instead of inetOrgPerson. Other than that most parameters are similar to the example.

ldap.enabled=true
ldap.server=ldap://myldapserver
ldap.port=389
ldap.user=CN=admin, OU=system, DC=mydomain
ldap.password=secret
ldap.basedn=DC=mydomain
ldap.userBaseDn=
ldap.groupBaseDn=OU=Groups
ldap.query.userbyid=(&(sAMAccountName={0})(objectClass=user))
ldap.query.userbyname=
ldap.query.userall=
ldap.query.groupsforuser=
ldap.query.groupall=
ldap.attribute.userid=sAMAccountName
ldap.attribute.firstname=givenName
ldap.attribute.lastname=sn
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn

I hope that this provides some help to you anyway.

/Paul

Dear pstapleton,

Thank you a lot for your configuration; I will try to use it.

FYI:
If you want to build Flowable from the sources, I have prepared two step-by-step instructions on how to build it under Windows 7 and Ubuntu Server 16.04.

Let me clarify 3 points:

  1. How do you get all users; what does your query (ldap.query.userall=) look like?
  2. The same as above, but for groups (ldap.query.groupall=)?
  3. What about the parameter ldap.userBaseDn=; we should point it to the users’ OU, shouldn’t we?

Best regards,
Zholaman

Hi, I have built Flowable-6.0.1-SNAPSHOT from source now and got the configuration to work. Here is my final configuration:

ldap.enabled=true
ldap.server=ldap://myldapserver
ldap.port=389
ldap.user=CN=admin, OU=organisation, DC=mydomain
ldap.password=secret
ldap.basedn=DC=mydomain
# I have added these two properties, see below
ldap.userbasedn=OU=organisation,DC=mydomain
ldap.groupbasedn=OU=organisation,DC=mydomain

ldap.query.userbyid=(&(sAMAccountName={0})(objectClass=user))
# The memberOf is used to limit the search to the same Groups as groupall Query, and not search everyone in AD (which takes a long time)
ldap.query.userbyname=(&(objectClass=user)(memberOf\=CN\=MyFlowableGroup,OU\=organisation,DC\=mydomain)(|({0}=*{1}*)({2}=*{3}*)))
ldap.query.userall=(&(objectclass\=user)(memberOf\=CN\=MyFlowableGroup,OU\=organisation,DC\=mydomain))
ldap.query.groupsforuser=(member={0})
ldap.query.groupall=(&(objectClass=group)(cn=MyFlowableGroup))
ldap.attribute.userid=sAMAccountName
ldap.attribute.firstname=givenName
ldap.attribute.lastname=sn
ldap.attribute.email=mail
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn
ldap.cache.groupsize=10000
ldap.cache.groupexpiration=180000

# Also don't forget to set the admin user in LDAP. This is used when bootstrapping flowable-idm so that someone can log in
admin.userid=my-account

When I originally ran it I had a problem with an exception -
javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name DC=mydomain

This is something to do with the AD setup that I don't fully understand. I can fix this by not searching at the base and instead setting the userBaseDn and groupBaseDn.
I did this by modifying org.flowable.app.conf.FlowableIdmEngineConfiguration, and this fixed the issue:

public class FlowableIdmEngineConfiguration {

...
    
    protected void initializeLdap(SpringIdmEngineConfiguration idmEngineConfiguration) {
...
        
        ldapConfiguration.setBaseDn(environment.getRequiredProperty("ldap.basedn"));
        // Added these 2 lines
        ldapConfiguration.setUserBaseDn(environment.getRequiredProperty("ldap.userbasedn"));
        ldapConfiguration.setGroupBaseDn(environment.getRequiredProperty("ldap.groupbasedn"));

        ldapConfiguration.setQueryUserByUserId(environment.getRequiredProperty("ldap.query.userbyid"));
        ldapConfiguration.setQueryUserByFullNameLike(environment.getRequiredProperty("ldap.query.userbyname"));
        ldapConfiguration.setQueryAllUsers(environment.getRequiredProperty("ldap.query.userall"));
        ldapConfiguration.setQueryGroupsForUser(environment.getRequiredProperty("ldap.query.groupsforuser"));
        ldapConfiguration.setQueryAllGroups(environment.getRequiredProperty("ldap.query.groupall"));
...
    }
...
}

After that I could log into flowable-idm using the sAMAccountName I specified earlier -> ‘my-account’. I haven't tested that all features of flowable-idm work with this configuration, so it's possible I have some error above. But I hope you find this helpful.

Regards,
Paul

Dear Paul,

Thanks for your very useful and extended answer/explanation!!!

Let me clarify one point: you wrote that you modified the “FlowableIdmEngineConfiguration”; do I also need to modify/apply these changes to my sources or not?

Also, my Flowable seems to connect to MS AD, but I can’t log into flowable-idm using the sAMAccountName specified in admin.userid=my-account. So let me ask where we can find log messages about the authentication/authorization activity of Flowable.

In catalina.out I found the following message:
12:03:58,007 [http-nio-8080-exec-299] WARN org.flowable.ldap.LDAPConnectionUtil - Could not create InitialDirContext for LDAP connection: 192.168.0.1:389

Best regards,
Zholaman

Hi,

The changes in FlowableIdmEngineConfiguration are only needed if you see the exception javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name DC=mydomain and want to know how I solved it. I think this is related to my AD setup, but I am not an expert in this. I only mentioned it in case you have the same issue. I believe that by default the userBaseDn/groupBaseDn is the same as the baseDn.

The error

12:03:58,007 [http-nio-8080-exec-299] WARN org.flowable.ldap.LDAPConnectionUtil - Could not create InitialDirContext for LDAP connection: 192.168.0.1:389

means that the LDAP connection could not be made for some reason. Without a full stack trace it's hard to say why, but it's probably a wrong IP, port, username or password (or a network issue). I’d fix the configuration so that this message disappears first.

Regards,
Paul

Dear Paul,

I have checked the IP address, login and password with AD Explorer; they are all correct and I have found no inconsistency.

You have mentioned that it is hard to say the reason for my problem without a stack trace, so let me provide my stack for your investigation. The message below is raised every time I try to log in to Flowable.

Please review this stack when you have time:

03:37:19,031 [http-nio-8080-exec-22] WARN  org.flowable.ldap.LDAPConnectionUtil  - Could not create InitialDirContext for LDAP connection : 192.160.0.1:389
03:37:19,036 [http-nio-8080-exec-22] INFO  org.flowable.ldap.LDAPTemplate  - Could not create LDAP connection : Could not create InitialDirContext for LDAP connection : 192.160.0.1:389
org.flowable.engine.common.api.FlowableException: Could not create InitialDirContext for LDAP connection : 192.160.0.1:389
    at org.flowable.ldap.LDAPConnectionUtil.createDirectoryContext(LDAPConnectionUtil.java:57)
    at org.flowable.ldap.LDAPConnectionUtil.creatDirectoryContext(LDAPConnectionUtil.java:35)
    at org.flowable.ldap.LDAPTemplate.execute(LDAPTemplate.java:38)
    at org.flowable.ldap.LDAPIdentityServiceImpl.executeCheckPassword(LDAPIdentityServiceImpl.java:147)
    at org.flowable.ldap.LDAPIdentityServiceImpl.checkPassword(LDAPIdentityServiceImpl.java:64)
    at org.flowable.app.security.CustomLdapAuthenticationProvider.authenticate(CustomLdapAuthenticationProvider.java:47)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
    at org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
    at org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:93)
    at org.flowable.app.web.CustomUsernamePasswordAuthenticationFilter.attemptAuthentication(CustomUsernamePasswordAuthenticationFilter.java:39)
    at org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
    at org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
    at org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
    at org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
    at org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
    at org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
    at org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:192)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:165)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:198)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:96)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:140)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:80)
    at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:624)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:87)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:341)
    at org.apache.coyote.http11.Http11Processor.service(Http11Processor.java:799)
    at org.apache.coyote.AbstractProcessorLight.process(AbstractProcessorLight.java:66)
    at org.apache.coyote.AbstractProtocol$ConnectionHandler.process(AbstractProtocol.java:861)
    at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1455)
    at org.apache.tomcat.util.net.SocketProcessorBase.run(SocketProcessorBase.java:49)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
    at java.lang.Thread.run(Thread.java:745)
Caused by: javax.naming.CommunicationException: 192.168.0.1:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:226)
    at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)
    at com.sun.jndi.ldap.LdapClient.getInstance(LdapClient.java:1614)
    at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2746)
    at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:319)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:192)
    at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:210)
    at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:153)
    at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:83)
    at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
    at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:313)
    at javax.naming.InitialContext.init(InitialContext.java:244)
    at javax.naming.InitialContext.<init>(InitialContext.java:216)
    at javax.naming.directory.InitialDirContext.<init>(InitialDirContext.java:101)
    at org.flowable.ldap.LDAPConnectionUtil.createDirectoryContext(LDAPConnectionUtil.java:54)
    ... 43 more
Caused by: java.net.ConnectException: Connection timed out (Connection timed out)
    at java.net.PlainSocketImpl.socketConnect(Native Method)
    at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)
    at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)
    at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)
    at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
    at java.net.Socket.connect(Socket.java:589)
    at java.net.Socket.connect(Socket.java:538)
    at java.net.Socket.<init>(Socket.java:434)
    at java.net.Socket.<init>(Socket.java:211)
    at com.sun.jndi.ldap.Connection.createSocket(Connection.java:363)
    at com.sun.jndi.ldap.Connection.<init>(Connection.java:203)
    ... 57 more

My current configuration is:

ldap.enabled=true
ldap.server=ldap://192.160.0.1
ldap.port=389
ldap.user=CN=admin1,CN=Users,DC=domain,DC=company,DC=kz
ldap.password=pass
ldap.basedn=CN=Users,DC=domain,DC=company,DC=kz
ldap.userbasedn=
ldap.groupbasedn=
ldap.query.userbyid=(&(sAMAccountName={0})(objectClass=user))
ldap.query.userbyname=(&(objectClass=user)(memberOf\=CN\=Users,DC\=domain,DC\=company,DC\=kz)(|({0}=*{1}*)({2}=*{3}*)))
ldap.query.userall=(&(objectclass=user)(memberOf\=CN\=Users,DC\=domain,DC\=company,DC\=kz))
ldap.query.groupsforuser=(member={0})
ldap.query.groupall=(&(objectClass=group)(cn=Users))
ldap.attribute.userid=sAMAccountName
ldap.attribute.firstname=givenName
ldap.attribute.lastname=sn
ldap.attribute.email=mail
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn
ldap.cache.groupsize=10000
ldap.cache.groupexpiration=180000

admin.userid=admin1

I also tried changing the following, but with no success:

ldap.userbasedn=CN=Users,DC=domain.company.kz
ldap.groupbasedn=CN=Users,DC=domain.company.kz
or
ldap.userbasedn=CN=Users,DC=domain,DC=company,DC=kz
ldap.groupbasedn=CN=Users,DC=domain,DC=company,DC=kz

I also tried to use the following configuration, BUT also with no success; I can’t authenticate/authorize in flowable-idm (with login: admin1):

ldap.enabled=true
ldap.server=ldap://192.160.0.1
ldap.port=389
ldap.user=CN=admin1,CN=Users,DC=domain.company.kz (also used:  CN=Users,DC=domain,DC=company,DC=kz)
ldap.password=pass
ldap.basedn=CN=Users,DC=domain.company.kz (also used:  CN=Users,DC=domain,DC=company,DC=kz)
ldap.userbasedn=
ldap.groupbasedn=CN=Users
ldap.query.userbyid=(&(sAMAccountName={0})(objectClass=user))
ldap.query.userbyname=
ldap.query.userall=
ldap.query.groupsforuser=
ldap.query.groupall=
ldap.attribute.userid=sAMAccountName
ldap.attribute.firstname=givenName
ldap.attribute.lastname=sn
ldap.attribute.email=mail
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn
ldap.cache.groupsize=10000
ldap.cache.groupexpiration=180000

This is the answer to the POST request (to http://192.168.0.90:8080/flowable-idm/app/authentication) from the flowable-idm login page (http://192.168.0.90:8080/flowable-idm/#/login):

HTTP Status 500 – Internal Server Error
Type: Exception Report
Description: The server encountered an unexpected condition that prevented it from fulfilling the request.
Exception:
java.lang.NullPointerException
	org.flowable.ldap.LDAPConnectionUtil.closeDirectoryContext(LDAPConnectionUtil.java:64)
	org.flowable.ldap.LDAPTemplate.execute(LDAPTemplate.java:43)
	org.flowable.ldap.LDAPIdentityServiceImpl.executeCheckPassword(LDAPIdentityServiceImpl.java:147)
	org.flowable.ldap.LDAPIdentityServiceImpl.checkPassword(LDAPIdentityServiceImpl.java:64)
	org.flowable.app.security.CustomLdapAuthenticationProvider.authenticate(CustomLdapAuthenticationProvider.java:47)
	org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:167)
	org.springframework.security.authentication.ProviderManager.authenticate(ProviderManager.java:192)
	org.springframework.security.web.authentication.UsernamePasswordAuthenticationFilter.attemptAuthentication(UsernamePasswordAuthenticationFilter.java:93)
	org.flowable.app.web.CustomUsernamePasswordAuthenticationFilter.attemptAuthentication(CustomUsernamePasswordAuthenticationFilter.java:39)
	org.springframework.security.web.authentication.AbstractAuthenticationProcessingFilter.doFilter(AbstractAuthenticationProcessingFilter.java:217)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.authentication.logout.LogoutFilter.doFilter(LogoutFilter.java:120)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.header.HeaderWriterFilter.doFilterInternal(HeaderWriterFilter.java:64)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.context.SecurityContextPersistenceFilter.doFilter(SecurityContextPersistenceFilter.java:91)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.context.request.async.WebAsyncManagerIntegrationFilter.doFilterInternal(WebAsyncManagerIntegrationFilter.java:53)
	org.springframework.web.filter.OncePerRequestFilter.doFilter(OncePerRequestFilter.java:107)
	org.springframework.security.web.FilterChainProxy$VirtualFilterChain.doFilter(FilterChainProxy.java:330)
	org.springframework.security.web.FilterChainProxy.doFilterInternal(FilterChainProxy.java:213)
	org.springframework.security.web.FilterChainProxy.doFilter(FilterChainProxy.java:176)
	org.springframework.web.filter.DelegatingFilterProxy.invokeDelegate(DelegatingFilterProxy.java:346)
	org.springframework.web.filter.DelegatingFilterProxy.doFilter(DelegatingFilterProxy.java:262)
Note: The full stack trace of the root cause is available in the server logs.
Apache Tomcat/8.5.13

Thank you in advance!

Best regards,
Zholaman

Hi,

The underlying problem is still that Flowable cannot connect to AD, i.e. it is a networking issue.

Caused by: javax.naming.CommunicationException: 192.168.0.1:389 [Root exception is java.net.ConnectException: Connection timed out (Connection timed out)]

I noticed that in your configuration you have the IP address 192.160.0.1, but the error message is for another IP address, 192.168.0.1. Not sure why it's not the same, but check that there aren’t multiple properties files on the classpath, and that the configuration is as you expect.

The NullPointerException is a consequence of the LDAP Connection failing - the LDAP context has not been created.

When you run AD Explorer is it from the same machine as Flowable runs?

/ Paul

Dear Paul,

The above IP address was a mistake; due to this mistake I could not connect to MS AD.

Now I have connected to MS AD and authorized in Flowable (with AD user login: admin1), but I have faced another challenge: I do not see a list of AD users in the web UI of flowable-idm. What do I need to do to get the AD user list in flowable-idm?

Thank you in advance!

Best regards,
Zholaman

Hi,

I would guess that the query for ldap.query.userall is not properly defined or is returning 0 results.
You should check that the query is correct and returns all the users that should have access to Flowable.

Regards,
Paul

Hi Paul,

I have found the correct queries; to get them I used the VTLDAPQuery tool.

The correct query for getting the list of users:
ldap.query.userall=(objectclass=user)

The query for groups:
ldap.query.groupall=(objectClass=group)


The last challenge is how to assign privileges to an AD user. I can’t find a way to do this through the web GUI of flowable-idm.

‘Add a user’ on the Privileges->Users tab of the web GUI of flowable-idm didn’t show AD users - screenshot. Also I can’t assign privileges to a group. When I select a group it does not appear in the general list within this ‘Groups’ tab - screenshot.

I have made a little investigation. When we click on ‘Add a user’ we get the ‘Select user’ dialog window, which makes a request to http://192.168.0.78:8080/flowable-idm/app/rest/admin/users that returns the error.

My current LDAP configuration is:

ldap.enabled=true
ldap.server=ldap://192.168.0.1
ldap.port=389
ldap.user=CN=admin1,OU=deps,DC=domain,DC=company,DC=kz
ldap.password=pass
ldap.basedn=OU=deps,DC=domain,DC=company,DC=kz
ldap.userbasedn=OU=deps,DC=domain,DC=company,DC=kz
ldap.groupbasedn=OU=deps,DC=domain,DC=company,DC=kz
ldap.query.userbyid=(&(sAMAccountName={0})(objectClass=user))
ldap.query.userbyname=((objectClass=user)(|({0}=*{1}*)({2}=*{3}*)))
ldap.query.userall=(objectclass=user)
ldap.query.groupsforuser=(&(objectCategory=group)(member=cn={0},ou=deps,dc=domain,dc=company,dc=kz))
ldap.query.groupall=(objectClass=group)
ldap.attribute.userid=sAMAccountName
ldap.attribute.firstname=givenName
ldap.attribute.lastname=sn
ldap.attribute.email=mail
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn
ldap.cache.groupsize=10000
ldap.cache.groupexpiration=180000

#
# DEFAULT ADMINISTRATOR ACCOUNT
#

admin.userid=admin1

Thank you in advance!

Best regards,
Zholaman

Hi,

I believe that the error you are seeing - NullPointerException - occurs due to some other AD-related error.
In some cases when accessing AD, any errors that occur are only logged at debug level and a null is returned. This can then cause a NullPointerException later on.

I would turn up the logging in org.flowable.ldap to DEBUG and see if there is some other error reported in the server log.

Regards,
Paul

Hi pstapleton,

  1. Let me ask how to turn up the logging in org.flowable.ldap to DEBUG?

  2. At the moment I have no problem getting the list of MS AD users in Flowable. But there is a different challenge/problem. As I mentioned above, I can’t assign privileges to an AD user or group through the web GUI of flowable-idm. So could you tell me, please, if you know, how this problem can be related to LDAP? To me this error can be considered Flowable’s internal error.

Thanks!

Best regards,
Zholaman

  1. This may vary depending on how you deploy the flowable-idm.war file, but in Tomcat there is a log4j configuration file at $CATALINA_HOME/webapps/flowable-idm/WEB-INF/classes/log4j.properties. Modify this and add the line:

log4j.logger.org.flowable.ldap=DEBUG

Then restart Tomcat and you should get debug logging in the LDAP module.

  2. I suspect that one of your queries is still incorrect or you are experiencing some other problem. The error you report is most likely caused by an earlier error. If you examine the source code for the LDAP module you’ll see that in some places LDAP errors are printed to DEBUG logging and a null is returned. In some cases this null value is incorrectly handled.
    This is why you need to run with debug logging - to see what the original error was.

/Paul

Dear pstapleton,

All clear, thank you a lot!

Best regards,
Zholaman

For anybody who needs to configure Flowable with MS AD, you can use this example config:

ldap.enabled=true
ldap.server=ldap://192.168.0.1
ldap.port=389
ldap.user=CN=admin1,OU=deps,DC=company,DC=domain,DC=kz
ldap.password=pass
ldap.basedn=OU=deps,DC=company,DC=domain,DC=kz
ldap.userbasedn=OU=deps,DC=company,DC=domain,DC=kz
ldap.groupbasedn=OU=deps,DC=company,DC=domain,DC=kz
ldap.query.userbyid=(&(objectClass=user)(sAMAccountName={0}))
ldap.query.userbyname=(&(objectClass=user)(|({0}=*{1}*)({2}=*{3}*)))
ldap.query.userall=(objectclass=user)
ldap.query.groupsforuser=(&(objectCategory=group)(member={0}))
ldap.query.groupall=(objectClass=group)
ldap.attribute.userid=sAMAccountName
ldap.attribute.firstname=givenName
ldap.attribute.lastname=sn
ldap.attribute.email=mail
ldap.attribute.groupid=cn
ldap.attribute.groupname=cn
ldap.cache.groupsize=10000
ldap.cache.groupexpiration=180000

#
# DEFAULT ADMINISTRATOR ACCOUNT
#

admin.userid=admin1

But I am not sure about the correctness of this query:
ldap.query.groupsforuser=(&(objectCategory=group)(member={0}))
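The filters in an example config like the one above (and the earlier `userbyname` filter in this thread that lacks its leading `&`) can be sanity-checked offline before Flowable ever sends them to the directory. The following Python is an added example, not Flowable's code or any poster's; it fills the `{0}`..`{3}` placeholders the way the thread's filters use them (user id for `userbyid`, attribute/value pairs for `userbyname`, the user DN for `groupsforuser`), escapes the substituted values as RFC 4515 requires so a login name containing filter metacharacters is matched literally, and parses the result with a small filter grammar; the sample properties and names are constructed.

```python
"""Checker for the ldap.query.* filters in flowable-ui-app.properties (added example,
not Flowable code). It fills the {0}..{3} placeholders the way the thread's filters
use them, escapes the substituted values per RFC 4515, and parses the result so a
malformed filter (for example a missing '&') is caught before the directory is asked."""
import re

# Constructed sample: the thread's final AD filters plus one of the '\=' style lines,
# with the userbyname filter deliberately missing its leading '&'.
SAMPLE_PROPERTIES = r"""
ldap.query.userbyid=(&(objectClass=user)(sAMAccountName={0}))
ldap.query.userbyname=((objectClass=user)(|({0}=*{1}*)({2}=*{3}*)))
ldap.query.userall=(&(objectclass\=user)(memberOf\=CN\=MyFlowableGroup,OU\=organisation,DC\=mydomain))
ldap.query.groupsforuser=(&(objectCategory=group)(member={0}))
ldap.query.groupall=(objectClass=group)
"""
# RFC 4515 escapes for the characters that would otherwise alter filter structure.
ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# An attribute description followed by a filter operator, e.g. "sAMAccountName=".
ITEM = re.compile(r"[A-Za-z][\w.;-]*(~=|>=|<=|=)")

def load_queries(text):
    r"""Collect the ldap.query.* keys; only the '\=' escape seen in the thread is undone."""
    queries = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("ldap.query."):
            queries[key] = value.replace("\\=", "=")
    return queries

def escape_value(value):
    """Escape an assertion value so it matches literally instead of acting as syntax."""
    return "".join(ESCAPES.get(ch, ch) for ch in value)

def render(template, *args):
    """Fill {0}, {1}, ... with escaped values; any '*' wildcard must come from the template."""
    for i, arg in enumerate(args):
        template = template.replace("{%d}" % i, escape_value(arg))
    return template

def _parse(text, pos):
    """Consume one filter starting at pos and return the index just past it."""
    if pos >= len(text) or text[pos] != "(":
        raise ValueError("expected '(' at %d" % pos)
    pos += 1
    if pos < len(text) and text[pos] in "&|":      # AND / OR: one or more sub-filters
        op, pos, count = text[pos], pos + 1, 0
        while pos < len(text) and text[pos] == "(":
            pos, count = _parse(text, pos), count + 1
        if count == 0:
            raise ValueError("empty '%s' filter at %d" % (op, pos))
    elif pos < len(text) and text[pos] == "!":     # NOT: exactly one sub-filter
        pos = _parse(text, pos + 1)
    else:                                          # attr=value, value may contain '*'
        match = ITEM.match(text, pos)
        if not match:
            raise ValueError("expected attribute=value at %d" % pos)
        pos = text.find(")", match.end())
        if pos < 0:
            raise ValueError("unterminated value at %d" % match.end())
    if pos >= len(text) or text[pos] != ")":
        raise ValueError("expected ')' at %d" % pos)
    return pos + 1

def is_valid_filter(text):
    """True if text is exactly one well-formed RFC 4515 filter."""
    try:
        return _parse(text, 0) == len(text)
    except ValueError:
        return False

def check_queries(queries, user_id="john.deep", name="Jo"):
    """Render every query with sample input and return {key: rendered} for those that fail."""
    samples = {  # userbyname takes attribute/value pairs, as ({0}=*{1}*) shows
        "ldap.query.userbyid": (user_id,),
        "ldap.query.userbyname": ("givenName", name, "sn", name),
        "ldap.query.groupsforuser": ("CN=John Deep,OU=deps,DC=mydomain",),
    }
    rendered = {k: render(t, *samples.get(k, ())) for k, t in queries.items()}
    return {k: f for k, f in rendered.items() if not is_valid_filter(f)}
```

Running `check_queries(load_queries(SAMPLE_PROPERTIES))` reports only the `userbyname` filter, which is the same defect Paul's "one of your queries is still incorrect" points at; the other four render and parse cleanly.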

@Zholaman & @pstapleton thanks for your valuable contributions.
I’m finally able to connect to AD thanks to your comments.

I’m having an issue now with LDAP: error code 4 - Sizelimit Exceeded.
I’m not sure how to implement pagination in LDAP. I was assuming it's being handled by the flowable-ldap lib.

Anyone facing the same issue?

I increased maxPageSize on the AD server side and it's working now.
The problem now is to enable pagination on the flowable-ui-idm Users page.