LDAP authentication malfunctioning with valid credentials

Hello.

I’m in need of help with a specific LDAP error.

Company’s LDAP is already an existing, running and external instance. Flowable All in One is being run as a Docker container, on my laptop locally. I’ve successfully connected the two and I’m able to log in to the IDM application and see the LDAP users and groups. No problem with that. However, if I want to use any other Flowable application (Task/Admin/Modeler), I get redirected to the IDM login form, where I once again input valid credentials just to be redirected back to the said login form. The logs show an error which indicates I’ve given invalid credentials, but the Google Chrome “Network” tab disagrees and shows that the authentication succeeded. To make everything clear, I’m attaching as much info as I can below.

IDM authentication succeeds with my domain account, successful retrieval of users and groups

Before Modeler login, even though I’m logged in the IDM application

After Modeler login, redirect to same page

Authentication succeeds, but the log says otherwise

Could not create InitialDirContext for LDAP connection: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

LDAP configuration that I pass as environment file

FLOWABLE_IDM_LDAP_ENABLED=true
FLOWABLE_IDM_LDAP_SERVER=ldap://192.168.0.3
FLOWABLE_IDM_LDAP_PORT=389
FLOWABLE_IDM_LDAP_USER=cn=OKDUser,ou=APP,dc=int,dc=svgroup,dc=net
FLOWABLE_IDM_LDAP_PASSWORD=<redacted>
FLOWABLE_IDM_LDAP_BASE_DN=dc=int,dc=svgroup,dc=net
FLOWABLE_IDM_LDAP_USER_BASE_DN=ou=SVGroup,dc=int,dc=svgroup,dc=net
FLOWABLE_IDM_LDAP_GROUP_BASE_DN=cn=Users,dc=int,dc=svgroup,dc=net
FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=user)(sAMAccountName={0}))
FLOWABLE_IDM_LDAP_QUERY_ALL_USERS=(objectClass=user)
FLOWABLE_IDM_LDAP_QUERY_USER_BY_FULL_NAME_LIKE=(&(objectClass=user)(|(givenName={1})(sn={3})(sAMAccountName={3})))
FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER=(&(objectCategory=group)(member={0}))
FLOWABLE_IDM_LDAP_QUERY_ALL_GROUPS=(objectClass=group)
FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID=(&(objectClass=group)(cn={0}))
FLOWABLE_IDM_LDAP_ATTRIBUTE_USER_ID=sAMAccountName
FLOWABLE_IDM_LDAP_ATTRIBUTE_FIRST_NAME=givenName
FLOWABLE_IDM_LDAP_ATTRIBUTE_LAST_NAME=sn
FLOWABLE_IDM_LDAP_ATTRIBUTE_EMAIL=mail
FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_ID=cn
FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_NAME=cn
FLOWABLE_IDM_LDAP_CACHE_GROUP_SIZE=10000
FLOWABLE_IDM_LDAP_CACHE_GROUP_EXPIRATION=180000
FLOWABLE_IDM_APP_ADMIN_USER_ID=svgbf01
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=svgbf01

I can add more relevant stuff, if needed, but the “2 links, 1 image for new members” restrictions are really not helping.

Thanks in advance and best regards.

Any help whatsoever?

See: How To - Flowable and LDAP

Hi @Robinyo - I assume this is for general guidance and ideas for help, and not necessarily a specific response?

Cheers
Paul.

Hi Paul,

I checked the forum this morning to see if there were any questions I might be able to help out with.

Any help whatsoever?

And, I thought that a working example (i.e., flowable/all-in-one & LDAP) would have been of some help.

Cheers
Rob

Thanks, but it wasn’t of any help because it does not mention or even remotely touch the topic of my problem.

As said, company’s LDAP is already an existing, running and external instance. It is not OpenLDAP, it’s Microsoft AD.

@fiki574

When I was initially trying to get the flowable/all-in-one image to work with OpenLDAP I received a similar error message. After some trial and error I was able to resolve the issue by correctly setting the appropriate properties in my environment file and by creating an ldif file with two containers (users and groups) and one user (flowable):

Right, but unfortunately I don’t have time to set up OpenLDAP and do trial-n-error.

This looks like a trivial bug/problem/whatever and I can’t believe no one has a solution for it (even though I’ve seen other reports of this kind), so if anyone would have some concrete answers regarding the actual redirection issue upon successful authentication, I would be grateful.

@fiki574

The reason redirection isn’t working for you is because you haven’t successfully authenticated!

Try running the flowable/all-in-one image without LDAP, navigate to one of the Flowable UI Applications and you will be redirected to the Flowable Identity Management app. If you provide the appropriate credentials you will then be directed back to the Flowable UI app:

Ref:

This picture shows I’ve successfully authenticated and entered the IDM application under “/flowable-idm” URL: https://pasteboard.co/IZEtWy8.png

I’ve also attached the picture of HTTP requests, which get successful response codes before redirecting back to the login screen, regardless of the supposed successful authentication.

It just boggles me that it’s possible to authenticate for IDM app without any problem, but any other app authentication fails.

@fiki574

I can successfully sign into the Flowable apps when using LDAP:

docker run -d --name flowable \
  -p 8080:8080 \
  --env-file ./ldap-env.txt \
  flowable/all-in-one:6.5.0

and when not using LDAP:

docker run -d --name flowable \
  -p 8080:8080 \
  --env-file ./no-ldap-env.txt \
  flowable/all-in-one:6.5.0

ldap-env.txt:

#
# LDAP
#

...

#
# DEFAULT ADMINISTRATOR ACCOUNTS
#

FLOWABLE_IDM_APP_ADMIN_USER_ID=flowable
FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=Flowable
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=Administrator
FLOWABLE_IDM_APP_ADMIN_EMAIL=admin@flowable.org

FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowable
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=test

Note: If you don’t properly configure the default Administrator accounts you may be able to sign in to Flowable’s Identity Management application, however, you won’t be able to sign in to the other Flowable UI applications.

See: How To - Flowable and LDAP


My man, I understood it the first time you posted that you have it working with OpenLDAP. I replied that I have an Active Directory, and that authentication only works for IDM application, whereas other apps get redirected to the IDM login screen.

Hey everyone,

@fiki574, I don’t think that your tone is helpful to get your question answered.

Let’s analyse the problem a bit. Being able to log into the IDM Application means that the connection with LDAP is working and something else is the problem. So the problem is not whether it is OpenLDAP, or Microsoft AD or something completely different. It is related to the way the users are granted authorization for the Flowable UI applications.

If you read the Flowable IDM Application documentation you will see that there are 4 privileges:

  • access-idm: provides the privilege to manage users, groups and privileges
  • access-admin: allows the user to login to the Flowable Admin application, manage the Flowable engines and access the Actuator endpoints of all the applications
  • access-modeler: enables access to the Flowable Modeler application
  • access-task: provides the privilege to login to the Flowable Task application

These privileges control which user can see what. If we go into the source code of the IDM UI Application we can see:

This means that if no IDM privilege exists it would be created and assigned to the admin user, together with the privileges for the other applications. This happens only once on first start.

In your place I would go in the Privileges section of the IDM Application and have a look which user is assigned to which privilege.

Cheers,
Filip

Hey.

Sorry if the tone of my replies sounds harsh, not my intention, just pointing out that fellow member Rob does not need to repeat himself since I understood him the first time, regardless of his replies kind of missing my specific problem.

Okay, so it’s not tied to whether I’m using OpenLDAP or Microsoft AD, neither specific versions of said two tools.

The snippet you posted contains a log message that does not show up for me. I also provided my LDAP env configuration, which contains the property you’re referring to:

FLOWABLE_IDM_APP_ADMIN_USER_ID=svgbf01
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=svgbf01

Do I also need to specify the password and email properties tied to the upper two?

The “svgbf01” user is my user, and it gets the authorization/privileges for all Flowable applications. And with that Admin user I can log in only into the IDM application, regardless of having rights to access the others, where I get constantly redirected to the login screen.

So the only log I get is this one, also mentioned before:

2020-03-23 08:28:59.523  WARN 1 --- [nio-8080-exec-2] o.f.l.LDAPConnectionUtil                 : Could not create InitialDirContext for LDAP connection: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

The credentials are 100% right, even though the log indicates otherwise.

That error can be shown when the password entered by the user is incorrect (but you are saying that this is OK).

The other reason could be that

FLOWABLE_IDM_LDAP_USER=cn=OKDUser,ou=APP,dc=int,dc=svgroup,dc=net
FLOWABLE_IDM_LDAP_PASSWORD=<redacted>

is not valid. Basically, because you have LDAP enabled, whenever the Flowable Identity Service is used to fetch users or groups it would use that user and password to query the LDAP. Can you please verify that those 2 properties are correct?
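The log line quoted above is the one thing in this thread that can be read mechanically, so here is an added example (editor's code, not from the thread or from Flowable) that decodes it. LDAP result code 49 is invalidCredentials; the 80090308 prefix is the Windows SEC_E_LOGON_DENIED status, and the "data NNN" sub-code is Active Directory's reason, where 52e means the account was found but the password was rejected, as opposed to 525 (no such user), 533 (disabled) or 775 (locked out). That distinction matters for Filip's question: a 52e cannot tell you on its own whether it was the service-account bind (FLOWABLE_IDM_LDAP_USER) or the interactive user's bind that failed, only that whichever DN was presented exists and its password was wrong. The sample log lines other than the first are constructed for the example.

```python
import re
from collections import Counter

# Sub-codes Active Directory returns in the "data NNN" field of a failed
# simple bind ("AcceptSecurityContext error"). These are Microsoft's
# well-known values, not Flowable-specific.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (account exists, password rejected)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on at this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Matches the bracketed error JNDI/Flowable prints, e.g.
# "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
#  AcceptSecurityContext error, data 52e, v1db1 ]"
_BIND_ERROR = re.compile(
    r"error code (?P<rc>\d+) - (?P<hresult>[0-9A-Fa-f]{8}): LdapErr: "
    r"DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>[^,]+), "
    r"data (?P<data>[0-9A-Fa-f]+)"
)


def decode_ad_bind_error(message):
    """Return a dict describing the AD bind failure in `message`, or None."""
    m = _BIND_ERROR.search(message)
    if m is None:
        return None
    data = m.group("data").lower()
    return {
        "result_code": int(m.group("rc")),      # 49 = LDAP invalidCredentials
        "hresult": m.group("hresult").lower(),  # 80090308 = SEC_E_LOGON_DENIED
        "dsid": m.group("dsid"),                # AD source-code location, not useful to clients
        "comment": m.group("comment"),
        "data": data,
        "meaning": AD_BIND_SUBCODES.get(data, "unknown sub-code"),
    }


def summarize_bind_failures(log_lines):
    """Count bind failures by AD sub-code; a stream of 52e on one account is
    a misconfigured service password or a password-guessing attempt, while
    525 points at a wrong DN / search base instead."""
    counts = Counter()
    for line in log_lines:
        info = decode_ad_bind_error(line)
        if info is not None:
            counts[info["data"]] += 1
    return dict(counts)


# Constructed sample: first line is the one from the thread, the rest are
# made up to show other sub-codes and an unrelated line.
SAMPLE_LOG = [
    "2020-03-23 08:28:59.523  WARN 1 --- [nio-8080-exec-2] o.f.l.LDAPConnectionUtil "
    ": Could not create InitialDirContext for LDAP connection: [LDAP: error code 49 "
    "- 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]",
    "2020-03-23 08:30:01.001  WARN 1 --- [nio-8080-exec-3] o.f.l.LDAPConnectionUtil "
    ": Could not create InitialDirContext for LDAP connection: [LDAP: error code 49 "
    "- 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 525, v1db1 ]",
    "2020-03-23 08:30:05.777  WARN 1 --- [nio-8080-exec-4] o.f.l.LDAPConnectionUtil "
    ": Could not create InitialDirContext for LDAP connection: [LDAP: error code 49 "
    "- 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 775, v1db1 ]",
    "2020-03-23 08:31:00.000  INFO 1 --- [           main] o.f.u.i.FlowableIdmApplication : Started",
]


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        info = decode_ad_bind_error(line)
        if info:
            print(f"data {info['data']}: {info['meaning']}")
    print(summarize_bind_failures(SAMPLE_LOG))
```

For the thread's own line this yields data 52e, "invalid credentials (account exists, password rejected)". Verifying the service account outside Flowable (an ldapsearch with `-D "cn=OKDUser,ou=APP,dc=int,dc=svgroup,dc=net" -W`) is the quickest way to settle which of the two binds is failing.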

Hey, I found the solution in the meantime.

I needed to specify all these properties, and not only the two referencing my user:

FLOWABLE_IDM_APP_ADMIN_USER_ID=svgbf01
FLOWABLE_IDM_APP_ADMIN_PASSWORD=pass
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=name
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=surname
FLOWABLE_IDM_APP_ADMIN_EMAIL=mail@company.hr
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=svgbf01
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=pass

All applications are now normally accessible.
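The fix above comes down to a complete set of admin properties in the env file, and the follow-up posts show the same problem recurring with partially filled or compose-style (`- KEY=VALUE`) files. As an added example (editor's code, not from the thread or from Flowable), here is a small checker that parses either file style and reports what is missing. The required-key list is exactly the seven properties from the resolved post; the user-id and password consistency checks are a heuristic based on the thread's working configurations, where both pairs carry the same values. The `ldap://` warning is the editor's caveat: a simple bind over plain port 389 sends the service-account password and every user's login password in clear text, so `ldaps://` (or a TLS-protected network path) is the setting a practitioner would want.

```python
import re

# The seven properties the resolved post says must all be present when
# FLOWABLE_IDM_LDAP_ENABLED=true (the two *_USER ones alone are not enough).
REQUIRED_ADMIN_KEYS = (
    "FLOWABLE_IDM_APP_ADMIN_USER_ID",
    "FLOWABLE_IDM_APP_ADMIN_PASSWORD",
    "FLOWABLE_IDM_APP_ADMIN_FIRST_NAME",
    "FLOWABLE_IDM_APP_ADMIN_LAST_NAME",
    "FLOWABLE_IDM_APP_ADMIN_EMAIL",
    "FLOWABLE_COMMON_APP_IDM_ADMIN_USER",
    "FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD",
)

# Accepts "KEY=VALUE" (docker --env-file) and "- KEY=VALUE" (compose
# environment: list). Values are kept verbatim: docker --env-file does not
# strip quotes, so neither do we.
_KV = re.compile(r"^(?:-\s*)?(?P<key>[A-Za-z_][A-Za-z0-9_]*)\s*=(?P<value>.*)$")


def parse_env(text):
    """Parse env-file or compose-list lines into a dict; comments and
    non KEY=VALUE lines (such as '...' placeholders) are skipped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _KV.match(line)
        if m:
            env[m.group("key")] = m.group("value").strip()
    return env


def check_flowable_ldap_env(env):
    """Return a list of problems; empty means the file passes every check."""
    problems = []
    if env.get("FLOWABLE_IDM_LDAP_ENABLED", "").lower() != "true":
        return problems  # checks below only apply to LDAP mode
    for key in REQUIRED_ADMIN_KEYS:
        if not env.get(key):
            problems.append(f"missing: {key}")
    idm_user = env.get("FLOWABLE_IDM_APP_ADMIN_USER_ID")
    app_user = env.get("FLOWABLE_COMMON_APP_IDM_ADMIN_USER")
    if idm_user and app_user and idm_user != app_user:
        problems.append("mismatch: FLOWABLE_IDM_APP_ADMIN_USER_ID != FLOWABLE_COMMON_APP_IDM_ADMIN_USER")
    idm_pw = env.get("FLOWABLE_IDM_APP_ADMIN_PASSWORD")
    app_pw = env.get("FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD")
    if idm_pw and app_pw and idm_pw != app_pw:
        problems.append("mismatch: FLOWABLE_IDM_APP_ADMIN_PASSWORD != FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD")
    server = env.get("FLOWABLE_IDM_LDAP_SERVER", "")
    if server.lower().startswith("ldap://"):
        problems.append("warning: FLOWABLE_IDM_LDAP_SERVER uses ldap:// "
                        "(simple bind passwords travel in clear text); prefer ldaps://")
    return problems


# Constructed samples: the relevant lines of the original question's file,
# the resolved file, and the compose-style snippet from a later reply.
ORIGINAL_ENV = """
FLOWABLE_IDM_LDAP_ENABLED=true
FLOWABLE_IDM_LDAP_SERVER=ldap://192.168.0.3
FLOWABLE_IDM_LDAP_PORT=389
FLOWABLE_IDM_LDAP_USER=cn=OKDUser,ou=APP,dc=int,dc=svgroup,dc=net
FLOWABLE_IDM_LDAP_PASSWORD=<redacted>
FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=user)(sAMAccountName={0}))
FLOWABLE_IDM_APP_ADMIN_USER_ID=svgbf01
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=svgbf01
"""

FIXED_ENV = """
FLOWABLE_IDM_LDAP_ENABLED=true
FLOWABLE_IDM_LDAP_SERVER=ldaps://192.168.0.3
FLOWABLE_IDM_APP_ADMIN_USER_ID=svgbf01
FLOWABLE_IDM_APP_ADMIN_PASSWORD=pass
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=name
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=surname
FLOWABLE_IDM_APP_ADMIN_EMAIL=mail@company.hr
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=svgbf01
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=pass
"""

COMPOSE_ENV = """
- FLOWABLE_IDM_LDAP_ENABLED=true
- FLOWABLE_IDM_APP_ADMIN_USER_ID=flowLdap
- FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
- FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowLdap
- FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=other
"""


if __name__ == "__main__":
    for name, text in (("original", ORIGINAL_ENV), ("fixed", FIXED_ENV), ("compose", COMPOSE_ENV)):
        print(name, check_flowable_ldap_env(parse_env(text)) or "OK")
```

Run against the original question's file it reports the five absent admin keys plus the ldap:// warning; the resolved file passes. One more thing the checker does not (and cannot) verify: with LDAP enabled the admin user named here must actually exist in the directory, since that is the account the other UI apps authenticate with against IDM.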

Glad to hear it’s resolved. Thanks for reporting the outcome.

Cheers
Paul.


I put the same configuration in my docker configuration file, but it is not solving the issue. Configuration:

.
.
.
- FLOWABLE_IDM_APP_ADMIN_USER_ID=flowLdap
- FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
- FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowLdap
- FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=test
- FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=Flowable
- FLOWABLE_IDM_APP_ADMIN_LAST_NAME=Administrator
- FLOWABLE_IDM_APP_ADMIN_EMAIL=admin@flowable.org

Can you please help me for this?

@fiki574

I am facing the same issue. Can you please help me get a sample docker configuration file with LDAP?