LDAP authentication malfunctioning with valid credentials

Thanks, but it wasn’t of any help because it does not mention or even remotely touch the topic of my problem.

As said, the company's LDAP is already an existing, running and external instance. It is not OpenLDAP; it's Microsoft AD.

@fiki574

When I was initially trying to get the flowable/all-in-one image to work with OpenLDAP I received a similar error message. After some trial and error I was able to resolve the issue by correctly setting the appropriate properties in my environment file and by creating an ldif file with two containers (users and groups) and one user (flowable):

Right, but unfortunately I don’t have time to set up OpenLDAP and do trial-n-error.

This looks like a trivial bug/problem/whatever and I can’t believe no one has a solution for it (even though I’ve seen other reports of this kind), so if anyone would have some concrete answers regarding the actual redirection issue upon successful authentication, I would be grateful.

@fiki574

The reason redirection isn’t working for you is because you haven’t successfully authenticated!

Try running the flowable/all-in-one image without LDAP, navigate to one of the Flowable UI Applications and you will be redirected to the Flowable Identity Management app. If you provide the appropriate credentials you will then be directed back to the Flowable UI app:

Ref:

This picture shows I’ve successfully authenticated and entered the IDM application under “/flowable-idm” URL: https://pasteboard.co/IZEtWy8.png

I’ve also attached the picture of HTTP requests, which get successful response codes before redirecting back to the login screen, regardless of the supposed successful authentication.

It just boggles me that it’s possible to authenticate for IDM app without any problem, but any other app authentication fails.

@fiki574

I can successfully sign into the Flowable apps when using LDAP:

docker run -d --name flowable \
  -p 8080:8080 \
  --env-file ./ldap-env.txt \
  flowable/all-in-one:6.5.0

and when not using LDAP:

docker run -d --name flowable \
  -p 8080:8080 \
  --env-file ./no-ldap-env.txt \
  flowable/all-in-one:6.5.0

ldap-env.txt:

#
# LDAP
#

...

#
# DEFAULT ADMINISTRATOR ACCOUNTS
#

FLOWABLE_IDM_APP_ADMIN_USER_ID=flowable
FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=Flowable
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=Administrator
FLOWABLE_IDM_APP_ADMIN_EMAIL=admin@flowable.org

FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowable
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=test

Note: If you don’t properly configure the default Administrator accounts you may be able to sign in to Flowable’s Identity Management application, however, you won’t be able to sign in to the other Flowable UI applications.

See: How To - Flowable and LDAP


My man, I understood it the first time you posted that you have it working with OpenLDAP. I replied that I have an Active Directory, and that authentication only works for IDM application, whereas other apps get redirected to the IDM login screen.

Hey everyone,

@fiki574, I don’t think that your tone is helpful to get your question answered.

Let's analyse the problem a bit. Logging into the IDM Application works, which means that the connection with LDAP is working and something else is the problem. So the problem is not whether it is OpenLDAP, Microsoft AD or something completely different. It is related to the way the users are granted authorization for the Flowable UI applications.

If you read the Flowable IDM Application documentation you will see that there are 4 privileges:

  • access-idm: provides the privilege to manage users, groups and privileges
  • access-admin: allows the user to login to the Flowable Admin application, manage the Flowable engines and access the Actuator endpoints of all the applications
  • access-modeler: enables access to the Flowable Modeler application
  • access-task: provides the privilege to login to the Flowable Task application

These privileges control which user can see what. If we go into the source code of the IDM UI Application we can see:

This means that if no IDM privilege exists it would be created and assigned to the admin user, together with the privileges for the other applications. This happens only once on first start.

In your place I would go in the Privileges section of the IDM Application and have a look which user is assigned to which privilege.

Cheers,
Filip

Hey.

Sorry if the tone of my replies sounds harsh; that was not my intention. I was just pointing out that fellow member Rob does not need to repeat himself, since I understood him the first time, regardless of his replies kind of missing my specific problem.

Okay, so it's not tied to whether I'm using OpenLDAP or Microsoft AD, nor to specific versions of said two tools.

The snippet you posted contains a log message that does not show up for me. I also provided my LDAP env configuration, which contains the properties you're referencing:

FLOWABLE_IDM_APP_ADMIN_USER_ID=svgbf01
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=svgbf01

Do I also need to specify the password and email properties tied to the upper two?

The “svgbf01” user is my user, and it gets the authorization/privileges for all Flowable applications. And with that Admin user I can log in only into the IDM application, regardless of having rights to access the others, where I get constantly redirected to the login screen.

So the only log I get is this one, also mentioned before:

2020-03-23 08:28:59.523  WARN 1 --- [nio-8080-exec-2] o.f.l.LDAPConnectionUtil                 : Could not create InitialDirContext for LDAP connection: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1 ]

The credentials are 100% right, even though the log indicates otherwise.

That error can be shown when the password the user enters is incorrect (but you are saying that this is OK).

The other reason could be that

FLOWABLE_IDM_LDAP_USER=cn=OKDUser,ou=APP,dc=int,dc=svgroup,dc=net
FLOWABLE_IDM_LDAP_PASSWORD=<redacted>

is not valid. Basically, because you have LDAP enabled, whenever the Flowable Identity Service is used to fetch users or groups it uses that user and password to query LDAP. Can you please verify that those 2 properties are correct?
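The warning quoted above carries more information than "error code 49": Active Directory appends a hex sub-code in the "data NNN" field of the AcceptSecurityContext comment that says why the bind was rejected, and that tells you whether to look at the service account configured in FLOWABLE_IDM_LDAP_USER / FLOWABLE_IDM_LDAP_PASSWORD or at the account state in AD. The following is an added helper, not Flowable's code and not posted by anyone in this thread; it parses that log line shape, handles the non-AD case where the server sends only "Invalid Credentials", and the sample lines and the `next_check` hints are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Added helper, not Flowable code: classify the "Could not create
# InitialDirContext" warning that Flowable's LDAPConnectionUtil logs when an
# LDAP bind is rejected. Microsoft AD appends a hex sub-code ("data NNN") to
# result code 49 that says *why* the bind failed; OpenLDAP and most other
# servers return code 49 with no sub-code at all.
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials: the account exists but the password was rejected",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password before logging on",
    "775": "account locked out",
}

# Shape of the Flowable warning (derived from the line quoted in this thread).
WARN_RE = re.compile(
    r"Could not create InitialDirContext for LDAP connection: "
    r"\[LDAP: error code (?P<code>\d+) - (?P<detail>[^\]]*)\]"
)
AD_DATA_RE = re.compile(r"\bdata (?P<sub>[0-9a-fA-F]{3})\b")


@dataclass
class BindFailure:
    result_code: int           # LDAP result code (49 = invalidCredentials)
    ad_subcode: Optional[str]  # AD-specific hex sub-code, if the server sent one
    meaning: str
    next_check: str            # which Flowable setting to verify first (assumed hint)


def parse_bind_failure(line: str) -> Optional[BindFailure]:
    """Return a BindFailure for a Flowable LDAP bind warning, else None."""
    m = WARN_RE.search(line)
    if not m:
        return None
    code = int(m.group("code"))
    detail = m.group("detail")
    sub = None
    d = AD_DATA_RE.search(detail)
    if d:
        sub = d.group("sub").lower()

    if code != 49:
        meaning = f"LDAP result code {code}; not a credential problem"
        check = "FLOWABLE_IDM_LDAP_SERVER / FLOWABLE_IDM_LDAP_PORT and the base DNs"
    elif sub is None:
        meaning = "invalid credentials (server sent no AD sub-code)"
        check = "FLOWABLE_IDM_LDAP_USER and FLOWABLE_IDM_LDAP_PASSWORD, then the login password"
    else:
        meaning = AD_BIND_SUBCODES.get(sub, f"unrecognised AD sub-code {sub}")
        if sub in ("525", "52e"):
            check = "FLOWABLE_IDM_LDAP_USER (full DN) and FLOWABLE_IDM_LDAP_PASSWORD, then the login password"
        else:
            check = "the account's state in AD (lockout, expiry, logon restrictions)"
    return BindFailure(code, sub, meaning, check)


# Constructed sample lines: the first is the warning quoted in this thread,
# the second is what a non-AD server typically produces.
SAMPLE_AD_LINE = (
    "2020-03-23 08:28:59.523  WARN 1 --- [nio-8080-exec-2] o.f.l.LDAPConnectionUtil"
    "                 : Could not create InitialDirContext for LDAP connection: "
    "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: "
    "AcceptSecurityContext error, data 52e, v1db1 ]"
)
SAMPLE_OPENLDAP_LINE = (
    "WARN 1 --- [nio-8080-exec-3] o.f.l.LDAPConnectionUtil : Could not create "
    "InitialDirContext for LDAP connection: [LDAP: error code 49 - Invalid Credentials]"
)

if __name__ == "__main__":
    for line in (SAMPLE_AD_LINE, SAMPLE_OPENLDAP_LINE):
        failure = parse_bind_failure(line)
        print(f"code={failure.result_code} sub={failure.ad_subcode}: {failure.meaning}")
        print(f"  check first: {failure.next_check}")
```

Run it over the container log (`docker logs flowable | python3 this.py`-style piping is left out to keep the block self-contained). A `52e` with a correct login password points at the service bind rather than the user, because Flowable binds with the configured service DN before it can look the user up.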

Hey, I found the solution in the meantime.

I needed to specify all these properties, and not only the two referencing my user:

FLOWABLE_IDM_APP_ADMIN_USER_ID=svgbf01
FLOWABLE_IDM_APP_ADMIN_PASSWORD=pass
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=name
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=surname
FLOWABLE_IDM_APP_ADMIN_EMAIL=mail@company.hr
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=svgbf01
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=pass

All applications are now normally accessible.

Glad to hear it’s resolved. Thanks for reporting the outcome.

Cheers
Paul.


I added the same configuration to my docker configuration file, but it is not solving the issue. Configuration:

.
.
.
- FLOWABLE_IDM_APP_ADMIN_USER_ID=flowLdap
- FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
- FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowLdap
- FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=test
- FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=Flowable
- FLOWABLE_IDM_APP_ADMIN_LAST_NAME=Administrator
- FLOWABLE_IDM_APP_ADMIN_EMAIL=admin@flowable.org

Can you please help me for this?

@fiki574

I am facing the same issue. Can you please help me get a sample docker configuration file with LDAP?

Hey, sorry, I didn’t notice your messages.

Make sure you have a "flowLdap" user in the actual LDAP instance. Also make sure the other entries in that list are equal to the configuration of the LDAP user. Everything must match. If the problem persists, I will pass you the complete configuration with AD.

@fiki574

Thanks for the response. I already tried that and the problem still exists. It would be helpful if you could provide the complete configuration with LDAP.

Okay so, this is the part of my docker-compose.yml in charge of the Flowable All-in-One image and LDAP stuff. This works perfectly. However, I'm unable to give you any specific LDAP/AD info, as I don't administrate it nor have direct access to it. That part you have to preconfigure yourself.

container_name: flowable-bpm
image: flowable/all-in-one:latest
restart: unless-stopped
environment:
  FLOWABLE_CONTENT_STORAGE_ROOT-FOLDER: /data
  FLOWABLE_COMMON_APP_IDM-REDIRECT-URL: http://flowable.int.domain.net/flowable-idm
  FLOWABLE_COMMON_APP_IDM-URL: http://flowable.int.domain.net/flowable-idm
  SPRING_DATASOURCE_DRIVER-CLASS-NAME: org.postgresql.Driver
  SPRING_DATASOURCE_URL: jdbc:postgresql://flowable-postgres:5432/flowable
  SPRING_DATASOURCE_USERNAME: flowable
  SPRING_DATASOURCE_PASSWORD: flowable
  FLOWABLE_IDM_LDAP_ENABLED: "true"
  FLOWABLE_IDM_LDAP_SERVER: ldap://192.168.0.1
  FLOWABLE_IDM_LDAP_PORT: 389
  FLOWABLE_IDM_LDAP_USER: cn=${LDAPUSER},ou=APP,dc=int,dc=company,dc=net
  FLOWABLE_IDM_LDAP_PASSWORD: ${LDAPPASS}
  FLOWABLE_IDM_LDAP_BASE_DN: dc=int,dc=company,dc=net
  FLOWABLE_IDM_LDAP_USER_BASE_DN: ou=company,dc=int,dc=company,dc=net
  FLOWABLE_IDM_LDAP_GROUP_BASE_DN: cn=Users,dc=int,dc=company,dc=net
  FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID: (&(objectClass=user)(sAMAccountName={0}))
  FLOWABLE_IDM_LDAP_QUERY_ALL_USERS: (objectClass=user)
  FLOWABLE_IDM_LDAP_QUERY_USER_BY_FULL_NAME_LIKE: (&(objectClass=user)(|({0}=*{1}*)({2}=*{3}*)))
  FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER: (&(objectClass=group)(member={0}))
  FLOWABLE_IDM_LDAP_QUERY_ALL_GROUPS: (objectClass=group)
  FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID: (&(objectClass=group)(cn={0}))
  FLOWABLE_IDM_LDAP_ATTRIBUTE_USER_ID: sAMAccountName
  FLOWABLE_IDM_LDAP_ATTRIBUTE_FIRST_NAME: givenName
  FLOWABLE_IDM_LDAP_ATTRIBUTE_LAST_NAME: sn
  FLOWABLE_IDM_LDAP_ATTRIBUTE_EMAIL: mail
  FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_ID: cn
  FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_NAME: cn
  FLOWABLE_IDM_LDAP_CACHE_GROUP_SIZE: 10000
  FLOWABLE_IDM_LDAP_CACHE_GROUP_EXPIRATION: 180000
  FLOWABLE_IDM_APP_ADMIN_USER_ID: svgbf01
  FLOWABLE_IDM_APP_ADMIN_PASSWORD: ${REDACTED}
  FLOWABLE_IDM_APP_ADMIN_FIRST_NAME: Bruno
  FLOWABLE_IDM_APP_ADMIN_LAST_NAME: Fištrek
  FLOWABLE_IDM_APP_ADMIN_EMAIL: bruno.fistrek@company.hr
  FLOWABLE_COMMON_APP_IDM_ADMIN_USER: svgbf01
  FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD: ${REDACTED}
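Two of the failures in this thread came from the admin account being only partly configured (the IDM app accepts the login, the other apps bounce back to the login screen) and from the IDM and COMMON values not matching. The checker below is an added example, not Flowable's code and not the poster's compose file; it parses env-file `KEY=VALUE` lines as well as compose `- KEY=VALUE` and `KEY: VALUE` forms and reports the conditions seen above. The function names, the `example.test` domain and the sample values are constructed for the example, and the list of required LDAP keys is an assumption taken from the keys used in this thread.

```python
import re

# Added checker, not Flowable's code. The property names are the ones used in
# this thread; the rule that all seven admin properties must be set, and that
# the IDM and COMMON values must agree, is what resolved the original problem.
ADMIN_KEYS = [
    "FLOWABLE_IDM_APP_ADMIN_USER_ID",
    "FLOWABLE_IDM_APP_ADMIN_PASSWORD",
    "FLOWABLE_IDM_APP_ADMIN_FIRST_NAME",
    "FLOWABLE_IDM_APP_ADMIN_LAST_NAME",
    "FLOWABLE_IDM_APP_ADMIN_EMAIL",
    "FLOWABLE_COMMON_APP_IDM_ADMIN_USER",
    "FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD",
]
# The COMMON_APP values are what the other UI apps present to IDM, so they
# must equal the IDM_APP values for the same admin account.
ADMIN_PAIRS = [
    ("FLOWABLE_IDM_APP_ADMIN_USER_ID", "FLOWABLE_COMMON_APP_IDM_ADMIN_USER"),
    ("FLOWABLE_IDM_APP_ADMIN_PASSWORD", "FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD"),
]
# Assumed minimum LDAP set, taken from the keys used in this thread.
LDAP_KEYS = [
    "FLOWABLE_IDM_LDAP_SERVER", "FLOWABLE_IDM_LDAP_PORT",
    "FLOWABLE_IDM_LDAP_USER", "FLOWABLE_IDM_LDAP_PASSWORD",
    "FLOWABLE_IDM_LDAP_BASE_DN", "FLOWABLE_IDM_LDAP_USER_BASE_DN",
    "FLOWABLE_IDM_LDAP_GROUP_BASE_DN",
]
# Lookup filters that must keep their {0} placeholder or nothing ever matches.
QUERY_KEYS = [
    "FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID",
    "FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID",
    "FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER",
]

# Accepts "KEY=VALUE" (env file), "- KEY=VALUE" (compose list) and "KEY: VALUE"
# (compose mapping). The key stops at the first '=' or ':' so DN values such as
# cn=...,dc=... and URLs such as ldap://... survive intact.
LINE_RE = re.compile(r"^(?P<key>[A-Za-z0-9_.-]+)\s*[=:]\s*(?P<value>.*)$")
UNRESOLVED_RE = re.compile(r"\$\{[^}]*\}")  # e.g. ${LDAPPASS} left un-substituted


def parse_env(text: str) -> dict:
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("- "):
            line = line[2:].strip()
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if m:
            env[m.group("key")] = m.group("value").strip().strip('"').strip("'")
    return env


def check_config(env: dict) -> dict:
    report = {"missing_admin": [], "missing_ldap": [], "mismatch": [],
              "bad_query": [], "unresolved": []}
    report["missing_admin"] = [k for k in ADMIN_KEYS if not env.get(k)]
    report["mismatch"] = [(a, b) for a, b in ADMIN_PAIRS
                          if a in env and b in env and env[a] != env[b]]
    if env.get("FLOWABLE_IDM_LDAP_ENABLED", "").lower() == "true":
        report["missing_ldap"] = [k for k in LDAP_KEYS if not env.get(k)]
        report["bad_query"] = [k for k in QUERY_KEYS if k in env and "{0}" not in env[k]]
    report["unresolved"] = [k for k, v in env.items() if UNRESOLVED_RE.search(v)]
    return report


# Constructed sample: LDAP switched on with a service account, but only the two
# user-id properties set, which is the state the original poster started from.
PARTIAL_ENV = """
FLOWABLE_IDM_LDAP_ENABLED=true
FLOWABLE_IDM_LDAP_SERVER=ldap://ldap.example.test
FLOWABLE_IDM_LDAP_PORT=389
FLOWABLE_IDM_LDAP_USER=cn=svc-flowable,ou=APP,dc=example,dc=test
FLOWABLE_IDM_LDAP_PASSWORD=${LDAPPASS}
FLOWABLE_IDM_LDAP_BASE_DN=dc=example,dc=test
FLOWABLE_IDM_LDAP_USER_BASE_DN=ou=people,dc=example,dc=test
FLOWABLE_IDM_LDAP_GROUP_BASE_DN=cn=Users,dc=example,dc=test
FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=user)(sAMAccountName={0}))
FLOWABLE_IDM_APP_ADMIN_USER_ID=svgbf01
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=svgbf01
"""

# The same deployment after the fix from this thread: the service password is
# resolved and the five missing properties are appended in compose list style,
# which parse_env accepts alongside plain KEY=VALUE lines.
FULL_ENV = PARTIAL_ENV.replace("${LDAPPASS}", "constructed-service-password") + """
- FLOWABLE_IDM_APP_ADMIN_PASSWORD=pass
- FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=name
- FLOWABLE_IDM_APP_ADMIN_LAST_NAME=surname
- FLOWABLE_IDM_APP_ADMIN_EMAIL=mail@company.hr
- FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=pass
"""

if __name__ == "__main__":
    for name, text in (("partial", PARTIAL_ENV), ("full", FULL_ENV)):
        print(name, check_config(parse_env(text)))
```

The `unresolved` finding is only meaningful when you feed the checker the raw file: compose substitutes `${LDAPPASS}` from the shell or `.env` at start-up, so a literal `${...}` in the running container's environment (`docker exec flowable env`) means the variable was never exported.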

Thanks @fiki574. The member attribute is not defined. Can you please tell me what member is?

Is this sAMAccountName or cn?

Sorry for late response.

It should literally be “member” in the configuration. You have to check your AD/LDAP instance to find some of this info out.