LDAP Login only works for IDM-App

Hi,

I have a problem getting LDAP (Active Directory) authentication to work properly. With my current config, I can only log in to the IDM-App. When I try to log in to the Task/Modeler/Admin-App, I get redirected to the IDM-App, where I enter my credentials, and after hitting enter it says username/password incorrect. The same account and password work if I open the IDM-App itself, without the redirect. It also shows me the users/groups from LDAP.

What have I done?

  • Cloned the repo from GitHub
  • customized the environment variables in flowable-engine/docker/config/all-in-one-postgres.yml (see below)
  • ran flowable-engine/docker/all-in-one-postgres.sh start

This is my flowable-engine/docker/config/all-in-one-postgres.yml file:

version: '3.6'
services:
  flowable:
    image: flowable/all-in-one:6.4.0
    depends_on:
      - flowable-db
    environment:
      - SERVER_PORT=9977
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://[my-external-url]:10000/flowable-idm
      # account the other apps use to talk to the IDM app
      - FLOWABLE_COMMON_APP_IDM-ADMIN_USER=[my-ldap-user]
      - FLOWABLE_IDM_APP_ADMIN_USER_ID=[my-ldap-user]
      - FLOWABLE_COMMON_APP_IDM-ADMIN_PASSWORD=test
      # LDAP / Active Directory settings
      - FLOWABLE_IDM_LDAP_ENABLED=true
      - FLOWABLE_IDM_LDAP_SERVER=ldap://[my-dc]
      - FLOWABLE_IDM_LDAP_PORT=389
      - FLOWABLE_IDM_LDAP_USER=[cn of my ldap service account]
      - FLOWABLE_IDM_LDAP_PASSWORD=[pwd for ldap service account]
      - FLOWABLE_IDM_LDAP_BASE_DN=[my base]
      - FLOWABLE_IDM_LDAP_USER_BASE_DN=[ou where my users are]
      - FLOWABLE_IDM_LDAP_GROUP_BASE_DN=[ou of my groups]
      - FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=user)(sAMAccountName={0}))
      - FLOWABLE_IDM_LDAP_QUERY_USER_BY_FULL_NAME_LIKE=(& (objectClass=user) (| (givenName={1}) (sn={3}) (sAMAccountName={3}) ) )
      - FLOWABLE_IDM_LDAP_QUERY_ALL_USERS=(objectClass=user)
      - FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER=(&(objectCategory=group)(member={0}))
      - FLOWABLE_IDM_LDAP_QUERY_ALL_GROUPS=(objectClass=group)
      # prefix must be FLOWABLE_IDM_ (underscore), not FLOWABLE-IDM_, or the variable is ignored
      - FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID=(&(objectClass=group)(cn={0}))
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_USER_ID=sAMAccountName
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_FIRST_NAME=givenName
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_LAST_NAME=sn
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_EMAIL=mail
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_ID=cn
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_NAME=cn
      - FLOWABLE_IDM_LDAP_CACHE_GROUP_SIZE=10000
      - FLOWABLE_IDM_LDAP_CACHE_GROUP_EXPIRATION=180000
    ports:
      - 10000:8080
    entrypoint: ["/wait-for-something.sh", "flowable-db", "5432", "PostgreSQL", "/opt/tomcat/bin/catalina.sh", "run"]
  flowable-db:
    image: postgres:9.6-alpine
    container_name: flowable-postgres
    environment:
      - POSTGRES_PASSWORD=flowable
      - POSTGRES_USER=flowable
      - POSTGRES_DB=flowable
    ports:
      - 5433:5432
    volumes:
      - all-in-one_pgdata:/var/lib/postgresql/data
    command: postgres
volumes:
  all-in-one_pgdata:

Then I edited the file flowable-engine/modules/flowable-ldap/src/main/java/org/flowable/ldap/LDAPConnectionUtil.java to print the variables used to connect to LDAP, like this:

InitialDirContext context;
try {
    context = new InitialDirContext(properties);
} catch (NamingException e) {
    LOGGER.warn("Could not create InitialDirContext for LDAP connection : {}", e.getMessage());
    //###############################################################
    // I added this line (debugging only: it also writes the bind password to the log)
    LOGGER.warn("Server: " + ldapConfigurator.getServer() + ":" + ldapConfigurator.getPort()
            + " Sec: " + ldapConfigurator.getSecurityAuthentication()
            + " Principal: " + principal + " creds: " + credentials);
    //###############################################################
    throw new FlowableException("Could not create InitialDirContext for LDAP connection : " + e.getMessage(), e);
}

I built that from the master branch with Ant and created a new Docker image with the changed WAR files.

The interesting thing is that now I can see that, whenever I try to log in to other Flowable apps besides the IDM-App, the connection parameters to LDAP are correct except for the password used. The password is always "test", though that is not the password I entered in the login mask. The principal is the complete LDAP path to my user CN.
Still, the login to the IDM-App, if opened directly and not when redirected from other apps, works fine with the LDAP user and it shows me all LDAP users.

Any ideas on this?
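To check the bind parameters outside Flowable, here is a small stand-alone diagnostic (added here, not Flowable's code and not from the poster). It reads the same FLOWABLE_IDM_LDAP_* variables as the compose file above and repeats the two steps the debug output shows: a bind as the service account to resolve the user's DN, then a bind as that DN with a password typed at the terminal. It assumes an AD-style directory, simple bind over plain ldap:// and the sAMAccountName attribute, as configured above.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapBindCheck {

    // Same JNDI properties LDAPConnectionUtil builds; the caller closes the context.
    static DirContext bind(String url, String principal, String credentials) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return new InitialDirContext(env);
    }

    // Step 1: resolve the login name to its DN with the service account.
    static String findUserDn(DirContext ctx, String userBaseDn, String userId) throws NamingException {
        SearchControls sc = new SearchControls();
        sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
        sc.setReturningAttributes(new String[0]);
        // userId goes in as a filter argument so JNDI escapes it (no filter injection via the login name)
        NamingEnumeration<SearchResult> r = ctx.search(userBaseDn,
                "(&(objectClass=user)(sAMAccountName={0}))", new Object[] { userId }, sc);
        return r.hasMore() ? r.next().getNameInNamespace() : null;
    }

    public static void main(String[] args) throws NamingException {
        if (args.length != 1 || System.console() == null) {
            System.err.println("usage (from a terminal): java LdapBindCheck <sAMAccountName>");
            return;
        }
        String url = System.getenv("FLOWABLE_IDM_LDAP_SERVER") + ":" + System.getenv("FLOWABLE_IDM_LDAP_PORT");
        DirContext svc = bind(url, System.getenv("FLOWABLE_IDM_LDAP_USER"), System.getenv("FLOWABLE_IDM_LDAP_PASSWORD"));
        System.out.println("service-account bind OK");
        String dn = findUserDn(svc, System.getenv("FLOWABLE_IDM_LDAP_USER_BASE_DN"), args[0]);
        svc.close();
        if (dn == null) { System.out.println("no user with sAMAccountName=" + args[0]); return; }
        System.out.println("resolved DN: " + dn);
        // Step 2: bind as the resolved DN; the password is read from the terminal and never printed.
        char[] pw = System.console().readPassword("password for %s: ", args[0]);
        bind(url, dn, new String(pw)).close();
        System.out.println("user bind OK");
    }
}
```

A failing step throws a NamingException (an AuthenticationException for a wrong password), so the stack trace tells you whether the service account, the lookup or the user bind is the part that breaks.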

See:

Hi Robinyo,

thanks for your reply, but the problem is not the LDAP/Active Directory authentication itself but what happens when I get redirected from the Modeler/Task/Admin application to the IDM App. LDAP authentication on the IDM App works just fine.

@kroko

Authentication via LDAP (OpenLDAP) works for me.

As does signing into (via the redirect to Flowable IDM) the Flowable Web (Modeller, Task and Admin) Apps.

Were you able to fix your problem? I have the same issue.

I seem to be having the same issue. I used tcpdump and Wireshark to check what LDAP messages are being sent. What I noticed was that Flowable sends one LDAP search request with sAMAccountName having a value of "admin". Of course that doesn't return anything, because we don't have such a user in our LDAP. Could that be the reason why the login to other Flowable apps fails?
I tested this with the Admin app. I tried to change every "admin" account in the configurations to something else, but it didn't change the outcome. I also changed the default user-id in the database to something else, and that didn't help either. So, where does that "admin" account come from and why does Flowable try to find it in the LDAP directory?