Hi,
I have a problem getting LDAP (Active Directory) authentication to work properly. With my current config, I can only log in to the IDM-App. When I try to log in to the task/modeler/admin app, I get redirected to the IDM-App, where I enter my credentials, and after hitting enter it says username/password incorrect. The same account and password work if I open the IDM-App itself, without the redirect. It also shows me the users/groups from LDAP.
What have I done?
- Cloned Repo from Github
- customized the environment variables in flowable-engine/docker/config/all-in-one-postgres.yml (see below)
- ran flowable-engine/docker/all-in-one-postgres.sh start
This is my flowable-engine/docker/config/all-in-one-postgres.yml file:
version: '3.6'
services:
  flowable:
    image: flowable/all-in-one:6.4.0
    depends_on:
      - flowable-db
    environment:
      - SERVER_PORT=9977
      - SPRING_DATASOURCE_DRIVER-CLASS-NAME=org.postgresql.Driver
      - SPRING_DATASOURCE_URL=jdbc:postgresql://flowable-db:5432/flowable
      - SPRING_DATASOURCE_USERNAME=flowable
      - SPRING_DATASOURCE_PASSWORD=flowable
      - FLOWABLE_COMMON_APP_IDM-URL=http://flowable:8080/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-REDIRECT-URL=http://[my-external-url]:10000/flowable-idm
      - FLOWABLE_COMMON_APP_IDM-ADMIN_USER=[my-ldap-user]
      - FLOWABLE_IDM_APP_ADMIN_USER_ID=[my-ldap-user]
      - FLOWABLE_COMMON_APP_IDM-ADMIN_PASSWORD=test
      - FLOWABLE_IDM_LDAP_ENABLED=true
      - FLOWABLE_IDM_LDAP_SERVER=ldap://[my-dc]
      - FLOWABLE_IDM_LDAP_PORT=389
      - FLOWABLE_IDM_LDAP_USER=[cn of my ldap service account]
      - FLOWABLE_IDM_LDAP_PASSWORD=[pwd for ldap service account]
      - FLOWABLE_IDM_LDAP_BASE_DN=[my base]
      - FLOWABLE_IDM_LDAP_USER_BASE_DN=[ou where my users are]
      - FLOWABLE_IDM_LDAP_GROUP_BASE_DN=[ou of my groups]
      - FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=user)(sAMAccountName={0}))
      - FLOWABLE_IDM_LDAP_QUERY_USER_BY_FULL_NAME_LIKE=(& (objectClass=user) (| (givenName={1}) (sn={3}) (sAMAccountName={3}) ) )
      - FLOWABLE_IDM_LDAP_QUERY_ALL_USERS=(objectClass=user)
      - FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER=(&(objectCategory=group)(member={0}))
      - FLOWABLE_IDM_LDAP_QUERY_ALL_GROUPS=(objectClass=group)
      - FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID=(&(objectClass=group)(cn={0}))
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_USER_ID=sAMAccountName
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_FIRST_NAME=givenName
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_LAST_NAME=sn
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_EMAIL=mail
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_ID=cn
      - FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_NAME=cn
      - FLOWABLE_IDM_LDAP_CACHE_GROUP_SIZE=10000
      - FLOWABLE_IDM_LDAP_CACHE_GROUP_EXPIRATION=180000
    ports:
      - 10000:8080
    entrypoint: ["/wait-for-something.sh", "flowable-db", "5432", "PostgreSQL", "/opt/tomcat/bin/catalina.sh", "run"]
  flowable-db:
    image: postgres:9.6-alpine
    container_name: flowable-postgres
    environment:
      - POSTGRES_PASSWORD=flowable
      - POSTGRES_USER=flowable
      - POSTGRES_DB=flowable
    ports:
      - 5433:5432
    volumes:
      - all-in-one_pgdata:/var/lib/postgresql/data
    command: postgres
volumes:
  all-in-one_pgdata:
Then I edited the file flowable-engine/modules/flowable-ldap/src/main/java/org/flowable/ldap/LDAPConnectionUtil.java to print the variables used to connect to LDAP, like this:
InitialDirContext context;
try {
    context = new InitialDirContext(properties);
} catch (NamingException e) {
    LOGGER.warn("Could not create InitialDirContext for LDAP connection : {}", e.getMessage());
    //###############################################################
    // I added this line
    // (debugging only: it writes the bind principal and password in clear text to the log)
    LOGGER.warn("Server: " + ldapConfigurator.getServer() + ":" + ldapConfigurator.getPort()
            + " Sec: " + ldapConfigurator.getSecurityAuthentication()
            + " Principal: " + principal + " creds: " + credentials);
    //###############################################################
    throw new FlowableException("Could not create InitialDirContext for LDAP connection : " + e.getMessage(), e);
}
I built that from the master branch with Ant and created a new Docker image with the changed WAR files.
The interesting thing is that now I can see that whenever I try to log in to other Flowable apps besides the IDM-App, the connection parameters to LDAP are correct except for the password used. The password is always "test", though that is not the password I entered in the login mask. The principal is the complete LDAP path to my user CN.
Still, logging in to the IDM-App (if opened directly, not when redirected from other apps) works fine with the LDAP user, and it shows me all LDAP users.
Any ideas on this?
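The FLOWABLE_IDM_LDAP_QUERY_* filters in the compose file above take the value typed into the login mask (or a search box) through their {n} placeholders. The following added example (my own code, not Flowable's) shows how such templated filters should be rendered with RFC 4515 escaping and checked for balanced parentheses, so that metacharacters in a user id or search text can never alter the filter. It assumes the placeholder-to-argument mapping used in Flowable's LDAP documentation examples ({1} and {3} are the search text in the full-name query, {0} is the id elsewhere).

```python
import re

# Constructed sample: the FLOWABLE_IDM_LDAP_QUERY_* filters from the compose file above.
LDAP_QUERIES = {
    "USER_BY_ID": "(&(objectClass=user)(sAMAccountName={0}))",
    "USER_BY_FULL_NAME_LIKE": "(& (objectClass=user) (| (givenName={1}) (sn={3}) (sAMAccountName={3}) ) )",
    "GROUPS_FOR_USER": "(&(objectCategory=group)(member={0}))",
    "GROUP_BY_ID": "(&(objectClass=group)(cn={0}))",
}

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it is matched literally, never as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, *args: str) -> str:
    """Substitute MessageFormat-style {n} placeholders with escaped arguments.

    Wildcards wanted for a 'like' search belong in the template (e.g. *{1}*),
    not in the user-supplied value, which is always escaped.
    """
    def repl(m: re.Match) -> str:
        idx = int(m.group(1))
        if idx >= len(args):
            raise ValueError(f"placeholder {{{idx}}} has no argument")
        return escape_filter_value(args[idx])
    return re.sub(r"\{(\d+)\}", repl, template)


def parens_balanced(filt: str) -> bool:
    """Cheap structural sanity check on a rendered filter."""
    depth = 0
    for ch in filt:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


def render_all(queries: dict, *args: str) -> dict:
    """Render every configured filter and refuse any that is not well-formed."""
    rendered = {name: render_filter(tpl, *args) for name, tpl in queries.items()}
    bad = [name for name, filt in rendered.items() if not parens_balanced(filt)]
    if bad:
        raise ValueError(f"unbalanced filter(s): {bad}")
    return rendered
```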