First, I launch OpenLDAP:
# docker pull osixia/openldap
docker run --detach --name openldap \
--publish 10389:389 \
--publish 10636:636 \
--volume ~/workspace/Robinyo/serendipity:/serendipity \
--env LDAP_ORGANISATION="flowable" \
--env LDAP_DOMAIN="flowable.org" \
--env LDAP_ADMIN_PASSWORD="secret" \
osixia/openldap:1.2.3
Then, I update OpenLDAP:
# In the project directory: /serendipity
docker exec openldap ldapadd \
-x -H ldap://localhost \
-D "cn=admin,dc=flowable,dc=org" \
-w secret \
-f ./serendipity/flowable/flowable.ldif
flowable.ldif describes Flowable’s users and groups:
# flowable.org
# dn: dc=flowable,dc=org
# objectClass: top
# objectClass: dcObject
# objectClass: organization
# o: flowable
# dc: flowable
# admin, flowable.org
# dn: cn=admin,dc=flowable,dc=org
# objectClass: simpleSecurityObject
# objectClass: organizationalRole
# cn: admin
# description: LDAP administrator
# userPassword:: e1NTSEF9TFFqN05uYzcydWVpcUREUHdxQ0xoMlNwRHB5V2FzaDY=
# Users root
dn: ou=users, dc=flowable,dc=org
ou: users
description: All users in the organisation
objectclass: organizationalUnit
objectClass: extensibleObject
objectClass: top
# Groups root
dn: ou=groups, dc=flowable,dc=org
ou: groups
description: All groups in the organisation
objectclass: organizationalUnit
objectClass: extensibleObject
objectClass: top
# Actual users
dn: cn=Flowable, ou=users,dc=flowable,dc=org
objectclass: inetOrgPerson
cn: Flowable
sn: Administrator
uid: flowable
userPassword:: dGVzdA==
# REST API Basic Auth user
dn: cn=Flowable Rest API, ou=users,dc=flowable,dc=org
objectclass: inetOrgPerson
cn: Flowable Rest API
sn: Administrator
uid: flowable-rest
userPassword:: dGVzdA==
When I launch the flowable/all-in-one image:
# docker pull flowable/all-in-one
docker run -d --name flowable \
-p 8080:8080 \
--env-file ldap-env.txt \
flowable/all-in-one
I use an environment file (ldap-env.txt) to pass properties to the Docker container:
#
# https://docs.spring.io/spring-boot/docs/2.0.7.RELEASE/reference/html/boot-features-external-config.html#boot-features-external-config-relaxed-binding
# Note: Upper case format is recommended when using system environment variables
#
#
# LDAP
#
FLOWABLE_IDM_LDAP_ENABLED=true
FLOWABLE_IDM_LDAP_SERVER=ldap://host.docker.internal
FLOWABLE_IDM_LDAP_PORT=10389
FLOWABLE_IDM_LDAP_USER=cn=admin,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_PASSWORD=secret
FLOWABLE_IDM_LDAP_BASE_DN=dc=flowable,dc=org
FLOWABLE_IDM_LDAP_USER_BASE_DN=ou=users,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_GROUP_BASE_DN=ou=groups,dc=flowable,dc=org
FLOWABLE_IDM_LDAP_QUERY_USER_BY_ID=(&(objectClass=inetOrgPerson)(uid={0}))
FLOWABLE_IDM_LDAP_QUERY_USER_BY_FULL_NAME_LIKE=(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))
FLOWABLE_IDM_LDAP_QUERY_ALL_USERS=(objectClass=inetOrgPerson)
FLOWABLE_IDM_LDAP_QUERY_GROUPS_FOR_USER=(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))
FLOWABLE_IDM_LDAP_QUERY_ALL_GROUPS=(objectClass=groupOfUniqueNames)
FLOWABLE_IDM_LDAP_QUERY_GROUP_BY_ID=(&(objectClass=groupOfUniqueNames)(uniqueId={0}))
FLOWABLE_IDM_LDAP_ATTRIBUTE_USER_ID=uid
FLOWABLE_IDM_LDAP_ATTRIBUTE_FIRST_NAME=cn
FLOWABLE_IDM_LDAP_ATTRIBUTE_LAST_NAME=sn
FLOWABLE_IDM_LDAP_ATTRIBUTE_EMAIL=mail
FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_ID=cn
FLOWABLE_IDM_LDAP_ATTRIBUTE_GROUP_NAME=cn
FLOWABLE_IDM_LDAP_CACHE_GROUP_SIZE=10000
FLOWABLE_IDM_LDAP_CACHE_GROUP_EXPIRATION=180000
#
# DEFAULT ADMINISTRATOR ACCOUNTS
#
FLOWABLE_IDM_APP_ADMIN_USER_ID=flowable
FLOWABLE_IDM_APP_ADMIN_PASSWORD=test
FLOWABLE_IDM_APP_ADMIN_FIRST_NAME=Flowable
FLOWABLE_IDM_APP_ADMIN_LAST_NAME=Administrator
FLOWABLE_IDM_APP_ADMIN_EMAIL=admin@flowable.org
FLOWABLE_COMMON_APP_IDM_ADMIN_USER=flowable
FLOWABLE_COMMON_APP_IDM_ADMIN_PASSWORD=test
#
# DEFAULT REST API ACCOUNTS
#
FLOWABLE_REST_APP_ADMIN_USERID=flowable-rest
FLOWABLE_REST_APP_ADMIN_PASSWORD=test
FLOWABLE_REST_APP_ADMIN_FIRSTNAME=Flowable Rest API
FLOWABLE_REST_APP_ADMIN_LASTNAME=Administrator
The REST API environment variables are set correctly, for example:
docker exec flowable sh -c 'echo "$FLOWABLE_REST_APP_ADMIN_USERID"'
Sample output:
flowable-rest
And the flowable-rest user has been created in OpenLDAP:
docker exec openldap ldapsearch -x -H ldap://localhost -b dc=flowable,dc=org -D "cn=admin,dc=flowable,dc=org" -w secret
Sample output:
...
# Flowable Rest API, users, flowable.org
dn: cn=Flowable Rest API,ou=users,dc=flowable,dc=org
objectClass: inetOrgPerson
cn: Flowable Rest API
sn: Administrator
userPassword:: dGVzdA==
uid: flowable-rest
However, the REST API default user (flowable-rest) has not been granted the access-rest-api privilege:
Ref: Serendipity’s Developer Documentation
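As an added example (not code from the post or from Flowable), the small matcher below evaluates the FLOWABLE_IDM_LDAP_QUERY_* filters from ldap-env.txt against the user entries of flowable.ldif without a live server, so you can see which DN each configured query resolves and that the group queries match nothing in this LDIF. It assumes the `{n}` placeholders are filled the way Flowable's filter templates suggest, and it escapes substituted values per RFC 4515 so a value such as `*` cannot widen a lookup.

```python
"""Added example (not from the post or Flowable): offline RFC 4515 matcher for the ldap-env.txt filters."""
import re
# Constructed sample: the two user entries from the flowable.ldif above.
LDIF = """\
dn: cn=Flowable,ou=users,dc=flowable,dc=org
objectclass: inetOrgPerson
cn: Flowable
uid: flowable

dn: cn=Flowable Rest API,ou=users,dc=flowable,dc=org
objectclass: inetOrgPerson
cn: Flowable Rest API
uid: flowable-rest
"""

def parse_ldif(text):
    """LDIF -> list of {attribute (lower-cased): [values]}; '::' values stay base64."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entry = {}
        for attr, _, value in (ln.partition(":") for ln in block.splitlines()):
            entry.setdefault(attr.lower(), []).append(value.lstrip(": "))
        entries.append(entry)
    return entries
def escape_value(value):
    """RFC 4515 escaping for any value substituted into a {n} placeholder."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)
def parse_filter(s, i=0):
    """Recursive descent over '(...)'; handles &, | and attr=value nodes."""
    if s[i + 1] in "&|":
        op, i, kids = s[i + 1], i + 2, []
        while s[i] == "(":
            kid, i = parse_filter(s, i)
            kids.append(kid)
        return (op, kids), i + 1
    j = s.index(")", i)
    attr, _, value = s[i + 1:j].partition("=")
    return ("=", attr.lower(), value), j + 1
def matches(node, entry):
    """'*' is the only wildcard; '\\xx' escapes are literals; case-insensitive."""
    if node[0] in "&|":
        return (all if node[0] == "&" else any)(matches(k, entry) for k in node[1])
    unhex = lambda p: re.sub(r"\\([0-9a-f]{2})", lambda m: chr(int(m[1], 16)), p)
    pat = ".*".join(re.escape(unhex(p)) for p in node[2].split("*"))
    return any(re.fullmatch(pat, v, re.I) for v in entry.get(node[1], []))
def search(entries, template, *args):
    """Fill Flowable's {n} placeholders with escaped values; return matching DNs."""
    node, _ = parse_filter(template.format(*map(escape_value, args)))
    return [e["dn"][0] for e in entries if matches(node, e)]
```

Running `search(parse_ldif(LDIF), "(objectClass=groupOfUniqueNames)")` returns an empty list, which matches the LDIF above: it defines the ou=groups container but no group entries for the configured group queries to find.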