About Microsoft Active Directory integration with Camunda BPM

Hi All, I’m trying to integrate Windows Active Directory 2008 R2 with Camunda BPM 7.4.0. I have followed the instructions in the documentation, but unfortunately there is no way I can log in with my AD users.

This is the configuration I have used:

```xml
<plugins>
  <plugin>
    <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
    <properties>
      <property name="serverUrl">ldap://10.0.0.3:389/</property>
      <property name="acceptUntrustedCertificates">true</property>
      <property name="managerDn">CN=caseadmin,OU=MyDepartment,DC=my,DC=company,DC=com</property>
      <property name="managerPassword">********</property>

      <property name="baseDn">OU=MyDepartment,DC=my,DC=company,DC=com</property>

      <property name="userSearchBase">OU=MyDepartment,DC=my,DC=company,DC=com</property>
      <property name="userSearchFilter">(&amp;(memberOf=CN=MyApplicationUsers,OU=MyDepartment,DC=my,DC=company,DC=com))</property>

      <property name="userIdAttribute">objectGUID</property>
      <property name="userFirstnameAttribute">givenName</property>
      <property name="userLastnameAttribute">SN</property>
      <property name="userEmailAttribute">userPrincipalName</property>
      <property name="userPasswordAttribute">userPassword</property>

      <property name="groupSearchBase"></property>
      <property name="groupSearchFilter">(objectCategory=group)</property>
      <property name="groupIdAttribute">distinguishedName</property>
      <property name="groupNameAttribute">sAMAccountName</property>

      <property name="groupMemberAttribute">member</property>
    </properties>
  </plugin>

  <!-- LDAP CONFIGURATION -->
  <!-- The following plugin allows you to grant administrator authorizations to an existing LDAP user -->
  <plugin>
    <class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
    <properties>
      <property name="administratorUserName">CN=caseadmin,OU=MyDepartment,DC=my,DC=company,DC=com</property>
    </properties>
  </plugin>
</plugins>
```
The message I receive when I attempt to login is:

10-May-2016 10:05:29.554 SEVERE [http-nio-8080-exec-1] org.camunda.commons.logging.BaseLogger.logError ENGINE-16004 Exception while closing command context: Could not authenticate with LDAP server
org.camunda.bpm.identity.impl.ldap.LdapAuthenticationException: Could not authenticate with LDAP server
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.openContext(LdapIdentityProviderSession.java:114)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.ensureContextInitialized(LdapIdentityProviderSession.java:124)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.findUserByQueryCriteria(LdapIdentityProviderSession.java:150)
at org.camunda.bpm.identity.impl.ldap.LdapUserQueryImpl.executeList(LdapUserQueryImpl.java:49)
at org.camunda.bpm.engine.impl.AbstractQuery.evaluateExpressionsAndExecuteList(AbstractQuery.java:186)
at org.camunda.bpm.engine.impl.AbstractQuery.executeSingleResult(AbstractQuery.java:207)
at org.camunda.bpm.engine.impl.AbstractQuery.singleResult(AbstractQuery.java:132)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.findUserById(LdapIdentityProviderSession.java:131)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.checkPassword(LdapIdentityProviderSession.java:280)
at org.camunda.bpm.engine.impl.cmd.CheckPassword.execute(CheckPassword.java:37)
at org.camunda.bpm.engine.impl.cmd.CheckPassword.execute(CheckPassword.java:24)
at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:95)
at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
at org.camunda.bpm.engine.impl.IdentityServiceImpl.checkPassword(IdentityServiceImpl.java:100)
at org.camunda.bpm.webapp.impl.security.auth.UserAuthenticationResource.doLogin(UserAuthenticationResource.java:93)
(remaining servlet, RESTEasy and Tomcat frames identical to the WARNING entry below)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.openContext(LdapIdentityProviderSession.java:111)
... 64 more

10-May-2016 10:05:29.838 WARNING [http-nio-8080-exec-1] org.camunda.bpm.engine.rest.exception.ExceptionHandler.toResponse org.camunda.bpm.identity.impl.ldap.LdapAuthenticationException: Could not authenticate with LDAP server
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.openContext(LdapIdentityProviderSession.java:114)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.ensureContextInitialized(LdapIdentityProviderSession.java:124)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.findUserByQueryCriteria(LdapIdentityProviderSession.java:150)
at org.camunda.bpm.identity.impl.ldap.LdapUserQueryImpl.executeList(LdapUserQueryImpl.java:49)
at org.camunda.bpm.engine.impl.AbstractQuery.evaluateExpressionsAndExecuteList(AbstractQuery.java:186)
at org.camunda.bpm.engine.impl.AbstractQuery.executeSingleResult(AbstractQuery.java:207)
at org.camunda.bpm.engine.impl.AbstractQuery.singleResult(AbstractQuery.java:132)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.findUserById(LdapIdentityProviderSession.java:131)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.checkPassword(LdapIdentityProviderSession.java:280)
at org.camunda.bpm.engine.impl.cmd.CheckPassword.execute(CheckPassword.java:37)
at org.camunda.bpm.engine.impl.cmd.CheckPassword.execute(CheckPassword.java:24)
at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:24)
at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:95)
at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:30)
at org.camunda.bpm.engine.impl.IdentityServiceImpl.checkPassword(IdentityServiceImpl.java:100)
at org.camunda.bpm.webapp.impl.security.auth.UserAuthenticationResource.doLogin(UserAuthenticationResource.java:93)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:606)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:167)
at org.jboss.resteasy.core.ResourceMethod.invokeOnTarget(ResourceMethod.java:257)
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:222)
at org.jboss.resteasy.core.ResourceMethod.invoke(ResourceMethod.java:211)
at org.jboss.resteasy.core.SynchronousDispatcher.getResponse(SynchronousDispatcher.java:542)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:524)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:126)
at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:208)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:55)
at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:50)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:729)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:291)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.camunda.bpm.engine.rest.filter.CacheControlFilter.doFilter(CacheControlFilter.java:41)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilterSecure(SecurityFilter.java:67)
at org.camunda.bpm.webapp.impl.security.filter.SecurityFilter.doFilter(SecurityFilter.java:51)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:59)
at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter$1.execute(AuthenticationFilter.java:56)
at org.camunda.bpm.webapp.impl.security.SecurityActions.runWithAuthentications(SecurityActions.java:38)
at org.camunda.bpm.webapp.impl.security.auth.AuthenticationFilter.doFilter(AuthenticationFilter.java:56)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:239)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:106)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:502)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:142)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:79)
at org.apache.catalina.valves.AbstractAccessLogValve.invoke(AbstractAccessLogValve.java:617)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:88)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:518)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1091)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:668)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1527)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1484)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:724)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 ]
at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3087)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3033)
at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2835)
at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2749)
at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:316)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURL(LdapCtxFactory.java:193)
at com.sun.jndi.ldap.LdapCtxFactory.getUsingURLs(LdapCtxFactory.java:211)
at com.sun.jndi.ldap.LdapCtxFactory.getLdapCtxInstance(LdapCtxFactory.java:154)
at com.sun.jndi.ldap.LdapCtxFactory.getInitialContext(LdapCtxFactory.java:84)
at javax.naming.spi.NamingManager.getInitialContext(NamingManager.java:684)
at javax.naming.InitialContext.getDefaultInitCtx(InitialContext.java:307)
at javax.naming.InitialContext.init(InitialContext.java:242)
at javax.naming.ldap.InitialLdapContext.<init>(InitialLdapContext.java:153)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.openContext(LdapIdentityProviderSession.java:111)
… 64 more

I have tested several configurations for the AD properties, but I still can’t connect. I’m sure the user and password are correct too.

I would appreciate some help with this.

Thanks in advance.
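Two things a defender would check before retrying credentials: which of the two binds the trace actually reports as failing (the frames show the managerDn service-account bind, reached through ensureContextInitialized, not the end user's), and whether the plugin properties can work against AD at all. The script below is an added example in Python, not code from the post or from Camunda; the log excerpt and plugin snippet are constructed from values in the post, and the sub-code table is the standard set Active Directory attaches to LDAP result 49.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the relevant frames of the SEVERE entry from the post plus its "Caused by" line.
SAMPLE_LOG = """ENGINE-16004 Exception while closing command context: Could not authenticate with LDAP server
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.openContext(LdapIdentityProviderSession.java:114)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.ensureContextInitialized(LdapIdentityProviderSession.java:124)
at org.camunda.bpm.identity.impl.ldap.LdapIdentityProviderSession.checkPassword(LdapIdentityProviderSession.java:280)
Caused by: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db0 ]"""

# Constructed sample: the properties from the post that the lint below looks at, wrapped in a plugin element.
SAMPLE_PLUGIN = """<plugin>
  <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
  <properties>
    <property name="serverUrl">ldap://10.0.0.3:389/</property>
    <property name="acceptUntrustedCertificates">true</property>
    <property name="userIdAttribute">objectGUID</property>
    <property name="administratorUserName">CN=caseadmin,OU=MyDepartment,DC=my,DC=company,DC=com</property>
  </properties>
</plugin>"""

# Sub-codes Active Directory puts in the "data NNN" field alongside LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {"525": "user not found", "52e": "invalid credentials", "530": "logon time restriction",
                    "531": "workstation restriction", "532": "password expired", "533": "account disabled",
                    "701": "account expired", "773": "password must be reset", "775": "account locked out"}

CAUSED_BY = re.compile(r"error code (?P<code>\d+) - [0-9A-Fa-f]+: LdapErr: .*?data (?P<sub>[0-9a-f]+)")

def diagnose_bind_failure(log_text):
    """Return (which bind failed, AD reason) for an error-49 trace from the Camunda LDAP plugin, else None."""
    m = CAUSED_BY.search(log_text)
    if not m or m.group("code") != "49":
        return None
    # openContext() reached through ensureContextInitialized() is the managerDn service-account bind;
    # the end user's own password is only tried by checkPassword() once that context exists.
    which = "managerDn" if "ensureContextInitialized(" in log_text else "user"
    return which, AD_BIND_SUBCODES.get(m.group("sub"), "unknown sub-code " + m.group("sub"))

def lint_ldap_plugin(plugin_xml):
    """Flag settings in an LdapIdentityProviderPlugin block that prevent AD logins or weaken them."""
    props = {p.get("name"): (p.text or "").strip() for p in ET.fromstring(plugin_xml).iter("property")}
    findings = []
    if props.get("userIdAttribute", "").lower() in ("objectguid", "objectsid"):
        findings.append("userIdAttribute is binary; nobody can type it as a login name, use sAMAccountName")
    admin = props.get("administratorUserName", "")
    if "=" in admin and "," in admin:
        findings.append("administratorUserName must be the user's userIdAttribute value, not a DN")
    if props.get("serverUrl", "").lower().startswith("ldap://"):
        findings.append("plain ldap:// sends managerPassword and every user password unencrypted; use ldaps://")
    if props.get("acceptUntrustedCertificates", "").lower() == "true":
        findings.append("acceptUntrustedCertificates=true disables server certificate validation")
    return findings
```

Run `diagnose_bind_failure` over the "Caused by" portion of the catalina log and `lint_ldap_plugin` over the plugin element of bpm-platform.xml; on the values in the post the first returns the managerDn bind with "invalid credentials" and the second returns four findings.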

Hi,

Did you already look into this discussion? https://groups.google.com/forum/#!searchin/camunda-bpm-users/active$20directory/camunda-bpm-users/Mw8SsG_4QcM/iR-3mZsZCgAJ

Cheers,
Thorben

I have found that I can just use the user name in the administratorUserName, rather than the user’s DN.


Hello @Brent_Fisher,

I want to integrate Azure AD authentication with Camunda DMN.
I have created a DMN table and want to use it through Postman, but with Azure AD authentication. I have deployed this DMN on the community camunda-bpm-tomcat-7.12.0_Server and call it via the REST API from Postman.

Can you please tell me the steps to achieve Azure AD authentication?
Thanks.

Hi,

Error “Wrong credentials or missing access rights to application”.

I have the same issue with MS Active Directory integration with Tomcat 9.0.36. Did you fix it already?
Or is there anyone who can help me?

Thanks in Advance.

Cheers,
EMS IT