Hi Camunders
I’ve configured my application to authenticate using LDAP. Works great.
How do I configure it to only allow certain users administrative access to Camunda?
Thanks!
Niall, your hawk grants you super-human speed I say!
Thanks for that - but don’t I need to be logged in as an admin first to setup those authorizations? This is my problem - I’ve only got LDAP integration enabled; there’s no admin user to login as.
Depending on how you’ve setup camunda you could create the authorizations for the main admin using the REST API - this would by-pass the webapps.
Then i would suggest that you secure the REST API so it can’t be done again 
OK great - I’m using the Spring Boot method, so is this the course I should follow then?
Yup, you could also use the Java api if you like to create the authorizations on startup.
But considering this should only be a once off the REST API approch seems fine.
The authorization will then be stored in whatever data-source you’re using.
Cheers mate, will give that a try
1 Like
Hey @danny_xneelo,
I think what’s you’re missing is the Administrator Authorization Plugin: https://docs.camunda.org/manual/7.13/user-guide/process-engine/authorization-service/#the-administrator-authorization-plugin
You have to configure, which LDAP user or group should become admin.
Hope this helps, Ingo
1 Like
Hey Ingo
Ya I’m already using that plugin, but I’m not quite sure how it fits in. I can’t seem to configure which LDAP users are classified as admins.
The documentation doesn’t make this very clear. Is there an example somewhere I could reference?
Hi @danny_xneelo,
the documentation is written for the shared engine distro describing bpm-platform.xml as configuration file.
I havn’t used LDAP together with the camunda-bpm-spring-boot-starter, but the important configuration is either administratorUserName or administratorGroupName.
I’m not aware of an example, but I would try it as Felix described it here: Configure LDAP to connect to existing active directory, just using the AdministratorAuthorizationPlugin
Hope this helps, Ingo
Thanks for that @Ingo_Richtsmeier
In terms of the administratorUserName - I’ve tried aligning this with the LDAP user’s user ID attribute and the user name but neither of these work. It’s not clear to me what these properties really mean or how they relate to LDAP.
@Ingo_Richtsmeier @Niall just to close the loop, I appear to have made some headway.
I’ve created an LDAP group and configured the LDAP provider to search for it:
plugin.setGroupSearchBase("OU=Group");
plugin.setGroupIdAttribute("cn");
plugin.setGroupNameAttribute("cn");
plugin.setGroupMemberAttribute("memberUid");
plugin.setGroupSearchFilter("(objectclass=top)");
plugin.setAuthorizationCheckEnabled(true);
plugin.setSecurityAuthentication("simple");
plugin.setUsePosixGroups(true);
and enabled these settings:
camunda.bpm.authorization.enabled=true
camunda.bpm.authorization.enabled-for-custom-code=true
I then see:
And after I assigned my user to the group in LDAP, it comes through as expected:
I’ve used the admin authorization plugin
@Bean
public AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
AdministratorAuthorizationPlugin administratorAuthorizationPlugin = new AdministratorAuthorizationPlugin();
administratorAuthorizationPlugin.setAdministratorGroupName("camunda_admin");
return administratorAuthorizationPlugin;
}
which, I believe, produced these authorizations (amogst others):
I think where I was getting confused is that I was expecting the Admin dashboard to look like this:
(showing the “Create New User”, “Create New Tenant”, etc) options - but when using the LDAP provider, the IdentityService is set to read-only I believe.
Instead I see this:
Thanks for the assistance!
1 Like