Identity service implementation is read-only error while editing user profile

Dear Team,

I am getting the below error while using the LDAP identity service, having enabled the authorization plugin.
Below is my camunda.cfg.xml

<?xml version="1.0" encoding="UTF-8"?>

<bean id="ldapIdentityProviderPlugin"
	class="org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin">

	<property name="serverUrl" value="ldap://localhost:10389/" />
	<property name="managerDn" value="cn=Sundar S,ou=users,o=camunda" />
	<property name="managerPassword" value="pass" />
	<property name="baseDn" value="o=camunda" />

	<property name="userSearchBase" value="ou=users" />
	<property name="userSearchFilter" value="(objectclass=person)" />
	<property name="userIdAttribute" value="uid" />
	<property name="userFirstnameAttribute" value="cn" />
	<property name="userLastnameAttribute" value="sn" />
	<property name="userEmailAttribute" value="mail" />
	<property name="userPasswordAttribute" value="userPassword" />

	<property name="groupSearchBase" value="ou=groups" />
	<property name="groupSearchFilter" value="(objectclass=groupOfUniqueNames)" />
	<property name="groupIdAttribute" value="ou" />
	<property name="groupNameAttribute" value="cn" />
	<property name="groupMemberAttribute" value="member" />

	<property name="authorizationCheckEnabled" value="true" />

</bean>

<bean id="administratorAuthorizationPlugin"
	class="org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin">
	<property name="administratorGroupName" value="Admin" />
	<property name="administratorUserName" value="sundar" />

</bean>

Any help is appreciated!

Thanks
Sundar

You can’t update user or group profiles via Camunda when using LDAP, because Camunda does not manage the users. Do that directly in your LDAP interface.


@thorben
@Sundar I tried to implement it from the LDAP interface, but it didn’t work.
Let me show you my config file:
serverurl: *************
acceptuntrustedcertificates: true
allowAnonymousLogin: false
securityauthentication: simple
basedn: DC=***,DC=***,DC=Com
managerdn: CN=US_ifs_BOS_Hub_d001,OU=Applications,DC=***,DC=***,DC=com
managerpassword: *******
usersearchbase: OU=Internal,OU=Users
usersearchfilter: (objectClass=person)
useridattribute: cn
userfirstnameattribute: givenName
userlastnameattribute: sn
useremailattribute: mail
userpasswordattribute: userpassword
groupsearchbase: OU=Internal Groups
groupsearchfilter: (CN=bos-pif)
groupidattribute: cn
groupnameattribute: cn
groupmemberattribute: member
usessl: true
sortcontrolsupported: false

I am not seeing any persons in my group, even though we added them from the LDAP interface.

It looks like I encountered the same issue using v7.12 and Spring Boot.
I declared the following bean, simply setting the server URL to get rid of the null pointer exception:

    public static LdapIdentityProviderPlugin ldapIdentityProviderPlugin(){

        LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();
        plugin.setServerUrl("ldap://localhost:10389");
        return plugin;
    }

And the famous exception is being thrown:

ngframework.beans.factory.UnsatisfiedDependencyException: Error creating bean with name 'org.camunda.bpm.engine.spring.SpringProcessEngineServicesConfiguration': Unsatisfied dependency expressed through field 'processEngine'; nested exception is org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'processEngineFactoryBean': FactoryBean threw exception on object creation; nested exception is java.lang.UnsupportedOperationException: This identity service implementation is read-only.
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:643) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.annotation.InjectionMetadata.inject(InjectionMetadata.java:130) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor.postProcessProperties(AutowiredAnnotationBeanPostProcessor.java:399) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.populateBean(AbstractAutowireCapableBeanFactory.java:1422) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.doCreateBean(AbstractAutowireCapableBeanFactory.java:594) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.createBean(AbstractAutowireCapableBeanFactory.java:517) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.lambda$doGetBean$0(AbstractBeanFactory.java:323) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.DefaultSingletonBeanRegistry.getSingleton(DefaultSingletonBeanRegistry.java:222) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:321) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.preInstantiateSingletons(DefaultListableBeanFactory.java:879) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.finishBeanFactoryInitialization(AbstractApplicationContext.java:878) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.context.support.AbstractApplicationContext.refresh(AbstractApplicationContext.java:550) ~[spring-context-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.boot.web.servlet.context.ServletWebServerApplicationContext.refresh(ServletWebServerApplicationContext.java:141) ~[spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
	at org.springframework.boot.SpringApplication.refresh(SpringApplication.java:747) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
	at org.springframework.boot.SpringApplication.refreshContext(SpringApplication.java:397) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:315) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1226) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
	at org.springframework.boot.SpringApplication.run(SpringApplication.java:1215) [spring-boot-2.2.5.RELEASE.jar:2.2.5.RELEASE]
	at com.lingaro.hrApp.Application.main(Application.java:11) [classes/:na]
Caused by: org.springframework.beans.factory.BeanCreationException: Error creating bean with name 'processEngineFactoryBean': FactoryBean threw exception on object creation; nested exception is java.lang.UnsupportedOperationException: This identity service implementation is read-only.
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:178) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.getObjectFromFactoryBean(FactoryBeanRegistrySupport.java:101) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getObjectForBeanInstance(AbstractBeanFactory.java:1818) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractAutowireCapableBeanFactory.getObjectForBeanInstance(AbstractAutowireCapableBeanFactory.java:1266) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.doGetBean(AbstractBeanFactory.java:260) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.AbstractBeanFactory.getBean(AbstractBeanFactory.java:202) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.config.DependencyDescriptor.resolveCandidate(DependencyDescriptor.java:276) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.addCandidateEntry(DefaultListableBeanFactory.java:1510) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.findAutowireCandidates(DefaultListableBeanFactory.java:1467) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.doResolveDependency(DefaultListableBeanFactory.java:1250) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.support.DefaultListableBeanFactory.resolveDependency(DefaultListableBeanFactory.java:1207) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.springframework.beans.factory.annotation.AutowiredAnnotationBeanPostProcessor$AutowiredFieldElement.inject(AutowiredAnnotationBeanPostProcessor.java:640) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	... 19 common frames omitted
Caused by: java.lang.UnsupportedOperationException: This identity service implementation is read-only.
	at org.camunda.bpm.engine.impl.cmd.AbstractWritableIdentityServiceCmd.execute(AbstractWritableIdentityServiceCmd.java:37) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandExecutorImpl.execute(CommandExecutorImpl.java:28) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.impl.interceptor.CommandContextInterceptor.execute(CommandContextInterceptor.java:110) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.spring.SpringTransactionInterceptor$1.doInTransaction(SpringTransactionInterceptor.java:46) ~[camunda-engine-spring-7.12.0.jar:7.12.0]
	at org.springframework.transaction.support.TransactionTemplate.execute(TransactionTemplate.java:140) ~[spring-tx-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	at org.camunda.bpm.engine.spring.SpringTransactionInterceptor.execute(SpringTransactionInterceptor.java:44) ~[camunda-engine-spring-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.impl.interceptor.ProcessApplicationContextInterceptor.execute(ProcessApplicationContextInterceptor.java:70) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.impl.interceptor.LogInterceptor.execute(LogInterceptor.java:33) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.impl.IdentityServiceImpl.newUser(IdentityServiceImpl.java:94) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.spring.boot.starter.configuration.impl.custom.CreateAdminUserConfiguration.createUser(CreateAdminUserConfiguration.java:102) ~[camunda-bpm-spring-boot-starter-3.4.2.jar:3.4.2]
	at org.camunda.bpm.spring.boot.starter.configuration.impl.custom.CreateAdminUserConfiguration.postProcessEngineBuild(CreateAdminUserConfiguration.java:64) ~[camunda-bpm-spring-boot-starter-3.4.2.jar:3.4.2]
	at org.camunda.bpm.engine.impl.cfg.CompositeProcessEnginePlugin.postProcessEngineBuild(CompositeProcessEnginePlugin.java:107) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl.invokePostProcessEngineBuild(ProcessEngineConfigurationImpl.java:1080) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl.buildProcessEngine(ProcessEngineConfigurationImpl.java:816) ~[camunda-engine-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.spring.SpringTransactionsProcessEngineConfiguration.buildProcessEngine(SpringTransactionsProcessEngineConfiguration.java:63) ~[camunda-engine-spring-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.spring.ProcessEngineFactoryBean.getObject(ProcessEngineFactoryBean.java:55) ~[camunda-engine-spring-7.12.0.jar:7.12.0]
	at org.camunda.bpm.engine.spring.ProcessEngineFactoryBean.getObject(ProcessEngineFactoryBean.java:34) ~[camunda-engine-spring-7.12.0.jar:7.12.0]
	at org.springframework.beans.factory.support.FactoryBeanRegistrySupport.doGetObjectFromFactoryBean(FactoryBeanRegistrySupport.java:171) ~[spring-beans-5.2.4.RELEASE.jar:5.2.4.RELEASE]
	... 30 common frames omitted


Process finished with exit code 1

Can anyone provide more detailed instructions on how to configure LDAP? I’m going to search for community projects, but I would be grateful for hints or snippets.

This usually happens when your app is trying to create the admin user. Don’t forget to comment out the below stanza in your application.yaml file.

    camunda.bpm:
      admin-user:
        id: demo
        password: demo
        firstName: Demo
        lastName: Demo
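
A Spring Boot counterpart of the XML configuration from the first post, as an added example that is not part of any post in this thread and is not Camunda's own code. With the `admin-user` stanza removed, the engine no longer tries to write a user into the read-only LDAP identity service, and `AdministratorAuthorizationPlugin` grants admin rights to an existing LDAP user or group instead. Assumptions: the class name `LdapIdentityConfig` and the environment variable `LDAP_MANAGER_PASSWORD` are hypothetical, and the directory values are copied from the first post.

```java
import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;

@Configuration
public class LdapIdentityConfig { // hypothetical class name

    @Bean
    public LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
        // Assumption: the bind password comes from the environment rather than
        // being stored in a config file (variable name is hypothetical).
        String managerPassword = System.getenv("LDAP_MANAGER_PASSWORD");
        if (managerPassword == null || managerPassword.isEmpty()) {
            throw new IllegalStateException("LDAP_MANAGER_PASSWORD is not set");
        }

        LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();
        // Connection and search values copied from the first post.
        plugin.setServerUrl("ldap://localhost:10389/");
        plugin.setManagerDn("cn=Sundar S,ou=users,o=camunda");
        plugin.setManagerPassword(managerPassword);
        plugin.setBaseDn("o=camunda");
        plugin.setUserSearchBase("ou=users");
        plugin.setUserSearchFilter("(objectclass=person)");
        plugin.setUserIdAttribute("uid");
        plugin.setGroupSearchBase("ou=groups");
        plugin.setGroupSearchFilter("(objectclass=groupOfUniqueNames)");
        plugin.setGroupIdAttribute("ou");
        plugin.setGroupMemberAttribute("member");
        // Keep the restrictive settings explicit so they survive later edits.
        plugin.setAllowAnonymousLogin(false);
        plugin.setAcceptUntrustedCertificates(false);
        plugin.setAuthorizationCheckEnabled(true);
        return plugin;
    }

    @Bean
    public AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
        // Grants admin authorizations to an LDAP user/group that already exists;
        // nothing is created in the directory.
        AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
        plugin.setAdministratorGroupName("Admin");
        plugin.setAdministratorUserName("sundar");
        return plugin;
    }
}
```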