LDAP Setup -Could not connect to LDAP server

Trying to test out the camunda LDAP with a free server available online : Online LDAP Test Server - Forum Systems

Made the changes in the xml to enabled LDAP Service. Here is the XML snippet :

<plugin>
        <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
        <properties>

          <property name="serverUrl">ldap.forumsys.com:389/</property>
          <property name="acceptUntrustedCertificates">false</property>
          <property name="managerDn">cn=read-only-admin,dc=example,dc=com</property>
          <property name="managerPassword">password</property>

          <property name="baseDn"></property>

          <property name="userSearchBase"></property>
          <property name="userSearchFilter">(objectclass=person)</property>

          <property name="userIdAttribute">uid</property>
          <property name="userFirstnameAttribute">cn</property>
          <property name="userLastnameAttribute">sn</property>
          <property name="userEmailAttribute">mail</property>
          <property name="userPasswordAttribute">userpassword</property>

          <property name="groupSearchBase"></property>
          <property name="groupSearchFilter">(objectclass=groupOfNames)</property>
          <property name="groupIdAttribute">cn</property>
          <property name="groupNameAttribute">cn</property>

          <property name="groupMemberAttribute">member</property>
          <property name="sortControlSupported">false</property>

        </properties>
      </plugin>
      

      <!-- LDAP CONFIGURATION -->
      <!-- The following plugin allows you to grant administrator authorizations to an existing LDAP user -->
      
      <plugin>
        <class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
        <properties>
          <property name="administratorUserName">admin</property>
        </properties>
      </plugin>

I have tried querying the LDAP using the ldapsearch command and it returns the result.

I am not sure what is going wrong. Can someone please have a look and let me know.

Hi,

Those two lines should be changed:

  <property name="serverUrl">ldap://ldap.forumsys.com:389/</property>
  <property name="baseDn">dc=example,dc=com</property>

BR,
Ilya

Thanks for the quick reply. A couple of follow up questions:

How does it affect REST Engine? How the rest API calls need to be authenticated when LDAP is enabled. Also, what if the LDAP Server is not responding, how can fallbacks be designed?

Hi mayank13,

We recently switched to LDAP in our experiments, while REST was not requiring authorisation (as in default config) - I haven’t spotted any suspicious behaviour at the moment.

I think this question on LDAP availability has already been asked on the forum and the answer was to rely on high-availability LDAP option which makes a perfect sense to me as when you introduce LDAP identity management on an enterprise level you immediately generate a single source of fault that should be somehow managed.

Best regards,
Ilya

Thanks! Makes sense. Another question - I am trying to login to cockpit and tasklist with LDAP but access rights are not there. How do I manage authorisations now?

Hi,

You can enable LDAP admin plugin and provide LDAP admin group or admin account from LDAP. The only thing I could not figure out how to configure a list of LDAP admin accounts:

  <plugin>
    <class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
    <properties>
      <!-- <property name="administratorUserName">user</property> -->
      <property name="administratorGroupName">camunda_admins</property>
    </properties>
  </plugin>

BR,
Ilya

Hi,

I have used a similar setup, however once the spring boot application launches I am redirected to create user pane. I am also not hitting any breakpoint on the org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin

image855×619 67.6 KB

I am running
Spring-Boot: (v2.2.5.RELEASE)
Camunda BPM: (v7.12.0)
Camunda BPM Spring Boot Starter: (v3.4.2)