We are using the org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin.
The configuration works: we can log in, and we see the groups and the memberships.
What we didn’t manage to configure is the membership of a user to hierarchical groups in LDAP.
Situation:
Group B is member of group A.
User X is member of group B.
Expected: User X is member of group A and group B.
Actually: User X is only member of group B
Is it possible to configure this plugin to achieve the behavior we want?
Or do we need to create our own LDAP plugin?
First check whether your LDAP is configured so that each group has an attribute, for example member (or check what the actual attribute name is), which points to users. Then your configuration for the LDAP plugin should look like:
…
ldapIdentityProviderPlugin.setGroupMemberAttribute("member");
…
This is an example for Apache DS.
The groupMemberAttribute is set to the attribute name where users are added. It works.
It doesn't work when groups, instead of users, are set in this attribute.
In Apache it is possible to call "operational attributes" for a user. There you can see the "isMemberOf" attribute, where all the groups the user is a member of are listed.
I wish to see the same in Camunda.
So now we need to add the user to every group explicitly to see it in Camunda. We cannot use a group of groups as a hierarchy resolved into a list of groups.
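The difference between what the plugin reports (direct membership via the groupMemberAttribute) and what the poster expected (membership resolved through nested groups) can be made concrete with a small resolver. The following is an added example written for this thread; it is not code from the Camunda project or from the LDAP plugin. It replaces a real LDAP search with a constructed in-memory directory (the group DNs, the user DNs and the objectClass values are all made up), keeps the "member" attribute name used in the thread, and walks the hierarchy upward with a visited set so that a cycle between two groups (which real directories can contain) terminates instead of looping.

```python
# Added example (not from the forum thread or the Camunda project): resolves
# nested LDAP group membership over a constructed in-memory directory.
from collections import deque

# Constructed sample directory: DN -> attributes. The "member" attribute (the
# value passed to setGroupMemberAttribute in the thread) may point at users or
# at other groups. groupA/groupB mirror the poster's case; groupC/groupD form a
# cycle to show that the resolver terminates.
DIRECTORY = {
    "cn=groupA,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=groupB,ou=groups,dc=example,dc=org"],
    },
    "cn=groupB,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=userX,ou=people,dc=example,dc=org"],
    },
    "cn=groupC,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["uid=userY,ou=people,dc=example,dc=org",
                   "cn=groupD,ou=groups,dc=example,dc=org"],
    },
    "cn=groupD,ou=groups,dc=example,dc=org": {
        "objectClass": ["groupOfNames"],
        "member": ["cn=groupC,ou=groups,dc=example,dc=org"],
    },
    "uid=userX,ou=people,dc=example,dc=org": {"objectClass": ["inetOrgPerson"]},
    "uid=userY,ou=people,dc=example,dc=org": {"objectClass": ["inetOrgPerson"]},
}


def _is_group(entry):
    return "groupOfNames" in entry.get("objectClass", [])


def direct_groups(user_dn, directory=DIRECTORY, member_attr="member"):
    """Groups whose member attribute names the user directly.

    This is the lookup the thread describes: a group is reported only when
    the user's own DN appears in its groupMemberAttribute.
    """
    return {
        dn for dn, entry in directory.items()
        if _is_group(entry) and user_dn in entry.get(member_attr, [])
    }


def effective_groups(user_dn, directory=DIRECTORY, member_attr="member"):
    """Transitive closure of group membership (what the poster expected).

    Starts from the direct groups and repeatedly adds every group that lists
    an already-found group as a member. The resolved set doubles as the
    visited set, so a cycle (C contains D, D contains C) stops the walk.
    """
    resolved = set()
    queue = deque(direct_groups(user_dn, directory, member_attr))
    while queue:
        group_dn = queue.popleft()
        if group_dn in resolved:
            continue
        resolved.add(group_dn)
        # Parents of this group: groups that list it under member_attr.
        for parent_dn, entry in directory.items():
            if _is_group(entry) and group_dn in entry.get(member_attr, []):
                if parent_dn not in resolved:
                    queue.append(parent_dn)
    return resolved


def group_ids(dns, id_attr="cn"):
    """Map group DNs to their id (the RDN value), the way a groupIdAttribute
    of "cn" would label them; DNs whose RDN is a different attribute are skipped."""
    ids = set()
    for dn in dns:
        rdn = dn.split(",", 1)[0]
        attr, _, value = rdn.partition("=")
        if attr.strip().lower() == id_attr.lower():
            ids.add(value.strip())
    return ids


if __name__ == "__main__":
    user_x = "uid=userX,ou=people,dc=example,dc=org"
    print("direct:   ", sorted(group_ids(direct_groups(user_x))))      # ['groupB']
    print("effective:", sorted(group_ids(effective_groups(user_x))))   # ['groupA', 'groupB']
```

For userX the direct lookup yields only groupB, which matches the "Actually" line in the question, while the transitive walk yields groupA and groupB, which matches the "Expected" line. A real implementation would issue one LDAP search per step (filter on the member attribute) instead of scanning a dictionary, or rely on a server-side operational attribute such as the isMemberOf mentioned above; either way the visited set matters, because without it two groups that contain each other make the resolver loop forever.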