Hello,
I am having a bit of a tricky issue with using LDAP to log into the Camunda Webapps provided by the Spring Boot starter.
I am using spring-boot-starter-webapp/rest version 2.0.0 and camunda-identity-ldap version 7.6.0.
This is my current LDAP configuration for Camunda:
import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.springframework.context.annotation.Bean;

@Bean
public static AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
    AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
    // user id that gets the admin group/authorizations on engine start
    plugin.setAdministratorUserName("admin");
    return plugin;
}

@Bean
public static LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
    LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();
    plugin.setServerUrl("ldap://<ldap-address>:389");
    // bind credentials the engine uses to search the directory
    plugin.setManagerDn("cn=Administrator,dc=my,dc=domain,dc=net");
    plugin.setManagerPassword("secret");
    plugin.setBaseDn("dc=my,dc=domain,dc=net");
    // user lookup
    plugin.setUserSearchBase("ou=Benutzer");
    plugin.setUserSearchFilter("(uid={0})");
    plugin.setUserIdAttribute("uid");
    plugin.setUserFirstnameAttribute("givenName");
    plugin.setUserLastnameAttribute("sn");
    plugin.setUserPasswordAttribute("userPassword");
    // group lookup
    plugin.setGroupSearchBase("ou=Gruppen");
    plugin.setGroupSearchFilter("(member={0})");
    plugin.setGroupIdAttribute("ou");
    plugin.setGroupNameAttribute("cn");
    plugin.setGroupMemberAttribute("member");
    return plugin;
}
I am using the same configuration values for my normal Spring Security login and everything works fine,
but when trying to log the admin user into Camunda Tasklist for example, I get the following two errors:
Communication Error :
The application received an unexpected 405 response from the server. Try to refresh the page or login and out of the application.
Can not log in with those credentials.
Here is the debug log from a login attempt: https://pastebin.com/trhc69r4
Note that the warnings (line 38 and 58ff) about the 405 error also appear when using the built-in login.
Here’s what I’ve tried so far:
- Using Camunda built-in login (causes the same warnings, but still works)
- Turned CSRF protection off (same warnings still appear, same error)
- Ensured that all paths related to Camunda (/api, /app, /lib) are configured as permitAll in my SecurityConfiguration
So I guess my question is: does anyone have any experience with using LDAP for authentication for the embedded webapps and is able to point me in the right direction? Any tips would be greatly appreciated.
Hi @ajesina,
is DEBUG logging enabled for org.camunda.bpm.identity.impl.ldap? The log from the pastebin is not really helpful at the moment. Are you getting any exceptions?
Cheers,
Askar
Hey,
I didn’t enable it before since I assumed just setting the root log level in logback.xml to DEBUG would be enough; adding
logging.level.org.camunda.bpm.identity.impl.ldap=DEBUG
to my application.properties doesn’t cause any additional output from that package.
Unfortunately, there aren’t any exceptions either. I feel some step-by-step debugging coming on… I don’t really have enough insight into the Camunda source to know where to start with that though.
Could you (or anyone else) maybe point me to where the authentication process takes place in Camunda so that I might be able to better comprehend what the issue is?
Thanks in advance,
Andreas
Hi @ajesina,
I think the following classes would be interesting for you:
- org.camunda.bpm.identity.impl.ldap.LdapUserQueryImpl
- org.camunda.bpm.engine.impl.IdentityServiceImpl
- org.camunda.bpm.engine.impl.cmd.CheckPassword
Hope that helps,
Askar
Thanks a lot, I’ll start investigating and get back here once I have something that actually looks like an error. 
Hi,
the following configuration (bean methods 2 and 3) worked fine within our environment (sensitive attribute values have been anonymized):
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.cfg.ProcessEnginePlugin;
import org.camunda.bpm.engine.impl.persistence.StrongUuidGenerator;
import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.camunda.bpm.spring.boot.starter.configuration.Ordering;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;

@Configuration
public class CustomCamundaConfiguration {

    @Bean
    @Order(Ordering.DEFAULT_ORDER + 1)
    public static ProcessEnginePlugin strongUUIDGenerator() {
        return new ProcessEnginePlugin() {
            @Override
            public void preInit(ProcessEngineConfigurationImpl processEngineConfiguration) {
                // use random (non-guessable) UUIDs for engine ids
                processEngineConfiguration.setIdGenerator(new StrongUuidGenerator());
            }
            @Override
            public void postInit(ProcessEngineConfigurationImpl processEngineConfiguration) {
            }
            @Override
            public void postProcessEngineBuild(ProcessEngine processEngine) {
            }
        };
    }

    @Bean
    @Order(Ordering.DEFAULT_ORDER + 2)
    public static LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
        LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();
        // TODO: make configurable from outside
        plugin.setServerUrl("ldap://ldap.brezn.knoedel.info:089/");
        plugin.setAcceptUntrustedCertificates(false);
        plugin.setAllowAnonymousLogin(false);
        // TODO: tighten
        plugin.setUseSsl(false);
        plugin.setSecurityAuthentication("simple");
        // manager settings
        plugin.setBaseDn("DC=kueche,DC=kochtopf,DC=de");
        plugin.setManagerDn("CN=Weißwurscht,OU=Kochtopf,OU=Kueche,OU=Erdgeschoß,DC=Haus,DC=Dahoam,DC=de");
        plugin.setManagerPassword("MitVielSenfUndBittschönNurDasOriginal");
        // user-specific settings
        plugin.setUserSearchBase("ou=HungrigeLeid");
        plugin.setUserSearchFilter("(objectclass=person)");
        plugin.setUserIdAttribute("iBins");
        plugin.setUserFirstnameAttribute("iBinDa");
        plugin.setUserLastnameAttribute("SehrErfreut");
        plugin.setUserEmailAttribute("schicksDoHi");
        // group-specific settings
        plugin.setGroupSearchBase("ou=Alle,ou=Hungrigen,ou=Leid");
        plugin.setGroupSearchFilter("(objectclass=group)");
        plugin.setGroupIdAttribute("miaSans");
        plugin.setGroupNameAttribute("soHoasMa");
        plugin.setGroupMemberAttribute("hungrigeGeschellschaft");
        return plugin;
    }

    @Bean
    @Order(Ordering.DEFAULT_ORDER + 3)
    public static AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
        AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
        plugin.setAdministratorGroupName("Weißbier-Trinker"); // group name available in the LDAP server
        plugin.setAdministratorUserName("DaBreznSepp");       // user id available in the LDAP server
        return plugin;
    }
}
With the LDAP plugin active, the admin user configuration (camunda.bpm.admin-user, https://camunda.github.io/camunda-bpm-spring-boot-starter/docs/current/index.html#properties) has to be omitted. Otherwise the application tries to access the identity service with write access, and the LDAP identity service only has read access permission. Currently I cannot say whether the former is a general restriction or whether it is specific to our LDAP environment (having LDAP credentials with only read access to the server).
Regards
Kristian
Nice to see it works, I never tested this before.
Ok, after seeing the config posted by @Kristian (thanks for the laughs in your “anonymization” by the way ^^), I re-tried some things with my config and figured out what the issue was:
Apparently, Camunda and Spring Security treat their group search filters differently.
While Spring Security needs a group search filter to check for group membership (e.g. (uniqueMember={0})), Camunda assumes that the group search filter is used to search for the group itself (e.g. (objectclass=groupOfNames)).
After using different filters for my Camunda and Spring LDAP configs, everything works as expected now. Luckily, I avoided the step-by-step debugging.
Thanks all for your help!
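To make the difference Andreas found concrete, here is an added example (my own code, not Camunda's or Spring Security's) that models how each framework turns the same configuration values into a group query and runs the result against a small constructed directory. It assumes the conventions stated in the thread: Spring Security substitutes the user's DN for {0} in a filter that is itself the membership test, while Camunda uses groupSearchFilter to select group entries and adds the membership test from groupMemberAttribute. The escaping follows RFC 4515 so that a login name cannot rewrite the filter; the directory contents, the tiny filter parser and the `groups_of` helper are all constructed for the example.

```python
# Added example (not Camunda's or Spring Security's own code): a model of how the
# group query is built from the same configuration values in the two frameworks,
# run against a small constructed directory. Filter grammar is RFC 4515 reduced
# to what the example needs: equality, AND, OR, backslash-hex escapes.

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for a value interpolated into a filter. Without it a
    login name such as 'admin)(uid=*' would rewrite the filter (LDAP injection)."""
    return ''.join('\\%02x' % ord(c) if c in '\\*()\x00' else c for c in value)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, used by the toy parser below."""
    out, i = [], 0
    while i < len(value):
        if value[i] == '\\' and i + 2 < len(value):
            out.append(chr(int(value[i + 1:i + 3], 16)))
            i += 3
        else:
            out.append(value[i])
            i += 1
    return ''.join(out)


def parse_filter(text: str, pos: int = 0):
    """Parse '(attr=value)', '(&...)' or '(|...)' into a tuple tree."""
    if text[pos] != '(':
        raise ValueError('filter must start with (')
    pos += 1
    if text[pos] in '&|':
        op, pos, children = text[pos], pos + 1, []
        while text[pos] == '(':
            child, pos = parse_filter(text, pos)
            children.append(child)
        return (op, children), pos + 1          # skip the closing ')'
    end = text.index(')', pos)                  # an escaped ')' is '\29', so this is the real one
    attr, _, value = text[pos:end].partition('=')
    return ('eq', attr.lower(), unescape_filter_value(value)), end + 1


def search(directory, filter_text):
    """Return the DNs of entries matching filter_text (values compared case-insensitively)."""
    tree, _ = parse_filter(filter_text)

    def matches(node, entry):
        if node[0] in ('&', '|'):
            combine = all if node[0] == '&' else any
            return combine(matches(c, entry) for c in node[1])
        _, attr, value = node
        return value.lower() in [v.lower() for v in entry.get(attr, [])]

    return [dn for dn, entry in directory.items() if matches(tree, entry)]


# Constructed sample directory (attribute names lower-cased), mirroring the
# ou=Benutzer / ou=Gruppen layout from the first post.
BASE = 'dc=my,dc=domain,dc=net'
ADMIN_DN = 'uid=admin,ou=Benutzer,' + BASE
BOB_DN = 'uid=bob,ou=Benutzer,' + BASE
DIRECTORY = {
    ADMIN_DN: {'objectclass': ['person'], 'uid': ['admin'], 'givenname': ['Andreas']},
    BOB_DN: {'objectclass': ['person'], 'uid': ['bob']},
    'cn=camunda-admin,ou=Gruppen,' + BASE: {'objectclass': ['groupOfNames'],
                                            'cn': ['camunda-admin'], 'member': [ADMIN_DN]},
    'cn=users,ou=Gruppen,' + BASE: {'objectclass': ['groupOfNames'],
                                    'cn': ['users'], 'member': [ADMIN_DN, BOB_DN]},
}


def camunda_user_filter(user_search_filter, user_id):
    """userSearchFilter with {0} replaced by the escaped login name."""
    return user_search_filter.replace('{0}', escape_filter_value(user_id))


def spring_group_filter(group_search_filter, user_dn, user_id):
    """Spring Security convention: the filter *is* the membership test;
    {0} is the user's DN, {1} the login name."""
    return (group_search_filter.replace('{0}', escape_filter_value(user_dn))
                               .replace('{1}', escape_filter_value(user_id)))


def camunda_group_filter(group_search_filter, group_member_attribute, user_dn):
    """Camunda convention as described in the thread: groupSearchFilter selects
    the group entries; the membership test is added from groupMemberAttribute."""
    return '(&%s(%s=%s))' % (group_search_filter, group_member_attribute,
                             escape_filter_value(user_dn))


def groups_of(user_id, group_search_filter, framework):
    """Look the user up by uid, then run the group query the way `framework` builds it.
    Returns the sorted group DNs, or None when the user lookup is not unique."""
    users = search(DIRECTORY, camunda_user_filter('(uid={0})', user_id))
    if len(users) != 1:
        return None
    user_dn = users[0]
    if framework == 'spring':
        query = spring_group_filter(group_search_filter, user_dn, user_id)
    else:
        query = camunda_group_filter(group_search_filter, 'member', user_dn)
    return sorted(search(DIRECTORY, query))


if __name__ == '__main__':
    print('spring  (member={0}):            ', groups_of('admin', '(member={0})', 'spring'))
    print('camunda (member={0}):            ', groups_of('admin', '(member={0})', 'camunda'))
    print('camunda (objectclass=groupOfNames):', groups_of('admin', '(objectclass=groupOfNames)', 'camunda'))
    print('injection attempt:               ', groups_of('admin)(uid=*', '(objectclass=groupOfNames)', 'camunda'))
```

Running it shows the failure mode from the thread: with `(member={0})` the Camunda-style query becomes `(&(member={0})(member=uid=admin,...))`, the literal `{0}` matches no entry, and the user ends up with no groups, whereas `(objectclass=groupOfNames)` combined with `groupMemberAttribute` returns both groups. The last line also shows why the user id must be escaped before it goes into `userSearchFilter`: `admin)(uid=*` is looked up as a literal value and finds nobody instead of widening the search.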