2 Replies Latest reply on Jan 31, 2013 9:23 PM by Hung Phan

    LDAP UserGroupCallback with bind credentials

    Asha M Newbie

      Hi,

      We integrated our human task service with LDAP. But my Active Directory server does not allow anonymous access.

      So, we configured the ldap.bind.user and ldap.bind.pwd in jbpm.usergroup.callback.properties and jbpm.user.info.properties

       

      But the search does not bind with the credentials passed in the properties file and hence we get a LDAP error stating " In order to perform this operation a successful bi nd must be completed on the connection."

       

      When I checked the LDAPUserGroupCallback implementation, the InitialContext did not use the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS for the values passed in the properties.

      Should we customize the class, to include these values while building the initial context.

       

      Also, is it possible to take the bind credentials from the values that we used for login to jbpm-console (which is also integrated to LDAP) (like how LDAPLoginModule works - uses the login id and password itself as the bind credentials)

        • 1. Re: LDAP UserGroupCallback with bind credentials
          Maciej Swiderski Master

          This is certainly a bug, could you please file a jira for this, if you would like to contribute you could submit a patch by doing pull request

           

          Thanks for bringing this up!

           

          Cheers

          • 2. Re: LDAP UserGroupCallback with bind credentials
            Hung Phan Newbie

            Have you tried using the 'java.naming.security.principal' and 'java.naming.security.credentials' in your properties file?  They worked for me (thank you for the hints). 

             

            Also, what is the correct configurations to get just the CN for a user's groups (e.g. just 'user', or 'admin') into the task.OrganizationalEntity table?  Below is a section of my current configuration, which results ininserting the entire string 'CN=admin,CN=Users,DC=...' as the 'Group' id.  Thanks in advance.

            -------------

            # Filter that will be used to search for user information,

            # usually will contain substitution keys {0} to be replaced with parameters

            # (mandatory)

            ldap.user.filter=(sAMAccountName\={0})

             

            # Attribute name of the user id in Active Directory

            ldap.user.attr.id=sAMAccountName

             

            # Filter that will be used to search for group/role information,

            # usually will contain substitution keys {0} to be replaced with parameters

            # (mandatory)

            ldap.role.filter=(sAMAccountName\={0})

             

            # Filter that will be used to search for user group/role membership information,

            # usually will contain substitution keys {0} to be replaced with parameters

            # (mandatory)

            ldap.user.roles.filter=(sAMAccountName\={0})

             

            # Attribute name of the group/role id in Active Directory

            # (optional, if not given 'cn' will be used)

            ldap.roles.attr.id=memberOf

             

            # User id a DN, instructs the callback to query for user DN

            # before searching for roles (optional, default false)

            ldap.user.id.dn=true

            -------------------

             

            Found the answer on my own (due to my AD setup: both users and groups are under CN=Users, login user id is not DN):

             

            # Filter that will be used to search for user group/role membership information,

            # usually will contain substitution keys {0} to be replaced with parameters

            # (mandatory)

            ldap.user.roles.filter=(&objectclass\=group) (sAMAccountName\={0}))

             

            # Attribute name of the group/role id in Active Directory

            # (optional, if not given 'cn' will be used)

            ldap.roles.attr.id=cn

             

            # User id a DN, instructs the callback to query for user DN

            # before searching for roles (optional, default false)

            ldap.user.id.dn=false