1 Reply Latest reply on Sep 25, 2015 9:18 AM by vcornejo

    Where do I place jbpm.usergroup.callback.properties?

    schufty
    schufty Sep 15, 2015 5:03 PM

      I want to log in to business-central with LDAP credentials. I'm trying to connect BPM Suite to an ApacheDS ldap server. Both servers are running locally. According to the user guide, I can "create the jbpm.usergroup.callback.properties file in the root of your application". What does "root of your application" mean? I've tried placing it in $EAP-6.4.0/standalone/deployments/business-central.war as well as in the WEB-INF/classes directory. Neither worked. The user guide also says I can set a system property "-Djbpm.usergroup.callback.properties=<path to file>". That didn't work either. In all cases, business-central refuses to accept credentials from my ldap server, and continues to accept credentials from $EAP-6.4.0/standalone/configuration/application-users.properties. Where should this file go, or is there some other way I should be configuring my ldap connection?

       

      This is running JBoss BPM Suite 6.1 on EAP 6.4.0.

       

      I've attached my jbpm.usergroup.callback.properties in case that helps.

        • 1. Re: Where do I place jbpm.usergroup.callback.properties?
          vcornejo
          vcornejo Sep 25, 2015 9:18 AM (in response to schufty)

          Lance.

          There are two points to configure:

          1 By default the business-central security domain is "other" (that point to user.properties).

          You must define a new security domain "myLdapDomain" into EAP/standalone/configuration/standalone.xml, and point business-central/WEB-INF/jboss-web.xml to this.

          example:

          <security-domain name="myLdapDomain">

                              <authentication>

                                  <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">

                                      <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>

                                      <module-option name="java.naming.provider.url" value="ldap://ldap_server_ip:389"/>

                                      <module-option name="bindDN" value="cn=queryUser,cn=Users,dc=mydomain,dc=com"/>

                                      <module-option name="bindCredential" value="queryUserPassword"/>

                                      <module-option name="baseCtxDN" value="cn=Users,dc=mydomain,dc=com"/>

                                      <module-option name="baseFilter" value="(userPrincipalName={0})"/>

                                      <module-option name="rolesCtxDN" value="cn=Users,dc=mydomain,dc=com"/>

                                      <module-option name="roleFilter" value="(userPrincipalName={0})"/>

                                      <module-option name="roleAttributeID" value="memberOf"/>

                                      <module-option name="roleNameAttributeID" value="cn"/>

                                      <module-option name="roleAttributeIsDN" value="true"/>

                                      <module-option name="allowEmptyPasswords" value="true"/>

                                      <module-option name="Context.REFERRAL" value="follow"/>

                                      <module-option name="throwValidateError" value="true"/>

                                      <module-option name="searchScope" value="SUBTREE_SCOPE"/>

                                  </login-module>

                                  <login-module code="org.jboss.security.auth.spi.RoleMappingLoginModule" flag="optional">

                                      <module-option name="rolesProperties" value="roles.properties"/>

                                      <module-option name="replaceRole" value="false"/>

                                  </login-module>

                              </authentication>

                          </security-domain>

          Doing this, business-central can authenticate users with Ldap server

          ---------------------------------------------------------------------------------------------------

          2 For some features related to querying the users-groups you must change the default UserGroupCallBack defined into business-central/WEB-INF/beans.xml

          <alternatives>

              <class>org.jbpm.services.cdi.producer.JAASUserGroupInfoProducer</class>

            </alternatives>

          change to

          <alternatives>

              <class>org.jbpm.services.cdi.producer.LDAPUserGroupInfoProducer</class>

            </alternatives>

           

          Additional you need to define the system property jbpm.usergroup.callback.properties and point to your propertie file (WEB-INF/jbpm.usergroup.callback.properties)

           

          That's all what I do to work with bpms and ldap.

            • Actions