Active Directory: Login Failed : Wrong credentials or missing access rights to application


#1

I have configured the bpm-platform.xml to connect to the company AD

I check the AD logs, which say "successfully logged on", but the Admin or even the Welcome app login says "Login Failed : Wrong credentials or missing access rights to application"

What am I missing?

<plugins>
  <plugin>
    <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
    <properties>
      <!-- <property name="serverUrl">ldap://dc:4334/</property> -->
      <!-- plain ldap:// on 389: the simple bind below sends managerPassword in clear text;
           ldaps:// (or the plugin's useSsl option) keeps it off the wire -->
      <property name="serverUrl">ldap://dc.company.local:389/</property>
      <!-- AD accepts the UPN form as the bind identity; the DN form is the commented alternative.
           This account is a member of Domain Admins (see #3); a read-only service account is the
           least-privilege choice for a bind account whose password sits in a config file -->
      <property name="managerDn">dom-adm-si@company.local</property>
      <!-- <property name="managerDn">CN=dom-adm-si,CN=Users,DC=company,DC=local</property> -->
      <property name="managerPassword">******</property>
      <!-- only one DC component, while the domain used above is company.local (DC=company,DC=local) -->
      <property name="baseDn">DC=company</property>
      <!-- empty: user searches start at baseDn -->
      <property name="userSearchBase"></property>
      <!-- (objectclass=*) matches every object under the base, not only user accounts -->
      <property name="userSearchFilter">(objectclass=*)</property>
      <property name="userIdAttribute">sAMAccountName</property>
      <property name="userFirstnameAttribute">givenName</property>
      <property name="userLastnameAttribute">sn</property>
      <property name="userEmailAttribute">mail</property>
      <!-- AD does not expose the password attribute; the plugin verifies a password by binding as the user -->
      <property name="userPasswordAttribute">userpassword</property>
      <!-- this is an LDAP filter, but a search base is expected to be a DN (relative to baseDn) -->
      <property name="groupSearchBase">(|(OU=Office OU)(CN=Users)(OU=Call Center)(CN=Builtin)(OU=IT OU))</property>
      <property name="groupSearchFilter">(objectClass=group)</property>
      <property name="groupIdAttribute">cn</property>
      <property name="groupNameAttribute">name</property>
      <property name="groupMemberAttribute">member</property>
    </properties>
  </plugin>
  <plugin>
    <class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
    <properties>
      <property name="administratorUserName">dom-adm-si</property>
    </properties>
  </plugin>
</plugins>

The other details are:

SELECT * FROM ACT_ID_USER;
ID_ REV_ FIRST_ LAST_ EMAIL_ PWD_ SALT_ PICTURE_ID_
(no rows, 2 ms)

SELECT * FROM ACT_ID_GROUP;
ID_ REV_ NAME_ TYPE_
(no rows, 1 ms)

SELECT * FROM ACT_ID_MEMBERSHIP;
USER_ID_ GROUP_ID_
(no rows, 1 ms)

SELECT * FROM ACT_RU_AUTHORIZATION;
ID_ REV_ TYPE_ GROUP_ID_ USER_ID_ RESOURCE_TYPE_ RESOURCE_ID_ PERMS_
f7ce6658-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 0 * 2147483647
f7cf9ed9-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 1 * 2147483647
f7d03b1a-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 2 * 2147483647
f7d0d75b-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 3 * 2147483647
f7d20fdc-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 4 * 2147483647
f7d459cd-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 5 * 2147483647
f7d6077e-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 6 * 2147483647
f7d78e1f-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 7 * 2147483647
f7d80351-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 8 * 2147483647
f7d914c2-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 9 * 2147483647
f7d9b103-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 10 * 2147483647
f7da4d44-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 11 * 2147483647
f7dac275-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 12 * 2147483647
f7db37a6-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 13 * 2147483647
f7dc4917-1e61-11e8-9524-809f945b4044 1 1 null Dc admin 14 * 2147483647
fca47fbe-1e61-11e8-9524-809f945b4044 1 1 accounting null 7 fc9b7f0b-1e61-11e8-9524-809f945b4044 6
fca4a6d1-1e61-11e8-9524-809f945b4044 1 1 sales null 7 fc9b7f0b-1e61-11e8-9524-809f945b4044 6
fcf2c6fd-1e61-11e8-9524-809f945b4044 1 1 management null 7 fcf278da-1e61-11e8-9524-809f945b4044 6
9aa8ebe4-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 0 * 2147483647
9aac9565-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 1 * 2147483647
9aada6d6-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 2 * 2147483647
9aae9137-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 3 * 2147483647
9ab0db28-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 4 * 2147483647
9ab3733a-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 5 * 2147483647
9ab3e86b-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 6 * 2147483647
9ab4abbc-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 7 * 2147483647
9ab5e43d-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 8 * 2147483647
9ab82e2e-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 9 * 2147483647
9ab8f17f-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 10 * 2147483647
9ab98dc0-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 11 * 2147483647
9aba2a01-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 12 * 2147483647
9aba7822-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 13 * 2147483647
9abb1463-1e62-11e8-a3a0-809f945b4044 1 1 null dom-adm-si 14 * 2147483647
9f470546-1e62-11e8-a3a0-809f945b4044 1 1 accounting null 7 9f3d6853-1e62-11e8-a3a0-809f945b4044 6
9f475369-1e62-11e8-a3a0-809f945b4044 1 1 sales null 7 9f3d6853-1e62-11e8-a3a0-809f945b4044 6
9fa66385-1e62-11e8-a3a0-809f945b4044 1 1 management null 7 9fa63c72-1e62-11e8-a3a0-809f945b4044 6
(36 rows, 3 ms)
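
A quick offline check of the plugin block posted above, as an added example (not Camunda's code and not part of this thread). SAMPLE_CONFIG is a constructed, well-formed copy of the posted fragment and HARDENED_CONFIG is a constructed counterpart with each finding fixed; the service-account and OU names in it are assumptions. The property names are the plugin's own; the checks are ordinary LDAP/AD hygiene: an unencrypted simple bind, a baseDn outside the bind account's domain, a filter where a DN is expected, and a user filter that matches every object.

```python
"""Lint a Camunda LdapIdentityProviderPlugin block for settings that let an AD
bind succeed while the web app still rejects the login.

Added example, not Camunda's code. SAMPLE_CONFIG is a constructed copy of the
fragment posted in the thread; HARDENED_CONFIG is a constructed alternative
whose account and OU names are assumptions.
"""
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

LDAP_PLUGIN = "org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin"

SAMPLE_CONFIG = """<plugins>
  <plugin>
    <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
    <properties>
      <property name="serverUrl">ldap://dc.company.local:389/</property>
      <property name="managerDn">dom-adm-si@company.local</property>
      <property name="managerPassword">******</property>
      <property name="baseDn">DC=company</property>
      <property name="userSearchBase"></property>
      <property name="userSearchFilter">(objectclass=*)</property>
      <property name="userIdAttribute">sAMAccountName</property>
      <property name="groupSearchBase">(|(OU=Office OU)(CN=Users))</property>
      <property name="groupSearchFilter">(objectClass=group)</property>
      <property name="groupMemberAttribute">member</property>
    </properties>
  </plugin>
</plugins>"""

# Constructed: the same block with every finding addressed (names are assumptions).
HARDENED_CONFIG = """<plugins>
  <plugin>
    <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
    <properties>
      <property name="serverUrl">ldaps://dc.company.local:636/</property>
      <property name="managerDn">CN=svc-camunda-ldap,OU=Service Accounts,DC=company,DC=local</property>
      <property name="managerPassword">******</property>
      <property name="baseDn">DC=company,DC=local</property>
      <property name="userSearchBase">OU=Staff</property>
      <property name="userSearchFilter">(&amp;(objectClass=user)(objectCategory=person))</property>
      <property name="userIdAttribute">sAMAccountName</property>
      <property name="groupSearchBase">OU=Groups</property>
      <property name="groupSearchFilter">(objectClass=group)</property>
      <property name="groupMemberAttribute">member</property>
    </properties>
  </plugin>
</plugins>"""


def ldap_properties(xml_text):
    """Property name -> value for the LDAP identity plugin block."""
    root = ET.fromstring(xml_text)
    for plugin in root.iter("plugin"):
        if (plugin.findtext("class") or "").strip() == LDAP_PLUGIN:
            return {p.get("name"): (p.text or "").strip() for p in plugin.iter("property")}
    raise ValueError("no LdapIdentityProviderPlugin block found")


def dc_components(value):
    """DC values of a DN or UPN, lowercased: 'DC=company,DC=local' -> ('company', 'local')."""
    if "@" in value:                      # UPN form, e.g. user@company.local
        return tuple(value.split("@", 1)[1].lower().split("."))
    return tuple(part.split("=", 1)[1].strip().lower()
                 for part in value.split(",") if part.strip().upper().startswith("DC="))


def looks_like_dn(value):
    """Search bases must be DNs (attr=value pairs), not LDAP filters."""
    return "(" not in value and all("=" in part for part in value.split(","))


def lint(props):
    """Return finding codes in a fixed order; an empty list means the checks pass."""
    findings = []
    scheme = urlparse(props.get("serverUrl", "")).scheme.lower()
    # Plain ldap:// with a simple bind sends managerPassword in clear text
    # (useSsl is the plugin's LDAP-over-TLS switch; assumed to default to false).
    if scheme == "ldap" and props.get("useSsl", "false").lower() != "true":
        findings.append("cleartext-bind")
    manager, base = props.get("managerDn", ""), props.get("baseDn", "")
    # The bind identity names a domain; baseDn must lie in that domain's naming context.
    if dc_components(manager) and dc_components(base) != dc_components(manager):
        findings.append("basedn-domain-mismatch")
    for key in ("baseDn", "groupSearchBase"):
        if not looks_like_dn(props.get(key, "")):
            findings.append(f"{key.lower()}-not-a-dn")
    # (objectclass=*) matches computers, contacts and OUs too, so any object
    # carrying a sAMAccountName can be "found" as a user.
    if props.get("userSearchFilter", "").replace(" ", "").lower() in ("", "(objectclass=*)"):
        findings.append("user-filter-matches-everything")
    return findings


if __name__ == "__main__":
    print("posted config:  ", lint(ldap_properties(SAMPLE_CONFIG)))
    print("hardened config:", lint(ldap_properties(HARDENED_CONFIG)))
```

Run it against the real bpm-platform.xml by reading the file into `ldap_properties`; every finding it reports for the posted block is something to confirm with an ldapsearch using the same bind account, base and filter before looking at the Camunda side.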


#2

Hi @Ovidiu_Loghin,

Is it possible to attach the complete stack trace of the error from the server log?

Best regards,
Yana


#3

Hi,

I sorted it out. It does not work if you only add the user to the AdministratorAuthorizationPlugin.

<!-- does not work -->
<property name="administratorUserName">dom-adm-si</property>

In case you add the entire LDAP group of administrators, it works perfectly… in my case the following lines added to AdministratorAuthorizationPlugin just did what I wanted.

<!-- administratorGroupName is a single-valued property: check in ACT_RU_AUTHORIZATION that
     grants exist for all three groups and not only for the last one listed -->
<property name="administratorGroupName">sysadmins</property>
<property name="administratorGroupName">Managers</property>
<property name="administratorGroupName">Domain Admins</property>

This is curious, as dom-adm-si belongs to the Domain Admins group in my directory.

The group, though, is sufficient; it would be worth mentioning this detail in the documentation.

Regards
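
To make the difference between a user-level and a group-level administrator grant concrete, here is an added example (mine, not Camunda's engine code and not part of this thread) that replays a web-app access check against rows shaped like the ACT_RU_AUTHORIZATION dump in #1. It models the precedence the Camunda authorization documentation describes (user over group over global, a specific resource id over `*`, a REVOKE beating a GRANT of equal or lower precedence) with Camunda's documented constants (TYPE_ 0/1/2, resource type 0 = Application, ACCESS = 32, ALL = 2147483647); it is a model of those rules, not the engine's SQL. The rows are a constructed subset of the dump plus one constructed group grant of the kind the `administratorGroupName` setting creates; the `Dom-Adm-SI` and `alice` principals are constructed. The thread does not establish why the user-level entry alone failed; the example only shows the mechanics: a user grant matches one exact id, while a group grant matches whatever group ids the LDAP plugin returns for the login.

```python
"""Replay a web-app access check against ACT_RU_AUTHORIZATION-style rows.

Added example, not Camunda's engine code: a model of the documented precedence
rules, using Camunda's documented constants. ROWS is a constructed subset of
the dump in the thread plus one constructed group grant.
"""
from dataclasses import dataclass
from typing import List, Optional

# Authorization TYPE_ values and permission bits as documented by Camunda.
GLOBAL, GRANT, REVOKE = 0, 1, 2
APPLICATION, TASK = 0, 7          # RESOURCE_TYPE_ values seen in the dump
READ, UPDATE, DELETE, ACCESS = 2, 4, 16, 32
ALL = 2147483647                  # Permissions.ALL as stored in PERMS_


@dataclass(frozen=True)
class AuthRow:
    type_: int                    # TYPE_
    group_id: Optional[str]       # GROUP_ID_
    user_id: Optional[str]        # USER_ID_
    resource_type: int            # RESOURCE_TYPE_
    resource_id: str              # RESOURCE_ID_
    perms: int                    # PERMS_ bit mask


TASK_ID = "fc9b7f0b-1e61-11e8-9524-809f945b4044"

ROWS: List[AuthRow] = [
    AuthRow(GRANT, None, "Dc admin", APPLICATION, "*", ALL),
    AuthRow(GRANT, None, "dom-adm-si", APPLICATION, "*", ALL),
    AuthRow(GRANT, "accounting", None, TASK, TASK_ID, READ | UPDATE),
    AuthRow(GRANT, "sales", None, TASK, TASK_ID, READ | UPDATE),
    AuthRow(GRANT, "management", None, TASK, "fcf278da-1e61-11e8-9524-809f945b4044", READ | UPDATE),
    # Constructed: the grant an administratorGroupName of "Domain Admins" amounts to.
    AuthRow(GRANT, "Domain Admins", None, APPLICATION, "*", ALL),
]


def precedence(row: AuthRow):
    """Higher tuple = more specific: user > group > global, then exact id > '*'."""
    if row.type_ == GLOBAL:
        level = 0
    elif row.group_id is not None:
        level = 1
    else:
        level = 2
    return (level, 0 if row.resource_id == "*" else 1)


def applicable_rows(rows, user_id, group_ids, resource_type, resource_id):
    """Rows about this principal and this resource; ids are compared exactly (case-sensitive)."""
    out = []
    for r in rows:
        if r.resource_type != resource_type or r.resource_id not in ("*", resource_id):
            continue
        if r.type_ == GLOBAL or r.user_id == user_id or (r.group_id is not None and r.group_id in group_ids):
            out.append(r)
    return out


def is_authorized(rows, user_id, group_ids, permission, resource_type, resource_id) -> bool:
    """True when some grant carries every requested bit and no revoke of equal or
    higher precedence takes any of those bits away."""
    cands = applicable_rows(rows, user_id, group_ids, resource_type, resource_id)
    grants = [r for r in cands if r.type_ in (GRANT, GLOBAL) and (r.perms & permission) == permission]
    revokes = [r for r in cands if r.type_ == REVOKE and (r.perms & permission)]
    return any(not any(precedence(v) >= precedence(g) for v in revokes) for g in grants)


if __name__ == "__main__":
    # The login the thread is about: ACCESS on the "admin" application.
    print(is_authorized(ROWS, "dom-adm-si", [], ACCESS, APPLICATION, "admin"))
    # Same grant, but the identity provider hands back a differently spelled id: no match.
    print(is_authorized(ROWS, "Dom-Adm-SI", [], ACCESS, APPLICATION, "admin"))
    # ...unless the groups resolved from LDAP carry a grant of their own.
    print(is_authorized(ROWS, "Dom-Adm-SI", ["Domain Admins"], ACCESS, APPLICATION, "admin"))
```

The group list passed to `is_authorized` is whatever the identity provider returns for the login, so with the LDAP plugin it depends on `groupSearchBase`, `groupSearchFilter`, `groupIdAttribute` and `groupMemberAttribute` resolving the user's groups at all; if a group grant "works" and a user grant does not, comparing the user id and group ids the plugin actually returns against the USER_ID_ and GROUP_ID_ columns, byte for byte, is the first thing to check.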


#4

Hi @Ovidiu_Loghin,

Documentation regarding AdministratorAuthorizationPlugin is here.
Please feel free to raise a pull request if you think that it should be improved.

Best regards,
Yana


#5

@Yana, even I am running into this issue. I tried to add administratorUserName and also administratorGroupName, but I am still getting "Wrong credentials or missing access rights to application".