Cockpit ignoring authorization rule for LDAP groups

Hi, hoping any community members might be able to help me out here! I’ve configured Camunda Cockpit to use LDAP authentication, but it doesn’t seem to be recognizing group authorizations.

What’s working:

  • I can log in using SSO
  • My user profile info & Active Directory groups are being populated from the LDAP server

I set up a new Active Directory group called “cockpit-users” and added myself. When I go to the “cockpit-users” group page in Camunda Admin I can see that I’m a member. If I go to my user page and look at my groups, I can see “cockpit-users” in the list. So far so good.

Then I set up the following authorizations in Camunda Admin:

  • the “cockpit-users” group has access to Cockpit
  • my specific user id has access to Admin

When I enable authorization to test it out and go to the welcome page, I only see the admin section.

So it’s as if my group membership is being ignored. Has anyone seen this before? Any suggestions on how to debug or what the problem might be?

Using Spring Boot with Camunda 7.10 and a MySQL DB.

I tried setting this up using the local MySQL database for storing users and groups (instead of LDAP) and it worked as intended, so I think my authorization rules are configured correctly and the problem definitely lies with LDAP somehow.

From looking at the network tab, I noticed that api/admin/auth/user/default is returning the list of authorized apps:

{"userId":"redacted","authorizedApps":["admin","welcome"]}

This API call is returning suspiciously fast, like 6ms. Our LDAP server is not nearly so quick. Pulling the list of groups on my user page in Camunda admin takes ~1.5 seconds. Is this endpoint even considering group membership when calculating authorizedApps?

Hi @wdonnell,

the authorizations are indeed saved in the Camunda database. They have to reference matching user or group ids.

Is your LDAP plugin configuration correct for finding your group ids? I have only looked at an LDAP configuration once, and I remember that it was challenging to find the correct term for the group search base.

Hope this helps, Ingo

For anyone that comes across this post in the future:

When logging in, the ContainerBasedAuthenticationProvider returns an AuthenticationResult.

Camunda uses the AuthenticationResult groups property to determine which applications are authorized. This is the part we were missing – you need to be sure this is set correctly, something like:

import javax.servlet.http.HttpServletRequest;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.ContainerBasedAuthenticationProvider;
import org.springframework.security.core.context.SecurityContextHolder;
import org.springframework.security.oauth2.provider.OAuth2Authentication;

// Class name is illustrative; it extends the provider mentioned above.
public class OAuth2AuthenticationProvider extends ContainerBasedAuthenticationProvider {

    @Override
    public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
        // The SSO filter chain has already authenticated the request; read its result.
        OAuth2Authentication authentication = (OAuth2Authentication) SecurityContextHolder.getContext()
                                                                         .getAuthentication();

        // some failure condition checking code removed ...

        AuthenticationResult authenticationResult = new AuthenticationResult(authentication.getName(), true);
        // Group ids set here must match the group ids referenced by the authorizations in the Camunda database.
        authenticationResult.setGroups(UserAuthenticationParser.getUserGroups(authentication));
        return authenticationResult;
    }
}

The implementation of UserAuthenticationParser.getUserGroups() will depend on your setup, but should return a collection of group names.
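As an added illustration (not the poster's code), one possible shape for UserAuthenticationParser.getUserGroups(): it collects group ids from a "groups" entry in the user authentication details and from the granted authorities, stripping a "ROLE_" prefix. The claim name, the prefix and the class layout are assumptions about the SSO setup, not something the thread specifies.

```java
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import java.util.Map;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.GrantedAuthority;
import org.springframework.security.oauth2.provider.OAuth2Authentication;

public final class UserAuthenticationParser {

    // Assumed: the identity provider exposes directory groups under this claim.
    private static final String GROUPS_CLAIM = "groups";
    // Assumed: Spring maps groups to authorities such as "ROLE_cockpit-users".
    private static final String ROLE_PREFIX = "ROLE_";

    private UserAuthenticationParser() { }

    // Returns the group ids Camunda will compare against the group ids
    // referenced by its authorizations (e.g. "cockpit-users").
    public static List<String> getUserGroups(OAuth2Authentication authentication) {
        List<String> groups = new ArrayList<>();

        // 1. Groups carried as a claim in the user authentication details, if present.
        Authentication userAuth = authentication.getUserAuthentication();
        Object details = userAuth != null ? userAuth.getDetails() : null;
        if (details instanceof Map) {
            Object claim = ((Map<?, ?>) details).get(GROUPS_CLAIM);
            if (claim instanceof Collection) {
                for (Object group : (Collection<?>) claim) {
                    addGroup(groups, String.valueOf(group));
                }
            }
        }

        // 2. Groups carried as granted authorities, with the role prefix removed
        //    so the id equals the one used in Camunda Admin.
        for (GrantedAuthority authority : authentication.getAuthorities()) {
            String name = authority.getAuthority();
            if (name != null && name.startsWith(ROLE_PREFIX)) {
                name = name.substring(ROLE_PREFIX.length());
            }
            addGroup(groups, name);
        }
        return groups;
    }

    private static void addGroup(List<String> groups, String id) {
        if (id != null && !id.isEmpty() && !groups.contains(id)) {
            groups.add(id);
        }
    }
}
```

If the list comes back empty or with differently spelled ids, the authorizedApps response will show only the user-id-based grants, which matches the symptom described in the first post.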