Debugging LDAP authorizations


#1

I’m trying to setup what I’m guessing is a fairly standard setup.

We’ve an AD based LDAP directory with two groups of interest, CamundaUsers and CamundaAdmins.

I’d like CamundaUsers to have read-only access while CamundaAdmins can do anything.

I’ve set up the authorizations in line with Read-only operator mode but the CamundaUsers do not have access to the Cockpit. Or the Tasklist. In fact they have access to nothing but their own profile. I’ve given the group appropriate Application Authorizations;

Type: ALLOW
User/Group: Group - CamundaUsers
Permissions: ACCESS
Resource ID: *
(also tried explicitly listing cockpit)

Yet nothing.

Is there anything obvious I’ve missed? Are there any debug options I can enable which may help me track down the cause of this?

Thanks in advance,

Greg


#2

My bad. After struggling with this for what seems like ages, and stepping through the code with a debugger, I realised that the group name should be the LDAP group distinguishedName not the sAMAccountName that is shown elsewhere on the admin UI - i.e. CN=CamundaUsers,OU=Groups,DC=...

Greg