Getting 401 when logging in to Camunda Webapps with ldap plugin


#1

Hello,
I am trying to use LDAP for authentication.
It seems like I am able to connect to the LDAP server, but Camunda can't retrieve any users or groups from the store.
This is my config:

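@Configuration
@ConfigurationProperties(prefix = "ldap")
public class CamundaLdapConfig {

    // --- connection settings (ldap.serverUrl, ldap.useSsl, ...) ----------------

    /** Directory URL, e.g. {@code ldaps://host:636}. */
    String serverUrl;

    /**
     * Accept a server certificate that the JVM trust store does not trust.
     * <p>
     * Turning this on removes server authentication from the TLS handshake: a
     * man-in-the-middle can then impersonate the directory and capture the manager
     * password and every user password sent in a simple bind. Keep it {@code false}
     * and import the directory's CA into the trust store instead.
     */
    Boolean acceptUntrustedCertificates;

    /** Whether the plugin permits anonymous login; should stay {@code false}. */
    Boolean allowAnonymousLogin;

    /** Use TLS for the directory connection. */
    Boolean useSsl;

    /** Authentication mechanism handed to the plugin (the config uses {@code simple}). */
    String securityAuthentication;

    // --- manager (service account) settings ------------------------------------

    /** Base DN for all searches. */
    String baseDn;
    /** DN of the service account used to search users and groups. */
    String managerDn;
    /** Password of the service account. Never log this object or this value. */
    String managerPassword;

    // --- user-specific settings ------------------------------------------------

    String userSearchBase;
    String userSearchFilter;
    String userIdAttribute;
    String userFirstnameAttribute;
    String userLastnameAttribute;
    String userEmailAttribute;
    /** Bound from config but not forwarded to the plugin; see ldapIdentityProviderPlugin(). */
    String userPasswordAttribute;

    // --- group-specific settings -----------------------------------------------

    String groupSearchBase;
    String groupSearchFilter;
    String groupIdAttribute;
    String groupNameAttribute;
    String groupMemberAttribute;

    // --- administrator bootstrap -----------------------------------------------

    /** LDAP user id handed to the AdministratorAuthorizationPlugin. */
    String adminUserName;
    /** LDAP group name handed to the AdministratorAuthorizationPlugin. */
    String adminGroupName;

    /**
     * Installs {@link StrongUuidGenerator} as the engine's id generator.
     * <p>
     * Ordered at {@code DEFAULT_ORDER + 1}, i.e. intended to run ahead of the
     * identity-provider and administrator plugins defined below.
     */
    @Bean
    @Order(Ordering.DEFAULT_ORDER + 1)
    public ProcessEnginePlugin strongUUIDGenerator() {
        return new ProcessEnginePlugin() {
            @Override
            public void preInit(ProcessEngineConfigurationImpl processEngineConfiguration) {
                // The generator has to be in place before the engine is built.
                processEngineConfiguration.setIdGenerator(new StrongUuidGenerator());
            }

            @Override
            public void postInit(ProcessEngineConfigurationImpl processEngineConfiguration) {
                // nothing to do after initialisation
            }

            @Override
            public void postProcessEngineBuild(ProcessEngine processEngine) {
                // nothing to do after the engine is built
            }
        };
    }

    /**
     * Builds the LDAP identity provider from the {@code ldap.*} properties.
     * <p>
     * The {@link Boolean} properties are {@code null} when the key is absent from the
     * YAML. They are mapped to {@code false} so that (a) a missing key cannot unbox
     * into a NullPointerException at startup if the plugin setters take primitive
     * {@code boolean}, and (b) certificate checking and anonymous login are never
     * relaxed by omission — the caller has to opt in explicitly.
     *
     * @return the configured plugin, registered at {@code DEFAULT_ORDER + 2}
     */
    @Bean
    @Order(Ordering.DEFAULT_ORDER + 2)
    public LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
        LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();

        plugin.setServerUrl(getServerUrl());
        plugin.setAcceptUntrustedCertificates(isEnabled(getAcceptUntrustedCertificates()));
        plugin.setAllowAnonymousLogin(isEnabled(getAllowAnonymousLogin()));
        plugin.setUseSsl(isEnabled(getUseSsl()));
        plugin.setSecurityAuthentication(getSecurityAuthentication());

        // manager settings
        plugin.setBaseDn(getBaseDn());
        plugin.setManagerDn(getManagerDn());
        plugin.setManagerPassword(getManagerPassword());

        // user-specific settings
        plugin.setUserSearchBase(getUserSearchBase());
        plugin.setUserSearchFilter(getUserSearchFilter());
        plugin.setUserIdAttribute(getUserIdAttribute());
        plugin.setUserFirstnameAttribute(getUserFirstnameAttribute());
        plugin.setUserLastnameAttribute(getUserLastnameAttribute());
        plugin.setUserEmailAttribute(getUserEmailAttribute());
        // userPasswordAttribute is deliberately not forwarded (the original left that
        // call disabled). Presumably the plugin verifies a password by binding as the
        // user rather than by reading an attribute — confirm against the plugin API
        // before wiring it.

        // group-specific settings
        plugin.setGroupSearchBase(getGroupSearchBase());
        plugin.setGroupSearchFilter(getGroupSearchFilter());
        plugin.setGroupIdAttribute(getGroupIdAttribute());
        plugin.setGroupNameAttribute(getGroupNameAttribute());
        plugin.setGroupMemberAttribute(getGroupMemberAttribute());

        return plugin;
    }

    /**
     * Grants Camunda administrator rights to the configured LDAP user and group.
     *
     * @return the configured plugin, registered at {@code DEFAULT_ORDER + 3}
     */
    @Bean
    @Order(Ordering.DEFAULT_ORDER + 3)
    public AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
        AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
        plugin.setAdministratorGroupName(getAdminGroupName()); // group name as known to the LDAP server
        plugin.setAdministratorUserName(getAdminUserName());   // user id as known to the LDAP server
        return plugin;
    }

    /** Null-safe unboxing: an absent property ({@code null}) is treated as {@code false}. */
    private static boolean isEnabled(Boolean flag) {
        return Boolean.TRUE.equals(flag);
    }

    // --- property accessors used by Spring's configuration binding -------------

    public String getUserPasswordAttribute() {
        return userPasswordAttribute;
    }

    public void setUserPasswordAttribute(String userPasswordAttribute) {
        this.userPasswordAttribute = userPasswordAttribute;
    }

    public String getServerUrl() {
        return serverUrl;
    }

    public void setServerUrl(String serverUrl) {
        this.serverUrl = serverUrl;
    }

    public Boolean getAcceptUntrustedCertificates() {
        return acceptUntrustedCertificates;
    }

    public void setAcceptUntrustedCertificates(Boolean acceptUntrustedCertificates) {
        this.acceptUntrustedCertificates = acceptUntrustedCertificates;
    }

    public Boolean getAllowAnonymousLogin() {
        return allowAnonymousLogin;
    }

    public void setAllowAnonymousLogin(Boolean allowAnonymousLogin) {
        this.allowAnonymousLogin = allowAnonymousLogin;
    }

    public Boolean getUseSsl() {
        return useSsl;
    }

    public void setUseSsl(Boolean useSsl) {
        this.useSsl = useSsl;
    }

    public String getSecurityAuthentication() {
        return securityAuthentication;
    }

    public void setSecurityAuthentication(String securityAuthentication) {
        this.securityAuthentication = securityAuthentication;
    }

    public String getBaseDn() {
        return baseDn;
    }

    public void setBaseDn(String baseDn) {
        this.baseDn = baseDn;
    }

    public String getManagerDn() {
        return managerDn;
    }

    public void setManagerDn(String managerDn) {
        this.managerDn = managerDn;
    }

    /** Returns the service-account password; do not log or expose the return value. */
    public String getManagerPassword() {
        return managerPassword;
    }

    public void setManagerPassword(String managerPassword) {
        this.managerPassword = managerPassword;
    }

    public String getUserSearchBase() {
        return userSearchBase;
    }

    public void setUserSearchBase(String userSearchBase) {
        this.userSearchBase = userSearchBase;
    }

    public String getUserSearchFilter() {
        return userSearchFilter;
    }

    public void setUserSearchFilter(String userSearchFilter) {
        this.userSearchFilter = userSearchFilter;
    }

    public String getUserIdAttribute() {
        return userIdAttribute;
    }

    public void setUserIdAttribute(String userIdAttribute) {
        this.userIdAttribute = userIdAttribute;
    }

    public String getUserFirstnameAttribute() {
        return userFirstnameAttribute;
    }

    public void setUserFirstnameAttribute(String userFirstnameAttribute) {
        this.userFirstnameAttribute = userFirstnameAttribute;
    }

    public String getUserLastnameAttribute() {
        return userLastnameAttribute;
    }

    public void setUserLastnameAttribute(String userLastnameAttribute) {
        this.userLastnameAttribute = userLastnameAttribute;
    }

    public String getUserEmailAttribute() {
        return userEmailAttribute;
    }

    public void setUserEmailAttribute(String userEmailAttribute) {
        this.userEmailAttribute = userEmailAttribute;
    }

    public String getGroupSearchBase() {
        return groupSearchBase;
    }

    public void setGroupSearchBase(String groupSearchBase) {
        this.groupSearchBase = groupSearchBase;
    }

    public String getGroupSearchFilter() {
        return groupSearchFilter;
    }

    public void setGroupSearchFilter(String groupSearchFilter) {
        this.groupSearchFilter = groupSearchFilter;
    }

    public String getGroupIdAttribute() {
        return groupIdAttribute;
    }

    public void setGroupIdAttribute(String groupIdAttribute) {
        this.groupIdAttribute = groupIdAttribute;
    }

    public String getGroupNameAttribute() {
        return groupNameAttribute;
    }

    public void setGroupNameAttribute(String groupNameAttribute) {
        this.groupNameAttribute = groupNameAttribute;
    }

    public String getGroupMemberAttribute() {
        return groupMemberAttribute;
    }

    public void setGroupMemberAttribute(String groupMemberAttribute) {
        this.groupMemberAttribute = groupMemberAttribute;
    }

    public String getAdminUserName() {
        return adminUserName;
    }

    public void setAdminUserName(String adminUserName) {
        this.adminUserName = adminUserName;
    }

    public String getAdminGroupName() {
        return adminGroupName;
    }

    public void setAdminGroupName(String adminGroupName) {
        this.adminGroupName = adminGroupName;
    }

}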

application.yaml:
ldap:
# NOTE(review): the keys below belong indented under "ldap:"; they appear at
# column 0 here, most likely flattened by the forum paste.
serverUrl: ldaps://*********************
# Accepting untrusted certificates disables TLS server authentication on this
# ldaps connection: anyone in the network path can impersonate the directory
# and read the manager password and every user password sent in a simple bind.
# Import the directory's CA into the JVM trust store and set this to false.
acceptUntrustedCertificates: true
allowAnonymousLogin: false
useSsl: true
securityAuthentication: simple
baseDn: DC=intern,DC=,DC=local
# managerDn was redacted and split across two lines here; it is one DN.
managerDn: CN=
,OU=,DC=intern,DC=,DC=local
# Plaintext bind credential in the application config. Prefer an environment
# variable or a secrets store, e.g. managerPassword: ${LDAP_MANAGER_PASSWORD},
# and keep this file out of version control.
managerPassword: ***********
userSearchBase: OU=USERS,OU=

# The "?" is a literal character in the LDAP filter unless the plugin
# substitutes it, so as written this matches no entry — presumably the reason
# no user is found. The plugin most likely adds its own (<userIdAttribute>=<id>)
# clause, so only the objectClass part belongs here; verify against the plugin
# documentation. The same applies to the (cn=?) clause in groupSearchFilter.
userSearchFilter: (&(|(objectClass=userProxyFull)(objectClass=user))(mail=?))
userIdAttribute: mail
userFirstnameAttribute: givenName
userLastnameAttribute: sn
userEmailAttribute: mail
groupSearchBase: OU=GROUPS,OU=*****
groupSearchFilter: (&(objectClass=group)(cn=?))
groupIdAttribute: cn
groupNameAttribute: cn
groupMemberAttribute: member
adminGroupName: ******
# Redacted. If the real value starts with "*", quote it: YAML parses a leading
# "*" in an unquoted scalar as an alias reference.
adminUserName: *@

All loggers are set to DEBUG, and this is the only output I get:
15:05:11.211 [http-nio-18080-exec-2] WARN org.glassfish.jersey.servlet.WebComponent - A servlet request to the URI http://localhost:18080/api/admin/auth/user/default/login/welcome contains form parameters in the request body but the request body has been consumed by the servlet or a servlet filter accessing the request parameters. Only resource methods using @FormParam will work as expected. Resource methods consuming the request body by other means will not work as expected.
15:05:11.214 [http-nio-18080-exec-2] DEBUG org.camunda.bpm.engine.cmd - ENGINE-13005 Starting command -------------------- CheckPassword ----------------------
15:05:11.215 [http-nio-18080-exec-2] DEBUG org.camunda.bpm.engine.cmd - ENGINE-13009 opening new command context
15:05:11.445 [http-nio-18080-exec-2] DEBUG org.camunda.bpm.engine.cmd - ENGINE-13011 closing existing command context
15:05:11.446 [http-nio-18080-exec-2] DEBUG org.camunda.bpm.engine.cmd - ENGINE-13006 Finishing command -------------------- CheckPassword ----------------------

The project is a Spring Boot starter.
I always get an HTTP 401 response when I try to log in. I tried different passwords, but that did not work either.

It would be nice if anyone had an explanation for why Camunda can't retrieve the user data.

EDIT:
I get the same error if I type in the wrong password. The 401 alone does not distinguish "user not found" from "wrong password" (the webapp deliberately returns the same status for both), and the log shows only the CheckPassword command with no LDAP detail in between, which is consistent with the user search itself returning no entry.


#2

SOLVED!
I fixed it by changing the search filters.


#3

msi09

Can you please provide how you changed the searchFilter?