Group authorization not inherited to user


#1

I am currently setting up LDAP and I ran into an issue:

Maybe I am missing something here, but basically this scenario should work:

  1. a LDAP-group is granted permission ALL to resource tasklist. No other authorizartions should interfere here, in the screenshot below you actually see all authorizations configured on the server
  2. the user CS97840 is member of this group
  3. Expect: this user can open the tasklist

As you can see from the screenshots (3 - below): the user does not get the tasklist presented, i.e. no permission.

If I grant this user CS97840 the permission directly to the ressource tasklist then it works fine: the user can open the tasklist.

The setup:
Camunda BPM 7.6, shared process engine, Tomcat.
I use a custom LDAP-plugin, which was written by somebody else. This plugin is in production in another region/on another server for some time and I have limited access to the details there.

The LDAP plugin configuration as part of bpm-platform-xml:

<plugin>
<class>com.somecompany.bpm.platform.ldap.LdapIdentityProviderPlugin</class>
<properties>
	<property name="serverType">${camunda.ldap.serverType}</property>
	<property name="hostNames">${camunda.ldap.hostNames}</property>
	<property name="user">${camunda.ldap.user}</property>
	<property name="password">${camunda.ldap.password}</property>
	<property name="baseDN">${camunda.ldap.baseDN}</property>
	<property name="groupPrefix">${camunda.ldap.groupPrefix}</property>
	<property name="useSSL">${camunda.ldap.useSSL}</property>
	<property name="certificateHostNames">${camunda.ldap.certificateHostNames}</property>
	<property name="poolSize">${camunda.ldap.poolSize}</property>
 </properties>
<!-- LDAP CONFIGURATION -->
<!-- The following plugin allows you to grant administrator authorizations to an existing LDAP user -->
<plugin>
	<class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
	<properties>
		<property name="administratorUserName">CS0025</property>
	</properties>
</plugin>

The expressions ${xyz} refer to the Tomcat catalina.properties which are probably not relevant here.

Access to LDAP works fine, I do not see any errors so far.

What can I check or change to make the group authorizations work?

Harald


#2

Solved:

Sorry, my blind spot.
Who can see the difference?


#3

Hi Harald,

The authorizations look exactly the same to me. Problems I could imagine:

  • Unwanted white spaces in user/group names
  • The additional authorizations in your original post provoke a Camunda bug that does not show in your second scenario

Are you able to reproduce this problem reliably? Does it occur if you do not use LDAP?

Cheers,
Thorben


#4

Hi Thorben,

there is a small but important difference :wink:

See, in my first screenshot it is not a group, its a person (person icon) pre-selected in the row labeleled “1”, while in the second screenshot (“solved”) I defined a group (group icon), which is correct, and that makes it work :wink:
Really, my colleagues told me - everybody is falling at least once into that trap.
So, the GUI looks fancy, but you really can’t see intuitively that is a button or something you can click on…

Question is, why is such a misconfiguration not invalidated to the user?
I assume, all information are available for a validation since we can access the LDAP directory (its a group, but the user selected it as a person) so we could invalidate this.
Even better would be to offer a selection directly from the LDAP directory.

Anyway, room for improvements :slight_smile:
So, now that we know there is a selection you can make, I am also fine with that.

Harald


#5

Oh, haha, I see now :slight_smile:

I agree that validation would be nice and created a feature request: https://app.camunda.com/jira/browse/CAM-7830


#6

hi harald
i integrated my ldap with camunda application and i created and added users in that group.i tried to set permission for users of my group.but it is not working.it is authorizing everyone in Ldap.please help me with it.