How to set up LDAP in Camunda Platform Run?

I was struggling to set up LDAP in Camunda Platform Run; I spent a few days and weekends figuring out how to get the LDAP configuration working in Camunda Platform Run.

I hope nobody else has to go through the same pain, so I am happy to share my solution.

Note: The following steps apply only to a brand new Camunda Platform Run setup.


1. Delete all the Camunda DB records

Delete FROM [Camunda].[dbo].[ACT_ID_USER]
Delete FROM [Camunda].[dbo].[ACT_ID_MEMBERSHIP]
Delete FROM [Camunda].[dbo].[ACT_ID_GROUP]
Delete FROM [Camunda].[dbo].[ACT_GE_SCHEMA_LOG]
Delete FROM [Camunda].[dbo].[ACT_GE_PROPERTY]
Delete FROM [Camunda].[dbo].[ACT_RU_AUTHORIZATION]
Delete FROM [Camunda].[dbo].[ACT_RU_METER_LOG]
Delete FROM [Camunda].[dbo].[ACT_HI_OP_LOG]

2. Update the default.yml file

admin-user:
  id: CamundaDev
  password: Password01@

authorization.enabled: false

Note: Also remove or comment out the LDAP properties in the default.yml file.

3. Run the start.bat file.

4. Now load the Camunda Web App (https://<<DNS>>/camunda/app/welcome/default/#!/login)
   - make sure the login page shows "Camunda Welcome"; it should not be "Camunda Admin"
   - log in with the "CamundaDev" user and password
   - make sure you can see the Cockpit, Tasklist and Admin sections (if you don't see the Admin section, refresh the browser)


5. Log out from the Camunda Web App.
6. Go to the command prompt and terminate the batch job using Ctrl + C.

7. Create the "camunda-admin" AD group in LDAP (create it under the OU that "groupSearchBase" is going to point to).
   Example: OU=CamundaPortal,OU=Portal,OU=NonStaff,OU=Accounts,OU=QA,DC=XYZ,DC=com

8. Create the "CamundaDev" user in LDAP, keeping the same password as before (e.g. Password01@) (create it under the OU that "userSearchBase" is going to point to).
   Example: OU=CamundaPortal,OU=Portal,OU=Application,OU=Groups,OU=QA,DC=XYZ,DC=com

9. Add the "CamundaDev" user to the "camunda-admin" AD group.

10. Also create "test_user"; this will be a non-admin user (create it under the OU that "userSearchBase" is going to point to).
    Example: OU=CamundaPortal,OU=Portal,OU=Application,OU=Groups,OU=QA,DC=XYZ,DC=com

11. Update the default.yml file

# Comment out the following values
#admin-user:
#  id: CamundaDev
#  password: Password01@

Change the following to true:

authorization.enabled: true

Add the following section for the LDAP configuration:

run:
  auth.enabled: true
  auth.authentication: basic

  ldap:
    enabled: true
    serverUrl: ${LDAPServer}
    managerDn: ${LDAPManagerDn}
    managerPassword: ${LDAPManagerPassword}
    userSearchBase: ${LDAPUserSearchBase}
    user-search-filter: (objectclass=person)
    userIdAttribute: sAMAccountName
    userFirstnameAttribute: cn
    userEmailAttribute: mail
    groupSearchBase: ${LDAPGroupSearchBase}
    groupSearchFilter: (objectclass=group)
    groupIdAttribute: cn
    groupNameAttribute: cn
    groupMemberAttribute: member
    authorizationCheckEnabled: false
    administratorGroupName: camunda-admin

12. Run the start.bat file.

13. Now load the Camunda Web App (https://<<DNS>>/camunda/app/welcome/default/#!/login)
    - make sure the login page shows "Camunda Welcome", not "Camunda Admin"
    - log in with the "CamundaDev" user and password
    - make sure you can see the Cockpit, Tasklist and Admin sections (if you don't see the Admin section, refresh the browser)

14. Click on "Admin", then on "List of Users"; all users will be loaded from OU=CamundaPortal,OU=Portal,OU=Application,OU=Groups,OU=QA,DC=XYZ,DC=com

15. Log out from the Camunda Web App.
16. Now log in with the "test_user" user and password, and make sure you cannot see the Cockpit, Tasklist and Admin sections.
17. FYI, you cannot create or delete users, or add a user to a group, from the Admin tool; it has to be done via LDAP.
18. Finally, have a happy dance.
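A pre-flight check for the step-11 state of default.yml, added here as an example (it is not code from the post or from Camunda): it parses the plain key/value layout the file uses, confirms that admin-user has been removed, that authorization.enabled and run.ldap.enabled are true, that the LDAP keys the post lists are present, that every ${...} placeholder has a matching environment variable, and that managerPassword is not written into the file as a literal. The parser is a constructed minimal one rather than a YAML library, the key names are taken from the post as written, and it assumes the ldap block is nested under run.

```python
import re

PLACEHOLDER = re.compile(r"^\$\{(\w+)\}$")  # ${ENV_VAR} values, the style the post uses for secrets
REQUIRED = ("serverUrl", "managerDn", "managerPassword", "userSearchBase", "groupSearchBase", "administratorGroupName")

def parse_simple_yaml(text):
    """Parse the 'key: value' / nested-map subset of YAML that default.yml uses (no lists, no quoting)."""
    root = {}; stack = [(-1, root)]  # (indent, mapping) for each open nesting level
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"): continue  # blank or comment line
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while indent <= stack[-1][0]: stack.pop()  # dedent closes the deeper mappings
        if value.strip():
            stack[-1][1][key] = value.strip()
        else:  # a key with no value opens a nested mapping
            stack[-1][1][key] = child = {}
            stack.append((indent, child))
    return root

def check_ldap_config(cfg, env):
    """Return the problems that would leave the step-11 config broken or leaking; [] means ready."""
    ldap = cfg.get("run", {}).get("ldap", {})
    checks = [
        ("admin-user" not in cfg, "admin-user is still defined; comment it out once LDAP is enabled"),
        (cfg.get("authorization.enabled") == "true", "authorization.enabled must be true"),
        (ldap.get("enabled") == "true", "run.ldap.enabled must be true"),
    ]
    problems = [msg for ok, msg in checks if not ok]
    problems += [f"run.ldap.{k} is missing" for k in REQUIRED if k not in ldap]
    for key, value in ldap.items():
        m = PLACEHOLDER.match(str(value))
        if m and m.group(1) not in env:  # placeholder that start.bat could not resolve
            problems.append(f"run.ldap.{key}: ${{{m.group(1)}}} is not set in the environment")
        elif key == "managerPassword" and not m:  # bind password written into the file
            problems.append("run.ldap.managerPassword is a literal secret; use an environment placeholder")
    return problems

# Constructed sample of the step-11 layout: admin-user already removed, ldap nested under run.
SAMPLE = """\
authorization.enabled: true
run:
  ldap:
    enabled: true
    serverUrl: ${LDAPServer}
    managerDn: ${LDAPManagerDn}
    managerPassword: ${LDAPManagerPassword}
    userSearchBase: ${LDAPUserSearchBase}
    groupSearchBase: ${LDAPGroupSearchBase}
    administratorGroupName: camunda-admin"""
```

Run it against the real file with `check_ldap_config(parse_simple_yaml(open("default.yml").read()), os.environ)` before starting start.bat.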

Hi @R_G,
Welcome to the forum!
I'm really sorry you struggled so much with LDAP on Camunda Run; I'll try to make sure the documentation is added.

Also, thanks so much for posting the solution you found; it's great that you spent the time to share the experience.

Hi @Niall ,

When I run start.bat for the first time, it creates the "camunda-admin" group in the DB. Is it possible to give a custom group name in the yaml file at start time? For example "camunda_admin_dev".

Thanks
Raj

Hi Raj,

Thanks for reporting this. We want to improve Run and its documentation for LDAP with 7.16 via https://jira.camunda.com/browse/CAM-13447.

Cheers,
Thorben

Thanks for considering it.