I was struggling to set up LDAP in Camunda Platform Run; I spent a few days and weekends figuring out how to set up the LDAP configuration in Camunda Platform Run.
I hope someone else does not have to go through the same pain, so I am happy to share my solution.
Note: The following steps apply only to a brand new Camunda Platform Run setup.
1. Delete all the Camunda DB records
    DELETE FROM [Camunda].[dbo].[ACT_ID_USER]
    DELETE FROM [Camunda].[dbo].[ACT_ID_MEMBERSHIP]
    DELETE FROM [Camunda].[dbo].[ACT_ID_GROUP]
    DELETE FROM [Camunda].[dbo].[ACT_GE_SCHEMA_LOG]
    DELETE FROM [Camunda].[dbo].[ACT_GE_PROPERTY]
    DELETE FROM [Camunda].[dbo].[ACT_RU_AUTHORIZATION]
    DELETE FROM [Camunda].[dbo].[ACT_RU_METER_LOG]
    DELETE FROM [Camunda].[dbo].[ACT_HI_OP_LOG]
2. Update the default.yml file
    admin-user:
      id: CamundaDev
      password: Password01@
    authorization.enabled: false
Note: Also remove or comment out any LDAP properties in the default.yml file.
3. Run the start.bat file
4. Now load the Camunda Web App (https://<<DNS>>/camunda/app/welcome/default/#!/login)
- make sure the login page shows "Camunda Welcome" (it should not be "Camunda Admin")
- log in with the "CamundaDev" user and password
- make sure you can see the Cockpit, Tasklist and Admin sections (if you don't see the Admin section, refresh the browser)
5. Logout from Camunda Web App
6. Go to the command prompt and terminate the batch job using Ctrl + C
7. Create the "camunda-admin" AD group in LDAP (create it under the OU that "groupSearchBase" is going to point to)
Example: OU=CamundaPortal,OU=Portal,OU=NonStaff,OU=Accounts,OU=QA,DC=XYZ,DC=com
8. Create the "CamundaDev" user in LDAP, keeping the same password as before (e.g. Password01@) (create it under the OU that "userSearchBase" is going to point to)
Example: OU=CamundaPortal,OU=Portal,OU=Application,OU=Groups,OU=QA,DC=XYZ,DC=com
9. Add the "CamundaDev" user to the "camunda-admin" AD group
10. Also create "test_user"; this will be a non-admin user (create it under the OU that "userSearchBase" is going to point to)
Example: OU=CamundaPortal,OU=Portal,OU=Application,OU=Groups,OU=QA,DC=XYZ,DC=com
11. Update the default.yml file
Comment out the following values:
    # admin-user:
    #   id: CamundaDev
    #   password: Password01@
Change the following to true:
    authorization.enabled: true
Add the following section for the LDAP configuration:
    run:
      auth.enabled: true
      auth.authentication: basic
      ldap:
        enabled: true
        serverUrl: ${LDAPServer}
        managerDn: ${LDAPManagerDn}
        managerPassword: ${LDAPManagerPassword}
        userSearchBase: ${LDAPUserSearchBase}
        user-search-filter: (objectclass=person)
        userIdAttribute: sAMAccountName
        userFirstnameAttribute: cn
        userEmailAttribute: mail
        groupSearchBase: ${LDAPGroupSearchBase}
        groupSearchFilter: (objectclass=group)
        groupIdAttribute: cn
        groupNameAttribute: cn
        groupMemberAttribute: member
        authorizationCheckEnabled: false
        administratorGroupName: camunda-admin
12. Run the start.bat file
13. Now load the Camunda Web App (https://<<DNS>>/camunda/app/welcome/default/#!/login)
- make sure the login page shows "Camunda Welcome" (not "Camunda Admin")
- log in with the "CamundaDev" user and password
- make sure you can see the Cockpit, Tasklist and Admin sections (if you don't see the Admin section, refresh the browser)
14. Click on "Admin", then click on "List of Users"; all users will be loaded from OU=CamundaPortal,OU=Portal,OU=Application,OU=Groups,OU=QA,DC=XYZ,DC=com
15. Log out from the Camunda Web App
16. Now log in with the "test_user" user and password, and make sure you cannot see the Cockpit, Tasklist and Admin sections
17. FYI, you cannot create or delete users, or add a user to a group, from the Admin tool; it has to be done via LDAP
18. Finally, have a happy dance
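The checks in steps 13 to 16 (CamundaDev is an admin because of the camunda-admin group, test_user is not) only work when the group and user entries sit under the exact OUs that groupSearchBase and userSearchBase point to. The following is an added offline model of that resolution, written for this post and not part of the original post or of Camunda's own LDAP plugin; it mirrors the key names from the ldap section above, and the directory entries, DNs and e-mail addresses are constructed sample data. It also shows a misplaced camunda-admin group that the search base never reaches, and a small check for ${...} placeholders that were never substituted.

```python
"""Offline model of LDAP user lookup and admin-group resolution using the
settings from the post's default.yml ldap section.

Added example with constructed data; not Camunda's own code. The filter
evaluator only handles the single equality filters used in the post
(e.g. "(objectclass=person)"), not full RFC 4515 syntax."""

# OUs taken from the post's examples.
USER_BASE = "OU=CamundaPortal,OU=Portal,OU=Application,OU=Groups,OU=QA,DC=XYZ,DC=com"
GROUP_BASE = "OU=CamundaPortal,OU=Portal,OU=NonStaff,OU=Accounts,OU=QA,DC=XYZ,DC=com"

# Constructed sample directory: DN -> attributes (assumption: a small AD-like tree).
DIRECTORY = {
    f"CN=CamundaDev,{USER_BASE}": {
        "objectClass": ["person"], "sAMAccountName": "CamundaDev",
        "cn": "CamundaDev", "mail": "camundadev@xyz.example"},
    f"CN=test_user,{USER_BASE}": {
        "objectClass": ["person"], "sAMAccountName": "test_user",
        "cn": "test_user", "mail": "test_user@xyz.example"},
    f"CN=camunda-admin,{GROUP_BASE}": {
        "objectClass": ["group"], "cn": "camunda-admin",
        "member": [f"CN=CamundaDev,{USER_BASE}"]},
    # Same group name, but created outside groupSearchBase: never found by the search.
    "CN=camunda-admin,OU=Misplaced,DC=XYZ,DC=com": {
        "objectClass": ["group"], "cn": "camunda-admin",
        "member": [f"CN=test_user,{USER_BASE}"]},
}

# Same keys as the ldap section of default.yml; serverUrl is left as the raw
# placeholder on purpose so the placeholder check below has something to find.
CONFIG = {
    "serverUrl": "${LDAPServer}",
    "userSearchBase": USER_BASE,
    "userSearchFilter": "(objectclass=person)",
    "userIdAttribute": "sAMAccountName",
    "groupSearchBase": GROUP_BASE,
    "groupSearchFilter": "(objectclass=group)",
    "groupIdAttribute": "cn",
    "groupMemberAttribute": "member",
    "administratorGroupName": "camunda-admin",
}


def attr(attrs, name):
    """Case-insensitive attribute lookup; always returns a list of values."""
    for key, value in attrs.items():
        if key.lower() == name.lower():
            return value if isinstance(value, list) else [value]
    return []


def in_subtree(dn, base):
    """True if dn is base itself or lies below it (case-insensitive suffix match)."""
    dn, base = dn.lower(), base.lower()
    return dn == base or dn.endswith("," + base)


def matches_filter(attrs, flt):
    """Evaluate a single equality filter such as (objectclass=group)."""
    flt = flt.strip()
    if not (flt.startswith("(") and flt.endswith(")")) or "=" not in flt:
        raise ValueError(f"unsupported filter: {flt}")
    key, _, value = flt[1:-1].partition("=")
    return value.lower() in (v.lower() for v in attr(attrs, key))


def search(directory, base, flt):
    """Subtree search: entries under base whose attributes satisfy the filter."""
    return {dn: a for dn, a in directory.items()
            if in_subtree(dn, base) and matches_filter(a, flt)}


def find_user(directory, cfg, user_id):
    """Return the DN whose userIdAttribute equals user_id, or None."""
    for dn, a in search(directory, cfg["userSearchBase"], cfg["userSearchFilter"]).items():
        if user_id.lower() in (v.lower() for v in attr(a, cfg["userIdAttribute"])):
            return dn
    return None


def groups_of(directory, cfg, user_dn):
    """Group ids (groupIdAttribute) of groups under groupSearchBase listing user_dn as member."""
    groups = search(directory, cfg["groupSearchBase"], cfg["groupSearchFilter"])
    return sorted(attr(a, cfg["groupIdAttribute"])[0] for a in groups.values()
                  if any(m.lower() == user_dn.lower()
                         for m in attr(a, cfg["groupMemberAttribute"])))


def is_admin(directory, cfg, user_id):
    """Admin means: user resolvable AND member of administratorGroupName within groupSearchBase."""
    dn = find_user(directory, cfg, user_id)
    return dn is not None and cfg["administratorGroupName"] in groups_of(directory, cfg, dn)


def unresolved_placeholders(cfg):
    """Config keys still holding a literal ${...}, i.e. an environment variable that was not set."""
    return sorted(k for k, v in cfg.items()
                  if isinstance(v, str) and v.startswith("${") and v.endswith("}"))


if __name__ == "__main__":
    for uid in ("CamundaDev", "test_user", "nobody"):
        print(uid, "->", find_user(DIRECTORY, CONFIG, uid), "admin:", is_admin(DIRECTORY, CONFIG, uid))
    print("unresolved placeholders:", unresolved_placeholders(CONFIG))
```

test_user is listed as a member of a camunda-admin group, but because that group lives outside groupSearchBase the resolver never sees it, which is exactly why step 7 insists on creating the group under the OU the search base points to. The placeholder check is worth running before start.bat: a managerPassword or serverUrl that still reads ${...} means the environment variable behind it is missing, and the bind will fail.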