LDAP users won't authenticate

I’m working on using the LdapIdentityProviderPlugin. It seems to work most of the way.
Here is my bpm-platform.xml:

    <plugin>
      <class>org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin</class>
      <properties>
        <property name="serverUrl">ldap://host.docker.internal:10389/</property>
        <property name="acceptUntrustedCertificates">true</property>
        <property name="managerDn">uid=jtsTestAdminUser,ou=People,dc=example,dc=com</property>
        <property name="managerPassword">password1</property>
        <property name="baseDn">dc=example,dc=com</property>
        <property name="userSearchBase">ou=People</property>
        <property name="userSearchFilter">(objectclass=person)</property>
        <property name="userIdAttribute">uid</property>
        <property name="userFirstnameAttribute">cn</property>
        <property name="userLastnameAttribute">sn</property>
        <property name="userEmailAttribute">mail</property>
        <property name="userPasswordAttribute">userPassword</property>
        <property name="groupSearchBase">ou=Roles,ou=RBAC</property>
        <property name="groupSearchFilter">(objectclass=organizationalRole)</property>
        <property name="groupIdAttribute">cn</property>
        <property name="groupTypeAttribute">cn</property>
        <property name="groupNameAttribute">cn</property>
        <property name="groupMemberAttribute">roleOccupant</property>
        <property name="sortControlSupported">false</property>
      </properties>
    </plugin>

    <!-- LDAP CONFIGURATION -->
    <!-- The following plugin allows you to grant administrator authorizations to an existing LDAP user -->
    <plugin>
      <class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
      <properties>
        <property name="administratorUserName">jtsTestAdminUser</property>
        <property name="administratorGroupName">oamROLE1</property>
      </properties>
    </plugin>

I’m able to log in as jtsTestAdminUser

and you can see my users:
[screenshot: ldap-int-1]

that are in my ldap

and you can see the groups.
[screenshot: ldap-int-2]

and you can see users in the groups.

[screenshot: ldap-int-3]

and the authorization to the group (plus I added a specific user)

[screenshot: ldap-int-4]

However, when I try to log in with jtsUser1/password (I set it right in my LDAP browser), login fails:

[screenshot: ldap-int-5]

[screenshot: ldap-int-6]

Please let me know how I could troubleshoot this, or how to fix it. Thank you!

Hi @Brent_Fisher,

If your version is 7.9 - please try lowercase user name

BR,
Ilya

OK, I’ll try.

Still seems the same. I’m on 7.10, BTW. Please let me know if there is some other info I might provide. Sorry about the formatting. Not sure why it does that.

Not sure if it helps - extracts from my config:

      <property name="baseDn">dc=pxed,dc=my_company,dc=com</property>
      <property name="userSearchBase"></property>
      <property name="userIdAttribute">cn</property>

Thank you, I think I can find the users, but somehow it isn’t able to validate the passwords. You can see my screenshots above pull in all of the users.

Hi @Brent_Fisher,

The user doesn’t have access rights to the tasklist application.
You can grant permissions from the admin app.

Log in to admin app using admin user “jtsTestAdminUser” to grant permissions to other users.

https://docs.camunda.org/manual/latest/webapps/admin/authorization-management/


Hi @hassang, I think that’s what I did.

But, interestingly enough, I used my AD studio to try to bind to the user and received this error.

[screenshot: ldap-int-9]

I searched Google and found an SO article:

which recommends I need to manually unlock the account by fetching the account’s operational values and deleting ‘pwdAccountLockedTime’.

So, I logged into Active Directory and deleted the value, and then I was able to bind!
[screenshot: ldap-int-10]

And I was able to log in!

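The root cause above was a password-policy lockout on the directory side, not the Camunda plugin configuration. The following is an added example (not from this thread or from Camunda) that checks for exactly that condition before anyone starts editing bpm-platform.xml: it parses an LDIF dump of a user's operational attributes (the constructed sample stands in for what an `ldapsearch ... "+"` of the entry would return) and reports whether `pwdAccountLockedTime` explains the failed bind, taking the policy's `pwdLockoutDuration` into account. The `000001010000Z` sentinel for an administrative lock comes from the LDAP password-policy draft; all sample values are made up.

```python
# Added example: classify a password-policy lockout from a user's operational
# attributes, so a failed bind can be attributed to the directory rather than
# to the identity-provider plugin. Stdlib only; sample data is constructed.
from datetime import datetime, timedelta, timezone

# Constructed sample of operational attributes for a locked account.
SAMPLE_LDIF = """\
dn: uid=jtsUser1,ou=People,dc=example,dc=com
pwdChangedTime: 20240301120000Z
pwdFailureTime: 20240305090501Z
pwdFailureTime: 20240305090530Z
pwdAccountLockedTime: 20240305090530Z
"""

def parse_ldif_entry(text):
    """Return {attribute: [values]} for one LDIF entry (no folding, no base64)."""
    attrs = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip(), []).append(value.strip())
    return attrs

def parse_generalized_time(value):
    """LDAP GeneralizedTime such as 20240305090530Z -> aware UTC datetime."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def lockout_status(attrs, now, lockout_duration_secs=0):
    """Return (status, until) where status is one of
    'not_locked', 'permanent', 'locked_until' or 'expired'.
    lockout_duration_secs mirrors pwdLockoutDuration (0 = locked indefinitely)."""
    locked = attrs.get("pwdAccountLockedTime")
    if not locked:
        return "not_locked", None
    if locked[0] == "000001010000Z":  # administrative lock per the ppolicy draft
        return "permanent", None
    since = parse_generalized_time(locked[0])
    if lockout_duration_secs == 0:
        return "permanent", since
    until = since + timedelta(seconds=lockout_duration_secs)
    return ("expired" if now >= until else "locked_until"), until

def unlock_ldif(dn):
    """LDIF for ldapmodify that clears the lockout; requires a privileged bind."""
    return f"dn: {dn}\nchangetype: modify\ndelete: pwdAccountLockedTime\n-\n"
```

An account that shows `pwdFailureTime` entries but no `pwdAccountLockedTime` has not hit `pwdMaxFailure` yet, which is worth recording before clearing anything.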