Webapp login via LDAP not working

Hello,

I am having a bit of a tricky issue with using LDAP to log into the Camunda Webapps provided by the Spring Boot starter.
I am using spring-boot-starter-webapp/rest version 2.0.0 and camunda-identity-ldap version 7.6.0.

This is my current LDAP configuration for Camunda:

@Bean
public static AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
    AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();
    plugin.setAdministratorUserName("admin");
    return plugin;
}

@Bean
public static LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
    LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();
    plugin.setServerUrl("ldap://<ldap-address>:389");
    plugin.setManagerDn("cn=Administrator,dc=my,dc=domain,dc=net");
    plugin.setManagerPassword("secret");
    plugin.setBaseDn("dc=my,dc=domain,dc=net");
    plugin.setUserSearchBase("ou=Benutzer");
    plugin.setUserSearchFilter("(uid={0})");
    plugin.setUserIdAttribute("uid");
    plugin.setUserFirstnameAttribute("givenName");
    plugin.setUserLastnameAttribute("sn");
    plugin.setUserPasswordAttribute("userPassword");
    plugin.setGroupSearchBase("ou=Gruppen");
    plugin.setGroupSearchFilter("(member={0})");
    plugin.setGroupIdAttribute("ou");
    plugin.setGroupNameAttribute("cn");
    plugin.setGroupMemberAttribute("member");

    return plugin;
}

I am using the same configuration values for my normal Spring Security login and everything works fine,
but when trying to log the admin user into Camunda Tasklist for example, I get the following two errors:

Communication Error :
The application received an unexpected 405 response from the server. Try to refresh the page or login and out of the application.

Can not log in with those credentials.

Here is the debug log from a login attempt: https://pastebin.com/trhc69r4
Note that the warnings (line 38 and 58ff) about the 405 error also appear when using the built-in login.

Here’s what I’ve tried so far:

  • Using Camunda built-in login (causes the same warnings, but still works)
  • Turned CSRF protection off (same warnings still appear, same error)
  • Ensured that all paths related to Camunda (/api, /app, /lib) are configured as permitAll in my SecurityConfiguration

So I guess my question is: does anyone have any experience with using LDAP for authentication for the embedded webapps and is able to point me in the right direction? Any tips would be greatly appreciated.


Hi @ajesina,

is DEBUG logging enabled for org.camunda.bpm.identity.impl.ldap? The log from the pastebin is not really helpful at the moment; are you getting any exceptions?

Cheers,
Askar

Hey,

I didn’t enable it before since I assumed just setting the root log level in logback.xml to DEBUG would be enough; adding

logging.level.org.camunda.bpm.identity.impl.ldap=DEBUG

to my application.properties doesn’t cause any additional output from that package.
Unfortunately, there aren’t any exceptions either. I feel some step-by-step debugging coming on… I don’t really have enough insight into the Camunda source to know where to start with that though.
Could you (or anyone else) maybe point me to where the authentication process takes place in Camunda so that I might be able to better comprehend what the issue is?

Thanks in advance,
Andreas

Hi @ajesina,

I think the following classes would be interesting for you:

  • org.camunda.bpm.identity.impl.ldap.LdapUserQueryImpl
  • org.camunda.bpm.engine.impl.IdentityServiceImpl
  • org.camunda.bpm.engine.impl.cmd.CheckPassword

Hope that helps,
Askar

Thanks a lot, I’ll start investigating and get back here once I have something that actually looks like an error. :slight_smile:


Hi,

the following configuration (bean methods 2 and 3) worked fine within our environment (sensitive attribute values have been anonymized):

import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.impl.cfg.ProcessEngineConfigurationImpl;
import org.camunda.bpm.engine.impl.cfg.ProcessEnginePlugin;
import org.camunda.bpm.engine.impl.persistence.StrongUuidGenerator;
import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.camunda.bpm.spring.boot.starter.configuration.Ordering;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.annotation.Order;

@Configuration
public class CustomCamundaConfiguration {

    @Bean
    @Order(Ordering.DEFAULT_ORDER + 1)
    public static ProcessEnginePlugin strongUUIDGenerator() {
        return new ProcessEnginePlugin() {
            @Override
            public void preInit(ProcessEngineConfigurationImpl processEngineConfiguration) {
                processEngineConfiguration.setIdGenerator(new StrongUuidGenerator());
            }

            @Override
            public void postInit(ProcessEngineConfigurationImpl processEngineConfiguration) {
            }

            @Override
            public void postProcessEngineBuild(ProcessEngine processEngine) {
            }
        };
    }

    @Bean
    @Order(Ordering.DEFAULT_ORDER + 2)
    public static LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {

        LdapIdentityProviderPlugin plugin = new LdapIdentityProviderPlugin();

        // TODO: make configurable from outside
        plugin.setServerUrl("ldap://ldap.brezn.knoedel.info:089/");
        plugin.setAcceptUntrustedCertificates(false);
        plugin.setAllowAnonymousLogin(false);

        // TODO: tighten
        plugin.setUseSsl(false);
        plugin.setSecurityAuthentication("simple");

        // manager settings
        plugin.setBaseDn("DC=kueche,DC=kochtopf,DC=de");
        plugin.setManagerDn("CN=Weißwurscht,OU=Kochtopf,OU=Kueche,OU=Erdgeschoß,DC=Haus,DC=Dahoam,DC=de");
        plugin.setManagerPassword("MitVielSenfUndBittschönNurDasOriginal");

        // user-specific settings
        plugin.setUserSearchBase("ou=HungrigeLeid");
        plugin.setUserSearchFilter("(objectclass=person)");
        plugin.setUserIdAttribute("iBins");
        plugin.setUserFirstnameAttribute("iBinDa");
        plugin.setUserLastnameAttribute("SehrErfreut");
        plugin.setUserEmailAttribute("schicksDoHi");

        // group-specific settings
        plugin.setGroupSearchBase("ou=Alle,ou=Hungrigen,ou=Leid");
        plugin.setGroupSearchFilter("(objectclass=group)");
        plugin.setGroupIdAttribute("miaSans");
        plugin.setGroupNameAttribute("soHoasMa");
        plugin.setGroupMemberAttribute("hungrigeGeschellschaft");

        return plugin;
    }

    @Bean
    @Order(Ordering.DEFAULT_ORDER + 3)
    public static AdministratorAuthorizationPlugin administratorAuthorizationPlugin() {
        AdministratorAuthorizationPlugin plugin = new AdministratorAuthorizationPlugin();

        plugin.setAdministratorGroupName("Weißbier-Trinker"); // group name available in the LDAP server
        plugin.setAdministratorUserName("DaBreznSepp"); // user id available in the LDAP server

        return plugin;
    }
}

Having the LDAP plugin active, the admin user configuration (camunda.bpm.admin-user, https://camunda.github.io/camunda-bpm-spring-boot-starter/docs/current/index.html#properties) has to be omitted; otherwise the application tries to access the identity service with write access. The LDAP identity service only has read access permission. Currently I cannot say if the former is a general restriction or if it is specific to our LDAP environment (having LDAP credentials with only read access to the server).

Regards
Kristian


Nice to see it works, never tested this before.

Ok, after seeing the config posted by @Kristian (thanks for the laughs in your “anonymization” by the way ^^), I re-tried some things with my config and figured out what the issue was:

Apparently, Camunda and Spring Security treat their group search filters differently.
While Spring Security needs a group search filter to check for group membership (e.g. (uniqueMember={0})), Camunda assumes that the group search filter is used to search for the group itself (e.g. (objectclass=groupOfNames)).

After using different filters for my Camunda and Spring LDAP configs, everything works as expected now. Luckily, I avoided the step-by-step debugging.

Thanks all for your help!
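As an added illustration (not code from this thread, from Spring Security or from Camunda's own code base), the following Java snippet shows why one group filter cannot serve both stacks: Spring Security substitutes the user's DN for the {0} placeholder, whereas Camunda's LDAP plugin, as described above, treats the configured filter as a selector for group entries and builds the membership clause itself from groupMemberAttribute. The composition in camundaGroupQuery is an approximation of that behaviour, not the plugin's actual code, and the user DN is a constructed sample.

```java
/** Added example: contrasts how the two stacks turn a group filter into a query. */
public class GroupFilterDemo {

    /** RFC 4515 escaping for values spliced into a search filter (prevents filter injection). */
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder();
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Spring Security style: {0} is replaced by the authenticated user's DN. */
    static String springGroupQuery(String groupSearchFilter, String userDn) {
        return groupSearchFilter.replace("{0}", escapeFilterValue(userDn));
    }

    /**
     * Camunda style (approximated, not the plugin's real code): the configured filter
     * selects group entries and is AND-ed with a membership clause built from
     * groupMemberAttribute; a {0} placeholder is left untouched.
     */
    static String camundaGroupQuery(String groupSearchFilter, String groupMemberAttribute, String userDn) {
        return "(&" + groupSearchFilter + "(" + groupMemberAttribute + "=" + escapeFilterValue(userDn) + "))";
    }

    public static void main(String[] args) {
        // constructed sample DN matching the thread's user search base
        String userDn = "uid=admin,ou=Benutzer,dc=my,dc=domain,dc=net";

        // Spring Security expects a membership filter with the {0} placeholder.
        System.out.println(springGroupQuery("(member={0})", userDn));

        // Reusing that filter in Camunda leaves the literal "{0}" in the query, so no group matches.
        System.out.println(camundaGroupQuery("(member={0})", "member", userDn));

        // Camunda wants a filter that selects group entries; membership comes from groupMemberAttribute.
        System.out.println(camundaGroupQuery("(objectclass=groupOfNames)", "member", userDn));
    }
}
```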