JBPM-4016 (jBPM)

LDAPUserGroupCallbackImpl probably not binding user


    • Compatibility/Configuration
    • Low
    • Workaround Exists

      Check whether LDAPUserGroupCallbackImpl is binding the user correctly before the search is made.

      Here is how I configured the LDAP:

      Jboss standalone.xml:

      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="bindDN" value="LDAP_USER_DN"/>
          <module-option name="bindCredential" value="LDAP_USER_PASSWD "/>
          <module-option name="baseCtxDN" value=""/>
          <module-option name="baseFilter" value="(&amp;(objectClass=user)(userPrincipalName={0}))"/>
          <module-option name="rolesCtxDN" value=""/>
          <module-option name="roleFilter" value="(&amp;(objectClass=group)(member:1.2.840.113556.1.4.1941:={1}))"/>
          <module-option name="roleAttributeID" value="cn"/>
          <module-option name="java.naming.provider.url" value="ldap://domain:port"/>
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="allowEmptyPasswords" value="true"/>
          <module-option name="throwValidateError" value="true"/>
        </login-module>
      </authentication>
      

      jbpm-gwt-console-server.war web.xml

      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/login_failed.html</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <role-name>Write</role-name>
      </security-role>
      <security-role>
        <role-name>Read</role-name>
      </security-role>
      

      jbpm-human-task-war.war jbpm.usergroup.callback.properties

      ldap.bind.user=CN\=User,OU\=Users,OU\=Company Users,OU\=Company,DC\=company-1234,DC\=com
      ldap.bind.pwd=Passwd
      ldap.user.ctx=
      ldap.role.ctx=
      #ldap.user.roles.ctx=ou\=Roles,dc\=my-domain,dc\=com
      ldap.user.filter=(&(objectClass=user)(userPrincipalName\={0}))
      ldap.role.filter=
      ldap.user.roles.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:\={0}))
      #ldap.user.attr.id=
      #ldap.roles.attr.id=
      java.naming.provider.url=ldap://domain:port
      

      jbpm-human-task-war.war web.xml

      <init-param>
        <param-name>user.group.callback.class</param-name>
        <param-value>org.jbpm.task.identity.LDAPUserGroupCallbackImpl</param-value>
      </init-param>
      

      Hi.

      I've set up jBPM 5.4 to work with LDAP, and I could manage to authenticate and get the roles. I can perfectly walk through the jBPM-Console. But looking at the JBoss log, I see an error that comes from the Human Task.

      ERROR [stderr] (Thread-68) javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name ''
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
      ERROR [stderr] (Thread-68) at javax.naming.directory.InitialDirContext.search(Unknown Source)
      ERROR [stderr] (Thread-68) at org.jbpm.task.identity.LDAPUserGroupCallbackImpl.existsUser(LDAPUserGroupCallbackImpl.java:128)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServiceSession.doCallbackUserOperation(TaskServiceSession.java:1225)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServiceSession.getTasksOwned(TaskServiceSession.java:763)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServerHandler.messageReceived(TaskServerHandler.java:309)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.hornetq.HornetQTaskServerHandler.messageReceived(HornetQTaskServerHandler.java:43)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.hornetq.BaseHornetQTaskServer.run(BaseHornetQTaskServer.java:104)
      ERROR [stderr] (Thread-68) at java.lang.Thread.run(Unknown Source)
      

      This error message usually comes up when an LDAP search is made but the user was not bound to the LDAP context.

      Please investigate.
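As an added diagnostic that is not part of jBPM or of this report, the hypothetical LdapBindCheck class below loads the same jbpm.usergroup.callback.properties shown above, performs the simple bind with the service account before any search, and then runs the configured ldap.user.filter for one user id; the class name and the two command-line arguments are assumptions.

```java
import java.io.FileInputStream;
import java.util.Hashtable;
import java.util.Properties;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.directory.*;

public class LdapBindCheck {
    // args[0] = path to jbpm.usergroup.callback.properties, args[1] = user id (e.g. user@company.com)
    public static void main(String[] args) throws Exception {
        Properties p = new Properties();
        try (FileInputStream in = new FileInputStream(args[0])) {
            p.load(in); // Properties.load() unescapes "CN\=User,..." and "userPrincipalName\={0}"
        }
        String bindUser = p.getProperty("ldap.bind.user", "").trim();
        String bindPwd = p.getProperty("ldap.bind.pwd", "");
        // An empty DN or password makes JNDI perform an anonymous/unauthenticated bind. AD accepts
        // that bind but answers the following search with error code 1 ("a successful bind must be
        // completed on the connection"), the symptom in this issue, so refuse to continue instead.
        if (bindUser.isEmpty() || bindPwd.isEmpty()) {
            throw new IllegalStateException("ldap.bind.user and ldap.bind.pwd must both be set");
        }
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, p.getProperty("java.naming.provider.url"));
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, bindUser);
        env.put(Context.SECURITY_CREDENTIALS, bindPwd);
        // The simple bind is performed when the context is created: a wrong password surfaces here
        // as javax.naming.AuthenticationException rather than as error code 1 at search time.
        DirContext ctx = new InitialDirContext(env);
        try {
            String filter = p.getProperty("ldap.user.filter").replace("{0}", escapeFilter(args[1]));
            SearchControls sc = new SearchControls();
            sc.setSearchScope(SearchControls.SUBTREE_SCOPE);
            NamingEnumeration<SearchResult> r = ctx.search(p.getProperty("ldap.user.ctx", ""), filter, sc);
            System.out.println(args[1] + (r.hasMore() ? " found: " + r.next().getNameInNamespace() : " not found"));
        } finally {
            ctx.close();
        }
    }

    // RFC 4515 escaping so the user id substituted into the filter cannot change its structure.
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) sb.append("\\*()".indexOf(c) >= 0 ? String.format("\\%02x", (int) c) : String.valueOf(c));
        return sb.toString();
    }
}
```

If this check finds the user while the human task WAR still logs error code 1, the callback is creating its DirContext without the ldap.bind.user/ldap.bind.pwd credentials. The same bind semantics apply on the JBoss side: allowEmptyPasswords=true in the LdapExtLoginModule shown above lets a login with an empty password reach the directory, where AD treats the resulting unauthenticated bind as anonymous.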

              swiderski.maciej Maciej Swiderski (Inactive)
              aemdtuc Eduardo Fdl (Inactive)