Integrate LDAP with Camunda for Authentication - An alternate approach for Camunda BPM Run
Published On: 2020/12/24
In this post, we go through the steps to configure LDAP in Camunda for user authentication by inheriting the camunda-bpm-run-root artifact. Camunda, by default, provides database-based authentication, and clients can use alternative approaches (works only for enterprise deployment) such as LDAP or custom-made authentication services. I have taken this alternative approach to enable the Administrator Authorization Plugin, as I could not find a suitable configuration property in the camunda.bpm.run properties group.
Camunda BPM Run
Camunda BPM Run is a pre-packaged distribution from the Camunda team that helps their clients start the BPM platform with less effort. The details of Camunda Run can be found here.
Maven Configuration
Since this is an alternative approach, I have inherited the camunda-bpm-run-root pom of Camunda BPM Run to create my BPM project.
<parent>
    <groupId>org.camunda.bpm.run</groupId>
    <artifactId>camunda-bpm-run-root</artifactId>
    <version>7.13.1-ee</version>
</parent>
<dependencies>
    ...
    <dependency>
        <groupId>org.camunda.bpm.springboot</groupId>
        <artifactId>camunda-bpm-spring-boot-starter</artifactId>
    </dependency>
    <dependency>
        <groupId>org.camunda.bpm.springboot</groupId>
        <artifactId>camunda-bpm-spring-boot-starter-webapp-ee</artifactId>
    </dependency>
    <dependency>
        <groupId>org.camunda.bpm.identity</groupId>
        <artifactId>camunda-identity-ldap</artifactId>
    </dependency>
    ...
</dependencies>
Main Application
As this application runs as a Spring Boot application, annotate the main class with @SpringBootApplication.
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;

@SpringBootApplication
public class Application {
    private static final Logger LOG = LoggerFactory.getLogger(Application.class);

    public static void main(String[] args) {
        LOG.info("Starting bpm application");
        // pass the command line through so Spring Boot picks up e.g. --spring.profiles.active
        SpringApplication.run(Application.class, args);
    }
}
LDAP Properties
Camunda BPM Run has a property group 'ldap' to connect to the LDAP system using certain parameters. This property group is enabled when the value of 'camunda.bpm.run.ldap.enabled' is set to 'true'. The following properties have to be configured in the application.yml file to make a connection from Camunda to the LDAP server.
camunda.bpm:
  run:
    ldap:
      enabled: true
      userIdAttribute: sAMAccountName
      userFirstnameAttribute: givenName
      userSearchFilter: (objectClass=user)
      serverUrl: ldap://<ldap-host>:<ldap-port>
      managerDn: <technical-user-name>
      managerPassword: <technical-user-password>   # keep out of version control; inject from the environment or a secret store
      baseDN: <base DN value>   # something like dc=example,dc=com
      groupSearchFilter: (objectClass=group)
      groupIdAttribute: cn
      groupNameAttribute: cn
      groupMemberAttribute: member
Configuration classes
Create a class that extends LdapIdentityProviderPlugin, provided by org.camunda.bpm.identity:camunda-identity-ldap, in case you need to give some default values.
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;

// Subclass of the Camunda plugin so it can be bound from configuration properties;
// the 'enabled' flag is ours, the Camunda class does not have one.
public class BpmRunLdapPlugin extends LdapIdentityProviderPlugin {
    private boolean enabled = true;

    public BpmRunLdapPlugin() {
    }

    public boolean isEnabled() {
        return this.enabled;
    }

    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }
}

import org.springframework.boot.context.properties.ConfigurationProperties;
import org.springframework.boot.context.properties.NestedConfigurationProperty;

// Binds everything under camunda.bpm.run.*; the 'ldap' sub-tree lands in the plugin above.
@ConfigurationProperties("camunda.bpm.run")
public class BpmRunProperties {
    @NestedConfigurationProperty
    private BpmRunLdapPlugin ldap = new BpmRunLdapPlugin();

    public BpmRunLdapPlugin getLdap() {
        return this.ldap;
    }

    public void setLdap(BpmRunLdapPlugin ldap) {
        this.ldap = ldap;
    }
}
Administrator Authorization Plugin
As mentioned in the Camunda documentation, it is good to enable the Administrator Authorization Plugin along with the LDAP Identity Provider Plugin. You can use either bpm-platform.xml/processes.xml or Java config to enable the Administrator Authorization Plugin. I have externalized the configuration using the properties below in the application.yml file.
myapp.camunda.superadmin:
  enabled: true
  user: myapp-admin-user   # to grant admin access to a user
  group: myapp-camunda-bpm-admin   # to grant admin access to a group of users
Spring Bean Configuration
Once we have the properties configured, configure the Spring beans for LdapIdentityProviderPlugin and AdministratorAuthorizationPlugin. These plugins are configured in such a way that we can enable or disable them in different Spring profiles.
import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.camunda.bpm.spring.boot.starter.CamundaBpmAutoConfiguration;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.boot.autoconfigure.AutoConfigureAfter;
import org.springframework.boot.autoconfigure.condition.ConditionalOnProperty;
import org.springframework.boot.context.properties.EnableConfigurationProperties;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.util.StringUtils;

@EnableConfigurationProperties({BpmRunProperties.class})
@Configuration
@AutoConfigureAfter({CamundaBpmAutoConfiguration.class})
public class BpmRunConfiguration {

    @Autowired
    BpmRunProperties bpmRunProperties;

    public BpmRunConfiguration() {
    }

    // Registered only when camunda.bpm.run.ldap.enabled=true; the bound properties object
    // is itself the plugin instance, so it is handed to the engine as-is.
    @Bean
    @ConditionalOnProperty(
        name = {"enabled"},
        havingValue = "true",
        prefix = "camunda.bpm.run.ldap"
    )
    public LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
        return this.bpmRunProperties.getLdap();
    }

    // Registered only when myapp.camunda.superadmin.enabled=true. User and group default to
    // empty so an unset property grants nothing.
    @Bean
    @ConditionalOnProperty(
        name = {"enabled"},
        havingValue = "true",
        prefix = "myapp.camunda.superadmin"
    )
    public AdministratorAuthorizationPlugin administratorAuthorizationPlugin(
            @Value("${myapp.camunda.superadmin.user:}") String adminUser,
            @Value("${myapp.camunda.superadmin.group:}") String adminGroup
    ) {
        AdministratorAuthorizationPlugin administratorAuthorizationPlugin = new AdministratorAuthorizationPlugin();
        // hasText is null-safe and also rejects whitespace-only values
        if (StringUtils.hasText(adminUser)) {
            administratorAuthorizationPlugin.setAdministratorUserName(adminUser);
        }
        if (StringUtils.hasText(adminGroup)) {
            administratorAuthorizationPlugin.setAdministratorGroupName(adminGroup);
        }
        return administratorAuthorizationPlugin;
    }
}
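To check that the profile-dependent wiring above behaves as intended, in particular that no administrator grant appears when the properties are absent, here is an added JUnit 5 test using Spring Boot's ApplicationContextRunner. It is not part of the original post; it assumes spring-boot-starter-test (JUnit 5 and AssertJ) on the test classpath and the BpmRunConfiguration class from this post in the same package.

```java
import static org.assertj.core.api.Assertions.assertThat;

import org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin;
import org.camunda.bpm.identity.impl.ldap.plugin.LdapIdentityProviderPlugin;
import org.junit.jupiter.api.Test;
import org.springframework.boot.test.context.runner.ApplicationContextRunner;

class BpmRunConfigurationTest {

    // Boots only BpmRunConfiguration (no process engine); properties are supplied
    // per test exactly as application.yml would supply them for a given profile.
    private final ApplicationContextRunner runner = new ApplicationContextRunner()
            .withUserConfiguration(BpmRunConfiguration.class);

    @Test
    void ldapPluginIsBoundAndRegisteredWhenEnabled() {
        runner.withPropertyValues(
                "camunda.bpm.run.ldap.enabled=true",
                "camunda.bpm.run.ldap.serverUrl=ldap://ldap.example.test:389", // constructed value
                "camunda.bpm.run.ldap.userIdAttribute=sAMAccountName")
              .run(ctx -> {
                  assertThat(ctx).hasSingleBean(LdapIdentityProviderPlugin.class);
                  LdapIdentityProviderPlugin plugin = ctx.getBean(LdapIdentityProviderPlugin.class);
                  assertThat(plugin.getServerUrl()).isEqualTo("ldap://ldap.example.test:389");
                  assertThat(plugin.getUserIdAttribute()).isEqualTo("sAMAccountName");
              });
    }

    @Test
    void noLdapPluginWhenDisabled() {
        // e.g. a local profile that falls back to the database identity service
        runner.withPropertyValues("camunda.bpm.run.ldap.enabled=false")
              .run(ctx -> assertThat(ctx).doesNotHaveBean(LdapIdentityProviderPlugin.class));
    }

    @Test
    void adminPluginGrantsOnlyWhatIsConfigured() {
        runner.withPropertyValues(
                "myapp.camunda.superadmin.enabled=true",
                "myapp.camunda.superadmin.group=myapp-camunda-bpm-admin")
              .run(ctx -> {
                  AdministratorAuthorizationPlugin admin = ctx.getBean(AdministratorAuthorizationPlugin.class);
                  assertThat(admin.getAdministratorGroupName()).isEqualTo("myapp-camunda-bpm-admin");
                  assertThat(admin.getAdministratorUserName()).isNull(); // user left empty: no user grant
              });
    }

    @Test
    void noAdminPluginWhenSuperadminDisabled() {
        runner.withPropertyValues("myapp.camunda.superadmin.enabled=false")
              .run(ctx -> assertThat(ctx).doesNotHaveBean(AdministratorAuthorizationPlugin.class));
    }
}
```

Running this per profile (with the profile's property file loaded instead of inline values) gives a quick regression check that production does not silently pick up the database identity service or an unintended admin grant.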
Conclusion
In this short blog, I have explained an alternative approach to configuring the LDAP plugin in a Camunda BPM application. The normal way of configuring the LDAP plugin is to add the LDAP properties to the default.yml or production.yml files provided in the Camunda BPM Run distribution.