Integrate LDAP with Camunda for Authentication - An alternate approach for Camunda BPM Run

Published On: 2020/12/24

In this post, we are going through the steps to configure ldap in camunda for user authentication by inheriting camunda-bpm-run-root artifact. Camunda, by default, provides the database based authentication and the clients could use alternative approaches (works only for enterprise deployment) like LDAP or custom made authenticaton services. I have taken this alternative approach to enable the administrator authorization plugin as I could not find a suitable configuration property in properties group.

Camunda BPM Run

Camunda BPM Run is a pre-packaged distribution from Camunda team to help their clients to start the BPM platform with less effort. The details of camunda run could be found here

Maven Configuration

Since this is an alternative approach, I have inherited the camunda-bpm-run-root pom of camunda bpm run to create my bpm project.

Please note that the webapp library has to be camunda-bpm-spring-boot-starter-webapp-ee as the packaging is extended from the enterprise version of camunda-bpm-run-root




Main Application

As this application is running as a spring boot application, annotated the main class with @SpringBootApplication.

public class Application{
    private  static final Logger LOG = LoggerFactory.getLogger(Application.class);

    public static void main(String[] args){"Starting bpm application");;

LDAP Properties

Camunda BPM Run has a property group ’ldap’ to connect to the LDAP system using certain parameters. This property group will be enabled if the value of ‘’ is set to ’true’. The below given properties has to be configured in the application.yml file to make a connection to LDAP server from camunda.

      enabled: true
      userIdAttribute: sAMAccountName
      userFirstnameAttribute: givenName
      userSearchFilter: (objectClass=user)
      serverUrl: ldap://<ldap-host>:<ldap-port>
      managerDn: <technical-user-name>
      managerPassword: <technical-user-password>
      baseDN: <base DN value > // something like dc=example,dc=com
      groupSearchFilter: (objectClass=group)
      groupIdAttribute: cn
      groupNameAttribute: cn
      groupMemberAttribute: member

Configuration classes

Create a class extends LdapIdentityProviderPlugin provided by the org.camunda.bpm.identity:camunda-identity-ldap in case you need to give some default values.

public class BpmRunLdapPlugin extends LdapIdentityProviderPlugin {

    boolean enabled = true;

    public BpmRunLdapPlugin() {

    public boolean isEnabled() {
        return this.enabled;

    public void setEnabled(boolean enabled) {
        this.enabled = enabled;

The class BpmRunProperties injects the properties from the application.yml file into the BpmRunLdapPlugin to create the connection with LDAP server.
public class BpmRunProperties {

    private BpmRunLdapPlugin ldap = new BpmRunLdapPlugin();

    public BpmRunLdapPlugin getLdap() {
        return this.ldap;

    public void setLdap(BpmRunLdapPlugin ldap) {
        this.ldap = ldap;


Administrator Authorization Plugin

As mentioned in the camunda documentation, It is good to enable Administrator Authorization Plugin the the LDAP Identity Provider Plugin. Either you could use bpm-platform.xml/processes.xml OR java config to enable the Administrator Authorization Plugin. I have externalized the configuration using below configuration in the application.yml file.

  enabled: true
  user: myapp-admin-user // to grant admin access to a user
  group: myapp-camunda-bpm-admin // to grant admin access to a group of users

Spring Bean Configuration

Once we have the properties configured, configure the spring beans for LdapIdentityProviderPlugin and AdministratorAuthorizationPlugin. These plugins are configured in such a way that we could enable or disable it in different spring profiles.

public class BpmRunConfiguration {

    BpmRunProperties bpmRunProperties;

    public BpmRunConfiguration() {

            name = {"enabled"},
            havingValue = "true",
            prefix = ""
    public LdapIdentityProviderPlugin ldapIdentityProviderPlugin() {
        return this.bpmRunProperties.getLdap();

            name = {"enabled"},
            havingValue = "true",
            prefix = "myapp.camunda.superadmin"
    public AdministratorAuthorizationPlugin administratorAuthorizationPlugin(
            @Value("${myapp.camunda.superadmin.user:}") String adminUser,
            @Value("${}") String adminGroup
        AdministratorAuthorizationPlugin administratorAuthorizationPlugin = new AdministratorAuthorizationPlugin();
        if(Objects.nonNull(adminUser) && !StringUtils.isEmpty(adminUser)) {
        if(Objects.nonNull(adminGroup) && !StringUtils.isEmpty(adminGroup)){
        return administratorAuthorizationPlugin;



In this short blog, I have explained an alternative approach to configure the ldap plugin in camunda bpm application. The normal way of configuring the LDAP plugin is add the ldap properties in the default.yml or production.yml files provided in the camunda bpm run distribution.

comments powered by Disqus