Discussion:
[jboss-user] [jBPM] - JBPM + LDAP - can login, but HumanTask error appears in the jboss log
aemdtuc
2013-05-23 15:25:10 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819124#819124

--------------------------------------------------------------
Hi.

I've set up the jbpm-installer to work with LDAP, and I managed to authenticate and get the roles. I can walk through the jBPM Console perfectly. But looking at the JBoss log, I see an error that I think comes from the Human Task.
Here is how I configured the LDAP:

Jboss standalone.xml
<authentication>
    <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
        <module-option name="bindDN" value="LDAP_USER_DN"/>
        <module-option name="bindCredential" value="LDAP_USER_PASSWD"/>
        <module-option name="baseCtxDN" value=""/>
        <module-option name="baseFilter" value="(&amp;(objectClass=user)(userPrincipalName={0}))"/>
        <module-option name="rolesCtxDN" value=""/>
        <module-option name="roleFilter" value="(&amp;(objectClass=group)(member:1.2.840.113556.1.4.1941:={1}))"/>
        <module-option name="roleAttributeID" value="cn"/>
        <module-option name="java.naming.provider.url" value="ldap://domain:port"/>
        <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
        <module-option name="allowEmptyPasswords" value="true"/>
        <module-option name="throwValidateError" value="true"/>
    </login-module>
</authentication>




jbpm-gwt-console-server.war web.xml
<login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.html</form-login-page>
      <form-error-page>/login_failed.html</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>Write</role-name>
  </security-role>
  <security-role>
    <role-name>Read</role-name>
  </security-role>




jbpm-human-task-war.war jbpm.usergroup.callback.properties
ldap.bind.user=CN\=User,OU\=Users,OU\=Company Users,OU\=Company,DC\=company-1234,DC\=com
ldap.bind.pwd=Passwd
ldap.user.ctx=
ldap.role.ctx=
#ldap.user.roles.ctx=ou\=Roles,dc\=my-domain,dc\=com
ldap.user.filter=(&(objectClass=user)(userPrincipalName\={0}))
ldap.role.filter=
ldap.user.roles.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:\={0}))
#ldap.user.attr.id=
#ldap.roles.attr.id=
java.naming.provider.url=ldap://domain:port


jbpm-human-task-war.war web.xml
   <init-param>
     <param-name>user.group.callback.class</param-name>
     <param-value>org.jbpm.task.identity.LDAPUserGroupCallbackImpl</param-value>
   </init-param>







The jbpm.usergroup.callback.properties is located under jbpm-human-task-war.war/WEB-INF/classes.

The error message is the following:
ERROR [stderr] (Thread-68) javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name ''
ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
ERROR [stderr] (Thread-68) at javax.naming.directory.InitialDirContext.search(Unknown Source)
ERROR [stderr] (Thread-68) at org.jbpm.task.identity.LDAPUserGroupCallbackImpl.existsUser(LDAPUserGroupCallbackImpl.java:128)
ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServiceSession.doCallbackUserOperation(TaskServiceSession.java:1225)
ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServiceSession.getTasksOwned(TaskServiceSession.java:763)
ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServerHandler.messageReceived(TaskServerHandler.java:309)
ERROR [stderr] (Thread-68) at org.jbpm.task.service.hornetq.HornetQTaskServerHandler.messageReceived(HornetQTaskServerHandler.java:43)
ERROR [stderr] (Thread-68) at org.jbpm.task.service.hornetq.BaseHornetQTaskServer.run(BaseHornetQTaskServer.java:104)
ERROR [stderr] (Thread-68) at java.lang.Thread.run(Unknown Source)



As you can see in the error message, when trying to create the LDAP context, it doesn't bind with a user and password. So when it tries to make the search, it fails.
I'm not sure if it doesn't bind correctly because my properties file is wrong, or because the Human Task has a bug.
I'll appreciate any help.

Thanks.
--------------------------------------------------------------

Reply to this message by going to Community
[https://community.jboss.org/message/819124#819124]

Start a new discussion in jBPM at Community
[https://community.jboss.org/choose-container!input.jspa?contentType=1&containerType=14&container=2034]
Maciej Swiderski
2013-05-27 10:04:17 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819619#819619

--------------------------------------------------------------
I believe this is a bug in LDAPUserGroupCallbackImpl: it simply does not bind with the given credentials. Could you please check if there is a JIRA for it, and if not, file one so we can track and fix it?

Cheers
--------------------------------------------------------------

aemdtuc
2013-05-27 13:21:37 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819653#819653

--------------------------------------------------------------
Thanks for the reply.

I've looked for a JIRA and there's none related to it.

I've opened a JIRA as you requested; here's the link to it:

https://issues.jboss.org/browse/JBPM-4016

Regards,

Eduardo
--------------------------------------------------------------

Maciej Swiderski
2013-05-27 15:44:58 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819682#819682

--------------------------------------------------------------
As this is indeed a bug, you should be able to work around it by specifying the following properties as part of the jbpm.usergroup.callback.properties file:

java.naming.security.principal=your username for ldap
java.naming.security.credentials=your password for ldap


That should allow binding to an LDAP server that requires authentication.

HTH
--------------------------------------------------------------

aemdtuc
2013-05-27 19:06:53 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819692#819692

--------------------------------------------------------------
Wow, you're fast!

Thanks for the solution, I'll try it tomorrow.
If anything still fails, I'll come back!

Thanks
--------------------------------------------------------------

aemdtuc
2013-05-28 09:26:37 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819812#819812

--------------------------------------------------------------
Now I'm having a hard time with another thing, and I'm not sure why:

ERROR [stderr] (Thread-131) javax.naming.InvalidNameException: ldap.role.ctx: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
ERROR [stderr] (Thread-131)     'ldap.role.ctx'
ERROR [stderr] (Thread-131) ]; remaining name 'ldap.role.ctx'
ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
ERROR [stderr] (Thread-131) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
ERROR [stderr] (Thread-131) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
ERROR [stderr] (Thread-131) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
ERROR [stderr] (Thread-131) at javax.naming.directory.InitialDirContext.search(Unknown Source)
ERROR [stderr] (Thread-131) at org.jbpm.task.identity.LDAPUserGroupCallbackImpl.getGroupsForUser(LDAPUserGroupCallbackImpl.java:245)
ERROR [stderr] (Thread-131) at org.jbpm.task.service.TaskServiceSession.doCallbackGroupsOperation(TaskServiceSession.java:1568)
ERROR [stderr] (Thread-131) at org.jbpm.task.service.TaskServiceSession.doUserGroupCallbackOperation(TaskServiceSession.java:1213)
ERROR [stderr] (Thread-131) at org.jbpm.task.service.TaskServiceSession.getTasksAssignedAsPotentialOwnerByStatus(TaskServiceSession.java:794)
ERROR [stderr] (Thread-131) at org.jbpm.task.service.TaskServerHandler.messageReceived(TaskServerHandler.java:359)
ERROR [stderr] (Thread-131) at org.jbpm.task.service.hornetq.HornetQTaskServerHandler.messageReceived(HornetQTaskServerHandler.java:43)
ERROR [stderr] (Thread-131) at org.jbpm.task.service.hornetq.BaseHornetQTaskServer.run(BaseHornetQTaskServer.java:104)
ERROR [stderr] (Thread-131) at java.lang.Thread.run(Unknown Source)


Do you know what it is about?

My properties file now looks like this:

java.naming.security.principal=user\\userread
java.naming.security.credentials=passwd
ldap.user.ctx=
ldap.role.ctx=
ldap.user.filter=(&(objectClass\=user)(userPrincipalName\={0}))
ldap.role.filter=
ldap.user.roles.filter=(&(objectClass\=group)(member\:1.2.840.113556.1.4.1941\:\={0}))
java.naming.provider.url=ldap://domain\:port


I already tried setting ldap.role.ctx and ldap.user.ctx, but I always get the same error message.

Thanks in advance
--------------------------------------------------------------

Maciej Swiderski
2013-05-28 09:51:59 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819818#819818

--------------------------------------------------------------
When you look at the javadocs for the LDAP callback [http://docs.jboss.org/jbpm/v5.4/javadocs/org/jbpm/task/identity/LDAPUserGroupCallbackImpl.html], you'll notice that some of the parameters are mandatory. In fact both ldap.user.ctx and ldap.role.ctx are mandatory. So you need to specify what the context in LDAP is that the callback should search in for users and groups/roles. Once you specify that, it should be able to access and fetch data correctly. You could simplify testing of the correct LDAP settings by creating tests similar to the ones jBPM has [https://github.com/droolsjbpm/jbpm/blob/5.4.x/jbpm-human-task/jbpm-human-task-core/src/test/java/org/jbpm/task/identity/LDAPUserGroupCallbackImplTest.java].

HTH
--------------------------------------------------------------

aemdtuc
2013-05-28 11:33:33 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819846#819846

--------------------------------------------------------------
Sorry, but as I said, I already tried specifying ldap.role.ctx and ldap.user.ctx, and I still have the same error message.
--------------------------------------------------------------

Maciej Swiderski
2013-05-28 13:38:35 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819884#819884

--------------------------------------------------------------
What value have you assigned to ldap.user.ctx and ldap.role.ctx?

It should have something like: OU\=Users,OU\=Company Users,OU\=Company,DC\=company-1234,DC\=com

So it must be valid LDAP syntax.

HTH
--------------------------------------------------------------

aemdtuc
2013-05-28 13:44:49 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819886#819886

--------------------------------------------------------------
I have something like:

ldap.user.ctx=OU\=Company,DC\=company-1234,DC\=com
ldap.role.ctx=OU\=Company,DC\=company-1234,DC\=com

I only included the start of the ctx, because the start is the same, but then different users can be in different OUs, and the same goes for roles.
Is it wrong?! That's why I don't actually include a role or user ctx, as you can see in my JBoss standalone.xml.

Thanks for the help!
--------------------------------------------------------------

Maciej Swiderski
2013-05-28 13:54:35 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819889#819889

--------------------------------------------------------------
Looking at the error:

ERROR [stderr] (Thread-131) javax.naming.InvalidNameException: ldap.role.ctx: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
ERROR [stderr] (Thread-131)     'ldap.role.ctx'
ERROR [stderr] (Thread-131) ]; remaining name 'ldap.role.ctx'

It clearly says it's using ldap.role.ctx as the value when searching for the context, and data code 8350 means "DN format is incorrect", so there must be something incorrect in the configuration.

HTH
--------------------------------------------------------------

aemdtuc
2013-05-28 14:04:16 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/819893#819893

--------------------------------------------------------------
So the file looks the way I mentioned above, but with the ldap.user.ctx and ldap.role.ctx defined in my last reply.

Can it be that java.naming.security.principal=user\\userread is wrong?
I mean, the user principal is user\userread and I escaped the '\'.

Thanks
--------------------------------------------------------------

aemdtuc
2013-06-03 09:09:24 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/820927#820927

--------------------------------------------------------------
So I figured out what was wrong.

I tried using ldap.user.roles.ctx instead of ldap.role.ctx and the error message is gone.
Looking in the class implementation [https://github.com/droolsjbpm/jbpm/blob/5.4.x/jbpm-human-task/jbpm-human-task-core/src/main/java/org/jbpm/task/identity/LDAPUserGroupCallbackImpl.java], I saw at line 236:

String roleContext = this.config.getProperty(USER_ROLES_CTX, ROLE_CTX);

It tries to get the value for the key USER_ROLES_CTX; if this key is not in the property list, then it uses ROLE_CTX as the default VALUE. This means it doesn't look for ROLE_CTX in the property list.
And that's why I get such an error message.
This is a bug; should I open a JIRA?

Regards,
Eduardo
--------------------------------------------------------------

Maciej Swiderski
2013-06-03 09:19:45 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/820933#820933

--------------------------------------------------------------
This is not a bug, this is intended behavior. The code that you pointed out is about finding the roles that a user belongs to, and that's why it has an additional property (ldap.user.roles.ctx) that is optional; if it is not given, the regular context for roles will be used. Please ensure that you provide all mandatory properties in your configuration file (see the javadocs given previously), otherwise you'll experience different issues.

HTH
--------------------------------------------------------------

aemdtuc
2013-06-03 10:25:46 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/820944#820944

--------------------------------------------------------------
I already tried a lot of options. There's no explanation why, when I set the same value for ldap.user.roles.ctx and ldap.role.ctx, it works, and when I set only ldap.role.ctx, it doesn't work.
I already looked at the javadocs, and all the mandatory fields are correctly provided.

I'm out of ideas already, for now I'll use ldap.user.roles.ctx.
--------------------------------------------------------------

Maciej Swiderski
2013-06-03 10:49:07 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/820957#820957

--------------------------------------------------------------
This might be because you still declare the property in the configuration file but with an empty value, so the handler will consider it an existing property with an empty string as the value. So make sure that optional fields you don't use are removed (or commented out) in the config file.

HTH
--------------------------------------------------------------

aemdtuc
2013-06-03 10:57:03 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/820962#820962

--------------------------------------------------------------
Sorry, I didn't get your comment.
You mean when I declare ldap.role.ctx I should comment out ldap.user.roles.ctx?!
If this is what you mean, I already did it.
And also I'm not declaring either ldap.role.ctx or ldap.user.roles.ctx empty anymore. But still, if I declare both empty, it works.
The problem is only declaring ldap.role.ctx and not having ldap.user.roles.ctx, which leads me to think the problem is really in the line I pointed out. The right way for me would be something like this:

String roleContext = this.config.getProperty(USER_ROLES_CTX, Context.ROLE_CTX);
--------------------------------------------------------------

Maciej Swiderski
2013-06-03 16:19:36 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/821048#821048

--------------------------------------------------------------
Not sure what class you have in mind by Context, but in general what you want to do is already done in the code. Could you upload the complete configuration file you use so I can check it in a unit test?

Cheers
--------------------------------------------------------------

aemdtuc
2013-06-04 06:51:55 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/821153#821153

--------------------------------------------------------------
Sure, here it is:

#ldap.bind.user= bug, doesn't work, workaround java.naming.security.principal
#ldap.bind.pwd= bug, doesn't work, workaround java.naming.security.credentials
ldap.role.ctx=OU\=Security,OU\=Groups,OU\=_company,DC\=company,DC\=com
java.naming.security.principal=CN\=User,OU\=Accounts,OU\=_company,DC\=company,DC\=com
java.naming.security.credentials=passwd
ldap.user.ctx=OU\=Accounts,OU\=_company,DC\=company,DC\=com
#ldap.user.roles.ctx=
ldap.user.filter=(&(objectClass\=user)(userPrincipalName\={0}))
ldap.role.filter=(cn\={0})
ldap.user.roles.filter=(&(objectClass\=group)(member\:1.2.840.113556.1.4.1941\:\={0}))
#ldap.user.attr.id=
#ldap.roles.attr.id=
ldap.user.id.dn=true
java.naming.provider.url=ldap://domain\:port
--------------------------------------------------------------

Maciej Swiderski
2013-06-04 08:48:25 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/821185#821185

--------------------------------------------------------------
And you're saying this configuration does not work?
--------------------------------------------------------------

aemdtuc
2013-06-04 08:59:02 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/821187#821187

--------------------------------------------------------------
Exactly, I get the error message already mentioned:

ERROR [stderr] (Thread-131) javax.naming.InvalidNameException: ldap.role.ctx: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
ERROR [stderr] (Thread-131)     'ldap.role.ctx'
ERROR [stderr] (Thread-131) ]; remaining name 'ldap.role.ctx'


The only way to make this error go away was uncommenting ldap.user.roles.ctx and setting its value to the same as the one defined in ldap.role.ctx:

ldap.user.roles.ctx=OU\=Security,OU\=Groups,OU\=_company,DC\=company,DC\=com


And from the error message we can clearly see that the program is getting ldap.role.ctx="ldap.role.ctx".

That's why I'm pointing at line 236:

String roleContext = this.config.getProperty(USER_ROLES_CTX, ROLE_CTX);

Because this line seems to be where the problem arises, as we are passing ROLE_CTX (which contains the string "ldap.role.ctx") as the default value in case USER_ROLES_CTX is not defined in the properties file.
--------------------------------------------------------------

Maciej Swiderski
2013-06-04 09:05:00 UTC
Maciej Swiderski [https://community.jboss.org/people/swiderski.maciej] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/821190#821190

--------------------------------------------------------------
Alright, now I got it. You're right, this is a bug, and that line should be changed to this:

String roleContext = this.config.getProperty(USER_ROLES_CTX, this.config.getProperty(ROLE_CTX));

So it should get the default value from the config properties instead of submitting the key there. I got confused when you passed the line with Context.ROLE_CTX.

I'll fix this as part of the issue already opened for it.

Thanks for detailed investigation
--------------------------------------------------------------

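The following is an added example, written for this archive page and not code from jBPM or from either poster. It reproduces, against plain java.util.Properties and without any LDAP server, the two configuration pitfalls this thread ends up on: the 5.4.x fallback that hands the key name "ldap.role.ctx" to the directory as a base DN (the BAD_NAME / data 8350 error), and the "declared but empty" optional key that keeps the fallback from ever firing. The `lint` method encodes the advice given above (mandatory contexts must be real DNs, bind identity via the java.naming.* keys while ldap.bind.user/ldap.bind.pwd are not honoured) as a pre-deployment check; the DNs and the `CallbackConfigCheck` class name are placeholders constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Properties;

/**
 * Added example (not jBPM code). Properties.getProperty(key, defaultValue) returns
 * defaultValue VERBATIM when key is absent, so passing another key's NAME as the default
 * yields the literal string "ldap.role.ctx" instead of that key's value. A key declared with
 * an empty value counts as present, so the default is never consulted at all.
 */
public class CallbackConfigCheck {

    static final String USER_CTX       = "ldap.user.ctx";
    static final String ROLE_CTX       = "ldap.role.ctx";
    static final String USER_ROLES_CTX = "ldap.user.roles.ctx";
    static final String BIND_USER      = "ldap.bind.user";
    static final String JNDI_PRINCIPAL = "java.naming.security.principal";
    static final String JNDI_CREDS     = "java.naming.security.credentials";

    /** The 5.4.x line quoted in the thread: the fallback is the key name, not a DN. */
    static String roleContextBuggy(Properties p) {
        return p.getProperty(USER_ROLES_CTX, ROLE_CTX);
    }

    /** The correction agreed on in the thread: fall back to the other property's value. */
    static String roleContextFixed(Properties p) {
        return p.getProperty(USER_ROLES_CTX, p.getProperty(ROLE_CTX));
    }

    /** Stricter variant (my addition): a declared-but-blank optional key also falls through. */
    static String roleContextStrict(Properties p) {
        String explicit = nonBlank(p.getProperty(USER_ROLES_CTX));
        return explicit != null ? explicit : nonBlank(p.getProperty(ROLE_CTX));
    }

    static String nonBlank(String s) {
        return (s == null || s.trim().isEmpty()) ? null : s;
    }

    /**
     * Config lint based on the thread's findings (assumption: 5.4.x behaviour as described
     * above). Mandatory contexts must be non-blank, blank optional keys must be removed,
     * and the bind identity has to come from the java.naming.* keys.
     */
    static List<String> lint(Properties p) {
        List<String> findings = new ArrayList<>();
        for (String key : new String[] {USER_CTX, ROLE_CTX}) {
            if (nonBlank(p.getProperty(key)) == null) {
                findings.add("mandatory " + key + " is missing or blank");
            }
        }
        if (p.containsKey(USER_ROLES_CTX) && nonBlank(p.getProperty(USER_ROLES_CTX)) == null) {
            findings.add(USER_ROLES_CTX + " is declared but blank; remove or comment it out");
        }
        if (nonBlank(p.getProperty(JNDI_PRINCIPAL)) == null || nonBlank(p.getProperty(JNDI_CREDS)) == null) {
            findings.add("no " + JNDI_PRINCIPAL + "/" + JNDI_CREDS + "; the search would run unauthenticated"
                + (p.containsKey(BIND_USER) ? " (" + BIND_USER + " alone is not used by the 5.4.x callback)" : ""));
        }
        return findings;
    }

    /** Same parser the callback uses, so the \= and \: escapes behave identically. */
    static Properties load(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample modelled on the file posted in the thread (placeholder DNs).
        String base = String.join("\n",
            "java.naming.security.principal=CN\\=User,OU\\=Accounts,OU\\=_company,DC\\=company,DC\\=com",
            "java.naming.security.credentials=passwd",
            "ldap.user.ctx=OU\\=Accounts,OU\\=_company,DC\\=company,DC\\=com",
            "ldap.role.ctx=OU\\=Security,OU\\=Groups,OU\\=_company,DC\\=company,DC\\=com",
            "java.naming.provider.url=ldap://domain\\:port");

        Properties roleCtxOnly   = load(base + "\n#ldap.user.roles.ctx=");   // optional key commented out
        Properties blankOptional = load(base + "\nldap.user.roles.ctx=");    // optional key present but blank
        Properties bindUserOnly  = load("ldap.bind.user=CN\\=User,DC\\=company,DC\\=com\nldap.user.ctx=\nldap.role.ctx=");

        System.out.println("buggy  : " + roleContextBuggy(roleCtxOnly));       // key name, sent to AD as a base DN
        System.out.println("fixed  : " + roleContextFixed(roleCtxOnly));       // the ldap.role.ctx DN
        System.out.println("blank  : '" + roleContextFixed(blankOptional) + "'"); // blank value wins even after the fix
        System.out.println("strict : " + roleContextStrict(blankOptional));    // falls through to ldap.role.ctx
        lint(bindUserOnly).forEach(f -> System.out.println("lint   : " + f));
    }
}
```

Run it with `javac CallbackConfigCheck.java && java CallbackConfigCheck`. The "buggy" line prints exactly the string that appeared as `remaining name 'ldap.role.ctx'` in the stack trace above, and the "blank" line shows why Maciej's advice to delete unused optional keys, rather than leave them empty, matters even once the fallback is fixed.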
aemdtuc
2013-06-04 09:27:46 UTC
aemdtuc [https://community.jboss.org/people/aemdtuc] created the discussion

"Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log"

To view the discussion, visit: https://community.jboss.org/message/821203#821203

--------------------------------------------------------------
You're welcome.

Sorry about the confusion.

Thanks.
--------------------------------------------------------------
