21 Replies Latest reply on Jun 4, 2013 5:27 AM by aemdtuc

    JBPM + LDAP - can login, but HumanTask error appears in the jboss log

    aemdtuc

      Hi.

      I've set up the jbpm-installer to work with LDAP, and I managed to authenticate and get the roles. I can walk through the jBPM-Console perfectly. But looking at the JBoss log, I see an error that I think comes from the Human Task.

      Here is how I configured the LDAP:

       

      Jboss standalone.xml

      <authentication>
        <login-module code="org.jboss.security.auth.spi.LdapExtLoginModule" flag="required">
          <module-option name="bindDN" value="LDAP_USER_DN"/>
          <module-option name="bindCredential" value="LDAP_USER_PASSWD"/>
          <module-option name="baseCtxDN" value=""/>
          <module-option name="baseFilter" value="(&amp;(objectClass=user)(userPrincipalName={0}))"/>
          <module-option name="rolesCtxDN" value=""/>
          <module-option name="roleFilter" value="(&amp;(objectClass=group)(member:1.2.840.113556.1.4.1941:={1}))"/>
          <module-option name="roleAttributeID" value="cn"/>
          <module-option name="java.naming.provider.url" value="ldap://domain:port"/>
          <module-option name="java.naming.factory.initial" value="com.sun.jndi.ldap.LdapCtxFactory"/>
          <module-option name="allowEmptyPasswords" value="true"/>
          <module-option name="throwValidateError" value="true"/>
        </login-module>
      </authentication>

       

      jbpm-gwt-console-server.war web.xml

      <login-config>
        <auth-method>FORM</auth-method>
        <form-login-config>
          <form-login-page>/login.html</form-login-page>
          <form-error-page>/login_failed.html</form-error-page>
        </form-login-config>
      </login-config>

      <security-role>
        <role-name>Write</role-name>
      </security-role>
      <security-role>
        <role-name>Read</role-name>
      </security-role>

       

      jbpm-human-task-war.war jbpm.usergroup.callback.properties

      ldap.bind.user=CN\=User,OU\=Users,OU\=Company Users,OU\=Company,DC\=company-1234,DC\=com
      ldap.bind.pwd=Passwd
      ldap.user.ctx=
      ldap.role.ctx=
      #ldap.user.roles.ctx=ou\=Roles,dc\=my-domain,dc\=com
      ldap.user.filter=(&(objectClass=user)(userPrincipalName\={0}))
      ldap.role.filter=
      ldap.user.roles.filter=(&(objectClass=group)(member:1.2.840.113556.1.4.1941:\={0}))
      #ldap.user.attr.id=
      #ldap.roles.attr.id=
      java.naming.provider.url=ldap://domain:port
      

       

      jbpm-human-task-war.war web.xml

      <init-param>
        <param-name>user.group.callback.class</param-name>
        <param-value>org.jbpm.task.identity.LDAPUserGroupCallbackImpl</param-value>
      </init-param>

       


      The jbpm.usergroup.callback.properties is located under jbpm-human-task-war.war/WEB-INF/classes.

       

      The error message is the following:

      ERROR [stderr] (Thread-68) javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C090627, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, vece]; remaining name ''
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.mapErrorCode(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
      ERROR [stderr] (Thread-68) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
      ERROR [stderr] (Thread-68) at javax.naming.directory.InitialDirContext.search(Unknown Source)
      ERROR [stderr] (Thread-68) at org.jbpm.task.identity.LDAPUserGroupCallbackImpl.existsUser(LDAPUserGroupCallbackImpl.java:128)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServiceSession.doCallbackUserOperation(TaskServiceSession.java:1225)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServiceSession.getTasksOwned(TaskServiceSession.java:763)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.TaskServerHandler.messageReceived(TaskServerHandler.java:309)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.hornetq.HornetQTaskServerHandler.messageReceived(HornetQTaskServerHandler.java:43)
      ERROR [stderr] (Thread-68) at org.jbpm.task.service.hornetq.BaseHornetQTaskServer.run(BaseHornetQTaskServer.java:104)
      ERROR [stderr] (Thread-68) at java.lang.Thread.run(Unknown Source)
      

       

       

      As you can see in the error message, when trying to create the LDAP context it doesn't bind with a user and password, so when it tries to run the search it fails.

      I'm not sure whether it doesn't bind correctly because my properties file is wrong, or because the human task has a bug.

      I'll appreciate any help.

      Thanks.
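The two filter templates from the configuration above, rendered the way the login module fills them in, as an added example in Python (not JBoss or jBPM code): LdapExtLoginModule substitutes the login name for {0} in baseFilter and the user's DN for {1} in roleFilter, and the jBPM callback file uses the same {0} placeholder. Each value is escaped per RFC 4515 before substitution so that a login name containing filter metacharacters is searched for literally instead of changing the filter. The user names and DN used below are constructed.

```python
"""Render the LDAP filter templates from the post with escaped arguments.

Added example, not JBoss or jBPM code. The templates are the ones from the
standalone.xml in the post; the argument values are constructed.
"""
import re

# Filters copied from the login-module configuration in the post.
BASE_FILTER = "(&(objectClass=user)(userPrincipalName={0}))"
ROLE_FILTER = "(&(objectClass=group)(member:1.2.840.113556.1.4.1941:={1}))"

# RFC 4515 escapes for characters that would otherwise alter a filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value so it is matched literally inside a filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def render_filter(template: str, *args: str) -> str:
    """Replace {0}, {1}, ... in the template with the escaped arguments.

    A placeholder with no matching argument raises IndexError, which is the
    case when a roleFilter that needs {1} is given only the login name.
    """
    def repl(match: "re.Match[str]") -> str:
        idx = int(match.group(1))
        if idx >= len(args):
            raise IndexError(f"filter needs argument {{{idx}}} but got {len(args)}")
        return escape_filter_value(args[idx])

    return re.sub(r"\{(\d+)\}", repl, template)


def balanced(filter_str: str) -> bool:
    """Sanity check that parentheses in a rendered filter still balance."""
    depth = 0
    for ch in filter_str:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    # Constructed sample values: a login name and the DN the login module
    # would have resolved for it.
    login = "jdoe@company-1234.com"
    user_dn = "CN=jdoe,OU=Users,DC=company-1234,DC=com"
    print(render_filter(BASE_FILTER, login))
    print(render_filter(ROLE_FILTER, login, user_dn))
    # A login name with filter metacharacters stays a literal search value.
    print(render_filter(BASE_FILTER, "x)(objectClass=*"))
```

The {0}/{1} numbering is positional: the jBPM callback's user filter gets only the login name, so a template that references {1} there would fail with the IndexError above rather than silently searching for the wrong value.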

        • 1. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
          swiderski.maciej

          I believe this is a bug in LDAPUserGroupCallbackImpl that simply does not bind with the given credentials. Could you please check if there is a JIRA for it, and if not, file one so we can track and fix it.

           

          Cheers

          • 2. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
            aemdtuc

            Thanks for the reply.

             

            I've looked for a jira and there's none related to it.

             

            I've opened a jira as you requested, here's the link to it:

             

            https://issues.jboss.org/browse/JBPM-4016

             

            Regards,

             

            Eduardo

            • 3. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
              swiderski.maciej

              As this is indeed a bug, you should be able to work around it by specifying the following properties as part of the jbpm.usergroup.callback.properties file:

              java.naming.security.principal=your username for ldap

              java.naming.security.credentials=your password for ldap

              That should allow binding to an LDAP that requires authentication.

              HTH

              • 4. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                aemdtuc

                Wow, you're fast!

                 

                Thanks for the solution, I'll try it tomorrow.

                If anything still fails, I'll come back!

                 

                Thanks

                • 5. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                  aemdtuc

                  Now I'm having a hard time with another thing, and I'm not sure why.

                   

                  ERROR [stderr] (Thread-131) javax.naming.InvalidNameException: ldap.role.ctx: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
                  ERROR [stderr] (Thread-131)     'ldap.role.ctx'
                  ERROR [stderr] (Thread-131) ]; remaining name 'ldap.role.ctx'
                  ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
                  ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
                  ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.processReturnCode(Unknown Source)
                  ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.searchAux(Unknown Source)
                  ERROR [stderr] (Thread-131) at com.sun.jndi.ldap.LdapCtx.c_search(Unknown Source)
                  ERROR [stderr] (Thread-131) at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(Unknown Source)
                  ERROR [stderr] (Thread-131) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
                  ERROR [stderr] (Thread-131) at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(Unknown Source)
                  ERROR [stderr] (Thread-131) at javax.naming.directory.InitialDirContext.search(Unknown Source)
                  ERROR [stderr] (Thread-131) at org.jbpm.task.identity.LDAPUserGroupCallbackImpl.getGroupsForUser(LDAPUserGroupCallbackImpl.java:245)
                  ERROR [stderr] (Thread-131) at org.jbpm.task.service.TaskServiceSession.doCallbackGroupsOperation(TaskServiceSession.java:1568)
                  ERROR [stderr] (Thread-131) at org.jbpm.task.service.TaskServiceSession.doUserGroupCallbackOperation(TaskServiceSession.java:1213)
                  ERROR [stderr] (Thread-131) at org.jbpm.task.service.TaskServiceSession.getTasksAssignedAsPotentialOwnerByStatus(TaskServiceSession.java:794)
                  ERROR [stderr] (Thread-131) at org.jbpm.task.service.TaskServerHandler.messageReceived(TaskServerHandler.java:359)
                  ERROR [stderr] (Thread-131) at org.jbpm.task.service.hornetq.HornetQTaskServerHandler.messageReceived(HornetQTaskServerHandler.java:43)
                  ERROR [stderr] (Thread-131) at org.jbpm.task.service.hornetq.BaseHornetQTaskServer.run(BaseHornetQTaskServer.java:104)
                  ERROR [stderr] (Thread-131) at java.lang.Thread.run(Unknown Source)
                  

                   

                  Do you know what it is about?!

                   

                  My properties file now looks like this:

                   

                  java.naming.security.principal=user\\userread
                  java.naming.security.credentials=passwd
                  ldap.user.ctx=
                  ldap.role.ctx=
                  ldap.user.filter=(&(objectClass\=user)(userPrincipalName\={0}))
                  ldap.role.filter=
                  ldap.user.roles.filter=(&(objectClass\=group)(member\:1.2.840.113556.1.4.1941\:\={0}))
                  java.naming.provider.url=ldap://domain\:port
                  

                   

                  I already tried setting ldap.role.ctx and ldap.user.ctx, but I always get the same error message.

                   

                  Thanks in advance

                  • 6. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                    swiderski.maciej

                    When you look at the Java docs for the LDAP callback, you'll notice that some of the parameters are mandatory. In fact, both ldap.user.ctx and ldap.role.ctx are mandatory, so you need to specify the context in LDAP that the callback should search for users and groups/roles. Once you specify that, it should be able to access and fetch data correctly. You could simplify testing of the LDAP settings by creating tests similar to the ones jBPM has.

                     

                    HTH

                    • 7. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                      aemdtuc

                      Sorry, but as I said, I already tried specifying ldap.role.ctx and ldap.user.ctx, and I still have the same error message.

                      • 8. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                        swiderski.maciej

                        What value have you assigned to ldap.user.ctx and ldap.role.ctx?

                        It should be something like: OU\=Users,OU\=Company Users,OU\=Company,DC\=company-1234,DC\=com

                        So it must be valid LDAP syntax.

                        HTH

                        • 9. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                          aemdtuc

                          I have something like:

                           

                          ldap.user.ctx=OU\=Company,DC\=company-1234,DC\=com

                          ldap.role.ctx=OU\=Company,DC\=company-1234,DC\=com

                           

                          I only included the start of the ctx, because the start is the same, but then different users can be in different OUs, and the same goes for roles.

                          Is it wrong?! That's why I don't actually include a role or user ctx, as you can see in my JBoss standalone.xml.

                           

                          Thanks for the help!

                          • 10. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                            swiderski.maciej

                            Looking at the error:

                             

                            ERROR [stderr] (Thread-131) javax.naming.InvalidNameException: ldap.role.ctx: [LDAP: error code 34 - 0000208F: NameErr: DSID-031001BA, problem 2006 (BAD_NAME), data 8350, best match of:
                            ERROR [stderr] (Thread-131)     'ldap.role.ctx'
                            ERROR [stderr] (Thread-131) ]; remaining name 'ldap.role.ctx'

                             

                            It clearly says it's using ldap.role.ctx as the value when searching for the context, and data code 8350 means "DN format is incorrect", so there must be something incorrect in the configuration.

                             

                            HTH

                            • 11. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                              aemdtuc

                              So the file looks the way I mentioned above, but with the ldap.user.ctx and ldap.role.ctx defined in my last reply.

                               

                              I've tried changing the position where ldap.role.ctx was defined to see if the problem came from another line, and also tried including the complete path to the roles, but I still have the same error message.

                              Any other ideas?!

                               

                              Thanks

                              • 12. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                                aemdtuc

                                So I figured out what was wrong.

                                 

                                I tried using ldap.user.roles.ctx instead of ldap.role.ctx and the error message is gone.

                                Looking at the class implementation, I saw at line 236: https://github.com/droolsjbpm/jbpm/blob/5.4.x/jbpm-human-task/jbpm-human-task-core/src/main/java/org/jbpm/task/identity/LDAPUserGroupCallbackImpl.java

                                 

                                String roleContext = this.config.getProperty(USER_ROLES_CTX, ROLE_CTX);
                                

                                 

                                It tries to get the value for the key USER_ROLES_CTX; if this key is not in the property list, then it uses ROLE_CTX as the default VALUE. This means it doesn't look up ROLE_CTX in the property list.

                                And that's why I get such an error message.

                                This is a bug; should I open a JIRA?!

                                 

                                Regards,

                                Eduardo

                                • 13. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                                  swiderski.maciej

                                  This is not a bug; this is intended behavior. The code you pointed out is about finding the roles that a user belongs to, and that's why it has an additional property (ldap.user.roles.ctx) that is optional; if it is not given, the regular context for roles will be used. Please ensure that you provide all mandatory properties in your configuration file (see the Java docs given previously); otherwise you'll experience different issues.

                                   

                                  HTH

                                  • 14. Re: JBPM + LDAP - can login, but HumanTask error appears in the jboss log
                                    swiderski.maciej

                                    This might be because you still declare the property in the configuration file but with an empty value, so the handler will consider it an existing property with an empty string as its value. So make sure that optional fields you don't use are removed (or commented out) in the config file.

                                     

                                    HTH
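A checker for jbpm.usergroup.callback.properties that applies the rules the replies above state, as an added example in Python (not jBPM code): reply 3's bind credentials must be present, reply 6's ldap.user.ctx and ldap.role.ctx must be non-empty DNs (a bare word like the one in reply 10's BAD_NAME trace fails the DN check), and, per reply 14, a key that is declared with an empty value still counts as present, so unused keys should be removed rather than blanked. Values are read with Java .properties escaping, which is why the `\=`, `\:` and `\\` sequences in the posted files come out as plain characters. The key names are the ones used in the thread; the two sample files are constructed, the first mirroring reply 5's file.

```python
"""Checker for jbpm.usergroup.callback.properties (added example, not jBPM code).

Reads the file with Java .properties escaping and reports: missing bind
credentials, mandatory contexts that are empty or not in DN syntax, and
keys that are present but empty. Sample files below are constructed.
"""
import re

BIND_KEYS = ("java.naming.security.principal", "java.naming.security.credentials")
MANDATORY_DN_KEYS = ("ldap.user.ctx", "ldap.role.ctx")
DN_KEYS = MANDATORY_DN_KEYS + ("ldap.user.roles.ctx",)  # DN-valued when given


def parse_java_properties(text):
    """Minimal Java .properties reader: '#'/'!' comment lines, key/value split
    on the first unescaped '=' or ':', and a backslash makes the next
    character literal (so an escaped '=' or ':' stays in the key or value)."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, value, escaped, in_key = [], [], False, True
        for ch in line:
            if escaped:                       # previous char was a backslash
                (key if in_key else value).append(ch)
                escaped = False
            elif ch == "\\":
                escaped = True
            elif in_key and ch in "=:":       # first unescaped separator
                in_key = False
            else:
                (key if in_key else value).append(ch)
        props["".join(key).strip()] = "".join(value).strip()
    return props


_RDN = re.compile(r"^[A-Za-z][A-Za-z0-9.-]*=.+$")


def is_dn(value):
    """Loose RFC 4514 shape check: comma-separated attr=value RDNs. A bare
    word such as 'ldap.role.ctx' fails, which is the shape the directory
    rejected with BAD_NAME (data 8350) in the thread's stack trace."""
    if not value:
        return False
    rdns = re.split(r"(?<!\\),", value)       # split on unescaped commas only
    return all(_RDN.match(r.strip()) for r in rdns)


def validate(props):
    """Return the list of problems found; an empty list means the checks pass."""
    problems = []
    for k in BIND_KEYS:
        if not props.get(k):
            problems.append(f"{k}: missing, the callback would search without binding")
    for k in MANDATORY_DN_KEYS:
        if not props.get(k):
            problems.append(f"{k}: mandatory and must be a non-empty DN")
    for k in DN_KEYS:
        if props.get(k) and not is_dn(props[k]):
            problems.append(f"{k}: {props[k]!r} is not in DN syntax (BAD_NAME)")
    for k, v in props.items():
        if v == "" and k not in MANDATORY_DN_KEYS:
            problems.append(f"{k}: present but empty; remove or comment it out")
    return problems


def check_text(text):
    """Parse and validate a properties file given as text."""
    return validate(parse_java_properties(text))


# Constructed sample mirroring reply 5: contexts left blank, role filter empty.
SAMPLE_BROKEN = r"""
java.naming.security.principal=user\\userread
java.naming.security.credentials=passwd
ldap.user.ctx=
ldap.role.ctx=
ldap.user.filter=(&(objectClass\=user)(userPrincipalName\={0}))
ldap.role.filter=
ldap.user.roles.filter=(&(objectClass\=group)(member\:1.2.840.113556.1.4.1941\:\={0}))
java.naming.provider.url=ldap://domain\:port
"""

# Same file with the contexts filled in (constructed DN) and the unused key removed.
SAMPLE_FIXED = r"""
java.naming.security.principal=user\\userread
java.naming.security.credentials=passwd
ldap.user.ctx=OU\=Company,DC\=company-1234,DC\=com
ldap.role.ctx=OU\=Company,DC\=company-1234,DC\=com
ldap.user.filter=(&(objectClass\=user)(userPrincipalName\={0}))
ldap.user.roles.filter=(&(objectClass\=group)(member\:1.2.840.113556.1.4.1941\:\={0}))
java.naming.provider.url=ldap://domain\:port
"""

if __name__ == "__main__":
    for name, sample in (("broken", SAMPLE_BROKEN), ("fixed", SAMPLE_FIXED)):
        print(name, check_text(sample) or "OK")
```

Running it on the first sample reports the two empty mandatory contexts and the empty ldap.role.filter; the second sample passes. The DN check is deliberately loose (it only verifies the attr=value,attr=value shape), so a context that passes here can still be wrong for the directory, but one that fails here will be rejected before any search is attempted.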
