LDAP Auth for Bonita BPM Community


I'm looking for LDAP authentication for the Bonita BPM version 6.5 community (non-subscription) edition. Has anyone been able to do this and can steer me to something that will work?

3 answers

This one is the BEST answer!

I was able to get BonitaSoft community edition to talk to our college's Active Directory server. The code isn't very clean and I am VERY much a newbie at java coding. However, here's what I did:

  1. I compiled the 6.3.8 version using the instructions mentioned in this thread.

  2. I couldn't successfully compile all the 6.3.8 code for some reason. The portal stuff failed. But the auth code is in the bonita-engine section. Since I was able to get that far, I proceeded to add some LDAP code. I added it to AuthenticationServiceImpl.java, located in the BonitaBPM-build-6-3-8/bonita-engine/services/bonita-authentication/bonita-authentication-api-impl/src/main/java/org/bonitasoft/engine/authentication/impl directory of the source code. The reason I did not write my own java class was because A) I'm a newbie and wanted to write as little as possible, and B) I wanted the ldap code to "fall through" to the standard authentication, in case someone was logging in with an admin, technical, or portal admin account. PLEASE NOTE that this setup requires that the end users in your Bonita organization have usernames that exactly match the SAMAccountname in Active Directory.

  3. The easiest-to-use ldap api for java I could find was the Apache Directory LDAP API. So I first wrote my code in Eclipse to ensure that I could talk to my Active Directory server. Since there isn't an easy "bind as user" function in this api, I first bind as a bind user, then search for the end user's name as passed into AuthenticationServiceImpl. The search returns a complete DN for that user, and I bind using that complete DN and the password passed into AuthenticationServiceImpl.

  4. I modified the pom.xml located in BonitaBPM-build-6-3-8/bonita-engine/services/bonita-authentication/bonita-authentication-api-impl to include a dependency for the apache ldap API:

```xml
<dependency>
  <groupId>org.apache.directory.api</groupId>
  <artifactId>api-all</artifactId>
  <version>1.0.0-M30</version>
</dependency>
```

  5. I re-compiled the stuff in bonita-engine until I got everything to work right. I then dropped the new .jar file found in BonitaBPM-build-6-3-8/bonita-engine/bpm/bonita-server/target/ into /opt/BonitaBPMCommunity-6.3.8-Tomcat-6.0.37/webapps/bonita/WEB-INF/lib/, along with all the apache ldap .jar files.

  6. Here is AuthenticationServiceImpl, as modified by me:

```java
/**
 * Copyright (C) 2011-2012, 2014 BonitaSoft S.A.
 * BonitaSoft, 32 rue Gustave Eiffel - 38000 Grenoble
 * This library is free software; you can redistribute it and/or modify it under the terms
 * of the GNU Lesser General Public License as published by the Free Software Foundation
 * version 2.1 of the License.
 * This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 * You should have received a copy of the GNU Lesser General Public License along with this
 * program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 * Floor, Boston, MA 02110-1301, USA.
 **/
package org.bonitasoft.engine.authentication.impl;

import java.io.Serializable;
import java.util.Map;

import org.bonitasoft.engine.authentication.AuthenticationConstants;
import org.bonitasoft.engine.authentication.GenericAuthenticationService;
import org.bonitasoft.engine.commons.LogUtil;
import org.bonitasoft.engine.identity.IdentityService;
import org.bonitasoft.engine.identity.SUserNotFoundException;
import org.bonitasoft.engine.identity.model.SUser;
import org.bonitasoft.engine.log.technical.TechnicalLogSeverity;
import org.bonitasoft.engine.log.technical.TechnicalLoggerService;

/*
 * Apache LDAP API imports (api-all 1.0.0-M30, declared in the pom.xml dependency above):
 */
import org.apache.directory.api.ldap.model.cursor.CursorException;
import org.apache.directory.api.ldap.model.cursor.SearchCursor;
import org.apache.directory.api.ldap.model.entry.Entry;
import org.apache.directory.api.ldap.model.exception.LdapException;
import org.apache.directory.api.ldap.model.filter.FilterEncoder;
import org.apache.directory.api.ldap.model.message.Response;
import org.apache.directory.api.ldap.model.message.SearchRequest;
import org.apache.directory.api.ldap.model.message.SearchRequestImpl;
import org.apache.directory.api.ldap.model.message.SearchResultEntry;
import org.apache.directory.api.ldap.model.message.SearchScope;
import org.apache.directory.api.ldap.model.name.Dn;
import org.apache.directory.ldap.client.api.LdapConnection;
import org.apache.directory.ldap.client.api.LdapNetworkConnection;

/**
 * @author Elias Ricken de Medeiros
 * @author Matthieu Chaffotte
 * @author Hongwen Zang
 * @author Julien Reboul
 * @author Celine Souchet
 */
public class AuthenticationServiceImpl implements GenericAuthenticationService {

    private final IdentityService identityService;

    private final TechnicalLoggerService logger;

    // LDAP settings. Hard-coded for now; see the note after the listing about moving them to a .conf file.
    private final String lDAPServer = "put.your.hostname.here";
    private final int lDAPPort = 389;
    private final String bindString = "CN=put,OU=your,OU=full,OU=bind,DC=user,DC=dn,DC=here";
    private final String bindPassword = "binduserpasswordgoeshere";
    private final String baseDN = "dc=enduser, dc=base, dc=dn";

    public AuthenticationServiceImpl(final IdentityService identityService, final TechnicalLoggerService logger) {
        this.identityService = identityService;
        this.logger = logger;
    }

    /**
     * @see org.bonitasoft.engine.authentication.GenericAuthenticationService#checkUserCredentials(java.util.Map)
     */
    @Override
    public String checkUserCredentials(final Map<String, Serializable> credentials) {
        final String methodName = "checkUserCredentials";
        try {
            final String password = String.valueOf(credentials.get(AuthenticationConstants.BASIC_PASSWORD));
            final String userName = String.valueOf(credentials.get(AuthenticationConstants.BASIC_USERNAME));
            final SUser user = identityService.getUserByUserName(userName);
            if (logger.isLoggable(this.getClass(), TechnicalLogSeverity.TRACE)) {
                logger.log(this.getClass(), TechnicalLogSeverity.TRACE, LogUtil.getLogBeforeMethod(this.getClass(), methodName));
            }
            /**
             * Ldap code (this call and the authenticateAgainstLdap, firstEntryDn, bindAsUser,
             * closeQuietly and logWarning methods below) is
             * Copyright (C) 2015 Snow College
             * 150 E. College Ave., Ephraim, UT
             * This ldap code is free software; you can redistribute it and/or modify it under the terms
             * of the GNU Lesser General Public License as published by the Free Software Foundation
             * version 2.1 of the License.
             * This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
             * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
             * See the GNU Lesser General Public License for more details.
             * You should have received a copy of the GNU Lesser General Public License along with this
             * program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
             * Floor, Boston, MA 02110-1301, USA.
             */
            /*
             * Check via LDAP first. If the server can't be contacted, the user isn't found,
             * or the user's own bind fails, fall through to the static database check below.
             */
            if (authenticateAgainstLdap(userName, password)) {
                if (logger.isLoggable(this.getClass(), TechnicalLogSeverity.TRACE)) {
                    logger.log(this.getClass(), TechnicalLogSeverity.TRACE, LogUtil.getLogAfterMethod(this.getClass(), methodName));
                }
                return userName;
            }
            /**
             * END OF LDAP SECTION. Even if LDAP authentication wasn't successful,
             * we still need to try the non-LDAP (i.e., admin) accounts:
             */
            if (identityService.chechCredentials(user, password)) {
                if (logger.isLoggable(this.getClass(), TechnicalLogSeverity.TRACE)) {
                    logger.log(this.getClass(), TechnicalLogSeverity.TRACE, LogUtil.getLogAfterMethod(this.getClass(), methodName));
                }
                return userName;
            }
            if (logger.isLoggable(this.getClass(), TechnicalLogSeverity.TRACE)) {
                logger.log(this.getClass(), TechnicalLogSeverity.TRACE, LogUtil.getLogAfterMethod(this.getClass(), methodName));
            }
        } catch (final SUserNotFoundException sunfe) {
            if (logger.isLoggable(this.getClass(), TechnicalLogSeverity.TRACE)) {
                logger.log(this.getClass(), TechnicalLogSeverity.TRACE, LogUtil.getLogOnExceptionMethod(this.getClass(), methodName, sunfe));
            }
        }
        return null;
    }

    /**
     * Search-then-bind: bind as the service (bind) user, look the end user up by
     * sAMAccountName, then bind again as the DN that came back. Returns true only
     * when that second bind succeeds; every other outcome returns false so the
     * caller falls through to the static check.
     */
    private boolean authenticateAgainstLdap(final String userName, final String password) {
        // A simple bind with a DN and an empty password is an anonymous ("unauthenticated")
        // bind, which the server reports as success. Never let it reach bind().
        if (password == null || password.isEmpty()) {
            return false;
        }
        final LdapConnection connection = new LdapNetworkConnection(lDAPServer, lDAPPort);
        try {
            connection.bind(bindString, bindPassword);

            final SearchRequest req = new SearchRequestImpl();
            req.setScope(SearchScope.SUBTREE);
            req.addAttributes("1.1"); // "1.1" = no attributes; the entry's DN is returned regardless
            req.setTimeLimit(0);
            req.setBase(new Dn(baseDN));
            // Escape the value (RFC 4515) so a user name cannot alter the filter's meaning.
            req.setFilter("(sAMAccountName=" + FilterEncoder.encodeFilterValue(userName) + ")");

            final String userBindDN = firstEntryDn(connection.search(req));
            if (userBindDN == null) {
                logWarning("no LDAP entry found for userName: " + userName, null);
                return false;
            }
            return bindAsUser(userBindDN, password);
        } catch (final LdapException e) {
            logWarning("LDAP bind or search failed for userName: " + userName, e);
            return false;
        } catch (final CursorException e) {
            logWarning("failed to read the LDAP search result for userName: " + userName, e);
            return false;
        } finally {
            closeQuietly(connection, "bind user connection");
        }
    }

    /** Returns the DN of the first entry in the cursor, or null when the search matched nothing. */
    private static String firstEntryDn(final SearchCursor searchCursor) throws LdapException, CursorException {
        try {
            while (searchCursor.next()) {
                final Response response = searchCursor.get();
                if (response instanceof SearchResultEntry) {
                    final Entry resultEntry = ((SearchResultEntry) response).getEntry();
                    return resultEntry.getDn().getName();
                }
            }
            return null;
        } finally {
            try {
                searchCursor.close();
            } catch (final Exception ignored) {
                // nothing useful to do if the cursor will not close
            }
        }
    }

    /** Opens a fresh connection and binds as the end user; the bind result is the authentication result. */
    private boolean bindAsUser(final String userBindDN, final String password) {
        final LdapConnection userConnection = new LdapNetworkConnection(lDAPServer, lDAPPort);
        try {
            userConnection.bind(userBindDN, password);
            return true;
        } catch (final LdapException e) {
            logWarning("end user failed to bind as " + userBindDN, e);
            return false;
        } finally {
            closeQuietly(userConnection, "user connection for " + userBindDN);
        }
    }

    private void closeQuietly(final LdapConnection connection, final String what) {
        try {
            connection.close(); // declares IOException in this version of the API
        } catch (final Exception e) {
            logWarning("unable to close LDAP " + what, e);
        }
    }

    private void logWarning(final String message, final Exception e) {
        if (!logger.isLoggable(this.getClass(), TechnicalLogSeverity.WARNING)) {
            return;
        }
        if (e == null) {
            logger.log(this.getClass(), TechnicalLogSeverity.WARNING, message);
        } else {
            logger.log(this.getClass(), TechnicalLogSeverity.WARNING, message, e);
        }
    }
}
```

  7. The code could be improved by making it refer to a .conf file to get the ldap host, the ldap bind user name and password, bind dn, end user dn suffix, etc.
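The search-then-bind flow described in this answer, with its fall-through to the built-in accounts, as an added example that is not code from the answer, from Bonita or from the Apache Directory API. It is written in Python against a constructed in-memory directory so it runs offline, and it shows the two checks the flow needs to fail closed: the user name is escaped before it goes into the search filter (RFC 4515), and an empty password is rejected before any bind, because a simple bind with a DN and no password is an anonymous bind (RFC 4513) that a directory reports as success. All DNs, passwords and account names are constructed.

```python
"""Search-then-bind LDAP authentication with a fall-through to the local account
store, following the flow described in the answer above. Added example, not code
from the post or from Bonita: the directory, credentials and local accounts are
constructed stand-ins. Filter escaping follows RFC 4515 section 3; the empty
password rule follows RFC 4513 section 5.1.2 (a simple bind with a DN and no
password is an "unauthenticated" bind, which a directory may report as success).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


class LdapError(Exception):
    """Stands in for the client library's LdapException."""


def escape_filter_value(value: str) -> str:
    """Escape one assertion value for use inside a search filter (RFC 4515)."""
    special = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
    return "".join(special.get(ch, ch) for ch in value)


def _unescape(value: str) -> str:
    """Reverse of escape_filter_value, used only by the stand-in directory."""
    out, i = [], 0
    while i < len(value):
        hex_escape = value[i] == "\\" and i + 2 < len(value)
        out.append(chr(int(value[i + 1:i + 3], 16)) if hex_escape else value[i])
        i += 3 if hex_escape else 1
    return "".join(out)


@dataclass
class FakeDirectory:
    """Constructed stand-in for AD: entries maps user DN -> (sAMAccountName, password)."""
    entries: Dict[str, Tuple[str, str]]
    service_dn: str
    service_password: str
    reachable: bool = True

    def bind(self, dn: str, password: str) -> bool:
        if not self.reachable:
            raise LdapError("connection refused")
        if password == "":
            return True  # unauthenticated bind is reported as success (RFC 4513 5.1.2)
        if dn == self.service_dn:
            return password == self.service_password
        entry = self.entries.get(dn)
        return entry is not None and entry[1] == password

    def search(self, base_dn: str, ldap_filter: str) -> List[str]:
        """Return the DNs under base_dn matching an (sAMAccountName=<value>) filter."""
        if not self.reachable:
            raise LdapError("connection refused")
        prefix = "(sAMAccountName="
        if not (ldap_filter.startswith(prefix) and ldap_filter.endswith(")")):
            raise LdapError("filter shape not supported by the stand-in")
        wanted = _unescape(ldap_filter[len(prefix):-1]).lower()
        return [dn for dn, (sam, _) in self.entries.items()
                if sam.lower() == wanted and dn.lower().endswith(base_dn.lower())]


def authenticate(directory: FakeDirectory, bind_dn: str, bind_password: str, base_dn: str,
                 username: str, password: str, local_check: Callable[[str, str], bool]) -> Optional[str]:
    """Return username if LDAP or the local store accepts the credentials, else None.

    LDAP succeeds only on exactly one match AND a successful bind as that DN with a
    non-empty password; anything else falls through to local_check (admin accounts).
    """
    if password:  # an empty password must never reach bind()
        try:
            if directory.bind(bind_dn, bind_password):
                ldap_filter = "(sAMAccountName=%s)" % escape_filter_value(username)
                matches = directory.search(base_dn, ldap_filter)
                if len(matches) == 1 and directory.bind(matches[0], password):
                    return username
        except LdapError:
            pass  # directory unreachable: fall through to the local store
    return username if local_check(username, password) else None


# Constructed sample data
SVC_DN, SVC_PW, BASE_DN = "CN=bonita-svc,OU=Service,DC=example,DC=test", "svc-pw-constructed", "DC=example,DC=test"
DIRECTORY = FakeDirectory({"CN=Jane Doe,OU=Staff,DC=example,DC=test": ("jdoe", "jane-pw-constructed")},
                          SVC_DN, SVC_PW)
LOCAL_ACCOUNTS = {"admin": "local-admin-pw-constructed"}


def local_check(username: str, password: str) -> bool:
    return LOCAL_ACCOUNTS.get(username) == password


def demo() -> Dict[str, Optional[str]]:
    def attempt(directory, username, password):
        return authenticate(directory, SVC_DN, SVC_PW, BASE_DN, username, password, local_check)
    down = FakeDirectory({}, SVC_DN, SVC_PW, reachable=False)
    return {
        "ad_ok": attempt(DIRECTORY, "jdoe", "jane-pw-constructed"),
        "ad_wrong_pw": attempt(DIRECTORY, "jdoe", "wrong"),
        "ad_empty_pw": attempt(DIRECTORY, "jdoe", ""),
        "local_admin": attempt(DIRECTORY, "admin", "local-admin-pw-constructed"),
        "ldap_down_admin": attempt(down, "admin", "local-admin-pw-constructed"),
        "wildcard_name": attempt(DIRECTORY, "*", "jane-pw-constructed"),
    }
```

Running `demo()` returns a name only for the directory user with the right password and for the local admin (including when the directory is unreachable); the wrong-password, empty-password and `*` cases all come back as `None`, which is the fail-closed behaviour the Java listing needs at the point where it returns the user name after the second bind.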

Comments

Submitted by Sean McP on Thu, 05/28/2015 - 05:31

All I can say is WOW, what a wonderful piece of community spirit.

Thank you Phil, for trying it, for getting it working, and finally, for publishing it.

I, like you, am not a JAVA programmer but have learnt along the way... :)

In the same spirit I offer the following (Groovy) code that could be modified to easily refer to a properties file for the configuration etc.

In it I also use an include from jasypt.org for an encrypted properties file. Please see their website for more details.

The config file must be placed in directory "/webapps/myCompany/properties/" and would be formatted as follows:

```properties
ldap.lDAPServer=put.your.hostname.here
ldap.lDAPPort=389
ldap.bindString=CN=put,OU=your,OU=full,OU=bind,DC=user,DC=dn,DC=here
ldap.bindPassword=binduserpasswordgoeshere
ldap.baseDN=dc=enduser, dc=base, dc=dn
ldap.userBindDN=
```

An encrypted version of the above file could look like:

```properties
ldap.lDAPServer=ENC(sknva;uhga;kjgbs41fg)
ldap.lDAPPort=ENC(fghfsdbf7575)
ldap.bindString=ENC(7686fkrhfgis7fgsdhg7htlsghlsrs5ths8yghgliitg78hslghhgl578thsl)
ldap.bindPassword=ENC(zkbfkvuygr7gha7tyafbhdflbas78tyaufh2983208rz.uziluhgzr7gh)
ldap.baseDN=ENC(zjhbvzkvbz7vl;a84th;afubvzlbhtg84h;t;s;uvhbz;rg)
ldap.userBindDN=ENC(sdfdfs)
```

The Groovy properties code, which is really a subroutine I use to pull text from language files (if you add this to Development->Manage Groovy Scripts you can use it in your scripts to get values from multiple properties files using String myString = myGroovyText.getProperty("myTextKey");), **must** be modified to work in the ldap code above:

```groovy
/**
 * Copyright (C) 2015 Gubernare Ltd.,
 * London, United Kingdom
 *
 * This code is free software; you can redistribute it and/or modify it under the terms
 * of the GNU Lesser General Public License as published by the Free Software Foundation
 * version 2.1 of the License.
 *
 * This code is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
 * without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 * See the GNU Lesser General Public License for more details.
 *
 * You should have received a copy of the GNU Lesser General Public License along with this
 * program; if not, write to the Free Software Foundation, Inc., 51 Franklin Street, Fifth
 * Floor, Boston, MA 02110-1301, USA.
 */

import org.jasypt.encryption.pbe.StandardPBEStringEncryptor
import org.jasypt.properties.EncryptableProperties

import java.util.logging.Logger
import java.util.regex.Pattern

def static getPropertyString(String key) {

    Logger logger = Logger.getLogger("org.bonitasoft")
    int d = 0
    boolean debug = false // change to true for logging
    def thisModule = " getPropertyString: "

    // preamble - work out the Tomcat home, because CATALINA_HOME can sometimes NOT be set
    String catalinaHome = System.getProperty("CATALINA_HOME")
    String catalinaPath = System.getProperty("CATALINA_PATH")
    if (debug) { d++; logger.severe(d + thisModule + ": CATALINA_HOME: " + catalinaHome) }
    if (debug) { d++; logger.severe(d + thisModule + ": CATALINA_PATH: " + catalinaPath) }

    if (catalinaHome == null && catalinaPath == null) {
        if (debug) { d++; logger.severe(d + thisModule + ": CATASTROPHIC ERROR CATALINA not found, deriving it from the class path") }
        String strClassPath = System.getProperty("java.class.path")
        if (debug) { d++; logger.severe(d + thisModule + ": strClassPath: " + strClassPath) }
        // 20150201 new version to get to webapps - START
        // the class path is usually several entries joined with the path separator
        // (';' on Windows, ':' elsewhere); a single entry simply splits into one element
        for (String singleCatHome : strClassPath.split(Pattern.quote(File.pathSeparator))) {
            if (debug) { d++; logger.severe(d + thisModule + "singleCatHome : " + singleCatHome) }
            int binIndex = singleCatHome.indexOf("bin")
            if (binIndex != -1) {
                // strip everything from "bin" onwards and look for a sibling webapps directory
                String noBin = singleCatHome.substring(0, binIndex)
                File f = new File(noBin + "webapps")
                if (debug) { d++; logger.severe(d + thisModule + "noBin (webapps): " + noBin + "webapps") }
                if (f.exists() && f.isDirectory()) {
                    if (debug) { d++; logger.severe(d + thisModule + "singleCatHome Found webapps : " + noBin + "webapps") }
                    catalinaHome = noBin
                }
            }
        }
        // 20150201 new version to get to webapps - END
    } else if (catalinaHome == null && catalinaPath != null) {
        if (debug) { d++; logger.severe(d + thisModule + "Set Home = Path") }
        catalinaHome = catalinaPath
    } else {
        // we have a CatalinaHome - but is it several entries joined together?
        for (String singleCatHome : catalinaHome.split(Pattern.quote(File.pathSeparator))) {
            if (debug) { d++; logger.severe(d + thisModule + "CatalinaHome : " + singleCatHome) }
            if (singleCatHome.indexOf("webapps") != -1) {
                if (debug) { d++; logger.severe(d + thisModule + "CatalinaHome Found webapps : " + singleCatHome) }
                catalinaHome = singleCatHome
            }
        }
    }

    // set encryption - the jasypt master password that unlocks the ENC(...) values
    StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor()
    encryptor.setPassword("myPassword")
    Properties propsEnc = new EncryptableProperties(encryptor)

    // set locale - defaults
    String defaultLang = "en"
    String defCountry = "US"

    Locale locale = Locale.getDefault()
    String lang = locale.getLanguage()
    String country = locale.getCountry()

    String propertiesDir = "/webapps/myCompany/properties/"
    String fileNameEncrypted = "fileNameEncrypted_"
    String fileNameNotEncrypted = "fileNameNotEncrypted_"

    // candidate files in order of preference: encrypted before plain; within each,
    // the current locale, then the default locale, then the locale-less file
    List<String> candidates = [
        propertiesDir + fileNameEncrypted + lang + "_" + country + ".properties",
        propertiesDir + fileNameEncrypted + defaultLang + "_" + defCountry + ".properties",
        propertiesDir + fileNameEncrypted + ".properties",
        propertiesDir + fileNameNotEncrypted + lang + "_" + country + ".properties",
        propertiesDir + fileNameNotEncrypted + defaultLang + "_" + defCountry + ".properties",
        propertiesDir + fileNameNotEncrypted + ".properties"
    ]

    try { // 1
        boolean loaded = false
        for (String candidate : candidates) {
            File f = new File(catalinaHome + candidate)
            if (debug) { d++; logger.severe(d + thisModule + ": try: " + f.getPath()) }
            if (!f.isFile()) {
                continue
            }
            f.withInputStream { input -> propsEnc.load(input) }
            loaded = true
            break
        }
        if (!loaded) {
            logger.severe(thisModule + ": fileNameNotEncrypted.properties Error (E5-0): File Not Found: none of " + candidates)
            logger.severe(thisModule + ": fileNameNotEncrypted.properties Error (E5-1): File Not Found: " + catalinaHome + candidates.last())
            return "Error (e5): fileNameNotEncrypted.properties Error (E5): File Not Found"
        }

        try {
            if (debug) { d++; logger.severe(d + thisModule + ": Key: " + key) }
            return propsEnc.getProperty(key) // ENC(...) values are decrypted here by EncryptableProperties
        } catch (Exception ex6) {
            logger.severe(thisModule + ": Error (ex6): Message Not Found: " + key + " - " + ex6.toString())
            return "Error (ex6): Message Not Found: " + key
        }

    } catch (Exception ex0) {
        logger.severe(thisModule + ": Fatal Error (EX0): File Not Found: " + ex0.toString())
        return ": Fatal Error (EX0): File Not Found: "
    }
}
```

Hope it helps, regards

Seán
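The lookup order and the ENC(...) handling from the comment above, as an added example that is not code from the comment, from jasypt or from Bonita. It is written in Python against a constructed dictionary that stands in for the files under CATALINA_HOME, so the precedence chain (encrypted before plain; current locale, then default locale, then the locale-less file) can be checked offline. It also shows the one parsing detail the sample file above depends on: the values are DNs that contain `=` themselves, so a line must be split on its first `=` only. The file names, contents and locale are constructed, and `_stand_in_decrypt` replaces jasypt's StandardPBEStringEncryptor.decrypt.

```python
"""Loading LDAP settings from a .properties file with the same lookup order as the
Groovy routine above (encrypted before plain; current locale, then default locale,
then the locale-less file) and resolving jasypt-style ENC(...) values.

Added example, not code from the comment, from jasypt or from Bonita. The file
names, contents and locale are constructed; _stand_in_decrypt replaces
StandardPBEStringEncryptor.decrypt so the example runs offline.
"""
import base64
import re
from typing import Callable, Dict, List

ENC_RE = re.compile(r"^ENC\((.*)\)$")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties reader for the key=value form used above.

    Split on the FIRST '=' only: DN values such as 'CN=put,OU=your,...' and
    'dc=enduser, dc=base, dc=dn' contain '=' themselves and must stay intact.
    (Escapes, line continuations and ':' separators are not handled.)
    """
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    return props


def candidate_files(directory: str, lang: str, country: str,
                    default_lang: str = "en", default_country: str = "US") -> List[str]:
    """Precedence list matching the Groovy routine's chain of try blocks."""
    order: List[str] = []
    for base in ("fileNameEncrypted_", "fileNameNotEncrypted_"):
        order += [f"{directory}{base}{lang}_{country}.properties",
                  f"{directory}{base}{default_lang}_{default_country}.properties",
                  f"{directory}{base}.properties"]
    return order


def resolve_value(value: str, decrypt: Callable[[str], str]) -> str:
    """Decrypt ENC(...) tokens the way EncryptableProperties does; pass other values through."""
    m = ENC_RE.match(value)
    return decrypt(m.group(1)) if m else value


def load_ldap_config(files: Dict[str, str], directory: str, lang: str, country: str,
                     decrypt: Callable[[str], str]) -> Dict[str, str]:
    """Load the first candidate file that exists and return its resolved ldap.* keys."""
    for path in candidate_files(directory, lang, country):
        if path in files:
            props = parse_properties(files[path])
            return {k: resolve_value(v, decrypt) for k, v in props.items() if k.startswith("ldap.")}
    raise FileNotFoundError(f"no properties file found under {directory}")


# Constructed sample data: FILES stands in for the filesystem under CATALINA_HOME.
def _stand_in_decrypt(token: str) -> str:
    """Placeholder for jasypt PBE decryption: plain base64, demo only, offers no secrecy."""
    return base64.b64decode(token).decode()


def _enc(secret: str) -> str:
    return "ENC(" + base64.b64encode(secret.encode()).decode() + ")"


PROPERTIES_DIR = "/webapps/myCompany/properties/"
FILES = {
    PROPERTIES_DIR + "fileNameEncrypted_en_US.properties": "\n".join([
        "# constructed sample: encrypted file for the default locale",
        "ldap.lDAPServer=ldap.example.test",
        "ldap.lDAPPort=389",
        "ldap.bindString=" + _enc("CN=bonita-svc,OU=Service,DC=example,DC=test"),
        "ldap.bindPassword=" + _enc("svc-pw-constructed"),
        "ldap.baseDN=dc=example, dc=test",
        "ldap.userBindDN=",
    ]),
    PROPERTIES_DIR + "fileNameNotEncrypted_.properties": "ldap.lDAPServer=plain.example.test\n",
}


def demo() -> Dict[str, str]:
    # de_DE has no file of its own, so the encrypted en_US file wins over the plain fallback.
    return load_ldap_config(FILES, PROPERTIES_DIR, "de", "DE", _stand_in_decrypt)
```

With a real deployment the `decrypt` argument would be the jasypt encryptor's `decrypt` method and `files` would be replaced by reads from disk; the rest of the logic, including the first-`=` split that keeps `ldap.bindString` and `ldap.baseDN` whole, stays the same.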

Submitted by phil.allred on Thu, 05/28/2015 - 06:57

Thanks Seán. I'll look at it and see what I can do. It may take me a bit of time to re-post a version that uses a config file -- I'm still a slow java coder :)

Submitted by yasseroemi on Thu, 09/07/2017 - 13:11

Hi,

It would be nice if you could post your project to Github

Regards


the very good developper


Have a look at

http://community.bonitasoft.com/answers/ldap-bonita-65#node-24721

Which will guide you to

http://ironman.darthgibus.net/?p=57 (for 5.x but is an indicator)

regards

Comments

Submitted by phil.allred on Thu, 05/14/2015 - 21:55

Thanks, Sean. I'm going to try to build something. I think that your instructions at: http://documentation.bonitasoft.com/building-bonita-bpm-source-files-0 for version 6.5 may need a few corrections:

  1. There are lots of git libraries that appear to have moved away from 1.0.x to 6.1.x

  2. The pom.xml's bonita-integration-tests/bonita-test-utils/bonita-server-test-utils/pom.xml and bonita-integration-tests/pom.xml make reference to jdbc connectors for microsoft and oracle. However, you must download and install them into a local repository, and then make reference to the local repository as follows, in order to get bonita-engine to build:

```xml
<dependency>
  <groupId>com.oracle</groupId>
  <artifactId>ojdbc6</artifactId>
  <version>11.2.0</version>
  <scope>system</scope>
  <systemPath>/....your user path.../.m2/repository/com/oracle/ojdbc6/11.2.0/ojdbc6-11.2.0.jar</systemPath>
</dependency>
<dependency>
  <groupId>com.microsoft.jdbc</groupId>
  <artifactId>sqlserver</artifactId>
  <version>4.0.2206.100</version>
  <scope>system</scope>
  <systemPath>/...your user path.../.m2/repository/com/microsoft/jdbc/sqlserver/4.0.2206.100/sqlserver-4.0.2206.100.jar</systemPath>
</dependency>
```

  3. The checkout statement for google-calendar-V3 has a typo. It should read: bonita-connector-google-calendar-v3-1.0.0

I'm a novice at java, but I will continue to post info as I proceed.

Submitted by jordan2 on Fri, 05/15/2015 - 14:35

Hi, I plan to connect my LDAP to Bonita as well and I'm going to start coding my own connector. Does it work the same for this bpmn software version (6.5.2) or are there specific implementation details for each release?

Submitted by phil.allred on Fri, 05/15/2015 - 16:20

Jordan, I don't know for sure -- I'm going to attempt to write one for 6.5.2. Someone from BonitaSoft would have to answer that. My guess is that they are the same for all 6.x versions.
