Steps to enable Active Directory on Bonita 6.5.X Community

1
0
-1

All the info I found about that where too ambiguous, not useful by itself. Something like "make an Authentication Service Implementation by yourself". So I searched a lot and found some way to make it working. I write the steps here: (Disclaimer: Use at your own risk, I'm not responsible for any problem/damage direct or indirect.)

1-Create some admins users on Bonita, with exactly the same samAccountName that you have on your Active Directory. Once you enable AD/LDAP authentication all your users will validate against the Active Directory. Maybe you can tweak the source code below to allow some privileged accounts to be in local Bonita DB. So make sure you can connect after you link to AD.

2-Download this source code, save it as "JAASAuthenticationServiceImpl.java" Disclaimer: The source code isn't mine, it's taken from https://github.com/stephanel/BonitaBPM-AuthServices/tree/master/src/in/stephanelep/bonita/auth , with some minor tweaks. It seems to work.

  1. package org.bonitasoft.engine.authentication.impl;
  2.  
  3. import java.io.Serializable;
  4. import java.util.Map;
  5.  
  6. import javax.security.auth.callback.Callback;
  7. import javax.security.auth.callback.CallbackHandler;
  8. import javax.security.auth.callback.NameCallback;
  9. import javax.security.auth.callback.PasswordCallback;
  10. import javax.security.auth.login.*;
  11.  
  12. import org.bonitasoft.engine.authentication.AuthenticationConstants;
  13. import org.bonitasoft.engine.authentication.AuthenticationException;
  14. import org.bonitasoft.engine.authentication.GenericAuthenticationService;
  15. import org.bonitasoft.engine.log.technical.TechnicalLogSeverity;
  16. import org.bonitasoft.engine.log.technical.TechnicalLoggerService;
  17. import org.bonitasoft.engine.sessionaccessor.STenantIdNotSetException;
  18. import org.bonitasoft.engine.sessionaccessor.SessionAccessor;
  19.  
  20. public class JAASAuthenticationServiceImpl implements GenericAuthenticationService {
  21. private TechnicalLoggerService logger;
  22. private SessionAccessor sessionAccessor;
  23.  
  24. public JAASAuthenticationServiceImpl(final TechnicalLoggerService logger, final SessionAccessor sessionAccessor) {
  25. this.logger = logger;
  26. this.sessionAccessor = sessionAccessor;
  27. this.logger.log(this.getClass(), TechnicalLogSeverity.DEBUG, "AD/LDAP Initialization");
  28. }
  29.  
  30. @Override
  31. public String checkUserCredentials(final Map<String, Serializable> credentials) throws AuthenticationException {
  32. long tenantId;
  33. LoginContext lc;
  34.  
  35. final String authUsername = String.valueOf(credentials.get(AuthenticationConstants.BASIC_USERNAME));
  36. final String authPassword = String.valueOf(credentials.get(AuthenticationConstants.BASIC_PASSWORD));
  37.  
  38. String username = authUsername;
  39.  
  40. try {
  41. tenantId = this.sessionAccessor.getTenantId();
  42. lc = new LoginContext("BonitaAuthentication-"+tenantId, new CallbackHandler(){
  43. public void handle(Callback[] callbacks) {
  44. for(int i = 0; i < callbacks.length; i++) {
  45. if(callbacks[i] instanceof NameCallback) {
  46. NameCallback nc = (NameCallback)callbacks[i];
  47. nc.setName(authUsername);
  48. }
  49. else if(callbacks[i] instanceof PasswordCallback) {
  50. PasswordCallback pc = (PasswordCallback)callbacks[i];
  51. pc.setPassword(authPassword.toCharArray());
  52. }
  53. }
  54. }
  55. });
  56.  
  57. lc.login();
  58.  
  59. logger.log(this.getClass(), TechnicalLogSeverity.DEBUG, "AD/LDAP: Auth success for user "+username);
  60. return username;
  61. }
  62. catch (LoginException e) {
  63. logger.log(this.getClass(), TechnicalLogSeverity.ERROR, "AD/LDAP: Auth failure for user "+username+": "+e.getMessage());
  64. }
  65. catch (STenantIdNotSetException e) {
  66. logger.log(this.getClass(), TechnicalLogSeverity.ERROR, "AD/LDAP: Auth failure for user "+username+": "+e.getMessage());
  67. }
  68. catch(Exception e) {
  69. logger.log(this.getClass(), TechnicalLogSeverity.ERROR, "AD/LDAP: Unknown exception "+e.getClass().toString()+": "+e.getMessage());
  70. }
  71.  
  72. return null;
  73. }
  74. }

3-Then compile it with javac. IMPORTANT! You must compile it with these parameters:

  1. javac -g:vars -cp bonita-server-6.5.1.jar JAASAuthenticationServiceImpl.java

Without the -g:vars the class won't work. You must have the bonita-server-6.X.X.jar in the same folder, or correctly target it on the -cp parameter. I used JDK 6 to compile it, just because I saw original bonitasoft classes used it.

4-Then create a temporary folder structure like this: org\bonitasoft\engine\authentication\impl And place the compiled JAASAuthenticationServiceImpl.class and JAASAuthenticationServiceImpl$1.class inside the "impl" folder. Zip the structure, you must have a zip with the same structure as I stated, with the two class files on the impl folder.

5-Rename the zip file to "JAASAuthenticationServiceImpl.jar" and place it on apache-tomcat/webapps/bonita/WEB-INF/lib You can delete this folder structure, it's only needed to create the jar with the correct folders that matches the package name. I attach the compiled jar I used, but I encourage you to compile by yourself, it's really easy to do (you just need a JDK). Compiled JAASAuthenticationServiceImpl.jar

With that you can use the official document: http://documentation.bonitasoft.com/active-directoryldap-authentication-0 Just don't use the class="com.bonitasoft.engine.authentication.impl.JAASGenericAuthenticationServiceImpl" You must user class="org.bonitasoft.engine.authentication.impl.JAASGenericAuthenticationServiceImpl" with an starting org. instead of com. because it's the package I used on the source code. You can use the original package name that Stephane used on the source code (and creating the folder structure to comply the package name), I just wanted to keep all auth implementations on the same package

I configured exactly that to enable AD on Apache-Tomcat: AD_1- On setenv.sh (or setenv.bat in Windows) I enabled this line:

  1. SECURITY_OPTS="-Djava.security.auth.login.config=${CATALINA_HOME}/conf/jaas-standard.cfg"

mine had a # before, I uncommented it. And modify the CATALINA_OPS line to add this option:

  1. CATALINA_OPTS="${CATALINA_OPTS} ${BONITA_HOME} ${SECURITY_OPTS} ${DB_OPTS} ${BTM_OPTS} -Dfile.encoding=UTF-8 -Xshare:auto -Xms2048m -Xmx2048m -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError"

Note, the other CATALINA_OPS are dependant on your environment, don't copy mine. Only add the ${SECURITY_OPTS} after ${BONITA_HOME} On windows it's something like that:

  1. set SECURITY_OPTS="-Djava.security.auth.login.config=%CATALINA_HOME%\conf\jaas-standard.cfg"
  2. set CATALINA_OPTS=%CATALINA_OPTS% %BONITA_HOME% %SECURITY_OPTS% %DB_OPTS% %BTM_OPTS% -Dfile.encoding=UTF-8 -Xshare:auto -Xms1024m -Xmx1024m -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError

AD_2- Set contents of ${CATALINA_HOME}/conf/jaas-standard.cfg

  1. BonitaAuthentication-1 {
  2. com.sun.security.auth.module.LdapLoginModule REQUIRED
  3. userProvider="ldap://dc1.domain.com:389/dc=domain,dc=com"
  4. authIdentity="{USERNAME}@domain.com"
  5. userFilter="(&(objectClass=user)(samAccountName={USERNAME})(!(userAccountControl:1.2.840.113556.1.4.803:=18)))"
  6. useSSL=false
  7. debug=false;
  8. };

Replace dc1.domain.com with your real domain controller (you can also use an IP). My users login with their logon name, they don't need to add the @domain.com. Replace domain.com for your real domain name, both on userProvider and authIdentity. My userFilter searches only actives user accounts with samAccountName = Bonita username. I search on the whole AD forest, if you want to narrow the search change the userProvider and add something like:

  1. userProvider="ldap://dc1.domain.com:389/cn=users,dc=domain,dc=com"

check for the correct use of cn= or ou= I always mix them.

If you have several DC's, I think you can add redundancy with :

  1. userProvider="ldap://dc1.domain.com:389/dc=domain,dc=com ldap://dc2.domain.com:389/dc=domain,dc=com"

Note: If your users aren't allowed to search in AD you must add these two lines inside the BonitaAuthentication-1:

  1. java.naming.security.principal="user@domain.com"
  2. java.naming.security.credentials="yourpassword"

Use some AD user with delegated privileges to make searches and read person objects, DO NOT USE an administrator AD account.

AD_3- Go to apache-tomcat/bonita/server/tenants//conf/services/ Make a backup of the file: cfg-bonita-authentication-impl.xml , name it cfg-bonita-authentication-impl.xml.backup for example. Edit cfg-bonita-authentication-impl.xml and write this:

  1. <beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:p="http://www.springframework.org/schema/p"
  2. xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd">
  3.  
  4. <bean id="authenticationService" class="org.bonitasoft.engine.authentication.impl.JAASAuthenticationServiceImpl" >
  5. <constructor-arg index="0" name="logger" ref="tenantTechnicalLoggerService" />
  6. <constructor-arg index="1" name="sessionAccessor" ref="sessionAccessor" />
  7. </bean>
  8.  
  9. </beans>

AD_4- Restart Tomcat server and watch log files for errors. If something fails check names on config files (names are case sensitives) and use debug=true on jass-standard.cfg file, and restart

Comments

Submitted by DrakunDry on Thu, 03/10/2016 - 03:38

i will try this

Submitted by DrakunDry on Thu, 03/10/2016 - 03:38

i will try this

5 answers

1
0
-1
This one is the BEST answer!

It's answered already, it's an how-to

1
0
-1

is anybody know how to configure kerberos with bonita 7.4.3 subscription edition ?

1
0
-1

hi , quelqu'un a il testé cette solution avec BonitaCommunity 7.2 ????

Comments

Submitted by user11 on Mon, 06/06/2016 - 14:27

Bonjour,

avez-vous testé cette solution sur la version 7 ?

1
0
-1

so good

1
0
-1

Excellent work, thank you,

here is another answer that works:

http://community.bonitasoft.com/answers/ldap-auth-bonita-bpm-community#node-24997

Comments

Submitted by mrkroket on Sun, 06/14/2015 - 09:06

I didn't see that answer!!! I searched for weeks, and google never gives me that link :( They gave me only half baked, old stuff.

I found interesting that approach. Mine is just a replacement of the official one. But the whole compiling stuff is a bit overwhelming, I don't want to add the whole Eclipse just for that. I'll go with the javac -g:vars way, I just create the new java and manually compile it with bonita-server jar. You should never ever tweak/modify standard java files from Bonita package if it isn't necessary. I saw phil.allred to recompile the whole thing just to add the LDAP Authentication. And he used the AuthenticationServiceImpl classname. It's much easier the approach I did.

Create a new Java file, compile it, make a jar and add it to the lib. Then change the cfg-bonita-authentication-impl.xml to the new class and that's all. If there is a new bonita version custom classes aren't affected. In fact I'd like to use that solution because I think I could use it to create/update LDAP users on Bonita if they don't exist.
Valid LDAP users doesn't login if that user doesn't exist yet on Bonita, and that's a problem. You need some sync process, but I think I can add that process to the login. In my scenario that's better because I won't have a lot of users using Bonita right now, son I'll auto-create the users who logon, and not all of them.

So I'll try to tweak that java to have: LDAP+external config file+sync to Bonita+failover to local users. But with a different classname, I prefer not to override standard Bonita classes.

I also tried to search some SSO (single sign-on) using Krb5 kerberos, but there is so little info about it...

Submitted by user11 on Mon, 04/04/2016 - 15:42

hi,
thank you for the solution
do this work ? any one tried it ?

Submitted by DrakunDry on Tue, 05/03/2016 - 18:11

hi , quelqu'un a il testé cette solution avec BonitaCommunity 7.2 ????

Submitted by niemaine_1 on Wed, 07/20/2016 - 09:32

Hello,
DrakunDry : do you manage to configure sso with the Community 7.2 version ?

Submitted by DrakunDry on Wed, 07/20/2016 - 15:02

not yet and you ? or you're in your side

Notifications