topic Re: LDAP with 5.19 REST - Code changes in Alfresco Archive

LDAP with 5.19 REST - Code changes

ncoonghe — Tue, 22 Mar 2016 18:53:42 GMT

HiIn Activiti 5.19, in order to use LDAP with the REST module instead of the Activiti Identity related user/group/membership tables. Will it work by including the Activiti-ldap related jar file and also by Change the ProcessEngineConfigurationImpl.java code by commenting the below lines addSessionF

Re: LDAP with 5.19 REST - Code changes

hari — Wed, 23 Mar 2016 07:04:55 GMT

Hi Nirmal,

As per your statement, I understood that you are using Activiti via REST. Now when you use it via REST, you need not integrate Activiti with LDAP but you need to integrate your application with LDAP.
Also you need not change any code in Activiti source files.

Re: LDAP with 5.19 REST - Code changes

ncoonghe — Wed, 23 Mar 2016 16:56:48 GMT

Thanks Hari,

So you mean to say when certain API calls are made the engine does not look up the user/group identity link data and make sure that the entries are available before performing what the API has to do. Like Assigning a Task, delegating a task, assigning to a group, etc. In fact it checks the user/password as part of REST using the user table.

I definitely think it cannot be isolated. It has to be integrated with the engine..

Re: LDAP with 5.19 REST - Code changes

hari — Thu, 24 Mar 2016 05:31:50 GMT

It would not check if the user/group exists in the table when you assign a task or perform any other action to a user/group. When you integrate your application with LDAP, its becomes your application's responsibility to verify these things.

We have done it in the same way. I pull the information of the list of users and list of groups from the LDAP and display it to the user when he tries to assign a task. In this way we ensured that no other user/group gets into the db.

Re: LDAP with 5.19 REST - Code changes

ncoonghe — Thu, 24 Mar 2016 16:40:35 GMT

But The REST webapp out of box does require the basic authentication to work. Meaning, without it the Rest Client does not allow me to execute any of the REST API's and the REST app checks against the user table to check the user and password. This means I would have to change Activiti REST code to not make the password check in the User table ?

Also can you confirm that none of the API calls ever validate against the User/Group table based on the context

Also I think some of the API's like claim, etc does check the Identity objects before the task is claimed, etc

Regards
Nirmal

Re: LDAP with 5.19 REST - Code changes

jbarrez — Fri, 25 Mar 2016 15:15:42 GMT

no, Activiti does not check identities. It simply sets strings.
Swapping out the auth to ldap, you'd need to change the SecurityConfiguration in the Activiti rest app.