LDAP Authentication Issue

sarkar92
Champ in-the-making
I am using activiti 5.14.
Following is my activiti ldap integration configuration …


<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
    <property name="dataSource" ref="dataSource" />
    <property name="transactionManager" ref="transactionManager" />
    <property name="databaseSchemaUpdate" value="true" />
    <property name="mailServerHost" value="127.0.0.1" />
    <property name="mailServerPort" value="25" />
    <property name="jobExecutorActivate" value="false" />
    <property name="configurators">
        <list>
            <bean class="org.activiti.ldap.LDAPConfigurator">

                <!-- Server connection params -->
                <property name="server" value="ldaps://10.0.48.10" />
                <property name="port" value="636" />
                <property name="user" value="cn=admin,ou=services,o=system" />
                <property name="password" value="*******" />

                <!-- Query params -->
                <property name="baseDn" value="" />
                <property name="queryUserByUserId" value="(&amp;(objectClass=inetOrgPerson)(cn={0}))" />
                <property name="queryUserByFullNameLike" value="(&amp;(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
                <property name="queryGroupsForUser" value="(&amp;(objectClass=groupOfNames)(member={0}))" />

                <!-- Attribute config -->
                <property name="userIdAttribute" value="cn" />
                <property name="userFirstNameAttribute" value="givenName" />
                <property name="userLastNameAttribute" value="sn" />

                <property name="groupIdAttribute" value="cn" />
                <property name="groupNameAttribute" value="cn" />

            </bean>
        </list>
    </property>
</bean>


The integration is working fine.

But the issue is that when an existing LDAP user tries to log in with their "cn" and without a "password", the user is authenticated successfully, which is not good. This happens in both REST and Explorer.
If an existing user tries to log in with their correct "cn" and without a password, they are authenticated successfully.
Is it a bug in Activiti 5.14 or am I missing some config parameter?

Please let me know, it's urgent as it is a big security issue.

jbarrez
Star Contributor
Okay, I added it: https://github.com/Activiti/Activiti/commit/09d1858fe4a4e8d74ea86e81c8bbe898fe6ff0e6 and https://github.com/Activiti/Activiti/commit/d7267a27e0dc4f3285dfd715166f2503968ed7f3

As you can see in the commit, it is easy to do that in a custom LDAPUserManager which extends the default one with this extra check. Also the custom LoginHandler is trivial.

sarkar92
Champ in-the-making
Thanks @jbarrez for committing the changes.
Is it possible to apply the changes in the current version 5.14?

b_schnarr
Champ in-the-making
Thank you. According to this: http://technet.microsoft.com/de-de/library/cc816788%28v=ws.10%29.aspx
anonymous LDAP binding is disabled by default in Active Directory 2008. This is very strange.

jbarrez
Star Contributor
Indeed. And it seems to be enabled on AD 2003.

So by your comment, I assume you are using AD 2008?

b_schnarr
Champ in-the-making
Indeed, this issue seems to be related to Microsoft Active Directory. There are several posts describing that an authentication just with a username and without a password is possible. Seems like a feature and not a bug. Yes, I am using Active Directory 2008.

jbarrez
Star Contributor
@sarkar92: we can't retrofix a previous release (and 5.15 is close).
But you can easily extend the current Ldap classes and apply the same fix as I did in the commit above.
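The check the thread converges on, written out here as an added example rather than as the Activiti project's own code: a bind-based password verification that refuses the empty-password case before any connection to the directory is opened. An LDAP simple bind that supplies a DN together with an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), which some directories, Active Directory among them, answer with success; it is a different mechanism from an anonymous bind (no DN, no password), which is why a directory with anonymous binds disabled can still exhibit the behaviour described above. The class name SafeLdapBind, the method checkPassword and the use of plain JNDI instead of Activiti's LDAPUserManager are assumptions made for the illustration; the ldaps URL and the DNs are constructed sample values.

```java
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/**
 * Bind-based password check that refuses unauthenticated (empty-password)
 * simple binds. Hypothetical class written for this thread; not Activiti code.
 */
public final class SafeLdapBind {

    private SafeLdapBind() { }

    /**
     * Returns true only if the directory accepts a simple bind as userDn with a
     * non-empty password. Throws if the directory could not be reached, so an
     * outage is never mistaken for a wrong password.
     */
    public static boolean checkPassword(String ldapUrl, String userDn, String password) {
        // Guard first: RFC 4513 section 5.1.2 lets a server treat "DN + empty
        // password" as an unauthenticated bind and report success for it. A
        // client that forwards an empty password therefore grants access with
        // no proof of identity. Reject it locally and never send the request.
        if (userDn == null || userDn.trim().isEmpty()) {
            return false;
        }
        if (password == null || password.isEmpty()) {
            return false;
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, ldapUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userDn);
        env.put(Context.SECURITY_CREDENTIALS, password);

        DirContext ctx = null;
        try {
            // Creating the context performs the bind; success means the
            // directory verified the credentials.
            ctx = new InitialDirContext(env);
            return true;
        } catch (AuthenticationException wrongCredentials) {
            // LDAP result code 49 (invalidCredentials) arrives here.
            return false;
        } catch (NamingException serverProblem) {
            // Connection refused, TLS failure, unreachable host, etc.
            throw new IllegalStateException(
                "LDAP bind failed for a reason other than bad credentials", serverProblem);
        } finally {
            if (ctx != null) {
                try {
                    ctx.close();
                } catch (NamingException ignored) {
                    // Nothing useful to do on close failure.
                }
            }
        }
    }

    public static void main(String[] args) {
        // Constructed sample values; the host is not contacted for the empty
        // password because the guard returns before the bind is attempted.
        String url = "ldaps://ldap.example.invalid:636";
        String dn = "cn=alice,ou=people,o=system";
        System.out.println("empty password accepted? " + checkPassword(url, dn, ""));
        System.out.println("null password accepted?  " + checkPassword(url, dn, null));
    }
}
```

In an Activiti deployment the same guard belongs at the very top of the custom LDAPUserManager password check that the commits linked above add, ahead of any call that opens a directory connection; the Spring configuration shown earlier in the thread is unaffected, since the defect is in how the credential is forwarded, not in the query or attribute settings. Distinguishing a server error from a rejected credential, as the method does, also keeps login failures caused by an outage visible in the logs instead of being reported as wrong passwords.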