LDAP Authentication Issue

sarkar92
Champ in-the-making
I am using Activiti 5.14.
Following is my Activiti LDAP integration configuration:


<code>
<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
  <property name="dataSource" ref="dataSource" />
  <property name="transactionManager" ref="transactionManager" />
  <property name="databaseSchemaUpdate" value="true" />
  <property name="mailServerHost" value="127.0.0.1" />
  <property name="mailServerPort" value="25" />
  <property name="jobExecutorActivate" value="false" />
  <property name="configurators">
    <list>
      <bean class="org.activiti.ldap.LDAPConfigurator">

        <!-- Server connection params -->
        <property name="server" value="ldaps://10.0.48.10" />
        <property name="port" value="636" />
        <property name="user" value="cn=admin,ou=services,o=system" />
        <property name="password" value="*******" />

        <!-- Query params -->
        <property name="baseDn" value="" />
        <property name="queryUserByUserId" value="(&amp;(objectClass=inetOrgPerson)(cn={0}))" />
        <property name="queryUserByFullNameLike" value="(&amp;(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
        <property name="queryGroupsForUser" value="(&amp;(objectClass=groupOfNames)(member={0}))" />

        <!-- Attribute config -->
        <property name="userIdAttribute" value="cn" />
        <property name="userFirstNameAttribute" value="givenName" />
        <property name="userLastNameAttribute" value="sn" />

        <property name="groupIdAttribute" value="cn" />
        <property name="groupNameAttribute" value="cn" />

      </bean>
    </list>
  </property>
</bean>
</code>


The integration is working fine.

But the issue is that when an existing LDAP user tries to log in with their "cn" and without a "password", the user is authenticated successfully, which is not good. This happens in both REST and Explorer.
If an existing user tries to log in with their correct "cn" and without a password, they are authenticated successfully.
Is it a bug in Activiti 5.14, or am I missing some config parameter?

Please let me know; it's urgent as it is a big security issue.

sarkar92
Champ in-the-making
Anyone familiar with this issue?

Please help…

b_schnarr
Champ in-the-making
I can confirm this. When you enter an incorrect username and password, you cannot log in (ok). When you enter the correct username and password, you can log in (also ok). But when you enter the correct CN username WITHOUT ANY PASSWORD, you can log in successfully. Here is my config:

<code>
<property name="configurators">
  <list>
    <bean class="org.activiti.ldap.LDAPConfigurator">

      <!-- Server connection params -->
      <property name="server" value="ldap://10.120.201.12" />
      <property name="port" value="389" />
      <property name="user" value="cn=Administrator,cn=Users,dc=ebusiness,dc=local" />
      <property name="password" value="****" />

      <!-- Query params -->
      <property name="baseDn" value="ou=ebusiness,dc=ebusiness,dc=local" />
      <property name="queryUserByUserId" value="(&amp;(objectClass=person)(cn={0}))" />
      <property name="queryUserByFullNameLike" value="(&amp;(objectClass=person)(|({0}=*{1}*)({2}=*{3}*)))" />
      <property name="queryGroupsForUser" value="(&amp;(objectClass=group)(member={0}))" />
      <property name="customConnectionParameters">
        <map>
          <entry key="InitialDirContext" value="Context.REFERRAL" />
        </map>
      </property>

      <!-- Attribute config -->
      <property name="userIdAttribute" value="distinguishedName" />
      <property name="userFirstNameAttribute" value="givenName" />
      <property name="userLastNameAttribute" value="sn" />

      <property name="groupIdAttribute" value="cn" />
      <property name="groupNameAttribute" value="cn" />

    </bean>
  </list>
</property>
</code>

Did we both miss something, or is it a severe showstopper bug? Please, this is very urgent. I'm looking forward to hearing from you.

Thanks and best regards
Ben

sarkar92
Champ in-the-making
Yes, you are right @B.Schnarr.

But no one from the Activiti development team has confirmed this issue.

Do you get anything in the logs?

The org.activiti.ldap.LDAPUserManager::checkPassword method calls LDAPConnectionUtil.createDirectoryContext but doesn't handle any potential ActivitiException exceptions, whereas LDAPConnectionUtil.createDirectoryContext explicitly throws the proper ActivitiException upon failure. Perhaps the context returned by createDirectoryContext isn't null (even though the password is incorrect) and thus the logic fails.

Can't confirm though, only scarcely looked through the codebase.
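As an added illustration of the fail-closed password check the reply above is reasoning about (example code written for this thread, not Activiti's own LDAPUserManager or LDAPConnectionUtil), the following Java class does the two things a password check against LDAP must do. First, it refuses an empty password before any bind is attempted: a simple bind with a DN and an empty password is an "unauthenticated bind" (RFC 4513, section 5.1.2), and a server that permits it completes the bind as anonymous without raising any exception, so "the bind did not fail" must never be read as "the password was verified". Second, it resolves the user's DN with the service account, then binds as that user and treats only an exception-free bind with a non-empty password as success. The class name, method names and constructor are assumptions; the server URL, service DN, base DN and filter in main() are copied from the first post's configuration, and the service password is a placeholder.

```java
// Added example for this thread, not Activiti's own code. Class and method names are hypothetical;
// the values in main() come from the first post's configuration, the service password is a placeholder.
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
import javax.naming.directory.SearchControls;
import javax.naming.directory.SearchResult;

public class LdapPasswordCheck {

    private final String providerUrl;
    private final String serviceUserDn;
    private final String servicePassword;
    private final String baseDn;
    private final String userFilter; // JNDI-style filter with {0} standing for the user id

    public LdapPasswordCheck(String providerUrl, String serviceUserDn, String servicePassword,
                             String baseDn, String userFilter) {
        this.providerUrl = providerUrl;
        this.serviceUserDn = serviceUserDn;
        this.servicePassword = servicePassword;
        this.baseDn = baseDn;
        this.userFilter = userFilter;
    }

    // True only if the password is non-empty AND a simple bind as the user's own DN succeeds.
    public boolean checkPassword(String userId, String password) {
        // Guard 1: never send an empty password. RFC 4513 (5.1.2) defines a simple bind with a DN
        // and an empty password as an "unauthenticated bind"; a server that permits it completes the
        // bind as anonymous and throws nothing, so "no exception" would be mistaken for "verified".
        if (userId == null || userId.isEmpty() || password == null || password.isEmpty()) {
            return false;
        }
        String userDn;
        try {
            userDn = lookupUserDn(userId);
        } catch (NamingException e) {
            return false; // directory unreachable or lookup failed: fail closed
        }
        if (userDn == null) {
            return false; // unknown or ambiguous user: same answer as a wrong password
        }
        // Guard 2: the user's own credentials must bind; the service account's bind proves nothing.
        InitialDirContext userCtx = null;
        try {
            userCtx = new InitialDirContext(env(userDn, password));
            return true;
        } catch (AuthenticationException e) {
            return false; // wrong password
        } catch (NamingException e) {
            return false; // any other failure: fail closed
        } finally {
            if (userCtx != null) { try { userCtx.close(); } catch (NamingException ignored) { } }
        }
    }

    // Resolves the user's DN with the service account; returns null unless exactly one entry matches.
    private String lookupUserDn(String userId) throws NamingException {
        InitialDirContext ctx = new InitialDirContext(env(serviceUserDn, servicePassword));
        try {
            SearchControls controls = new SearchControls();
            controls.setSearchScope(SearchControls.SUBTREE_SCOPE);
            controls.setReturningAttributes(new String[0]); // only the entry's DN is needed
            // Passing userId as a filter argument makes JNDI escape it, so the id cannot rewrite the filter.
            NamingEnumeration<SearchResult> results =
                    ctx.search(baseDn, userFilter, new Object[] { userId }, controls);
            String dn = null;
            int matches = 0;
            while (results.hasMore()) {
                dn = results.next().getNameInNamespace();
                matches++;
            }
            results.close();
            return matches == 1 ? dn : null;
        } finally {
            ctx.close();
        }
    }

    private Hashtable<String, String> env(String principal, String credentials) {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, providerUrl);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, principal);
        env.put(Context.SECURITY_CREDENTIALS, credentials);
        return env;
    }

    public static void main(String[] args) {
        LdapPasswordCheck check = new LdapPasswordCheck(
                "ldaps://10.0.48.10:636",                  // server and port from the first post
                "cn=admin,ou=services,o=system",           // service account from the first post
                "SERVICE-PASSWORD-PLACEHOLDER",
                "",                                        // baseDn from the first post
                "(&(objectClass=inetOrgPerson)(cn={0}))"); // queryUserByUserId from the first post
        // The case the thread reports as succeeding is rejected here before any network I/O.
        System.out.println("empty password accepted? " + check.checkPassword("someuser", ""));
    }
}
```

The empty-password guard is deliberately placed before the user lookup, so the check gives the same answer whether or not the directory is reachable, and the user bind is a separate connection from the service-account bind, so a successful service login can never stand in for the user's own credentials.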

sarkar92
Champ in-the-making
There is no error in the logs.

b_schnarr
Champ in-the-making
I looked through the tomcat logs, but I found no errors.

b_schnarr
Champ in-the-making
I tried to create a Jira issue, but I cannot log in.

b_schnarr
Champ in-the-making
Activiti Developers,

it is very great that you are actually working on some new great features like multi-tenancy. But this severe security issue here leads to the fact that nearly no company can use Activiti in a productive environment. Therefore, please, seriously, a little bit more response and attention to this issue…

tombo
Champ in-the-making
Hm,
<code>
<property name="queryUserByUserId" value="(&amp;(objectClass=person)(cn={0}))" />
<property name="userIdAttribute" value="distinguishedName" />
</code>
Both attributes related to the user should be the same. This is the source of your troubles. Try with:
<code>
<property name="queryUserByUserId" value="(&amp;(objectClass=person)(cn={0}))" />
<property name="userIdAttribute" value="cn" />
</code>
or another attribute. I'm using sAMAccountName.

Regards,
Boris