My jasig don't use the User ldap password - ssl

We have several services auntentican with an LDAP server, we put JASIG as the main entrance, we deploy JASIG on Jboss7 and works well over SSL, however our LDAP server over TLS works. My problem is that over TLS for any authenticated user runs any user password, right or wrong.
I do not know why the login username is sensitive and not sensitive to the password, pass any password.
Thank you.
Show parts interesting parts of my DeployConfigContex.xml file.
This is our AuthenticationManager:
<bean id="authenticationManager"
class="org.jasig.cas.authentication.AuthenticationManagerImpl">
<property name="credentialsToPrincipalResolvers">
<list>
<bean
class="org.jasig.cas.authentication.principal.CredentialsToLDAPAttributePrincipalResolver">
<property name="credentialsToPrincipalResolver">
<bean
class="org.jasig.cas.authentication.principal.UsernamePasswordCredentialsToPrincipalResolver" />
</property>
<property name="filter" value="(cn=%u)" />
<property name="principalAttributeName" value="cn" />
<property name="searchBase" value="ou=ServiciosCentrales,ou=Usuarios,dc=educacion,dc=es" />
<property name="contextSource" ref="contextSource" />
<property name="attributeRepository">
<ref bean="attributeRepository" />
</property>
</bean>
</list>
</property>
<property name="authenticationHandlers">
<list>
<bean class="org.jasig.cas.authentication.handler.support.HttpBasedServiceCredentialsAuthenticationHandler"
p:httpClient-ref="httpClient" />
<bean class="org.jasig.cas.adaptors.ldap.BindLdapAuthenticationHandler">
<property name="filter" value="cn=%u" />
<property name="searchBase" value="ou=ServiciosCentrales,ou=Usuarios,dc=educacion,dc=es" />
<property name="contextSource" ref="contextSource" />
<property name="ignorePartialResultException" value="yes" />
</bean>
</list>
</property>
</bean>
this es our contexsource:
<property name="pooled" value="false" />
<property name="userDn" value="cn=secret,dc=educacion,dc=es"/>
<property name="password" value="secret"/>
<property name="url" value="ldap://192.168.0.100:389"/>
<qualifier value="secured"/>
<property name="authenticationStrategy">
<bean class="org.springframework.ldap.core.support.DefaultTlsDirContextAuthenticationStrategy">
<property name="sslSocketFactory">
<bean class="com.cein.educa.ldap.LDAPSocketFactory" />
</property>
<property name="hostnameVerifier">
<bean class="com.cein.educa.ldap.LDAPHostNameVerifier" />
</property>
<property name="shutdownTlsGracefully" value="true" />
</bean>
</property>
<property name="baseEnvironmentProperties">
<map>
<entry key="java.naming.security.authentication" value="simple" />
</map>
</property>
</bean>

Related

Concurrently modified some keys

I am using Ignite 2.13.x for one of my requirement, I need to maintain cache in Ignite cluster and some of the keys value will be updates concurrently and selection also happens parallel. So here i am facing issue like,
java.sql.SQLException: Failed to update some keys because they had been modified concurrently [keys=[ROWKEY [idHash=628930863, hash=1637498765, rowkey=6, id=765436]]]
at org.apache.ignite.internal.jdbc.thin.JdbcThinConnection.sendRequest(JdbcThinConnection.java:1009)
at org.apache.ignite.internal.jdbc.thin.JdbcThinStatement.execute0(JdbcThinStatement.java:234)
at org.apache.ignite.internal.jdbc.thin.JdbcThinPreparedStatement.executeWithArguments(JdbcThinPreparedStatement.java:252)
at org.apache.ignite.internal.jdbc.thin.JdbcThinPreparedStatement.executeUpdate(JdbcThinPreparedStatement.java:96)
at sun.reflect.GeneratedMethodAccessor56.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.invoke(StatementFacade.java:118)
at com.sun.proxy.$Proxy16.executeUpdate(Unknown Source)
This was the configuration using at server side,
<bean class="org.apache.ignite.configuration.IgniteConfiguration"
id="igniteConfiguration">
<property name="cacheKeyConfiguration">
<list>
<bean class="org.apache.ignite.cache.CacheKeyConfiguration">
<property name="typeName" value="ROWKEY" />
<property name="affinityKeyFieldName" value="rowkey" />
</bean>
</list>
</property>
<property name="clientMode" value="false" />
<property name="gridName" value="6d-ignite-grid"></property>
<property name="cacheConfiguration">
<list>
<bean class="org.apache.ignite.configuration.CacheConfiguration">
<property name="name" value="persons"></property>
<!-- Set cache mode. -->
<property name="cacheMode" value="PARTITIONED" />
<!-- Set number of backups to 0 -->
<property name="backups" value="0" />
<property name="onheapCacheEnabled" value="false" />
<property name="statisticsEnabled" value="true" />
<property name="memoryPolicyName" value="Default_Region" />
<property name="copyOnRead" value="false" />
<property name="writeSynchronizationMode" value="FULL_SYNC" />
<property name="affinity">
<bean
class="org.apache.ignite.cache.affinity.rendezvous.RendezvousAffinityFunction">
<property name="excludeNeighbors" value="true" />
<property name="partitions" value="10" />
<property name="affinityBackupFilter">
<bean
class="org.apache.ignite.cache.affinity.rendezvous.ClusterNodeAttributeAffinityBackupFilter">
<constructor-arg>
<array value-type="java.lang.String">
<value>AVAILABILITY_ZONE</value>
</array>
</constructor-arg>
</bean>
</property>
</bean>
</property>
<property name="queryEntities">
<list>
<bean class="org.apache.ignite.cache.QueryEntity">
<property name="keyType" value="ROWKEY"></property>
<property name="valueType" value="PERSONS"></property>
<property name="fields">
<map>
<entry key="rowkey" value="java.lang.Long"></entry>
<entry key="id" value="java.lang.Long"></entry>
<entry key="name" value="java.lang.String"></entry>
<entry key="birthday" value="java.lang.String"></entry>
<entry key="gender" value="java.lang.String"></entry>
<entry key="amount" value="java.lang.Long"></entry>
<entry key="salary" value="java.lang.Long"></entry>
<entry key="orgid" value="java.lang.String"></entry>
</map>
</property>
<property name="keyFields">
<set>
<value>rowkey</value>
<value>id</value>
</set>
</property>
</bean>
</list>
</property>
</bean>
</list>
</property>
<property name="includeEventTypes">
<list>
<!--Task execution events -->
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_TASK_STARTED" />
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_TASK_FINISHED" />
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_TASK_FAILED" />
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_TASK_TIMEDOUT" />
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_TASK_SESSION_ATTR_SET" />
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_TASK_REDUCED" />
<!--Cache events -->
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_CACHE_OBJECT_PUT" />
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_CACHE_OBJECT_READ" />
<util:constant
static-field="org.apache.ignite.events.EventType.EVT_CACHE_OBJECT_REMOVED" />
</list>
</property>
<property name="peerClassLoadingEnabled" value="true"></property>
<property name="discoverySpi">
<bean class="org.apache.ignite.spi.discovery.tcp.TcpDiscoverySpi">
<property name="ipFinder">
<bean
class="org.apache.ignite.spi.discovery.tcp.ipfinder.multicast.TcpDiscoveryMulticastIpFinder">
<property name="addresses">
<list>
<!-- In distributed environment, replace with actual host IP address. -->
<value>127.0.0.1:47500..47509</value>
</list>
</property>
</bean>
</property>
</bean>
</property>
<property name="memoryConfiguration">
<bean class="org.apache.ignite.configuration.MemoryConfiguration">
<property name="defaultMemoryPolicyName" value="Default_Region" />
<property name="pageSize" value="4096" />
<property name="systemCacheInitialSize" value="#{40 * 1024 * 1024}" />
<property name="systemCacheMaxSize" value="#{40 * 1024 * 1024}" />
<property name="memoryPolicies">
<list>
<bean
class="org.apache.ignite.configuration.MemoryPolicyConfiguration">
<property name="name" value="Default_Region" />
<property name="initialSize" value="#{20 * 1024 * 1024}" />
<property name="maxSize" value="#{20 * 1024 * 1024}" />
<property name="pageEvictionMode" value="RANDOM_2_LRU" />
<property name="evictionThreshold" value="0.6" />
<property name="metricsEnabled" value="true" />
</bean>
</list>
</property>
</bean>
</property>
</bean>
Thanks for help
Ajay Babu Maguluri.
The error message indicates that the value was updated in parallel during the operation execution and the failed operation should be retried. It's expected to get such a type of error in the case of concurrent atomic updates for the same key in the cache. Or you can use transactions as an alternative way to avoid that.
Also, you can find more details regarding cache atomicity modes here:
https://ignite.apache.org/docs/latest/configuring-caches/atomicity-modes#atomicity-modes

Enable SSL in ActiveMQ - connection getting timed out while accessing web console over https

I have a RHEL 7 server where I have ActiveMQ installed (version : apache-activemq-5.15.11).I am trying to run the web console over https and hence I went through the instructions mentioned in the documentation here and made changes in my jetty.xml and un-commented the following section:
<!--
Enable this connector if you wish to use https with web console
-->
<!-- bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
<property name="keyStorePassword" value="password" />
</bean>
</constructor-arg>
<property name="port" value="8162" />
</bean -->
when I am trying to access the web console like the following:
https://myserver.com:8162/admin/index.jsp
I am getting connection getting timed out in the browser.
Questions :
Am I trying to access it properly - via port 8162? It works fine with port 8161 and over http like the following:
http://myserver.com:8161/admin/index.jsp
Are there any additional changes needed to make it work over https?
My jetty.xml is below for reference:
<!--
Licensed to the Apache Software Foundation (ASF) under one or more contributor
license agreements. See the NOTICE file distributed with this work for additional
information regarding copyright ownership. The ASF licenses this file to You under
the Apache License, Version 2.0 (the "License"); you may not use this file except in
compliance with the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or
agreed to in writing, software distributed under the License is distributed on an
"AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied. See the License for the specific language governing permissions and
limitations under the License.
-->
<!--
An embedded servlet engine for serving up the Admin consoles, REST and Ajax APIs and
some demos Include this file in your configuration to enable ActiveMQ web components
e.g. <import resource="jetty.xml"/>
-->
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="securityLoginService" class="org.eclipse.jetty.security.HashLoginService">
<property name="name" value="ActiveMQRealm" />
<property name="config" value="${activemq.conf}/jetty-realm.properties" />
</bean>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="user,admin" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admin" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="securityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="securityConstraint" />
<property name="pathSpec" value="/api/*,/admin/*,*.jsp" />
</bean>
<bean id="adminSecurityConstraintMapping" class="org.eclipse.jetty.security.ConstraintMapping">
<property name="constraint" ref="adminSecurityConstraint" />
<property name="pathSpec" value="*.action" />
</bean>
<bean id="rewriteHandler" class="org.eclipse.jetty.rewrite.handler.RewriteHandler">
<property name="rules">
<list>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-FRAME-OPTIONS"/>
<property name="value" value="SAMEORIGIN"/>
</bean>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-XSS-Protection"/>
<property name="value" value="1; mode=block"/>
</bean>
<bean id="header" class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
<property name="pattern" value="*"/>
<property name="name" value="X-Content-Type-Options"/>
<property name="value" value="nosniff"/>
</bean>
</list>
</property>
</bean>
<bean id="secHandlerCollection" class="org.eclipse.jetty.server.handler.HandlerCollection">
<property name="handlers">
<list>
<ref bean="rewriteHandler"/>
<bean class="org.eclipse.jetty.webapp.WebAppContext">
<property name="contextPath" value="/admin" />
<property name="resourceBase" value="${activemq.home}/webapps/admin" />
<property name="logUrlOnStart" value="true" />
</bean>
<bean class="org.eclipse.jetty.webapp.WebAppContext">
<property name="contextPath" value="/api" />
<property name="resourceBase" value="${activemq.home}/webapps/api" />
<property name="logUrlOnStart" value="true" />
</bean>
<bean class="org.eclipse.jetty.server.handler.ResourceHandler">
<property name="directoriesListed" value="false" />
<property name="welcomeFiles">
<list>
<value>index.html</value>
</list>
</property>
<property name="resourceBase" value="${activemq.home}/webapps/" />
</bean>
<bean id="defaultHandler" class="org.eclipse.jetty.server.handler.DefaultHandler">
<property name="serveIcon" value="false" />
</bean>
</list>
</property>
</bean>
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="securityLoginService" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
</bean>
<bean id="jettyPort" class="org.apache.activemq.web.WebConsolePort" init-method="start">
<!-- the default port number for the web console -->
<property name="host" value="0.0.0.0"/>
<property name="port" value="8161"/>
</bean>
<bean id="Server" depends-on="jettyPort" class="org.eclipse.jetty.server.Server"
destroy-method="stop">
<property name="handler">
<bean id="handlers" class="org.eclipse.jetty.server.handler.HandlerCollection">
<property name="handlers">
<list>
<ref bean="contexts" />
<ref bean="securityHandler" />
</list>
</property>
</bean>
</property>
</bean>
<bean id="invokeConnectors" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="setConnectors" />
<property name="arguments">
<list>
<bean id="Connector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<!-- see the jettyPort bean -->
<property name="host" value="#{systemProperties['jetty.host']}" />
<property name="port" value="#{systemProperties['jetty.port']}" />
</bean>
<!--
Enable this connector if you wish to use https with web console
-->
<!-- Enabling the following connector on Nov 11,2020 for HTTPS -->
<bean id="SecureConnector" class="org.eclipse.jetty.server.ServerConnector">
<constructor-arg ref="Server" />
<constructor-arg>
<bean id="handlers" class="org.eclipse.jetty.util.ssl.SslContextFactory">
<property name="keyStorePath" value="${activemq.conf}/broker.ks" />
<property name="keyStorePassword" value="password" />
</bean>
</constructor-arg>
<property name="port" value="8162" />
</bean>
</list>
</property>
</bean>
<bean id="configureJetty" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean">
<property name="staticMethod" value="org.apache.activemq.web.config.JspConfigurer.configureJetty" />
<property name="arguments">
<list>
<ref bean="Server" />
<ref bean="secHandlerCollection" />
</list>
</property>
</bean>
<bean id="invokeStart" class="org.springframework.beans.factory.config.MethodInvokingFactoryBean"
depends-on="configureJetty, invokeConnectors">
<property name="targetObject" ref="Server" />
<property name="targetMethod" value="start" />
</bean>
</beans>

ActiveMQ Web console using LDAP Active Directory authentication

Struggling to get ActiveMQ web console to use LDAP and authenticated against Active Directory.
No errors when starting MQ, username/password login box prompt appears but doesn't progress when inserting the correct credentials.
Version
5.15.6
login.config
amqLdapLoginModule {
org.eclipse.jetty.jaas.spi.LdapLoginModule required
debug="true"
contextFactory="com.sun.jndi.ldap.LdapCtxFactory"
hostname="ad-server1.domain.com"
port="389"
bindDn="CN=readonly-user,OU=Accounts,DC=domain,DC=com"
bindPassword="readonly-user-password"
authenticationMethod="simple"
forceBindingLogin="false"
userBaseDn="CN=users,DC=domain,DC=com"
userRdnAttribute="uid"
userIdAttribute="uid"
userPasswordAttribute="userPassword"
userObjectClass="inetOrgPerson"
roleBaseDn="CN=groups,DC=domain,dc=com"
roleNameAttribute="cn"
roleMemberAttribute="uniqueMember"
roleObjectClass="groupOfUniqueNames";
};
jetty.xml
<bean id="ldapLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
<property name="name" value="LdapRealm" />
<property name="loginModuleName" value="amqLdapLoginModule" />
<property name="roleClassNames" value="org.eclipse.jetty.jaas.JAASRole" />
<property name="identityService" ref="identityService" />
</bean>
<bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admins-group" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admins-group" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="securityHandlerLdap" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="ldapLoginService" />
<property name="identityService" ref="identityService" />
<property name="realmName" value="LdapRealm" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>
<bean id="contexts" class="org.eclipse.jetty.server.handler.ContextHandlerCollection">
</bean>
Following the guide from http://bacedifo.blogspot.com/2013/06/securing-activemq-580-web-console-using.html and using the ldaptive ldap java library with some tweaks to the configs I managed to get this working for our AD environment.
Copied the ldaptive-{version number}.jar and jetty-jass-{version number}.jar to /activemq/lib directory.
login.conf
activemq {
org.ldaptive.jaas.LdapLoginModule required
debug=true
storePass="true"
ldapUrl="ldap://ldap-server1.domainname.com:389 ldap://ldap-server2.domainname.com:389"
connectionStrategy="ACTIVE_PASSIVE"
bindDn="CN=ldap-readaccount,OU=Read Accounts,DC=domainname,DC=com"
baseDn="OU=accounts,DC=domainname,DC=com"
bindCredential="ldapuser-password"
useStartTLS="false"
userFilter="(sAMAccountName={user})";
org.ldaptive.jaas.LdapRoleAuthorizationModule required
useFirstPass="true"
ldapUrl="ldap://ldap-server1.domainname.com:389 ldap://ldap-server2.domainname.com:389"
connectionStrategy="ACTIVE_PASSIVE"
bindDn="CN=ldap-readaccount,OU=Read Accounts,DC=domainname,DC=com"
baseDn="OU=groups,DC=domainname,DC=com"
bindCredential="ldapuser-password"
roleFilter="(&(cn=webconsoleadmins)(member={user}))"
useStartTLS="false"
defaultRole="admins"
roleAttribute="cn";
};
jetty.xml
<beans xmlns="http://www.springframework.org/schema/beans" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd">
<bean id="securityLoginService" class="org.eclipse.jetty.jaas.JAASLoginService">
<property name="name" value="LdapRealm" />
<property name="loginModuleName" value="activemq" />
<property name="roleClassNames" value="org.ldaptive.jaas.LdapRole" />
<property name="identityService" ref="identityService" />
</bean>
<bean id="identityService" class="org.eclipse.jetty.security.DefaultIdentityService"/>
<bean id="securityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admins,webconsoleadmins" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
<bean id="adminSecurityConstraint" class="org.eclipse.jetty.util.security.Constraint">
<property name="name" value="BASIC" />
<property name="roles" value="admins,webconsoleadmins" />
<!-- set authenticate=false to disable login -->
<property name="authenticate" value="true" />
</bean>
...
<bean id="securityHandler" class="org.eclipse.jetty.security.ConstraintSecurityHandler">
<property name="loginService" ref="securityLoginService" />
<property name="identityService" ref="identityService" />
<property name="authenticator">
<bean class="org.eclipse.jetty.security.authentication.BasicAuthenticator" />
</property>
<property name="constraintMappings">
<list>
<ref bean="adminSecurityConstraintMapping" />
<ref bean="securityConstraintMapping" />
</list>
</property>
<property name="handler" ref="secHandlerCollection" />
</bean>

GET ALL LDAP USERS WITH LDAP BEAN

I am currently devloping a java web application based on activiti and i want to use ldap as an authentification system.
I Configured ldap as it its 's shown,but when i write this command in java System.out.println(processEngine.getIdentityService().createGroupQuery().list().size()); i got an error "This query is not supported by the LDAPGroupManager".So what can i do ?
Thank you in advance.
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:aop="http://www.springframework.org/schema/aop"
xmlns:tx="http://www.springframework.org/schema/tx"
xsi:schemaLocation="
http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-2.0.xsd
http://www.springframework.org/schema/tx http://www.springframework.org/schema/tx/spring-tx-2.0.xsd
http://www.springframework.org/schema/aop http://www.springframework.org/schema/aop/spring-aop-2.0.xsd">
<bean id="dataSource" class="org.springframework.jdbc.datasource.SimpleDriverDataSource">
<property name="driverClass" value="org.h2.Driver" />
<property name="url" value="jdbc:h2:mem:activiti;DB_CLOSE_DELAY=1000" />
<property name="username" value="sa" />
<property name="password" value="" />
</bean>
<bean id="transactionManager" class="org.springframework.jdbc.datasource.DataSourceTransactionManager">
<property name="dataSource" ref="dataSource" />
</bean>
<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
<property name="dataSource" ref="dataSource" />
<property name="transactionManager" ref="transactionManager" />
<property name="databaseSchemaUpdate" value="true" />
<property name="jobExecutorActivate" value="false" />
<property name="configurators">
<list>
<bean class="org.activiti.ldap.LDAPConfigurator">
<!-- Server connection params -->
<property name="server" value="ldap://localhost" />
<property name="port" value="10389" />
<property name="user" value="uid=admin,ou=system" />
<property name="password" value="secret" />
<!-- Query params -->
<property name="baseDn" value="o=mojo" />
<property name="queryUserByUserId" value="(&(objectClass=inetOrgPerson)(uid={0}))" />
<property name="queryUserByFullNameLike" value="(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
<property name="queryGroupsForUser" value="(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
<!-- Attribute config -->
<property name="userIdAttribute" value="uid" />
<property name="userFirstNameAttribute" value="cn" />
<property name="userLastNameAttribute" value="sn" />
<property name="groupIdAttribute" value="cn" />
<property name="groupNameAttribute" value="cn" />
</bean>
</list>
</property>
</bean>
<bean id="processEngine" class="org.activiti.spring.ProcessEngineFactoryBean">
<property name="processEngineConfiguration" ref="processEngineConfiguration" />
</bean>
<bean id="repositoryService" factory-bean="processEngine" factory-method="getRepositoryService" />
<bean id="runtimeService" factory-bean="processEngine" factory-method="getRuntimeService" />
<bean id="taskService" factory-bean="processEngine" factory-method="getTaskService" />
<bean id="historyService" factory-bean="processEngine" factory-method="getHistoryService" />
<bean id="managementService" factory-bean="processEngine" factory-method="getManagementService" />
</beans>
we can't get all the ldap users with the bean this is not supported by the LDAPGroupManager

How to config activiti.org to work with IBM Domino LDAP groups

I work on integration IBM Domino with activiti.org workflow engine. I need to connect Activiti with Domino LDAP in order to retrive users and groups.
I already can log in with my Domino credentials but I'm not able to resolve user groups. My user is a member of ACTIVITI_ADMINS domino group but he doesn't see activiti-explorer administration menu (the one that default kermit user see). I've made the following modifications in Activiti xml config files. What should I add/rewrite in my config files in order to resolve user groups?
activiti-custom-context.xml
<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
<!--...-->
<property name="configurators">
<list>
<bean class="org.activiti.ldap.LDAPConfigurator">
<!-- Server connection params -->
<property name="server" value="ldap://myDominoLdapServer" />
<property name="port" value="389" />
<property name="user" value="cn=User Ldap, ou=myUnit1, ou=myUnit2, o=myCompany" />
<property name="password" value="myPassword" />
<!-- Query params -->
<property name="baseDn" value="o=myCompany" />
<property name="queryUserByUserId" value="(&(objectClass=inetOrgPerson)(displayname={0}))" />
<property name="queryUserByFullNameLike" value="(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
<property name="queryGroupsForUser" value="(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
<!-- Attribute config -->
<property name="userIdAttribute" value="displayname" />
<property name="userFirstNameAttribute" value="GivenName" />
<property name="userLastNameAttribute" value="sn" />
<property name="userEmailAttribute" value="mail" />
<property name="groupIdAttribute" value="cn" />
<property name="groupNameAttribute" value="cn" />
</bean>
</list>
</property>
</bean>
activiti-ui-context.xml
<bean name="explorerApp" class="org.activiti.explorer.ExplorerApp" scope="session">
<property name="environment" value="${activiti.ui.environment}" />
<property name="useJavascriptDiagram" value="${activiti.ui.jsdiagram}" />
<property name="i18nManager" ref="i18nManager" />
<property name="viewManager" ref="viewManager" />
<property name="notificationManager" ref="notificationManager" />
<property name="attachmentRendererManager" ref="attachmentRendererManager" />
<property name="formPropertyRendererManager" ref="formPropertyRendererManager" />
<property name="variableRendererManager" ref="variableRendererManager" />
<property name="applicationMainWindow" ref="mainWindow" />
<property name="componentFactories" ref="componentFactories" />
<property name="workflowDefinitionConversionFactory" ref="workflowDefinitionConversionFactory" />
<property name="loginHandler" ref="activitiLoginHandler" />
<property name="simpleWorkflowJsonConverter" ref="simpleWorkflowJsonConverter" />
<property name="adminGroups">
<list>
<value>ACTIVITI_ADMINS</value>
</list>
</property>
<property name="userGroups">
<list>
<value>user</value>
</list>
</property>
</bean>
Your configuration looks right so the problem must have something to do with the LDAP query used to retrieved the groups for the user:
<property name="queryGroupsForUser" value="(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
Is this query returning the ACTIVITI_ADMIN group?
Well, I've found that the baseDN entry was the reason of my problem. I set empty value and Activiti is resolving my group now. The activiti-custom-context.xml file contains the following code:
<bean id="processEngineConfiguration" class="org.activiti.spring.SpringProcessEngineConfiguration">
<!--...-->
<property name="configurators">
<list>
<bean class="org.activiti.ldap.LDAPConfigurator">
<!-- Server connection params -->
<property name="server" value="ldap://myDominoLdapServer" />
<property name="port" value="389" />
<property name="user" value="cn=User Ldap, ou=myUnit1, ou=myUnit2, o=myCompany" />
<property name="password" value="myPassword" />
<!-- Query params -->
<!--MY CHANGE START-->
<property name="baseDn" value="" />
<!--MY CHANGE END-->
<property name="queryUserByUserId" value="(&(objectClass=inetOrgPerson)(displayname={0}))" />
<property name="queryUserByFullNameLike" value="(&(objectClass=inetOrgPerson)(|({0}=*{1}*)({2}=*{3}*)))" />
<property name="queryGroupsForUser" value="(&(objectClass=groupOfUniqueNames)(uniqueMember={0}))" />
<!-- Attribute config -->
<property name="userIdAttribute" value="displayname" />
<property name="userFirstNameAttribute" value="GivenName" />
<property name="userLastNameAttribute" value="sn" />
<property name="userEmailAttribute" value="mail" />
<property name="groupIdAttribute" value="cn" />
<property name="groupNameAttribute" value="cn" />
</bean>
</list>
</property>
</bean>