Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1136441

Summary: Add screen for setting up LDAP users for Business Central
Product: [Retired] JBoss BRMS Platform 6
Component: Installer
Version: unspecified
Reporter: Tomas Livora <tlivora>
Assignee: Miroslav Sochurek <msochure>
QA Contact: Dominik Hanak <dhanak>
CC: kverlaen, mbaluch, rzhang
Status: CLOSED EOL
Severity: low
Priority: low
Type: Feature Request
Doc Type: Bug Fix
Target Milestone: ER5
Target Release: 6.1.0
Hardware: Unspecified
OS: Unspecified
Last Closed: 2020-03-27 20:09:16 UTC

Attachments (flags: none):
- No LDAP selected
- LDAP selected
- One LDAP Option
- Both LDAP options
- Management Console LDAP Configuration

Description Tomas Livora 2014-09-02 14:53:34 UTC
Description of problem:
The installer allows you to set up LDAP users only for logging into the management console. If there is an LDAP server used for this, it is very likely that the customer will use it also to log into the Business Central. Unfortunately, the installer does not provide such options.

Version-Release number of selected component (if applicable):
BPMS/BRMS 6.0.2 GA

Steps to Reproduce:
1. Install the product, perform advanced configuration and enable LDAP authentication.
2. Run the application and try to log into the Business Central with a user from LDAP.

Actual results:
After the installation you can use only users defined in the application-users.properties file to log into the Business Central.

Expected results:
You should be able to log into the Business Central with LDAP users.

Additional info:
To make Business Central use LDAP users for logging in, the jboss-web.xml and standalone*.xml files need to be changed. The details are described here: https://access.redhat.com/solutions/655023

Note that LDAP server URL, bind DN and bind password are already configured on the first LDAP screen in the installer. The new screen should contain fields like user context, user filter, role context, role filter, role attribute ID, role name attribute ID and a checkbox if the role attribute is distinguished name or not.

Comment 1 Thomas Hauser 2014-10-03 14:48:07 UTC
This feature will be available in DR4.

Comment 2 Thomas Hauser 2014-10-21 19:48:58 UTC
One thing I could use some help with is coming up with some valid checks for the Contexts for the User / User roles / Roles being valid. For whatever reason, the filter values contained in the documentation don't seem to return anything valid when using the Java LDAP classes.

For now, there are no checks for validity of the fields for the Business Central LDAP configuration. The configuration is performed correctly, enabling out-of-the-box LDAP authentication with business-central.war

Comment 3 Tomas Livora 2014-10-29 13:23:33 UTC
Tom, there are some things that need to be changed:

1) In the previous versions the LDAP configuration pages were only used to set up authentication for the management console. Now the authentication for the Business Central is also configured. However, it is only possible to configure both at once. I would recommend adding checkboxes on both the second and third page of LDAP Configuration so the user can choose whether to set up authentication for only one or both of them.

2) jbpm.user.info.properties and jbpm.usergroup.callback.properties files are created but LDAPUserGroupInfoProducer producing LDAPUserGroupCallbackImpl and LDAPUserInfoImpl, which use them, is not configured in standalone/deployments/business-central.war/WEB-INF/beans.xml. JAASUserGroupInfoProducer is still there.

3) The following lines, which are required to make JMS work with LDAP users when working with human tasks, are still missing under <hornetq-server> in standalone.xml:

<security-domain>ldap</security-domain>
<security-enabled>true</security-enabled>

Note that 2) and 3) are only relevant to BPMS.

4) It seems you want to add some tooltips to input fields on the new page. Right now there are only strings like this: 'ldap.businesscentral.user.context.tooltip'. I would recommend replacing them with either the description for each field or moving the current default values to tooltips as examples, because customers are very likely to use different values (at least different user and roles contexts according to their directory server structure).

5) The current headers do not describe LDAP pages well. Right now it looks like this:

(i) LDAP Configuration
(ii) LDAP Configuration
(iii) Business Central LDAP Configuration

I would recommend something like this:

(i) LDAP Connection
(ii) Management Console LDAP Configuration
(iii) Business Central LDAP Configuration

Comment 4 Thomas Hauser 2014-10-29 15:17:58 UTC
Hi Tomas, thanks for the feedback. 

I'm thinking for

1) we can have the checkboxes be on the panel which allows the user to choose to setup an LDAP connection; if they do so, two more check boxes are enabled which allow the user to choose neither, one, or both of LDAP Management Console Configuration / Business Central LDAP configuration.

2 + 3) seem to be oversights by me, will fix for next release.

4) I like the idea of removing defaults and having the tooltips contain something like "Example value: <current default value>"

5) Your suggestions work great. I'll change as you described.

Thanks,
Tom

Comment 5 Thomas Hauser 2014-10-29 20:34:54 UTC
Created attachment 951909 [details]
No LDAP selected

Comment 6 Thomas Hauser 2014-10-29 20:35:23 UTC
Created attachment 951911 [details]
LDAP selected

Comment 7 Thomas Hauser 2014-10-29 20:36:15 UTC
Created attachment 951912 [details]
One LDAP Option

Comment 8 Thomas Hauser 2014-10-29 20:36:46 UTC
Created attachment 951913 [details]
Both LDAP options

Comment 9 Thomas Hauser 2014-10-29 20:39:36 UTC
I've uploaded a mockup of the new panel. Let me know if it's a step in the right direction.

Comment 10 Tomas Livora 2014-11-04 12:03:39 UTC
Tom, it is a very good idea to put two new checkboxes on that page. However, I am not sure if it makes any sense to configure the LDAP connection itself without using LDAP for authenticating users in either EAP Management Console or Business Central. Correct me if I am wrong, but I think that connection configuration is always set up independently for each of these components and so there is no such thing as a universal configuration for both of them. That is why I would recommend staying with the previous label 'Enable LDAP authentication' (instead of the new 'Create LDAP connection') and requiring selecting at least one of the two new checkboxes if the parent one is checked.

Comment 11 Thomas Hauser 2014-11-07 19:54:51 UTC
Hi Tomas,

I was under the impression that Business Central also needed the ldap connection definition in standalone*.xml to function. Since this isn't the case, I think I can revert to the label you're describing, as well as enforce that one of the other two checkboxes must be enabled to proceed.

Comment 12 Thomas Hauser 2014-11-10 17:50:56 UTC
Hi Tomas, I actually find the parent checkbox to be redundant; I've gone ahead and just made the two 'child' checkboxes on the same level as the others. The panel behavior beyond that is unchanged.

Comment 13 Tomas Livora 2014-11-18 12:45:02 UTC
It seems that most of the issues mentioned in comment 3 have been resolved. However, there are still some problems in ER2:

1) jbpm.user.info.properties and jbpm.usergroup.callback.properties contain the string ${ldap.pwd} instead of the actual password. There is probably an intention not to store plain passwords in these files. But right now, ${ldap.pwd} is passed to the LDAP server instead of a password and so Task Service does not work properly. Notice that in comparison with the configuration XML files used by EAP, these properties files are used directly by the jBPM engine, thus it is probably not possible to use such parameters in them.

2) The page with management console configuration is still called "LDAP Configuration" instead of suggested and more accurate "Management Console LDAP Configuration".

Comment 14 Tomas Livora 2014-11-18 15:49:19 UTC
I have just found another problem. This is a line from standalone*.xml and domain.xml files:

<module-option name="roleAttributeIsDN" value="null"/>

The value should be either true or false based on user input, but not null.

Comment 15 Tomas Livora 2014-11-19 12:06:20 UTC
I have also noticed that the LDAP password is now stored in plain text in domain.xml, host.xml and standalone*.xml files while in previous versions it was stored in the password vault. I mean these two pieces of code (for both EAP Management Console and Business Central):

<outbound-connections>
  <ldap name="ldap_connection" url="ldap://localhost:10389" search-dn="uid=admin,ou=system" search-credential="secret"/>
</outbound-connections>

...

<security-domain name="business-central-ldap" cache-type="default">
  <authentication>
    <login-module code="LdapExtended" flag="required">
      ...
      <module-option name="bindCredential" value="secret"/>
      ...
    </login-module>
  </authentication>
</security-domain>
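
The three findings reported in comments 13, 14 and 15 (an unexpanded ${ldap.pwd} placeholder in the jBPM properties files, a roleAttributeIsDN value of "null", and LDAP credentials written in plaintext instead of a vault expression) can be caught by a post-install check. The script below is an added example, not part of the installer or this bug report; it assumes the EAP 6 vault expression form ${VAULT::block::attribute::key} and the property key name ldap.bind.pwd, and the sample inputs are constructed.

```python
import re
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment (no XML namespaces, unlike a real EAP file)
# that reproduces all three findings from comments 13, 14 and 15.
SAMPLE_XML = """<server>
  <outbound-connections>
    <ldap name="ldap_connection" url="ldap://localhost:10389"
          search-dn="uid=admin,ou=system" search-credential="secret"/>
  </outbound-connections>
  <security-domain name="business-central-ldap" cache-type="default">
    <authentication>
      <login-module code="LdapExtended" flag="required">
        <module-option name="bindCredential" value="secret"/>
        <module-option name="roleAttributeIsDN" value="null"/>
      </login-module>
    </authentication>
  </security-domain>
</server>"""

# Constructed jbpm.usergroup.callback.properties content; the key name is assumed.
SAMPLE_PROPERTIES = "ldap.bind.user=uid=admin,ou=system\nldap.bind.pwd=${ldap.pwd}\n"

# EAP 6 vault expression: ${VAULT::<block>::<attribute>::<shared key>}
VAULT_RE = re.compile(r"^\$\{VAULT::[^:]+::[^:]+::[^}]+\}$")


def check_xml(xml_text):
    """Return findings for plaintext LDAP credentials and invalid roleAttributeIsDN."""
    findings = []
    root = ET.fromstring(xml_text)
    for ldap in root.iter("ldap"):
        cred = ldap.get("search-credential")
        if cred is not None and not VAULT_RE.match(cred):
            findings.append(f"outbound ldap '{ldap.get('name')}': search-credential in plaintext")
    for opt in root.iter("module-option"):
        name, value = opt.get("name"), opt.get("value", "")
        if name == "bindCredential" and not VAULT_RE.match(value):
            findings.append("login-module: bindCredential in plaintext")
        if name == "roleAttributeIsDN" and value not in ("true", "false"):
            findings.append(f"login-module: roleAttributeIsDN must be true/false, got {value!r}")
    return findings


def check_properties(props_text):
    """jBPM reads these files directly, so any ${...} placeholder is passed to LDAP verbatim."""
    return [f"unresolved placeholder: {line}" for line in props_text.splitlines() if "${" in line]
```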

Comment 16 Thomas Hauser 2014-12-10 18:04:39 UTC
I've fixed the problems with plain text storage. This occurred as an unintended side effect of changing the checkbox layout. The null value is also fixed.

Comment 17 Thomas Hauser 2014-12-10 18:08:05 UTC
Note that for BRMS if the user does not install a password vault, the password will be in plaintext. In BPMS, a password vault is installed by default, so it will always be masked in BPMS.

Comment 18 Tomas Livora 2015-01-09 12:06:47 UTC
Tom, you have probably missed my comment 13 because none of the problems mentioned there is fixed in ER3. The other issues from comment 14 and 15 seem to be fixed.

Comment 19 Thomas Hauser 2015-01-09 20:45:04 UTC
The remaining issues will be resolved in the next build.

Comment 20 Tomas Livora 2015-02-11 13:24:57 UTC
After the last fix, the Task Service works as expected when it is configured to get users from LDAP.

However, there is still a minor issue with the page title which was mentioned in comment 13. Management console LDAP configuration page is called 'Management Console LDAP Configuration' in BRMS but 'LDAP Connection' in BPM Suite.

Comment 21 Tomas Livora 2015-02-11 13:26:05 UTC
Created attachment 990452 [details]
Management Console LDAP Configuration

Comment 22 Thomas Hauser 2015-02-13 20:11:08 UTC
This was somehow missed by me. BPMS now correctly titles the panels.

Comment 23 Marek Baluch 2015-02-26 10:16:00 UTC
Verified on 6.1.0.ER5.

The title has been fixed.