dram.me

jBPM和LDAP整合

补遗

  1. 以下jBPM LDAP配置存在错误,ldap.bind.user应为java.naming.security.principalldap.bind.pwd应为java.naming.security.credentials。—— 2017-12-26

之前有介绍过jBPM基于Tomcat的LDAP简单对接,但在权限处理上并不大灵活。以下是用户信息和角色分离的方案(Tomcat文档中也有提及)。

总体思路是角色(roles)和分组(groups)分离开,roles用于在Tomcat实现鉴权,groups用于jBPM中的任务处理。

以下分别说明Tomcat、jBPM以及LDAP的配置。

Tomcat的Realm配置如下:

<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://127.0.0.1:389/" userPattern="uid={0},ou=people,dc=company,dc=com" roleBase="ou=roles,dc=company,dc=com" roleName="cn" roleSearch="(uniqueMember={0})"/>

在kie-server中添加WEB-INF/classes/jbpm.user.info.propertiesWEB-INF/classes/jbpm.usergroup.callback.properties文件,内容如下:

java.naming.provider.url=ldap://127.0.0.1:389
ldap.bind.user=cn\=$ADMIN,cn\=config
ldap.bind.pwd=$PASSWORD

ldap.email.attr.id=mail
ldap.lang.attr.id=preferredLanguage
ldap.member.attr.id=uniqueMember
ldap.role.ctx=ou\=groups,dc\=company,dc\=com
ldap.role.filter=(cn\={0})
ldap.role.members.filter=(cn\={0})
ldap.user.ctx=ou\=people,dc\=company,dc\=com
ldap.user.filter=(uid\={0})
ldap.user.roles.ctx=ou\=groups,dc\=company,dc\=com
ldap.user.roles.filter=(uniqueMember\={0})

在kie-server的setenv.sh中追加如下配置:

-Dorg.jbpm.ht.userinfo=ldap -Dorg.jbpm.ht.callback=ldap

最后以如下模板创建LDAP用户:

dn: dc=company,dc=com
objectClass: dcObject
objectClass: organization
dc: company
o: Company Name

dn: ou=groups,dc=company,dc=com
objectClass: organizationalUnit
ou: groups

dn: cn=GroupName,ou=groups,dc=company,dc=com
objectClass: groupOfUniqueNames
objectClass: mailboxRelatedObject
cn: GroupName
mail: groupname@company.com
uniqueMember: uid=name,ou=people,dc=company,dc=com

dn: ou=roles,dc=company,dc=com
objectClass: organizationalUnit
ou: roles

dn: cn=admin,ou=roles,dc=company,dc=com
objectClass: groupOfUniqueNames
cn: admin
uniqueMember: uid=name,ou=people,dc=company,dc=com

dn: cn=user,ou=roles,dc=company,dc=com
objectClass: groupOfUniqueNames
cn: user
uniqueMember: uid=name,ou=people,dc=company,dc=com

dn: ou=people,dc=company,dc=com
objectClass: organizationalUnit
ou: people

dn: uid=Name,ou=people,dc=company,dc=com
objectClass: inetOrgPerson
uid: Name
userPassword: {SSHA}...
cn: Common Name
sn: Surname
preferredLanguage: en-UK
mail: name@company.com

其中mailboxRelatedObject参考这里如下定义:

dn: cn=mailboxrelatedobject,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: mailboxrelatedobject
olcAttributeTypes: ( 1.3.6.1.4.1.5427.1.389.4.18
  NAME 'intlMailAddr'
  DESC 'Internationalized Email Address'
  EQUALITY caseIgnoreMatch
  SUBSTR caseIgnoreSubstringsMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcObjectClasses: ( 1.3.6.1.4.1.5427.1.389.6.9
  NAME 'mailboxRelatedObject'
  DESC 'Associated RFC 5321 mailbox for any entry'
  AUXILIARY
  MAY ( displayName $ mail $ intlMailAddr ) )