SWAMP is a cool Workflow engine with a nice Web-interface, but it lacks authentication for LDAP users. This contribution implements that functionality.
The source code is here: SWAMP_LDAP.zip
Here's some quick documentation:
The implementation checks (for loading a user) whether a user is already in the DB, if so it loads that record - otherwise it loads it from LDAP (it seems that was the intended way of the auth system - but I may have misinterpreted it?). Authentication is done by trying to bind with the supplied credentials to the LDAP server. The username in this implementation is (kind of) expected to be a username part only and the full LDAP DN is added within the code.
I have developed/tested my implementation with a Windows AD, and therefore the sample values below and some of my code are tweaked that way - but I have added some logic to (at least in theory) make it work with other LDAP servers (ie: base64 value encoding as implemented in OpenLDAP for non-7bit ASCII values). However, especially the base64 code is UNTESTED as I don't have a non-AD LDAP system at hand.

There are several configuration values which need to be set in the "WEB-INF/conf/defaults" file - here are some sample values (roughly based on our internal Windows AD setup):

# ldap server
LDAP_BIND_URL=ldap://domaincontroller/
# bind user and password
LDAP_BIND_USER=swamp@intranet.akkaya.de
LDAP_BIND_PASS=password

# where to search for user entries when looking up the username
LDAP_USER_BASEDN=dc=intranet,dc=akkaya,dc=de
# the search filter for user entries
LDAP_USER_FILTER=(&(objectClass=user)(sAMAccountName=%s))
# this is used to construct the full DN from the username only and in
# this form only works with M$ ADs
LDAP_USER_TEMPLATE=%s@intranet.akkaya.de

# Attributes from which to fetch the user data
LDAP_USER_ATTR_GIVENNAME=givenName
LDAP_USER_ATTR_SURNAME=sn
LDAP_USER_ATTR_EMAIL=mail

Please note again that the email-style usernames are a feature only implemented in MS AD - for other LDAP servers you'll most likely need regular LDAP DN based usernames, like so:

LDAP_BIND_USER=cn=SWAMP,dc=intranet,dc=akkaya,dc=de
LDAP_USER_TEMPLATE=cn=%s,dc=intranet,dc=akkaya,dc=de

If you would like to log in using a full LDAP DN, set these:

LDAP_USER_FILTER=
LDAP_USER_TEMPLATE=%s
However, two warnings:
- this is untested (I think it should work like this)
- I don't know if SWAMP chokes on such a "complex" username
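As an added example (not code from the SWAMP_LDAP contribution), here is how the two substitution points above, the %s in LDAP_USER_FILTER and in a cn=%s style LDAP_USER_TEMPLATE, can be filled in so a typed username cannot change the filter or DN structure, together with the bind-based credential check and the one check a bind-as-the-user scheme must have: refusing an empty password, which LDAP treats as an unauthenticated bind rather than a failed one. The class and method names (LdapAuthHelper, escapeFilter, escapeDn, buildFilter, buildDn, bind) are assumed.

```java
// Added example (not from the SWAMP_LDAP contribution); class and method names are assumed.
import java.util.Hashtable;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;
public class LdapAuthHelper {
    // RFC 4515: a username substituted into LDAP_USER_FILTER must not change the filter structure
    static String escapeFilter(String v) {
        StringBuilder sb = new StringBuilder();
        for (char c : v.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
    // RFC 4514: escape a value before substituting it into LDAP_USER_TEMPLATE (cn=%s,...)
    static String escapeDn(String v) {
        String s = v.replaceAll("([\\\\,+\"<>;=])", "\\\\$1");
        if (s.startsWith("#") || s.startsWith(" ")) s = "\\" + s;
        if (s.endsWith(" ")) s = s.substring(0, s.length() - 1) + "\\ ";
        return s;
    }
    static String buildFilter(String template, String user) { return template.replace("%s", escapeFilter(user)); }
    static String buildDn(String template, String user) { return template.replace("%s", escapeDn(user)); }
    // Simple bind as the constructed DN. An empty password is refused before contacting the
    // server: RFC 4513 defines an empty-password bind as *unauthenticated*, and many servers accept it.
    static boolean bind(String url, String dn, String password) throws NamingException {
        if (password == null || password.isEmpty()) return false;
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, dn);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try { new InitialDirContext(env).close(); return true; }
        catch (AuthenticationException e) { return false; }
    }
    public static void main(String[] args) {
        String filter = "(&(objectClass=user)(sAMAccountName=%s))";
        System.out.println(buildFilter(filter, "j*doe)"));
        System.out.println(buildDn("cn=%s,dc=intranet,dc=akkaya,dc=de", "Doe, John"));
    }
}
```

With the AD-style %s@intranet.akkaya.de template the DN escaping is a no-op for ordinary account names; it matters for the cn=%s form, where a comma or equals sign in the username would otherwise add an RDN.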
If you've built from source and would like to integrate this into your "build", here's the run-down (<SWAMP_SRC_BASEDIR> being the base directory with the SWAMP sources):
- extract the file in the archive to:
<SWAMP_SRC_BASEDIR>/src/de/suse/swamp/core/security
- in <SWAMP_SRC_BASEDIR>, run:
ant compile-swamp
- copy the compiled class into Tomcat (stop Tomcat first):
cp <SWAMP_SRC_BASEDIR>/build/de/suse/swamp/core/security/SWAMPLDAPUserManager.class <TOMCAT_BASE>/common/classes/de/suse/swamp/core/security/
- set AUTH_CLASS in <TOMCAT_WEBAPPS>/webswamp/WEB-INF/conf/defaults to:
de.suse.swamp.core.security.SWAMPLDAPUserManager
- set the LDAP configuration values as stated above in:
<TOMCAT_WEBAPPS>/webswamp/WEB-INF/conf/defaults