• User: a user identified by a unique Id
  • Group: a group identified by a unique Id
  • Membership: the relationship between users and groups
  • Tenant Membership: the relationship between tenants and users/groups

Camunda BPM distinguishes between read-only and writable user repositories. A read-only user repository provides read-only access to the underlying user/group database. A writable user repository allows write access to the user database which includes creating, updating and deleting users and groups.

To provide a custom identity provider implementation, the following interfaces can be implemented:

The database identity service uses the process engine database for managing users and groups. This is the default identity service implementation used if no alternative identity service implementation is provided.

The database identity service implements both and WritableIdentityProvider providing full CRUD functionality in Users, Groups and Memberships.

The LDAP Identity Service

The LDAP identity service provides read-only access to an LDAP-based user/group repository. The identity service provider is implemented as a Process Engine Plugin and can be added to the process engine configuration. In that case it replaces the default database identity service.

To use the LDAP identity service, the camunda-identity-ldap.jar library has to be added to the classloader of the process engine.

Please import the to ensure correct versions for every Camunda project.

The following is an example of how to configure the LDAP Identity Provider Plugin using Spring XML:

The following is an example of how to configure the LDAP Identity Provider Plugin in bpm-platform.xml/processes.xml:

The LDAP Identity Provider Plugin is usually used in combination with the Administrator Authorization Plugin which allows you to grant administrator authorizations for a particular LDAP User/Group.

Currently, the LDPA Identity Service doesn’t support . That means it is not possible to get tenants from LDAP and the transparent multi-tenancy access restrictions don’t work by default.

The LDAP Identity Provider provides the following configuration properties:

The base DN: Identifies the root of the LDAP directory. Is appended to all DN names composed for searching for users or groups.

Example: o=camunda,c=org

Example: ou=employees

LDAP query string used when searching for users. Example: (objectclass=person)

Name of the user Id property. Example: uid

Name of the firstname property. Example: cn

Name of the lastname property. Example: sn

Name of the email property. Example: mail

Name of the password property. Example: userpassword

Identifies the node in the LDAP tree under which the plugin should search for groups. Must be relative to baseDn.

Example: ou=roles

LDAP query string used when searching for groups. Example: (objectclass=groupOfNames)

Name of the group Id property. Example: ou

Name of the group Name property. Example: cn

Name of the group Type property. Example: cn

Name of the member attribute. Example: member

Set to true if LDAP connection uses SSL. Default:

Value for the java.naming.factory.initial property. Default: com.sun.jndi.ldap.LdapCtxFactory

Value for the java.naming.security.authentication property. Default: simple

Indicates whether posix groups are used. If true, the connector will use a simple (unqualified) user id when querying for groups by group member instead of the full DN. Default: false

Allows to login anonymously without a password. Default: false

Warning: We strongly advise against using this property. You should configure your LDAP to use simple authentication without anonymous login.

If this property is set to true, then authorization checks are performed when querying for users or groups. Otherwise authorization checks are not performed when querying for users or groups. Default: true

Note: If you have a huge amount of LDAP users or groups we advise to set this property to false to improve the performance of the user and group query.

If this property is set to true, then ordering of the search results is enabled. Otherwise orderBy clauses in search queries are simply ignored. Default: false

Note: The support of search result ordering is not be implemented by every LDAP server. Make sure that your currently used LDAP Server implements the RFC 2891.

Throttle login attempts

A mechanism exists for preventing subsequent unsuccessful login attempts.The essence of it is that the user is not able to log in for a specific amount of time after unsuccessful login attempts.The amount of time is calculated after each attempt but it is limited by maximum delay time.After a predefined number of unsuccessful attempts, the user will be locked and only an administrator has permissions to them.

The mechanism is configurable with the following properties and respective default values.

  • loginMaxAttempts=10
  • loginDelayFactor=2
  • loginDelayBase=3
    For more information, please check the process engine’s login properties section.

Calculation of the delay is done via the formula: baseTime * factor^(attempt-1).The behaviour with the default configuration will be:3 seconds delay after the first unsuccessful attempt, 6 seconds after the 2nd attempt, 12 seconds, 24 seconds, 48 seconds, 60 seconds, 60 seconds, etc. After the 10th attempt, if the user fails to login again, the user will be locked.

If you have a LDAP setup on your engine, you need to handle the throttling on the LDAP side. The login mechanism in your system will not be affected by the above properties.