LDAP Support
The Camunda Account LDAP integration enables users with an account on your organization’s LDAP server to log in to Cawemo without signing up first.
Configuration Options
To activate the LDAP integration, set the required environment variables from the following table in step 3 of the on-premise installation. Which variables are required, optional, or not allowed depends on whether you connect to Active Directory or to another LDAP server:
Environment Variable | Example Value | Description | Active Directory | Other LDAP Server |
---|---|---|---|---|
IAM_LDAP_SERVER_URL | ldaps://ldap.example.com/ | URL at which the LDAP server can be reached | Required | Required |
IAM_LDAP_DOMAIN | camunda.org | Domain of an Active Directory LDAP server | Required | Not allowed |
IAM_LDAP_MANAGER_DN | cn=admin,dc=camunda,dc=org | DN (distinguished name) to bind to the LDAP server | Not allowed | Required |
IAM_LDAP_MANAGER_PASSWORD | myPassword123 | Password to bind to the LDAP server | Not allowed | Required |
IAM_LDAP_BASE_DN | dc=camunda,dc=org | Start location for LDAP search (for AD: derived from IAM_LDAP_DOMAIN) | Optional | Required |
IAM_LDAP_USER_SEARCH_BASE | ou=berlin | Start location for user search; relative to IAM_LDAP_BASE_DN | Not allowed | Optional |
IAM_LDAP_USER_SEARCH_FILTER | (&(objectClass=inetOrgPerson)(employeeType=engineer)) | Filter to restrict the group of users to search in | Optional | Optional |
IAM_LDAP_UUID_ATTRIBUTE | entryUUID | Name of the attribute containing the UUID of the user (for AD: objectGUID) | Required | Required |
IAM_LDAP_USER_NAME_ATTRIBUTES | firstName,lastName | Name(s) of the attribute(s) containing the user name; multiple names separated by a comma | Required | Required |
IAM_LDAP_USER_EMAIL_ATTRIBUTE | | Name of the attribute containing the user's email | Required | Required |
Migration of Existing User Accounts
Please back up the Camunda Account and Cawemo databases before you migrate to LDAP as we do not offer a mechanism for reversing the account migration.
Users that are already registered in Cawemo through Camunda Account can keep using their accounts with LDAP enabled. Each account is matched automatically on the user’s first login after LDAP is configured by your organization. For this to work, the email addresses used for the Camunda Account and saved on the LDAP server must match. After migrating an existing account, it can only be accessed with the user’s LDAP credentials.
The diagrams a user has previously created in Cawemo will still be associated with their account after the migration. Their personal data is updated in Camunda Account and Cawemo with the data from the LDAP server on the first login.
Handling of User Data
Camunda Account retrieves the user’s name from your LDAP server on each login and saves/updates it in the Camunda Account and Cawemo databases, so it can be displayed in the applications. We do not read or save the user’s password; instead, the password comparison is performed by binding to the LDAP server.
Active Directory User Search
The bind to AD is performed with the user’s credentials entered in the Camunda Account login form. For searching in AD, we use subtree scope.
The group of users that can log in to Camunda Account and Cawemo is restricted by IAM_LDAP_DOMAIN (or IAM_LDAP_BASE_DN, if configured), which must be specified in the configuration when using Active Directory.
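The following is an added example, not code from the Cawemo documentation or product: a pre-deployment check that applies the Required / Optional / Not allowed rules from the configuration table to a set of IAM_LDAP_* variables, derives the base DN from IAM_LDAP_DOMAIN for Active Directory, and composes the effective search base and user search filter. The page does not describe the product's internals, so these parts are assumptions and are marked as such in the code: Active Directory mode is detected by the presence of IAM_LDAP_DOMAIN, the user is looked up by equality on the email attribute ANDed with IAM_LDAP_USER_SEARCH_FILTER (the page says accounts are matched by email), and a plain ldap:// URL is flagged because it would send bind passwords unencrypted. The two sample environments are constructed from the table's example values; the attribute name `mail` is a constructed choice.

```python
# Added example (not Cawemo code): validate IAM_LDAP_* variables against the rules in
# the configuration table and derive the effective LDAP search parameters.
from typing import Dict, List

REQUIRED, OPTIONAL, NOT_ALLOWED = "Required", "Optional", "Not allowed"

# (Active Directory rule, other LDAP server rule), transcribed from the table above.
RULES = {
    "IAM_LDAP_SERVER_URL": (REQUIRED, REQUIRED),
    "IAM_LDAP_DOMAIN": (REQUIRED, NOT_ALLOWED),
    "IAM_LDAP_MANAGER_DN": (NOT_ALLOWED, REQUIRED),
    "IAM_LDAP_MANAGER_PASSWORD": (NOT_ALLOWED, REQUIRED),
    "IAM_LDAP_BASE_DN": (OPTIONAL, REQUIRED),
    "IAM_LDAP_USER_SEARCH_BASE": (NOT_ALLOWED, OPTIONAL),
    "IAM_LDAP_USER_SEARCH_FILTER": (OPTIONAL, OPTIONAL),
    "IAM_LDAP_UUID_ATTRIBUTE": (REQUIRED, REQUIRED),
    "IAM_LDAP_USER_NAME_ATTRIBUTES": (REQUIRED, REQUIRED),
    "IAM_LDAP_USER_EMAIL_ATTRIBUTE": (REQUIRED, REQUIRED),
}

# Constructed sample configurations built from the table's example values.
AD_ENV = {
    "IAM_LDAP_SERVER_URL": "ldaps://ldap.example.com/",
    "IAM_LDAP_DOMAIN": "camunda.org",
    "IAM_LDAP_UUID_ATTRIBUTE": "objectGUID",
    "IAM_LDAP_USER_NAME_ATTRIBUTES": "firstName,lastName",
    "IAM_LDAP_USER_EMAIL_ATTRIBUTE": "mail",  # constructed attribute name
}
OTHER_ENV = {
    "IAM_LDAP_SERVER_URL": "ldaps://ldap.example.com/",
    "IAM_LDAP_MANAGER_DN": "cn=admin,dc=camunda,dc=org",
    "IAM_LDAP_MANAGER_PASSWORD": "myPassword123",
    "IAM_LDAP_BASE_DN": "dc=camunda,dc=org",
    "IAM_LDAP_USER_SEARCH_BASE": "ou=berlin",
    "IAM_LDAP_USER_SEARCH_FILTER": "(&(objectClass=inetOrgPerson)(employeeType=engineer))",
    "IAM_LDAP_UUID_ATTRIBUTE": "entryUUID",
    "IAM_LDAP_USER_NAME_ATTRIBUTES": "firstName,lastName",
    "IAM_LDAP_USER_EMAIL_ATTRIBUTE": "mail",  # constructed attribute name
}


def is_active_directory(env: Dict[str, str]) -> bool:
    """Assumption: Active Directory mode is selected by setting IAM_LDAP_DOMAIN."""
    return bool(env.get("IAM_LDAP_DOMAIN"))


def validate(env: Dict[str, str]) -> List[str]:
    """Return the rule violations found; an empty list means the table's rules hold."""
    column = 0 if is_active_directory(env) else 1
    problems = []
    for var, rule in RULES.items():
        present = bool(env.get(var))
        if rule[column] == REQUIRED and not present:
            problems.append(f"{var} is required but missing")
        elif rule[column] == NOT_ALLOWED and present:
            problems.append(f"{var} is not allowed in this mode")
    url = env.get("IAM_LDAP_SERVER_URL", "")
    if url.startswith("ldap://"):
        # Assumption (hardening, not a table rule): plain ldap:// would carry the manager
        # password or the user's password to the server without transport encryption.
        problems.append("IAM_LDAP_SERVER_URL uses ldap:// instead of ldaps://")
    elif url and not url.startswith("ldaps://"):
        problems.append("IAM_LDAP_SERVER_URL must start with ldaps://")
    return problems


def domain_to_base_dn(domain: str) -> str:
    """camunda.org -> dc=camunda,dc=org, the derivation the table notes for AD."""
    return ",".join(f"dc={label}" for label in domain.strip(".").split("."))


def effective_base_dn(env: Dict[str, str]) -> str:
    """IAM_LDAP_BASE_DN wins if set; otherwise derive it from IAM_LDAP_DOMAIN (AD)."""
    return env.get("IAM_LDAP_BASE_DN") or domain_to_base_dn(env["IAM_LDAP_DOMAIN"])


def effective_search_base(env: Dict[str, str]) -> str:
    """IAM_LDAP_USER_SEARCH_BASE is relative to the base DN, so append the base DN."""
    relative = env.get("IAM_LDAP_USER_SEARCH_BASE", "")
    base = effective_base_dn(env)
    return f"{relative},{base}" if relative else base


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a value placed in a filter must not alter its structure."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def build_user_filter(env: Dict[str, str], email: str) -> str:
    """Assumption: locate the user by email equality, ANDed with the optional restriction."""
    clause = f"({env['IAM_LDAP_USER_EMAIL_ATTRIBUTE']}={escape_filter_value(email)})"
    restriction = env.get("IAM_LDAP_USER_SEARCH_FILTER")
    return f"(&{restriction}{clause})" if restriction else clause


if __name__ == "__main__":
    for name, env in (("Active Directory", AD_ENV), ("other LDAP", OTHER_ENV)):
        print(name, "problems:", validate(env) or "none")
        print("  search base:", effective_search_base(env))
        print("  user filter:", build_user_filter(env, "alice@example.com"))
```

Run the script directly to see both sample configurations pass and to inspect the resulting search base and filter; feed it your own variables (for example `dict(os.environ)`) to check a deployment before step 3 of the installation.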