Skip to main content

Active Directory Plugin

The Active Directory plugin allows you to link your application with directory services using the LDAP protocol. The plugin implements control of directory users and groups, and checks user group membership to restrict access to process commands.

Configuration

You will need a configured directory service, such as Active Directory. When connecting the plugin, you will need the following information:

  • Host and port of the server
  • User DN and password if the connection is not anonymous
  • Information about the configuration of users and groups, their objectClass, DN, and other parameters

Setting Up and Connecting the Plugin

To set up the plugin, you first need to specify a set of data sources where it will search for users and groups. Such a data source is represented by an instance of the ActiveDirectorySource class. In each data source, you specify the configuration for working with users (UserSource) and groups (GroupSource), as well as the settings for connecting to the server. There can be multiple data sources, and they will operate simultaneously. However, users are associated with a group only within a single data source. All plugin methods take the name of the data source with which they need to work as a parameter, and this parameter is mandatory. Here is an example of setting up a data source and connecting them to the plugin:

var userSource1 = UsersSource.LDAPUserDn("ou=users,dc=wimpi,dc=net");
userSource1.Attributes.Add("uid");
userSource1.Attributes.Add("mail");
var groupSource1 = GroupSource.LDAPGroupDn("ou=roles,dc=wimpi,dc=net");
ActiveDirectorySource ldap1 = new ActiveDirectorySource("ldap1", "127.0.0.1", 10389)
    .SetAuth("uid=admin,ou=system", "secret")
    .SetUsersSource(userSource1)
    .SetGroupsSource(groupSource1);

var userSource2 = UsersSource.LDAPUserDn("ou=users,dc=wimpi,dc=net");
userSource2.Attributes.Add("uid");
userSource2.Attributes.Add("description");
var groupSource2 = GroupSource.LDAPGroupDn("ou=roles,dc=wimpi,dc=net");
groupSource2.Attributes.Add("description");
ActiveDirectorySource ldap2 = new ActiveDirectorySource("ldap2", "127.0.0.1", 10390)
    .SetAuth("uid=admin,ou=system", "secret")
    .SetUsersSource(userSource2)
    .SetGroupsSource(groupSource2);

var activeDirectoryPlugin =
    new ActiveDirectoryPlugin(new List<ActiveDirectorySource> { ldap1, ldap2 });

After setting up, you can connect the plugin to WorkflowRuntime:

workflowRuntime.WithPlugin(activeDirectoryPlugin);

Let's look at the configuration in more detail.

General Data Source Settings

Creating a data source for LDAP connection:

ActiveDirectorySource ldap1 = new ActiveDirectorySource("sourceName", "Host or IP", 10389);

Here, we specify the name of the data source, the host or IP address, and the server port.

If you are connecting to a server via LDAPS, the configuration will look like this:

ActiveDirectorySource ldap1 = new ActiveDirectorySource("sourceName", "Host", 10389, true);

In this case, you should not specify an IP address, as there might be issues with certificate verification.

If you have authentication, you can specify it as follows:

ldap1.SetAuth("uid=admin,ou=system", "secret");

Configuring Data Sources for Users

Creating a data source for users, if you want to connect to Active Directory:

var userSource1 = UsersSource.ADUserDn("CN=Users,DC=mydomain,DC=com");

If you want to connect to a different LDAP implementation, you will need to specify:

var userSource1 = UsersSource.LDAPUserDn("ou=users,dc=wimpi,dc=net");

If you want to use methods for creating users in Workflow Engine schemes, and you want to assign various attributes to the user, you should list them as follows:

userSource1.Attributes.Add("uid");
userSource1.Attributes.Add("mail");

Other settings for the user data source:

  • CommonNameAttribute - the name of the attribute in which the user's common name (CN) is written;
  • MemberOfAttribute - the name of the attribute in which the list of groups the user belongs to is written;
  • ObjectClasses - the list of mandatory objectClasses for the user;
  • Attributes - the list of additional user attributes, which is worth filling if you want to use methods for creating users in Workflow Engine schemas. Otherwise, it is not needed;
  • AttributeInitializers - functions for initializing user attributes when creating. Used rarely in some LDAP implementations;

You can use the default settings, or if they do not suit you, you can configure everything yourself.

Default settings for ActiveDirectory:

  • SearchFilter = "(&(objectClass=user)(objectClass=person))";
  • CommonNameAttribute = "cn";
  • MemberOfAttribute = "memberOf";
  • ObjectClasses = ["user", "person"];
  • Attributes = [];
  • AttributeInitializers = []

For other LDAP implementations:

  • SearchFilter = "(objectClass=inetOrgPerson)";
  • CommonNameAttribute = "cn";
  • MemberOfAttribute = "memberOf";
  • ObjectClasses = ["inetOrgPerson", "person"];
  • Attributes = [];
  • AttributeInitializers = {"sn", (name, _) => name};

After creating the user data source, you need to connect it to the data source:

ldap1.SetUsersSource(userSource1);

Configuring Data Sources for Groups

To create a data source for groups when connecting to Active Directory, use the following C# code:

var groupSource1 = GroupSource.ADGroupDn("CN=Builtin,DC=mydomain,DC=com");

For connecting to a different LDAP implementation, specify as follows:

var groupSource1 = GroupSource.LDAPGroupDn("ou=roles,dc=wimpi,dc=net");

To use methods for creating groups in Workflow Engine schemes and assign various attributes to the group, list the attributes like this:

groupSource2.Attributes.Add("description");

Other settings for the group data source include:

  • SearchFilter - LDAP filter for searching groups in your directory;
  • CommonNameAttribute - the name of the attribute where the group's common name (CN) is stored;
  • MemberAttribute - attributes listing the users who are part of the group;
  • ObjectClasses - a list of mandatory object classes for the group;
  • Attributes- a list of additional group attributes, useful if you want to use methods for creating groups in Workflow Engine schemes. Otherwise, not needed;
  • AttributeInitializers - functions for initializing group attributes when creating. Used infrequently in some LDAP implementations;

You can either use the default settings or configure them as needed.

Default settings for Active Directory:

  • SearchFilter = "(objectClass=group)";
  • CommonNameAttribute = "cn";
  • MemberAttribute = "member";
  • ObjectClasses = ["group"];
  • Attributes = [];
  • AttributeInitializers = []

For other LDAP implementations:

  • SearchFilter = "(objectClass=groupOfNames)";
  • CommonNameAttribute = "cn";
  • MemberAttribute = "member";
  • ObjectClasses = ["groupOfNames"];
  • Attributes = [];
  • AttributeInitializers = [];

After creating the group data source, connect it to the data source:

ldap1.SetGroupsSource(groupSource1);

LDAP Implementation

The Active Directory Plugin supports two implementations of LDAP:

By default, Novell is used, but you can choose a different implementation if needed. However, keep in mind that the implementation of DirectoryServices will only work on Windows. The implementation can be explicitly specified when creating the plugin:

var plugin = new ActiveDirectoryPlugin(sources, LdapImplementation.NovellLdap);
var plugin = new ActiveDirectoryPlugin(sources, LdapImplementation.DirectoryServices);
info

In some implementations of directory services, users do not have a memberof attribute. In such cases, it is necessary to enable the setting for searching user groups:

groupSource1.LoadGroupMethod = UsersSource.LoadGroupType.UseGroupSearch;
danger

If all of the following conditions are true for your application:

  • The application framework is < 4.7
  • You are using Novell's implementation
  • You have LDAPS

Then the following code needs to be included in your application, and it must be executed BEFORE the start of processes:

AppContext.SetSwitch("Switch.System.Net.DontEnableSystemDefaultTlsVersions", false);

Using a Plugin When Creating Workflow Engine Processes

You can construct your processes with the plugin using the scheme in the designer. For basic operations on users and groups, the following activities are available:

  • ActiveDirectoryCreateUser
  • ActiveDirectoryDeleteUser
  • ActiveDirectoryCreateGroup
  • ActiveDirectoryDeleteGroup
  • ActiveDirectoryAddUserToGroup
  • ActiveDirectoryRemoveUserFromGroup

active directory activities

Also, the plugin is supplied with conditions that can be used in logical branching of the process:

  • ActiveDirectoryIsUserInGroup
  • ActivityDirectoryIsUserExists
  • ActiveDirectoryIsGroupExists

active directory condition actions
active directory condition is user in group

The main feature of the plugin is the ability to use its methods for checking access rights to process commands. To do this, in the process schema, you need to create actors and specify the Active Directory group that will correspond to them. After that, actors can be used in transitions associated with process commands.

active directory actors active directory commands

To use this functionality, utilize the ActiveDirectoryGroup rule in the actors interface.

info

Please note that for the group membership verification to work, you must pass the common name (CN) of the user to the Workflow Engine methods as the identityId parameter. For example:

var commands = runtime.GetAvailableCommands(processId, "user's Cn");

Additionally, you can work with the plugin by directly calling the required methods from the IActiveDirectoryMethods interface.

activeDirectoryPlugin.ActiveDirectoryMethods.CreateUser("John", "SourceName");
activeDirectoryPlugin.ActiveDirectoryMethods.CreateGroup("Employees", "SourceName",
    new List<string> { "John" });