Error handling for specific LDAP implementations

[toco-cam]

User Story (Required on creation)

• As a Software Developer, I want to be able to react on specific LDAP error codes and adjust the front-end accordingly; this allows me to improve the UX for the users.

Functional Requirements (Required before implementation)

• Delegation of the returned error code.
• Integration points in the front-end to handle the error.

Breakdown

### Tasks
- [ ] #3411
- [ ] #3412
- [ ] https://github.com/camunda/camunda-bpm-platform/issues/3474
- [ ] https://github.com/camunda/camunda-bpm-platform/issues/3496

Hints

• It should be as easy as possible to implement this integration in a Camunda Run environment, as Run is intended for NON-Java users.

Links

• https://jira.camunda.com/browse/SUPPORT-15659

[toco-cam]

@tassilo can you please validate the scope and confirm the effort.

[toco-cam]

@felix-mueller this use case should be considered in C8, too - please have a look.

[tasso94]

Solution idea outline

The hard part here is probably setting up Active Directory and ensuring that the outlined solution works:

• Maybe we can use the trial version of Azure AD to speed things up.
  • Might need to be run against the Legal department
• The IT department offered to provide a testing AD instance for us.
  • The IT department needs a general request with details and a cost forecast => PO necessary.

What the user needs to do

• Create a ProcessEnginePlugin that registers an ExceptionCodeProvider
  • When javax.naming.AuthenticationException is thrown by the LDAP identity plugin and the exception message contains error 773, a custom error code is returned
• Create plugins for Admin, Tasklist, Cockpit, and Welcome that registers a frontend plugin on the login page
  • This frontend plugin reacts on the custom error code and renders a form to change the password
• Everything is bundled in one JAR that can be dropped into the userlib folder of Camunda Run

What is missing in C7

A frontend extension point on the login page that has access to the error response of the login request; this is an effort S topic

[tasso94]

@toco-cam, changed the effort to m since Microsoft Active Directory brings quite some complexity into this. We could reduce the effort again when we tried that an ExceptionCodeProvider run against Active Directory works as expected.

[mboskamp]

Investigation Results

Active Directory

• Active Directory (AD) is an LDAP implementation that has additional error codes.
• We have an AD testing instance (contact me for credentials) for the duration of this issue.
• Example response from AD when a user tries to log in with an expired password: javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C090439, comment: AcceptSecurityContext error, data 773, v4563 ]. The LDAP error code is 49 (invalid credentials). The AD error is 773 (ERROR_PASSWORD_MUST_CHANGE).
• I was able to produce this error with Camunda Run using the LDAP process engine plugin.

Further Reading

• LDAP Result Code Reference (see error code 49)
• Common AD Bind Errors (see error code 773)

Process Engine Plugin

• A process engine plugin can be used to register a custom ExceptionCodeProvider which reacts to all ProcessEngineExceptions, checks the following:
  • The cause exception is of type javax.naming.AuthenticationException.
  • The message of the cause exception contains LDAP: error code 49.
  • The message of the cause exception contains data 773.
• If all conditions are met, the ExceptionCodeProvider returns a custom error code (e.g. 22_222).
• All of the above are configurable in the Camunda Run configuration like this.
• Example code

Webapp Plugins

• The login page is shared between the webapps. We need a plugin point for the login page. The user registers a plugin for each of the Camunda webapps (Welcome, Admin, Tasklist, Cockpit). Duplication can be limited by using automated bundling mechanisms.
• Plugins registered for the login page plugin point need access to the response of the authentication request. The plugins will be re-rendered after the request failed. Example code that demonstrates feasibility.
• Fullstack plugins work out of the box in Camunda Run (tested with cockpit-fullstack-count-processes). This is currently not documented. The cockpit plugin page has a reminder that plugins don't work with Run at all, which is not true anymore, at least for fullstack plugins.
• Example code demonstrating a cockpit frontend plugin compatible with Run.

[ingorichtsmeier]

I moved the example to the camunda-consulting organization into our camunda-7-example repository: https://github.com/camunda-consulting/camunda-7-code-examples/tree/main/snippets/ldap-change-password.

The customer ticket is updated.