LDAP authentication for Intalio BPM server
07.24.2010 | 1 Comments
With the initial setup of Intalio Community Edition, the user management information is stored in the server/var/conf/security.xml file. This works fine, but it is not usable for a real-world environment.
So LDAP is the most obvious choice. I installed OpenLDAP on my Ubuntu 10.04. That was a real nightmare: there is no straightforward way, and many people have the same problem. Only after I had succeeded in installing OpenLDAP did I find out that there is an easy way to provide LDAP for the Intalio server.
Intalio offers an Apache Directory Server packaged as a web application. So here is the easy way:
1. Install a Tomcat Server
It is not advisable to install the ApacheDS webapp in the Tomcat on which Intalio runs, because LDAP must be started before the Intalio server; otherwise you will get exceptions.
Therefore I installed a separate Tomcat 6 and changed all the ports of the standard configuration in conf/server.xml to avoid collisions.
2. Deploy ApacheDS webapp
After downloading the Apache Directory Server webapp from the address http://www.intalio.org/public/maven2/org/intalio/tempo/apacheds-webapp, I deployed the war file through the Tomcat Web Application Manager web interface. The application couldn't start because log4j was missing. After copying a log4j jar into the WEB-INF/lib folder of the webapp, I was able to start the application through the Tomcat web interface.
During this startup, the ApacheDS application imports the LDIF files located in its WEB-INF/classes folder. Afterwards, all standard users from the security.xml file are in the LDAP database too.
3. Edit the Intalio Security Provider
You have to tell the Intalio server that it is supposed to use LDAP now. Do this by editing the file server/var/config/securityConfig.xml: uncomment the LDAPSecurityProvider bean and comment out the SimpleSecurityProvider bean. Then it will look like this:

```xml
<!--
<bean id="securityProvider" class="org.intalio.tempo.security.simple.SimpleSecurityProvider" init-method="init">
    <property name="configFile">
        <value>${org.intalio.tempo.configDirectory}/security.xml</value>
    </property>
</bean>
-->
<bean id="securityProvider" class="org.intalio.tempo.security.ldap.LDAPSecurityProvider">
    <property name="propertiesFile">
        <value>${org.intalio.tempo.configDirectory}/ldap.properties</value>
    </property>
</bean>
```
As you can see, the settings for the LDAP access are in the file ldap.properties in the same directory. Have a look at the file; its default settings already allow the Intalio server to access ApacheDS.
That is it. With these settings, the server will use ApacheDS to authenticate users. Nevertheless, let's complete the picture and add a new user.
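Because the shipped ldap.properties works "as is" against the bundled ApacheDS, it is worth checking what it actually binds with before the server goes anywhere near production. The script below is an added example (not Intalio's code) that reads a Java .properties file and flags the well-known ApacheDS defaults from this post (admin DN uid=admin,ou=system, password secret) as well as a plaintext ldap:// URL to a remote host. It assumes the standard JNDI key names (java.naming.provider.url, java.naming.security.principal, java.naming.security.credentials); Intalio's real file may use different keys, so adjust the KEY_* constants after reading your own copy. Both sample files are constructed.

```python
import re
from urllib.parse import urlsplit

# Assumed key names (standard JNDI LDAP keys); Intalio's file may differ.
KEY_URL = "java.naming.provider.url"
KEY_PRINCIPAL = "java.naming.security.principal"
KEY_CREDENTIALS = "java.naming.security.credentials"

DEFAULT_ADMIN_DN = "uid=admin,ou=system"  # ApacheDS default admin DN (from the post)
DEFAULT_ADMIN_PASSWORD = "secret"         # ApacheDS default admin password (from the post)

SAMPLE_DEFAULT = """\
# constructed: what a fresh install might look like
java.naming.provider.url=ldap://localhost:10389
java.naming.security.principal=uid=admin,ou=system
java.naming.security.credentials=secret
"""

SAMPLE_HARDENED = """\
# constructed: dedicated bind account, LDAPS, non-default password
java.naming.provider.url=ldaps://ldap.example.internal:10636
java.naming.security.principal=uid=intalio-bind,ou=services,dc=example,dc=com
java.naming.security.credentials=CHANGEME-replace-with-a-long-random-value
"""


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value', '#'/'!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)$", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def audit_ldap_properties(text):
    """Return a list of (severity, message) findings; an empty list means nothing was flagged."""
    props = parse_properties(text)
    url = props.get(KEY_URL, "")
    principal = props.get(KEY_PRINCIPAL, "")
    credentials = props.get(KEY_CREDENTIALS, "")
    findings = []

    if credentials == DEFAULT_ADMIN_PASSWORD:
        findings.append(("high", "bind password is the ApacheDS default 'secret'"))
    elif not credentials:
        findings.append(("high", "empty bind password: the server would bind anonymously"))
    if principal == DEFAULT_ADMIN_DN:
        findings.append(("medium", "binding as the directory administrator; use a dedicated read-only account"))

    parts = urlsplit(url)
    if parts.scheme == "ldap" and parts.hostname not in ("localhost", "127.0.0.1", "::1"):
        findings.append(("medium", "plaintext ldap:// to a remote host; bind credentials cross the network unencrypted"))
    elif parts.scheme not in ("ldap", "ldaps"):
        findings.append(("low", f"unrecognised provider URL: {url!r}"))
    return findings


if __name__ == "__main__":
    for name, text in (("default", SAMPLE_DEFAULT), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_ldap_properties(text) or "no findings")
```

Run it against your real file with `audit_ldap_properties(open("ldap.properties").read())`. The loopback exception exists because the post's setup keeps ApacheDS and Intalio on the same host; as soon as the directory moves to another machine, switch to ldaps:// (or StartTLS) so the bind password is not sent in the clear.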
4. Add users via Apache Directory Studio
Get this application from http://directory.apache.org/studio/ and unzip it; there is no additional installation process.
Start it and add a connection with these settings:
| Setting | Value |
|---|---|
| Hostname | <your tomcat host> |
| Port | 10389 |
| Bind DN or user | uid=admin,ou=system |
| Password | secret |
Now you are ready to add new roles and users.
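Instead of clicking users and roles together one by one in Directory Studio, you can prepare them as LDIF and import the file (Directory Studio has an LDIF import, and the ApacheDS webapp itself loads LDIF at startup, as step 2 showed). The following is an added example, not Intalio's code: it builds LDIF for a user and a role and stores the password as a salted {SSHA} hash rather than in clear text, so the secret never sits readable in the directory or in the LDIF on disk. The base DN, the ou=people / ou=roles containers and the object classes (inetOrgPerson, groupOfUniqueNames) are assumptions; read the LDIF files under the webapp's WEB-INF/classes to see the layout Intalio actually expects, and confirm that your ApacheDS version accepts hashed userPassword values on bind before relying on it.

```python
import base64
import hashlib
import hmac
import os

# Assumed DN layout and object classes (not from the post); adjust to match
# the LDIF files the ApacheDS webapp ships under WEB-INF/classes.
BASE_DN = "dc=example,dc=com"
USERS_OU = "ou=people"
ROLES_OU = "ou=roles"


def ssha_hash(password, salt=None):
    """{SSHA} userPassword value: base64(sha1(password + salt) + salt)."""
    if salt is None:
        salt = os.urandom(8)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """What the directory does at bind time: recompute the salted hash and compare."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]  # SHA-1 digests are 20 bytes; the rest is salt
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def ldif_attr(name, value):
    """One LDIF attribute line; RFC 2849 requires base64 ('name:: ...') for unsafe values."""
    data = value.encode("utf-8") if isinstance(value, str) else value
    unsafe = (not data.isascii() or data[:1] in (b" ", b":", b"<")
              or data.endswith(b" ") or b"\n" in data or b"\r" in data or b"\x00" in data)
    if unsafe:
        return f"{name}:: {base64.b64encode(data).decode('ascii')}"
    return f"{name}: {data.decode('ascii')}"


def user_entry(uid, cn, sn, password, mail=None):
    """LDIF for a new user under ou=people with a hashed password."""
    attrs = [("dn", f"uid={uid},{USERS_OU},{BASE_DN}"),
             ("objectClass", "top"), ("objectClass", "person"),
             ("objectClass", "organizationalPerson"), ("objectClass", "inetOrgPerson"),
             ("uid", uid), ("cn", cn), ("sn", sn),
             ("userPassword", ssha_hash(password))]
    if mail:
        attrs.append(("mail", mail))
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


def role_entry(role, member_uids):
    """LDIF for a role as a groupOfUniqueNames whose members are user DNs."""
    attrs = [("dn", f"cn={role},{ROLES_OU},{BASE_DN}"),
             ("objectClass", "top"), ("objectClass", "groupOfUniqueNames"), ("cn", role)]
    attrs += [("uniqueMember", f"uid={uid},{USERS_OU},{BASE_DN}") for uid in member_uids]
    return "\n".join(ldif_attr(n, v) for n, v in attrs) + "\n"


if __name__ == "__main__":
    # constructed sample data; LDIF separates entries with a blank line
    print(user_entry("jdoe", "Jane Doe", "Doe", "a-strong-passphrase", "jdoe@example.com"))
    print(role_entry("manager", ["jdoe"]))
```

Roles modelled as groups whose members are user DNs are exactly what step 5 relies on: moving a responsibility from one person to another is then a change to one uniqueMember line, not to the process.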
5. Integrate user and role definitions in your process design
Finally, I want to show how to use these user and role definitions for the assignment of user tasks in a process. I will use my simple HelloWorld process.

In Intalio Designer, you can assign user tasks in the properties settings of the task. Choose 'workflow' and you will see the dialog for adding users and roles to the assignment. It is not advisable to assign tasks to individual users, because they change constantly, and you don't want to change your process implementation whenever employees change. Instead, assign roles to the tasks. Then you are flexible and can change the responsibilities for a task by editing your LDAP database.
Of course, assigning responsibility for tasks in this static way is not the only option. You can also assign a task to a role at runtime. I have not tried it, but you can find a tutorial on the Intalio website.
Posted by Eric on November 08, 2010 at 09:17 AM CET #