With Ivy 10, our LDAP setup does no longer work?!

Peter Hochstrasser

We're constantly improving Axon Ivy in all areas. When we went on the journey from Ivy 8 to Ivy 10, we found that our LDAP connector has accepted setups that defined a (narrow) LDAP Context, containing some groups and lots of other objects. It may have contained users, but if a group in the context has been defined as the "source of all users", then even users in that group that had been outside the context had been synchronized.

Puzzled?
Sometimes, a picture is worth a thousand words:

That is, in effect, not what we had in mind.
Therefore, we corrected the behaviour and now, all users that have access to Ivy need to be inside the base LDAP Context:

Therefore, if you find that your LDAP user import which worked flawlessly with Ivy 8 does not work in Ivy 10, please check your LDAP Context setting.

Christian Strebel

This is only a problem with the Active Directory Security System and Axon Ivy 10. But also with Axon Ivy 8.0, it is better to configure the Default Context correctly.

Here is an example

If the Active Directory has the following configuration:
Import Users Of Group: CN=Ivy-Users,OU=Roles,OU=Department,DC=company,DC=ch
And this should import the following user:
user1, External Name: CN=user1,OU=Users,OU=Department,DC=company,DC=ch

Then the correct Default Context value would be one of:

DC=company,DC=ch or
OU=Department,DC=company,DC=ch

But we see often OU=Roles,OU=Department,DC=company,DC=ch which is NOT correct because the imported User is not inside of this Context because the users are here: OU=Users,OU=Department,DC=company,DC=ch

Outcome

If you migrate to Axon Ivy 10 and your Default Context configuration is not correct (Default Context does not contain (all) the users), your users will get disabled and they cannot log in anymore.

Advice

Please check your Default Context configuration in existing Active Directory Security systems and correct it even if you are running an Axon Ivy Version below 10.0. It may cause trouble even there.

RebeccaKettner

We changed our Default Contextfrom 8 to 10, because we had exactly the issue which is described above.
Now the Login to the System via SignleSign on is taking about 1 Minute.
We had the same performance issue in Version 8, here the solution was to minimize the default Context. What could be the solution now for Version 10?

Best regards
Rebecca

Christian Strebel

RebeccaKettner

May be you do not care about referrals to other Active Directories, so you can set the property java.naming.referral to ignore.
If this does not help you could disable the user synch on login, but then the user is only kept up to date on the daily synch.
See https://developer.axonivy.com/doc/10.0/engine-guide/integration/identity-provider/microsoft-ad/index.html#microsoft-active-directory

Config example:

SecuritySystems:
  default:
    Provider: "Microsoft Active Directory"
    Connection:
      Environment:
        "java.naming.referral": ignore
    UserSynch.OnLogin: 'false'

RebeccaKettner

Hi Christian,

the usersynch on Login was already set to false. The Refferral was different to yours, so i changed it to "ignore".
Sadly the performance is as slow as before the change.

I copied our configuration here for you:

SecuritySystems:
  Bauer:
    Provider: Microsoft Active Directory
    UserAttribute:
      Properties:
        distingushedName: DistinguishedName
        userPrincipalName: userPrincipalName
        userAccountControl: userAccountControl
    Connection:
      Url: ldap://
      UserName: bauer\
      Password: ${decrypt:}
      UseLdapConnectionPool: true
      Environment:
        java:
          naming:
            referral: ignore
    Binding:
      DefaultContext: OU=Bauer-Group,DC=bauer,DC=de
      ImportUsersOfGroup: CN=sg_app_wfm_apac_QA_Users,OU=APAC,OU=GRP-PROCESS,OU=WFM,OU=APP-GROUPS,OU=A-PORTAL,OU=Bauer-Group,DC=bauer,DC=de
    UserSynch.OnLogin: 'false'

We tried the same singleSign On configuration with our networking Team on an different Application, there we are not facing this performance issues, so they asked me to contact AxonIvy for it 🙂

The long path of Import Users of Group can not be the problem or?
CN=sg_app_wfm_apac_QA_Users,OU=APAC,OU=GRP-PROCESS,OU=WFM,OU=APP-GROUPS,OU=A-PORTAL,OU=Bauer-Group,DC=bauer,DC=de

Regards
Rebecca

Christian Strebel

RebeccaKettner

What does the user synch log tell you?
With 10.0.9 we have improved it.

RebeccaKettner

This is the logfile from user synch:

[2023-09-07 00:00:00.282][INFO ][ch.ivyteam.ivy.security.user.synch][ivy scheduled job pool-thread-3]{}
Start synchronizing users of security system 'Bauer'
[2023-09-07 00:02:25.175][INFO ][ch.ivyteam.ivy.security.user.synch][ivy scheduled job pool-thread-3]{}
User synchronization of security system 'Bauer' finished
[2023-09-07 00:02:25.175][INFO ][ch.ivyteam.ivy.security.user.synch][ivy scheduled job pool-thread-3]{}
9 users were read
9 users were analyzed
0 users were imported
0 users were disabled
0 users were updated
0 users were added to a role
0 users were removed from a role
Total execution time was 144 seconds

We are using Version 10.0.10 on the Server.

Christian Strebel

RebeccaKettner

Then not the Active Directory binding should be the problem if it is slow to login.
If the login is slow because the Active Directory then in the UserSynch Log you should also see the single user synch if the user logs in.
I would check the the Request with the Slow Requests View from the Engine Cockpit:
https://dev.axonivy.com/doc/10.0/engine-guide/reference/engine-cockpit/monitor.html#engine-cockpit-monitor-slow-requests

May you get another hint there why the login is slow.
Otherwise please open a real support case.