Hi

How can I troubleshoot problems with the user synchronisation from Active Directory or any other LDAP server?

For example, if the synchronisation runs successfully but not all my users get imported.

asked 16.04 at 07:53


Reto Weiss ♦♦


Hi

With version 7.4 and later (7.0.12 and later)

You can find the following messages in the logs:

11:35:00.997 INFO [ch.ivyteam.ivy.security.user.synch] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  Start synchronizing users of application ads with external security system Microsoft Active Directory on zugtstdirads

11:45:23.687 INFO [ch.ivyteam.ivy.security.user.synch] [ivy immediate job pool-thread-3] [executionContext=SYSTEM] 
  User synchronization of application ads with external security system Microsoft Active Directory on zugtstdirads finished.
  943 users were read from naming and directory server.
  943 users were analyzed.
  943 users were imported.
  0 users were deleted.
  0 users were updated.
  4 users were added to a role.
  0 users were removed from a role.
  Total execution time was 10 seconds.

Here you find how many users were read from the external server and what was done with them.

Additionally, you can configure the log level of the logger ch.ivyteam.ivy.security.user.synch to DEBUG. You will then find detailed log messages about what is done during the user synchronisation:

14:21:06.271 DEBUG [ch.ivyteam.ivy.security.user.synch] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  Imported user 'Administrator'
14:21:06.301 DEBUG [ch.ivyteam.ivy.security.user.synch] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  Imported user 'Gast'
14:21:06.312 DEBUG [ch.ivyteam.ivy.security.user.synch] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  Imported user 'krbtgt'

If you configure the log level of the logger ch.ivyteam.ivy.security.ldap.api to DEBUG you enable low level LDAP API log messages:

11:31:33.861 DEBUG [ch.ivyteam.ivy.security.ldap.api] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  Searching LDAP objects with name 'DC=zugtstdomain,DC=wan' and filter '(&(objectClass=user)(!(objectClass=computer)))' (Page 0..500)
11:31:33.999 DEBUG [ch.ivyteam.ivy.security.ldap.api] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  Searching LDAP objects with name 'DC=zugtstdomain,DC=wan' and filter '(&(objectClass=user)(!(objectClass=computer)))' (Page 500..1000)
11:31:34.036 DEBUG [ch.ivyteam.ivy.security.ldap.api] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  LDAP call returned 943 objects. Execution time was 218 ms
11:31:34.051 DEBUG [ch.ivyteam.ivy.security.ldap.api] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  Reading LDAP attribute 'memberOf' from 'CN=Administrator,CN=Users,DC=zugtstdomain,DC=wan'
11:31:34.053 DEBUG [ch.ivyteam.ivy.security.ldap.api] [ivy immediate job pool-thread-1] [executionContext=SYSTEM] 
  LDAP call returned attribute 'memberOf' with 5 values. Execution time was 2 ms

If you configure the log level of the logger ch.ivyteam.ivy.security.ldap.wire to DEBUG you enable low level binary LDAP protocol messages:

11:35:01.266 DEBUG [ch.ivyteam.ivy.security.ldap.wire] [Thread-8] [] 
  <- zugtstdirads:389

  0000: 30 84 00 00 00 5A 02 01   02 64 84 00 00 00 51 04  0....Z...d....Q.
  0010: 27 43 4E 3D 47 61 73 74   2C 43 4E 3D 55 73 65 72  'CN=Gast,CN=User
  0020: 73 2C 44 43 3D 7A 75 67   74 73 74 64 6F 6D 61 69  s,DC=zugtstdomai
  0030: 6E 2C 44 43 3D 77 61 6E   30 84 00 00 00 22 30 84  n,DC=wan0...."0.
  0040: 00 00 00 1C 04 0E 73 41   4D 41 63 63 6F 75 6E 74  ......sAMAccount
  0050: 4E 61 6D 65 31 84 00 00   00 06 04 04 47 61 73 74  Name1.......Gast

Before version 7.4 (7.0.12)

You can find the following messages in the logs:

2019-04-12 00:00:01.638 INFO [ch.ivyteam.ivy.security.internal.jndi] [ivy scheduled job pool-thread-2] [executionContext=SYSTEM] 
  Start synchronizing users of application myApp with external security system Novell eDirectory on ldap://xxxxxx:389

2019-04-12 02:32:55.334 INFO [ch.ivyteam.ivy.security.internal.jndi] [ivy scheduled job pool-thread-2] [executionContext=SYSTEM] 
  Synchronize users of application myApp with external security system Novell eDirectory on ldap://xxxxxx:389 finished.
  200,000 users were read from naming and directory server.
  0 users were imported.
  0 users were deleted.
  0 users were updated.
  0 users were added to a role.
  0 users were removed from a role.

Here you find how many users were read from the external server and what was done with them.

Additionally, you can configure the log level of the logger ch.ivyteam.ivy.security.internal.jndi to DEBUG. You will then find low-level binary LDAP messages that are sent to and received from the LDAP server:

11:35:01.266 DEBUG [ch.ivyteam.ivy.security.internal.jndi] [Thread-8] [] 
  <- zugtstdirads:389

  0000: 30 84 00 00 00 5A 02 01   02 64 84 00 00 00 51 04  0....Z...d....Q.
  0010: 27 43 4E 3D 47 61 73 74   2C 43 4E 3D 55 73 65 72  'CN=Gast,CN=User
  0020: 73 2C 44 43 3D 7A 75 67   74 73 74 64 6F 6D 61 69  s,DC=zugtstdomai
  0030: 6E 2C 44 43 3D 77 61 6E   30 84 00 00 00 22 30 84  n,DC=wan0...."0.
  0040: 00 00 00 1C 04 0E 73 41   4D 41 63 63 6F 75 6E 74  ......sAMAccount
  0050: 4E 61 6D 65 31 84 00 00   00 06 04 04 47 61 73 74  Name1.......Gast

Xpert.ivy 3.9.X legacy installations

There is a separate answer that sheds light on 3.9 LDAP import issues: see https://answers.axonivy.com/questions/3788/troubleshoot-activedirectory-user-import-to-my-ivy-3-9-webapp


answered 16.04 at 08:02


Reto Weiss ♦♦

edited 01.05 at 06:29


Reguel Werme... ♦♦
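An added example, not part of the original answer and not Axon Ivy code: a small Python parser for the log format quoted above that collects the summary counters, the LDAP search base and filter, and the 'Imported user' DEBUG lines, then lists which expected accounts never appear. The sample log, the account names and the function names are constructed for illustration, and it assumes one 'Imported user' line is written per imported account, as in the DEBUG output shown in the answer.

```python
import re

HEADER = re.compile(r"^(?:\d{4}-\d{2}-\d{2} )?(\d{2}:\d{2}:\d{2}\.\d{3}) (\w+) +\[([^\]]+)\]")
COUNTER = re.compile(r"^([\d,]+) users were (.+?)\.$")
IMPORTED = re.compile(r"^Imported user '(.*)'$")
SEARCH = re.compile(r"^Searching LDAP objects with name '(.*)' and filter '(.*)' \(Page")

# Constructed sample in the layout shown in the answer (host and users are made up).
SAMPLE_LOG = """\
11:31:33.861 DEBUG [ch.ivyteam.ivy.security.ldap.api] [ivy immediate job pool-thread-1] [executionContext=SYSTEM]
  Searching LDAP objects with name 'DC=example,DC=test' and filter '(&(objectClass=user)(!(objectClass=computer)))' (Page 0..500)
14:21:06.271 DEBUG [ch.ivyteam.ivy.security.user.synch] [ivy immediate job pool-thread-1] [executionContext=SYSTEM]
  Imported user 'alice'
14:21:06.301 DEBUG [ch.ivyteam.ivy.security.user.synch] [ivy immediate job pool-thread-1] [executionContext=SYSTEM]
  Imported user 'bob'
14:21:07.000 INFO [ch.ivyteam.ivy.security.user.synch] [ivy immediate job pool-thread-1] [executionContext=SYSTEM]
  User synchronization of application demo with external security system Microsoft Active Directory on dc.example.test finished.
  1,200 users were read from naming and directory server.
  2 users were imported.
"""

def parse_entries(text):
    """Group each timestamped header line with its indented message lines."""
    entries = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            entries.append({"time": m.group(1), "level": m.group(2), "logger": m.group(3), "lines": []})
        elif line.strip() and entries:
            entries[-1]["lines"].append(line.strip())
    return entries

def analyse(text):
    """Collect summary counters, imported user names and LDAP search base/filter pairs."""
    result = {"counters": {}, "imported": set(), "searches": set()}
    for entry in parse_entries(text):
        for msg in entry["lines"]:
            if m := COUNTER.match(msg):  # "200,000 users were read ..." -> {"read": 200000}
                result["counters"][m.group(2).split()[0]] = int(m.group(1).replace(",", ""))
            elif m := IMPORTED.match(msg):
                result["imported"].add(m.group(1))
            elif m := SEARCH.match(msg):
                result["searches"].add((m.group(1), m.group(2)))
    return result

def missing_users(text, expected):
    """Expected account names for which no 'Imported user' DEBUG line was logged."""
    return sorted(set(expected) - analyse(text)["imported"])
```

If an expected account is missing, compare its DN and objectClass against the search base and filter returned in `analyse(...)["searches"]` before looking further.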
