Troubleshoot ActiveDirectory user import to my ivy 3.9 webApp

Logging with Xpert.ivy 3.9

Logs in 3.9 are not written to files as you'd might expect. But stored in the SystemDatabase. Before you start analyzing any logs, you may verify the Level of logs, that will be kept in the database. To do so, run [xpertIvyInstallDir]/bin/XpertIvyServerConfig.

The LogLevel INFO should be sufficient for most ActiveDirectory analyses. Nevertheless FINER will bring more detailed results about synchronization runs that have started or ended. Save and restart the XpertIvyServer if you had to adjust the LogLevel.

WARNING

Logs in the SystemDB can grow huge and either decrease the performance of the WorkflowApp or in worst case make the system inaccessible (due to the lack of disk_space). Therefore it is good practice to clean entries in the table ilog_log regulary e.g. with a cron job or schedulded task.

Analyze the JNDI import logs

With the logViewer binary : Convenient for re-usage!

1. start the logviewer binary [xpertIvyInstallDir]/bin/LogViewer
2. Connect to user server: using user PowerCustomer and password PowerUser : https://developer.axonivy.com/releases/ivy/3.9.latest/documents/ServerGuide/logviewer_login.htm
3. configuration tab: add, select and apply a session
4. configuration tab: add a filter for the category ivyteam.webapp.workflow
5. Log Entries: inspect log entries related to JndiUserThread
6. Optional: go back to the User tab and store your session/filter for later re-usage

With the SystemDB : fast alternative if you are unable to use the LogViewer

1. Open the DMBS front-end that can access the system database of your server.
2. Fire a query (see below) to select logs categorized to ivyteam.webapp.workflow
3. Inspect LogDetailMessages

query:

SELECT * FROM ilog_log as entry
JOIN ilog_category c on (c.CategoryId = entry.CategoryId)
WHERE c.CategoryName = 'ivyteam.webapp.workflow'
AND entry.LogDetailMessage LIKE '%JndiUser%'

Verify the applied configuration

View and verify the Active Directory configuration of your Xpert.ivy WebApp.

1. Open the AD-Configuration: Via ivy-Webinterface >> Admin ( link in header) >> Click on the 'ivy' icon of the affected WebApp >> Deactive App >> Confirm deactivation >> Edit AAA
2. Open a simple ActiveDirectory Browser third party tool (such as JXplorer). And connect using the same URL, credentials and BaseDN (context) as configured in the ivy-Webinterface.

Items to verify:

• lives the user in the import Context defined? or is it an imported user from an external AD (forest)?
• does the LDAP Filter for users definition block the user. Is there a need to have a certain property which some users don't have?
• is the Only import members of user group active? And if so, is the user really a member of this group?