Questions Tagged With ldap

How to migrate Active Directory connection to LDAP(S) / SSL

SupportIvyTeam — Wed, 29 Apr 2020 05:39:52 -0400

Microsoft is enforcing LDAPS for active directory services. https://www.heise.de/newsticker/meldung/Microsoft-stellt-Domaincontroller-langsam-auf-LDAPS-um-4666079.html

So we have to configure all ivyEngine user synch connections to use LDAP(S). How can this be done? Simply enabling 'SSL' option doesn't seem to be enough.

We have multiple workflow app on differen ivyEngine (4.3, 5.1, 7.0) versions in use. Is there a generic approach to use that works als in older environments?

Can we configure multiple external security systems (e.g. LDAP)?

sorin — Tue, 28 Apr 2020 03:59:51 -0400

The naming in ivy.securitysystem.yaml is plural as in SecuritySystems, not SecuritySistem.

Does that mean that we can configure multiple LDAP services at the same time?

How often do external security systems syncronize?

sorin — Fri, 24 Apr 2020 04:02:08 -0400

When configuring an external security system like LDAP, in the users page, I have a "Synchronize" button. That grabs the users, roles, etc. on-demand from the LDAP. If this button is not pressed, how often is the sync done? Where is it configured? Can it be made to synchronize more or less often?

Is there a way to view the additional LDAP attributes for each user?

sorin — Wed, 15 Apr 2020 04:05:09 -0400

When defining a security system, you can define extended attributes that map from the LDAP attributes to Axon Ivy.

Also, in the Axon Ivy Cockpit there is a screen where you can see each user. However, it only shows username, email, etc. and permissions.

Is there any way to see the extended attributes in there as well? It would be kind of handy to know if the attributes mapped correctly and which user has what attribute value.

Is there a way to transfer/save permissions mapping for external authentication sources?

sorin — Mon, 30 Mar 2020 06:46:58 -0400

I have a couple of servers that do authentication via some LDAP, ActiveDirectory or something. There is a permission mapping in place between the user groups and Axon.ivy permissions. If I want to change said mapping, do I have to manually do so on each server, or is there a file/table that I can write to? Question also applies for new installations.

Trigger LDAP/AD role mapping by API

mhoffmann — Tue, 10 Mar 2020 04:57:14 -0400

Cheers,

is there any way to trigger the synchronization with the LDAP / ActiveDirectory by calling an API endpoint? Or can I schedule the cron to run more than once daily?

The background is that a customer might be modifying some role mappings on demand or shortly before starting a workflow.

The version in question unfortunately is still 7.2.1, which contains a sync button in the RIA only.

Change Ivy 3.9 LDAP to LDAPS not working

sys-adm — Tue, 28 Jan 2020 11:06:34 -0500

Hello,

We need to change our LDAP connection to LDAPS but we received the following error. simple bind failed: dc.domain.local With a 3rd party LDAP Browser it is working from this machine.

Thanks Regards sys-adm

Troubleshoot ActiveDirectory user import to my ivy 3.9 webApp

SupportIvyTeam — Wed, 01 May 2019 03:02:29 -0400

I have to maintain a legacy workflow app still running with XpertIvy 3.9. The users of the application are synchronized from our MS Active Directory.

Recently I got reports that some users are not able to connect to the WebApp. What can I do to verify and trace the ActiveDirectory user synchronization?

Lazy / On-demand Synchronization of LDAP Users

SupportIvyTeam — Mon, 29 Apr 2019 09:53:15 -0400

In our project we are using Microsoft AD as our security system. Our access policy is that anyone working in our company is allowed to access our Ivy application.

Our problem now is that daily user synchronization and user filtering in our code is quite slow as we have over 50'000 possible users to synchronize, even though our application is only used by a couple of thousand users.

Is it possible to 'lazy load' users, only adding users to our Ivy system database on first usage / login? And not on first synchronization with our AD system? But still updating users that have been changed in AD during synchronization?

How can I troubleshoot problems with the user synchronisation from Active Directory or another LDAP server?

Reto Weiss — Tue, 16 Apr 2019 07:53:11 -0400

How can I troubleshoot problems with the user synchronisation from Active Directory or any other LDAP server?

For example if the synchronisation runs successfully but not all my users gets imported.

Fast LDAP user lookup at runtime

SupportIvyTeam — Wed, 14 Nov 2018 03:08:54 -0500

In my project I read users at runtime via Ivy API: SecurityContext.findUser("theUser");

This works reasonably well in my company environment. But if I deploy the project the the productive engine (to the cloud) this user lookups can take up to 2 minutes. At least if I search for a not existing user? How can I speed it up? The security system here is configured to use an LDAP. Shouldn't this be a fast protocol?

Local and AD Users

Thomas Wirz — Fri, 17 Feb 2017 07:53:42 -0500

We synchronize our users with the AD. Is it possible to add local Users not existing in AD to the users? How can we do this, the Button for adding an user is disabled in the Axon.Ivy Administration. Can we add them in the application by code?

Failed to deserialize ch.ivyteam.ivy.security.internal.jndi.JndiUser

matej_smetana — Tue, 08 Sep 2015 10:09:05 -0400

Hi everyone, We have an application which uses LDAP users. I have a question regarding to the message in log:

Failed to de-serialize java object of class ch.ivyteam.ivy.security.internal.jndi.JndiUser. Object will be null.

What does it mean and how can we prevent this issue?

Thanks

Matej

How to map AD group to Ivy role?

Adrian Imfeld — Thu, 23 Jul 2015 12:24:42 -0400

We like to manage the rights for our ivy applications over the Microsoft Active Directory. According the AD groups, ivy roles should automatically added to the ivy user. We have in mind to build some technical processes to do that. But we have some questions...

Is it possible to read (lower) OU's of a user?
If we have the OU "ivy" to import all users and there is a OU "admin" under the OU "ivy", can we find out which users are in the OU "admin"? How can we get this information. Maybe some how like reading AD attributes?

Is it possible to listen to the LDAP synchronisation of the ivy server?
Every times when the user synchronisation is finished, our code should be executed to add specified ivy roles to the user based on the AD OU's.

Thank you for your support

LDAP API call cache

tauser — Fri, 30 Jan 2015 15:26:48 -0500

Hi, we have some performance problems by communication with LDAP after switching from 4.3 to 5.0. I have two questions

were there any changes intern by calling API (see bellow)
are there any API methods which doesn't communicate with LDAP (using direct only ivy system database) ?

Especially we use the following method

ISecurityContext.findRole(...)
IWorkflowSession.hasRole(IRole, Boolean)

How can I specify additional properties/attributes for an External Security System?

SupportIvyTeam — Tue, 05 Aug 2014 11:43:02 -0400

If I use Microsoft Active Directory or Novel eDirectory as External Security System is there any possibility to specify an additional environment property / attribute? Examples are java.naming.referral (which is on Ivy set to follow per default) or java.naming.ldap.derefAliases etc.

How to read and synchronize users from multiple Active directory domains?

Alex Zeiter — Mon, 17 Mar 2014 17:09:23 -0400

We have 3 different AD domains and should have the users of all of them in our ivy5 application

How to read LDAP/Active Directory/Novell Directory-attributes of a user?

Urs Buri — Mon, 13 Jan 2014 11:48:49 -0500

I'm using Active Directory/Novell Directory as security-system for Xpert.ivy. How to read LDAP/Active Directory/Novell Directory attributes of a user?

How can I prevent to import deactived users from Microsoft Active Directory ?

Reto Weiss — Tue, 07 Jan 2014 15:13:56 -0500

If I use active directory to synchronize AD users with Xpert.ivy Server also deactivated users are imported. How can I prevent that?