LDAP auth performance

Dear Camunda community,

We have completed a configuration of the LDAP plugin for user auth. LDAP server is using SSL with a “non-trusted certificate”. LDAP directory has several thousands of user records. From the functional perspective, it works OK.

However, we experience significant delay between user credentials entry / sign-in button click and Camunda system response (5-10 sec.). This is not happening for other apps authenticating against LDAP, so this is probably caused by some business logic within the plugin.

Are there any practical tips on increasing user auth performance?

Question no. 2
What is the correct syntax for adding several admin accounts into bpm-platform.xml?

<plugin>
  <class>org.camunda.bpm.engine.impl.plugin.AdministratorAuthorizationPlugin</class>
  <properties>
    <property name="administratorUserName">admin1</property>
  </properties>
</plugin>

Best regards,
Ilya

Hi,

I will make a suggestion on the first part of your question. The LDAP integration needs to perform two functions:

Authenticate the user principle.
Extract the set of groups the user belongs to for the purpose of authorisation.

Hence, if you have a lot of groups, or depending on the schema/structure of your directory, performance could be affected. Hence I would derive the LDAP query your config produces and run some diagnostics on the LDAP query performance. It could be that you can tune your directory with an index or other means to assist with the query…

regards

Rob


Hi,

with regard to the second part of your question, have a look at the docs here [1]

You could consider using an administration group rather than an individual account.

administratorGroupName: The name of the administrator group. If this name is set to a non-null and non-empty value, the plugin will create group-level Administrator authorizations on all built-in resources.

(Note: I have not used this, but that's my interpretation)

[1] https://docs.camunda.org/manual/7.8/user-guide/process-engine/authorization-service/#the-administrator-authorization-plugin

Hi Rob,

Thank you for a prompt reply. Your comment makes perfect sense to me as we indeed have a large number of groups per user. So, what we would be keen to do right now is to disable group membership checking altogether. Further on we are planning to limit the number of group membership checks. So we will have a list of groups in a config to test membership. I would appreciate your advice on the way to disable group membership checking altogether. Is it possible to achieve membership checking against a closed list of groups taking into account that we don’t have specific attributes or object classes that could help to distinguish those groups from the rest of the groups (besides a list of the group names)?

So our original config defining a query looks this way:

<properties>
  <property name="serverUrl">ldaps://ldap_server:6360/</property>
  <!-- disables TLS certificate validation for the ldaps:// connection; importing the server CA into the JVM truststore avoids the need for this -->
  <property name="acceptUntrustedCertificates">true</property>
  <property name="managerDn">CN=admin,OU=People,DC=pxed,DC=ACME,DC=com</property>
  <property name="managerPassword">password</property>

  <property name="baseDn">dc=pxed,dc=ACME,dc=com</property>

  <!-- user lookup: userSearchBase is relative to baseDn -->
  <property name="userSearchBase">OU=People</property>
  <property name="userSearchFilter">(objectclass=person)</property>

  <property name="userIdAttribute">cn</property>
  <property name="userFirstnameAttribute">givenName</property>
  <property name="userLastnameAttribute">sn</property>
  <property name="userEmailAttribute">mail</property>
  <property name="userPasswordAttribute">userPassword</property>

  <!-- group lookup: empty groupSearchBase means the whole baseDn is searched -->
  <property name="groupSearchBase"></property>
  <property name="groupSearchFilter">(objectclass=groupOfNames)</property>
  <property name="groupIdAttribute">cn</property>
  <property name="groupNameAttribute">cn</property>

  <property name="groupMemberAttribute">uniquemember</property>
  <property name="sortControlSupported">false</property>
</properties>

Thank you so much for this insight.

Best regards,
Ilya

Hi Rob,

Thank you for this suggestion. Yes, we are considering adding a group of camunda_admins to play with. And, yes, it works as explained in the documentation. However, at the moment I was looking for a way to have several listed admins from the directory.

Best regards,
Ilya

Hi,

perhaps you could configure the group search filter to search a particular group, e.g.

(&(objectclass=groupOfNames) (cn=Camunda))

or something like this…


Hi Rob,

Thank you for your solution. It indeed works. I just escaped ampersand for XML and voila.

<property name="groupSearchFilter">(&amp;(objectclass=groupOfNames)(cn=JDE_Users))</property>

Thank you so much!

Best regards,
Ilya
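As an added example (not code from this thread or from the Camunda plugin itself), the Python script below derives the two searches the plugin issues from the property block above, so they can be timed against the directory with ldapsearch as Rob suggests, and it shows why the `&` in the narrowed group filter has to be written as `&amp;` in XML. It assumes, as I understand the plugin's behaviour, that each configured filter is ANDed with the user id or member attribute; the user DN and the `jdoe` account are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample mirroring the thread's <properties> block, with the
# narrowed group filter; the '&' must be written as '&amp;' inside XML.
PLUGIN_XML = """
<properties>
  <property name="serverUrl">ldaps://ldap_server:6360/</property>
  <property name="managerDn">CN=admin,OU=People,DC=pxed,DC=ACME,DC=com</property>
  <property name="baseDn">dc=pxed,dc=ACME,dc=com</property>
  <property name="userSearchBase">OU=People</property>
  <property name="userSearchFilter">(objectclass=person)</property>
  <property name="userIdAttribute">cn</property>
  <property name="groupSearchBase"></property>
  <property name="groupSearchFilter">(&amp;(objectclass=groupOfNames)(cn=JDE_Users))</property>
  <property name="groupMemberAttribute">uniquemember</property>
</properties>
"""

def load_properties(xml_text):
    """Read name/value pairs; the XML parser turns '&amp;' back into '&'."""
    root = ET.fromstring(xml_text)
    return {p.get("name"): (p.text or "") for p in root.iter("property")}

def escape_filter_value(value):
    """RFC 4515 escaping so a spliced-in id or DN cannot alter the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_base(props, key):
    # A relative search base is appended to baseDn; empty means baseDn itself.
    return ",".join(part for part in (props[key], props["baseDn"]) if part)

def user_search(props, user_id):
    """(base, filter) for the login lookup: configured filter AND id attribute
    (assumed plugin behaviour, not taken from the plugin source)."""
    flt = "(&%s(%s=%s))" % (props["userSearchFilter"], props["userIdAttribute"],
                            escape_filter_value(user_id))
    return search_base(props, "userSearchBase"), flt

def group_search(props, user_dn):
    """(base, filter) for the membership lookup after a successful bind:
    configured group filter AND groupMemberAttribute=<user DN> (assumed)."""
    flt = "(&%s(%s=%s))" % (props["groupSearchFilter"], props["groupMemberAttribute"],
                            escape_filter_value(user_dn))
    return search_base(props, "groupSearchBase"), flt

def ldapsearch_command(props, base, flt):
    """Equivalent ldapsearch call for timing the query outside Camunda
    (-W prompts for the manager password; '1.1' requests no attributes)."""
    return 'ldapsearch -H %s -D "%s" -W -b "%s" "%s" 1.1' % (
        props["serverUrl"], props["managerDn"], base, flt)
```

Run `ldapsearch_command` on the output of `group_search` before and after narrowing the filter to compare how long the membership query takes with the `cn=` restriction in place.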

Hi Ilya,

I am trying to connect to ldaps from camunda, could you please explain how you configured the certs in camunda?

Hi… could you please provide the details if you were able to do so…?