LDAP - too many requests

Hello, All,

I'm using Camunda v7.9 with LDAP integration.

We noticed that on every request via the REST API, the LDAP plugin is trying to authenticate.
It doesn't matter if it is for getting tasks, getting filters, etc…
It is easy to see in the stack trace when there is no connection to the server:

This results in too many requests to the LDAP server and problematic behavior when the server is temporarily unavailable.

I also found this feature request, explaining the same situation:
https://app.camunda.com/jira/browse/CAM-7993

According to the documentation:
https://docs.camunda.org/manual/7.9/user-guide/process-engine/identity-service/
There is a property authorizationCheckEnabled which should (in my opinion) prevent exactly this situation, but it doesn't work this way. Maybe it is a bug.

Any thoughts, ideas and comments would be most appreciated.

Thanks a lot!

Best Regards,
Yordan

Hi @stelt0,

Here is a snippet to bypass the LDAP query for a single userId: https://github.com/camunda/camunda-consulting/tree/master/snippets/authentication-filter-with-bypass

Maybe it’s a workaround for you?

Cheers, Ingo

Hi @Ingo_Richtsmeier,

Hope you are well. Thanks for sharing the link. We also face a similar issue with poor LDAP authentication performance, as it takes 2-3 seconds per LDAP request. Is there a chance with this filter to enable a configuration to authorise only non-local requests to the Camunda REST API and bypass requests from the local host?
So we want any process on the same host as the Camunda REST engine to be eligible to make calls without authenticating against LDAP.

Best regards,
Ilya

Hello Ingo,

Thanks for sharing this with us!

I see that it works for the local demo user.

But my problem is a bit in the direction that when we do something like GET /filter/count,
we shouldn't call the LDAP server.

In my opinion, LDAP should be called only when a user logs in (to check their password) and when the application starts and Camunda is loading and mapping groups and permissions. At least that is my experience with other enterprise systems.

BR,
Yordan

Hi @Ilya_Malyarenko

If you overwrite https://github.com/camunda/camunda-bpm-platform/blob/master/engine-rest/engine-rest/src/main/java/org/camunda/bpm/engine/rest/security/auth/ProcessEngineAuthenticationFilter.java#L107-L160 as well, you get access to the request, and the setAuthenticatedUser() method is called here, too.

It should be possible.

Cheers, Ingo


Hi @stelt0,

The security layer of the engine is designed in a way to check each request against the authorizations. Otherwise it would be possible with a known REST endpoint to delete process instances or do something even worse. Have a look into the Authorization chapter of the docs for further background: https://docs.camunda.org/manual/7.9/user-guide/process-engine/authorization-service/

But with a changed implementation in the doFilter() method it should be possible to fulfil your request. (See my response to Ilya.)

Cheers, Ingo


Hi Ingo,

Thanks for your reply!

Then what is the purpose of the property authorizationCheckEnabled in the LDAP configuration?

*I make a clear difference between authentication and authorization.

This property looks to me like it should exactly prevent invoking LDAP on authorization.

BR,
Yordan

If you set the property to false, you disable the check of authorization only for user or group queries (see LdapIdentityProviderSession.isAuthorizationEnabled() and its usage in findUsersWithoutGroupId() and findGroupByQueryCriteria()).

I think it's independent from the engine authorization checks for all other commands.

Hope this helps, Ingo


Ok, thanks for the clarifications!

We will look for a way to implement it on our end.

Any suggestion on how to check what kind of request it is, so that we can exclude all but the one for login?

BR,
Yordan
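One way to cut the LDAP round trips without disabling the engine's authorization checks, added here as an illustration and not code from this thread or from Camunda: an HTTP Basic authentication provider that remembers successful password checks for a short TTL, so a burst of REST calls with the same credentials costs one LDAP bind instead of one per call. It assumes the Camunda 7.9 `HttpBasicAuthenticationProvider`/`AuthenticationResult` classes and that the class is wired in through the `authentication-provider` init parameter of ProcessEngineAuthenticationFilter; the class name and the 60-second TTL are my own choices.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import javax.servlet.http.HttpServletRequest;
import org.camunda.bpm.engine.ProcessEngine;
import org.camunda.bpm.engine.rest.security.auth.AuthenticationResult;
import org.camunda.bpm.engine.rest.security.auth.impl.HttpBasicAuthenticationProvider;

// Hypothetical provider: remembers successful password checks briefly so repeated REST
// calls do not each go to LDAP. The engine's authorization checks are not affected.
public class CachingBasicAuthenticationProvider extends HttpBasicAuthenticationProvider {
  private static final long TTL_MILLIS = 60_000L;   // assumption: 60 s of staleness is acceptable
  private static final byte[] SALT = new byte[32];  // per-process random salt, never persisted
  static { new SecureRandom().nextBytes(SALT); }
  // salted SHA-256 of "user:password" -> expiry time; only successful checks are stored
  private final ConcurrentHashMap<String, Long> validUntil = new ConcurrentHashMap<>();

  @Override
  public AuthenticationResult extractAuthenticatedUser(HttpServletRequest request, ProcessEngine engine) {
    String header = request.getHeader("Authorization");
    String[] parts;
    try {
      parts = header != null && header.startsWith("Basic ")
          ? new String(Base64.getDecoder().decode(header.substring(6)), StandardCharsets.UTF_8).split(":", 2)
          : new String[0];
    } catch (IllegalArgumentException malformed) { parts = new String[0]; } // bad base64 = no credentials
    if (parts.length != 2) return AuthenticationResult.unsuccessful();
    String user = parts[0], key = digest(user + ":" + parts[1]);
    long now = System.currentTimeMillis();
    Long expiry = validUntil.get(key);
    if (expiry != null && expiry > now) return AuthenticationResult.successful(user); // cache hit: no LDAP round trip
    validUntil.remove(key);                            // drop a stale entry, if any
    // cache miss: the configured identity provider (LDAP here) verifies the password
    if (!engine.getIdentityService().checkPassword(user, parts[1])) return AuthenticationResult.unsuccessful(user);
    validUntil.put(key, now + TTL_MILLIS);             // failures are never cached
    return AuthenticationResult.successful(user);
  }

  private static String digest(String credentials) {
    try {
      MessageDigest md = MessageDigest.getInstance("SHA-256");
      md.update(SALT);
      return Base64.getEncoder().encodeToString(md.digest(credentials.getBytes(StandardCharsets.UTF_8)));
    } catch (java.security.NoSuchAlgorithmException e) { throw new IllegalStateException(e); }
  }
}
```

The TTL bounds how long a password change or account lockout in LDAP goes unnoticed by the REST API, so keep it short; the cache only shortcuts the password check, and every request still passes through the engine's authorization checks.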

Hi everyone,

Can anyone post the complete working solution for this issue?

Thanks & Regards,
Praveen