A lot of authentication request to ADS

somogyi 2023-08-03 09:56:19 UTC #1

Hi!

After we upgrade to 23.1 (23.1.20230728), we noticed a lot of authentication request to the Active Directory server (Samba AD).
The requests are coming when the site is only browsed (after log in).
Maybe the auth cache not workin’?

Can you help with this?

BR.,
Z

RalfBecker 2023-08-03 10:41:57 UTC #2

You can enable now some logging for the authentication in Setup (upper login) > Configuration.

Maybe it gives you some inside, what is causing it.

Normally only posting the login-page and sending HTTP requests with basic authentication, should trigger authentication agains the AD and it should be cached for on hour, so the same user&password should not send an auth request to AD for the next hour.

Ralf

somogyi 2023-08-03 15:53:20 UTC #3

Hi Ralf!

I’ve set the logging option on setup page and this log doesn’t show too much authentication request, but the administrator account that was set in the setup for AD authentication is appearing a lot of time on the AD side server logs.

What can i check also for more accurate information?

Thanks,
Z

somogyi 2023-08-08 08:22:41 UTC #4

The user authentication seems normal. The administrator account that are configured in setup page for AD connection is the problem.

Can you help with this?

Thanks,

BR.,
Z

RalfBecker 2023-08-08 09:04:03 UTC #5

Hi,

I can give some pointers, but LDAP and ActiveDirectory is nothing we support via this forum.
You need to get some support budget so we can handle it via the professional support:

Everything EGroupware needs to query from LDAP/AD requires to login (bind in LDAP speech) to the directory server first. For this the admin account specified in setup is used.

So each request to LDAP requires to bind with the admin account. EGroupware maintains a single LDAP connection per HTTP request, but not between different requests. Thought we apply some caching to not request everything again on each HTTP request …

Since EGroupware 23.1 you can use a periodical import of accounts, groups and memberships, instead a direct access to the LDAP. That import stores everything the the EGroupware database, so EGroupware - apart from authentication and the periodic import - has NOT to talk to the LDAP server.

Ralf