Troubleshoooting LDAP
Revision as of 11:00, 1 April 2024 by IVSWikiBlue (talk | contribs)
Often times, configuring the VALT appliance for LDAP authentication can prove challenging. Most often these issues are caused by communications problems, incorrect credentials or using the wrong distinguished name. In order to troubleshoot the issue, it's recommended you take the VALT application out of the equation.
Validate Connection
- Connect to the VALT server via SSH or access the terminal.
- If accessing via the terminal, you will need to exit to Shell.
- Ping the LDAP server:
EX: Ping ldap.ipivs.com
- If the server responds, you are able communicate with that server.
- If the server does not respond, you may have a networking issue, or ICMP may be blocked. You may need to contact the customer's IT department to investigate. If ICMP is just blocked, you do not need ICMP in order to perform LDAP queries.
- Verify you have the correct server address, and check if the server is set to accept queries via LDAP or LDAPS.
- Check to see if the VALT server can communicate with the LDAP server on the appropriate port:
For LDAP: nc -zv ldapserver 389
- This command should return: Connection to ldapserver 389 port [tcp/ldap] succeeded!.
- For LDAPS:
nc -zv ldapserver 636
- This command should return: Connection to ldapserver 636 port [tcp/ldaps] succeeded!.
- If the appropriate command returns a failure message, the VALT server is unable to communicate with the LDAP server on the appropriate port. This could be caused by a firewall or other security appliance between the two servers, or you may have the incorrect LDAP server. You should contact the customer's IT department, and notify them that the VALT server is unable to connect to the provided LDAP server on the appropriate port.
Validate LDAP Query/Credentials
After verifying communication between the VALT server and the LDAP server, you can validate the credentials you were provided by attempting to connect to the LDAP server from the command line.
- Connect to the VALT server via SSH or access the terminal.
- If accessing via the terminal, you will need to exit to shell.
- Enter the following:
ldapsearch -H ldap://ldapserver -x -b "distinguishedname" -D username -W
- Be sure to replace the ldapserver, distinguishedname, and username with the appropriate information.
- Example:
- LDAP Server: ivs2012r2dc.internal.ipivs.com
- Protocol: LDAPS
- Distinguished Name of Group: CN=IVS Users,CN=Users,DC=internal,DC=ipivs,DC=com
- Username: ivs@internal.ipivs.com
-
ldapsearch -H ldaps://ivs2012r2dc.internal.ipivs.com -x -b "CN=IVS Users,CN=Users,DC=internal,DC=ipivs,DC=com" -D ivs@internal.ipivs.com -W
- Enter the password when prompted.
- The query should return a list of group members.
- If a list of group members was returned successfully, then LDAP authentication should be working. If you are still experiencing issues, it is most likely a configuration problem with the application.
- If a list of group members was returned successfully, then LDAP authentication should be working. If you are still experiencing issues, it is most likely a configuration problem with the application.
- If you received a message stating No Such Object, the distinguished name of the group you entered is incorrect. The next section contains information on verifying the distinguished name or the group, or you can contact the customer's IT department.
- If you received a message stating No Such Object, the distinguished name of the group you entered is incorrect. The next section contains information on verifying the distinguished name or the group, or you can contact the customer's IT department.
- If you received a message stating Invalid credentials, the username or password you entered is incorrect. You will need to contact the customer's IT department.
- If you received a message stating Invalid credentials, the username or password you entered is incorrect. You will need to contact the customer's IT department.
Validate LDAP Server Database Entry
If the Server and Credentials are correct, make sure that the database entry has the correct information
- Go to the phpmyadmin interface for the server
http://<server_ip>/phpmyadmin - In the V3 database, find the table called ldap_server and copy the contents of the field "base_dn" into the field "dn" if not already present
- Test the ldap import again and see if it is working now
Verify Distinguished Name of Groups
If you believe the distinguished name of the group is incorrect, you can verify it by accessing the customer's directory using LDAP Admin and the credentials they have provided you.
- Download and run LDAP Admin.
- Click Connect.
- Double click on New Connection.
