Troubleshooting LDAP configuration
Use the ldapsearch command line tool to troubleshoot your LDAP (Lightweight Directory Access Protocol) configuration.
Install ldapsearch
Install the ldapsearch program.
On Ubuntu, run the following command:
sudo apt-get install ldap-utils
On Red Hat Enterprise Linux (RHEL), run the following command:
sudo yum install openldap-clients
Test LDAP connection
To test your LDAP connection, run the following command. The -x option requests a simple bind, so the bind password crosses the network in cleartext unless the URL is ldaps:// (or you add -ZZ to require StartTLS). Passing the password with -w also exposes it in the process list and in your shell history; for anything beyond a quick test, use -W to be prompted for it or -y <file> to read it from a file that only you can read.
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub
Following are the parameter descriptions:
- <LDAP_URL> is the URL of the LDAP server. For example, ldap://<LDAP server domain name or IP address>:<port> or ldaps://<LDAP server domain name>:<port>. The default port is 389 for LDAP and 636 for LDAP over TLS/SSL (LDAPS).
- <LDAP_BASEDN> is the distinguished name (DN) of the search base. For example, dc=abc,dc=com.
- <LDAP_BINDDN> is the DN of the LDAP user who is allowed to search the base DN. For example, cn=admin,dc=abc,dc=com.
- <LDAP_BINDPASSWORD> is the password of the user who is named in the bind DN.
Example commands
Anonymous search, which succeeds only if the server permits unauthenticated access to the base DN:
ldapsearch -x -H "ldap://<hostname or IP address>:389" -b "o=abc.com" -s sub
Authenticated search with a bind DN, which is what the LDAP configuration itself performs:
ldapsearch -x -H "ldap://<hostname or IP address>:389" -b "dc=abc,dc=com" -D "cn=admin,dc=abc,dc=com" -w "password" -s sub
Validate LDAP filters
Create a search string from your configured LDAP filter (replace %v with the value you want to look up, or with * to match every candidate entry) and run it against your LDAP server. If the search results show one or more LDAP entries, the filter works with your server. If the search results show no entry, the filter is not correct or is not compatible with your LDAP server type. An empty result can also mean that the bind DN user is not permitted to read the matching entries, because an LDAP server returns only the entries that the bound identity may see; confirm the result with a bind DN that you know has read access before you change the filter.
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "<Search string>"
Following are the parameter descriptions:
- <LDAP_URL> is the URL of the LDAP server. For example, ldap://<LDAP server domain name or IP address>:<port> or ldaps://<LDAP server domain name>:<port>. The default port is 389 for LDAP and 636 for LDAPS.
- <LDAP_BASEDN> is the LDAP DN of the search base. For example, dc=abc,dc=com.
- <LDAP_BINDDN> is the DN of the LDAP user who is allowed to search the base DN. For example, cn=admin,dc=abc,dc=com.
- <LDAP_BINDPASSWORD> is the password of the user who is named in the bind DN.
- <Search string> is the LDAP filter that is used to search your LDAP server.
IBM Tivoli Directory Server LDAP filters
| Attribute name | Default value |
|---|---|
| Group filter | (&(cn=%v)(objectclass=groupOfUniqueNames)) |
| Group ID map | *:cn |
| Group Member ID map | groupOfUniqueNames:uniqueMember |
| User filter | (&(emailAddress=%v)(objectclass=person)) |
| User ID map | *:emailAddress |
Example command to validate group filter
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(cn=*)(objectclass=groupOfUniqueNames))"
Example command to validate group ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectclass=*)(cn=*))"
Example command to validate group member ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectclass=groupOfUniqueNames)(uniqueMember=*))"
Example command to validate user filter
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(emailAddress=*)(objectclass=person))"
Example command to validate user ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectclass=*)(emailAddress=*))"
Microsoft Active Directory LDAP filters
| Attribute name | Default value |
|---|---|
| Group filter | (&(cn=%v)(objectcategory=group)) |
| Group ID map | *:cn |
| Group Member ID map | memberOf:member |
| User filter | (&(sAMAccountName=%v)(objectcategory=user)) |
| User ID map | user:sAMAccountName |
Example command to validate group filter
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(cn=*)(objectcategory=group))"
Example command to validate group ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectcategory=*)(cn=*))"
Example command to validate group member ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectcategory=*)(member=*))"
Example command to validate user filter
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(sAMAccountName=*)(objectcategory=user))"
Example command to validate user ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectcategory=user)(sAMAccountName=*))"
Custom (OpenLDAP) server LDAP filters
| Attribute name | Default value |
|---|---|
| Group filter | (&(cn=%v)(objectclass=groupOfUniqueNames)) |
| Group ID map | *:cn |
| Group Member ID map | groupOfUniqueNames:uniqueMember |
| User filter | (&(uid=%v)(objectclass=person)) |
| User ID map | *:uid |
Example command to validate group filter
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(cn=*)(objectclass=groupOfUniqueNames))"
Example command to validate group ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectclass=*)(cn=*))"
Example command to validate group member ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectclass=groupOfUniqueNames)(uniqueMember=*))"
Example command to validate user filter
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(uid=*)(objectclass=person))"
Example command to validate user ID map
ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "(&(objectclass=*)(uid=*))"
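Every filter in the tables above carries a %v placeholder that is filled with the name a person types at login or in a team search, so the string that ldapsearch finally evaluates depends on that input. The following Python script is an added example, not code from the original page or from the product it describes. It shows the filter that results from a substitution, why the value has to be escaped per RFC 4515 before it is substituted (an unescaped * or ) changes what the filter matches), and a syntax check for the filter forms the tables use, which catches the unbalanced-parenthesis mistakes that make ldapsearch report a bad search filter. The template strings are copied from the tables; the function names and sample values are this example's own, and how the product performs the substitution internally is not described on this page.

```python
"""Substitute a value into the LDAP filter templates above and sanity-check the result.

Added example; not code from the original page or from the product it describes.
"""
import re

# Filter templates copied from the tables above; %v is replaced with the login/search value.
FILTER_TEMPLATES = {
    "tds_user": "(&(emailAddress=%v)(objectclass=person))",
    "ad_user": "(&(sAMAccountName=%v)(objectcategory=user))",
    "ad_group": "(&(cn=%v)(objectcategory=group))",
    "openldap_user": "(&(uid=%v)(objectclass=person))",
    "openldap_group": "(&(cn=%v)(objectclass=groupOfUniqueNames))",
}

# RFC 4515 section 3: these characters must be hex-escaped inside an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Attribute descriptions: a letter followed by letters, digits, '-', '.' or ';' (options).
_ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9.;-]*")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so that it can only ever match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template: str, value: str) -> str:
    """The filter to hand to ldapsearch for a real login or search value, with %v escaped."""
    if "%v" not in template:
        raise ValueError("template has no %v placeholder")
    return template.replace("%v", escape_filter_value(value))


def wildcard_filter(template: str) -> str:
    """The validation trick used in the commands above: %v -> * lists every matching entry."""
    return template.replace("%v", "*")


def is_valid_filter(text: str) -> bool:
    """Check RFC 4515 syntax for the subset the templates use:
    (&...), (|...), (!...) and simple items attr=value, attr~=value, attr>=value, attr<=value.
    Extensible-match items (attr:rule:=value) are out of scope for this example.
    """
    pos = 0

    def parse() -> bool:
        nonlocal pos
        if pos >= len(text) or text[pos] != "(":
            return False
        pos += 1
        if pos < len(text) and text[pos] in "&|":
            pos += 1
            count = 0
            while pos < len(text) and text[pos] == "(":
                if not parse():
                    return False
                count += 1
            if count == 0:  # (&) and (|) with no operands are rejected here
                return False
        elif pos < len(text) and text[pos] == "!":
            pos += 1
            if not parse():
                return False
        else:
            end = text.find(")", pos)
            if end == -1:
                return False
            item = text[pos:end]
            for op in ("~=", ">=", "<=", "="):
                attr, sep, val = item.partition(op)
                if sep:
                    break
            if not sep or not _ATTR_RE.fullmatch(attr) or "(" in val:
                return False
            pos = end
        if pos >= len(text) or text[pos] != ")":
            return False
        pos += 1
        return True

    return parse() and pos == len(text)


if __name__ == "__main__":
    for name, template in FILTER_TEMPLATES.items():
        print(name, wildcard_filter(template), build_filter(template, "a)(uid=admin"))
```

The wildcard_filter output is exactly the string that the validation commands above pass to ldapsearch; build_filter gives the filter to try with one specific name once the wildcard search has shown that entries are there at all.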
Resolve common login issues
Unable to log in as LDAP user after you configure an LDAP connection
You might not be able to log in as an LDAP user even when the connection test and the LDAP configuration are successful.
You see an error that indicates an invalid username or password.
You might see the following error in the log files of the platform-auth-service container of the auth-idp pod:
CWIML4537E: The login operation could not be completed. The specified principal name XXXXXX is not found in the back-end repository.
To identify the exact error, enable trace for the Liberty service and read the first failure data capture (FFDC) logs. For more information, see Enable debugging for user authentication issues.
Following are the possible causes. A resolution is provided for each cause.
Cause 1 - Invalid username value is used when you logged in
The user name that you entered is not the same as the value of the attribute that the userIdMap selects.
Resolution
Enter the user name exactly as it is stored in the attribute that the userIdMap selects. The comparison is case-sensitive.
Consider the following example:
LDAP user details on an LDAP server:
dn: uid=testuser,ou=people,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: TestUser
givenName: TestUser
sn: SN
uid: testuser
userPassword: testuser
mail: testuser@abc.com
LDAP configuration:
User filter: (&(uid=%v)(objectclass=person))
User ID map: *:uid
If you use *:uid as the userIdMap filter, then you must use the uid value testuser as the user name when you log in.
Cause 2 - LDAP login user or Bind DN user is disabled or locked at the LDAP server
- The LDAP login user is disabled or locked at the LDAP server due to many unsuccessful login attempts.
- The Bind DN user is disabled or locked at LDAP server due to many unsuccessful login attempts.
Resolution
- Use the ldapsearch tool to test the LDAP connection with the bind DN.
- Enable or unlock the LDAP login user or the bind DN user at the LDAP server.
Cause 3 - Invalid Password value is used to log in
- The LDAP user password might be wrong.
- The Bind DN password might contain some unsupported special characters.
Resolution
- Enter the correct password and try logging in.
- If the bind DN password contains special characters that the configuration does not accept, change it to a password without those characters. Keep the new password long: the bind DN account can read your directory.
Cause 4 - LDAP configuration might not be synchronized across all the pods in a high availability (HA) cluster
The login request might be going to a pod in an HA cluster that does not have the LDAP configuration.
Resolution
Restart the auth-idp pods.
Cause 5 - LDAP connection issues due to various reasons
- The LDAP server is not reachable.
- You used the LDAP server hostname in the LDAP server URL, and the hostname does not resolve. This issue might be because the correct DNS server entries were not added during cluster installation.
- If LDAPS is used for the LDAP connection, the following are possible causes:
  - An IP address is used instead of the LDAP server hostname in the LDAP server URL, so the name in the certificate cannot be verified.
  - The LDAP server certificate is not imported into your cluster.
  - The LDAP server certificate does not match the LDAP server hostname, neither in its subject nor in any of its Subject Alternative Names (SANs).
Resolution
- Test the LDAP connection by using the ldapsearch tool.
- Add the LDAP server hostname to the /etc/hosts file, either on the master node or in the platform-auth-service container of the auth-idp pod. An entry added inside the container is lost when the pod restarts, so fix the DNS configuration for a permanent resolution.
- For an LDAPS connection, use the LDAP server hostname in the LDAP server URL and make sure that the LDAP server certificate is imported into your cluster. Follow all the required steps in Configuring LDAP over SSL.
- If the certificate does not match, change the hostname that you use, or get a new certificate that matches the LDAP server hostname or one of its SANs.
Cause 6 - MongoDB connection failed in the platform-auth-service container of the auth-idp pod
You might see MongoDB connection failure errors in the logs of the platform-auth-service container of the auth-idp pod.
Resolution
Check the status of all icp-mongodb-x** pods and restart the pods if the status is not Running. Then, restart all auth-idp pods.
Resolve common issues with search users or groups
Unable to search users or groups while you create a team.
Cause
You used an invalid search string.
Resolution
Search by the value of the cn attribute, or by the value of the attribute that your LDAP configuration maps to the user or group ID (for example, uid or emailAddress).
Consider the following example:
LDAP user details on an LDAP server
dn: uid=testuser,ou=people,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: TestUser
givenName: TestUser
sn: SN
uid: testuser
userPassword: testuser
mail: testuser@abc.com
Following filters are used in the LDAP configuration:
- User filter: (&(uid=%v)(objectclass=person))
- User ID map: *:uid
Because the userIdMap is *:uid, the valid values that you can use to search for this user are as follows:
- TestUser (cn value)
- testuser (uid value)
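Both the login check in Cause 1 above and this search example come down to the same rule: take the entry as the directory stores it, resolve the ID map to one attribute, and compare the typed name against that attribute's value with exact case. The following Python script is an added example, not code from the original page or from the product it describes. It parses the LDIF entry shown above (constructed sample data, not a real directory), applies a user ID map such as *:uid or user:sAMAccountName as the page states the rule, and lists the values that find the entry in a team search. How the product applies the map internally is not described on this page; the function names are this example's own.

```python
"""Work out which login name and which search values an LDAP entry accepts.

Added example; not code from the original page or from the product it describes.
"""
import base64
from typing import Dict, List, Optional, Set

# The sample entry from the page (constructed test data, not a real directory).
SAMPLE_LDIF = """\
dn: uid=testuser,ou=people,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: TestUser
givenName: TestUser
sn: SN
uid: testuser
userPassword: testuser
mail: testuser@abc.com
"""

Entry = Dict[str, List[str]]


def parse_ldif_entry(text: str) -> Entry:
    """Parse one LDIF entry into {attribute (lower-cased): [values]}.

    Attribute names are case-insensitive in LDAP, so they are normalised; values are
    kept exactly as stored. Folded lines (leading space) are joined and base64 values
    ("attr:: ...") are decoded, because ldapsearch prints non-ASCII values that way.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    entry: Entry = {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        entry.setdefault(name.strip().lower(), []).append(value)
    return entry


def mapped_attribute(id_map: str, entry: Entry) -> Optional[str]:
    """Resolve an ID map of the form objectClass:attribute against an entry.

    "*" matches any object class; otherwise the entry must carry that class.
    Returns the attribute name (lower-cased) or None when the map does not apply.
    """
    object_class, _, attribute = id_map.partition(":")
    if not attribute:
        raise ValueError(f"ID map {id_map!r} is not in objectClass:attribute form")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if object_class != "*" and object_class.lower() not in classes:
        return None
    return attribute.lower()


def expected_login_name(entry: Entry, user_id_map: str) -> Optional[str]:
    """The exact string the user must type at login, or None if the map yields nothing."""
    attribute = mapped_attribute(user_id_map, entry)
    if attribute is None or not entry.get(attribute):
        return None
    return entry[attribute][0]


def login_name_matches(entry: Entry, user_id_map: str, typed: str) -> bool:
    """Case-sensitive comparison, as the page states (TestUser != testuser for *:uid)."""
    return typed == expected_login_name(entry, user_id_map)


def valid_search_values(entry: Entry, id_map: str) -> Set[str]:
    """Values that find this entry in a team search: its cn and the mapped attribute."""
    values = set(entry.get("cn", []))
    attribute = mapped_attribute(id_map, entry)
    if attribute:
        values.update(entry.get(attribute, []))
    return values


if __name__ == "__main__":
    user = parse_ldif_entry(SAMPLE_LDIF)
    print("login name for *:uid :", expected_login_name(user, "*:uid"))
    print("TestUser accepted?    :", login_name_matches(user, "*:uid", "TestUser"))
    print("search values         :", sorted(valid_search_values(user, "*:uid")))
```

Feed the script the LDIF that ldapsearch returns for the user who cannot log in; if expected_login_name comes back None, the ID map names an attribute or object class the entry does not have, which is a configuration mismatch rather than a wrong password.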