LDAP Configuration

Problems with the configuration of the LDAP identity management settings can prevent user authentication and the determination of group membership. All LDAP configuration items are kept within the root IDSYS document, stored in the Gateway server's file system, and the IDSYS documents for tenants and storage domains. Start troubleshooting by:

  1. Determining which IDSYS document is being used based on the format of the user name (see Content Application Development for details on the login format). 

  2. Verifying the fields in the IDSYS being used are correct.

After determining the IDSYS that is being used, debug basic connectivity and queries directly with the LDAP server. Look in the Gateway server's log to get the exact LDAP search filter it is trying to use.

This is an example from the log where it checks if a user belongs to an allowed group:

2012-09-13 22:25:47,671 DEBUG [qtp1355087478-37 - /1347593126.86weirdbucket/x/foo.txt?domain=1347593126.86example.com|2155222263AE4638]  Policy: Searching for user in ou=groups,dc=example,dc=com with filter (&(objectclass=*) (memberUid=john)(|(cn=Finance)))

The LDAP search filter in the log entry can be converted to an LDAP URL that a tool like cURL can use to query the LDAP server. The format of the URL is:

ldap://HOST:PORT/ROOT??sub?FILTER

Using the LDAP search filter information from the example Gateway log, the following cURL command queries the LDAP server directly. Authenticate (bind) using the adminDN and adminPassword from the IDSYS document. Quote the URL so that the shell does not interpret the parentheses, ampersand, and pipe characters in the filter.

curl -u "cn=admin,dc=example,dc=com:secret" "ldap://localhost/ou=groups,dc=example,dc=com??sub?(&(objectclass=*)(memberUid=john)(|(cn=Finance)))"

If the connection is successful and the query finds users with the group, the output is similar to this:

If there are errors, resolve them and update the IDSYS document with the corrections.
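
The log-to-URL conversion described above can be scripted. This is an added example, not part of the original documentation or the Gateway product: the function names, the default port 389, and the sample log line are assumptions constructed for illustration. It percent-encodes the filter so that characters such as `&`, `|`, `?`, and spaces survive in the URL.

```python
import re
from urllib.parse import quote

# Constructed sample modelled on the Gateway log entry shown above.
SAMPLE_LOG = (
    "2012-09-13 22:25:47,671 DEBUG [qtp1355087478-37]  Policy: Searching for user in "
    "ou=groups,dc=example,dc=com with filter "
    "(&(objectclass=*) (memberUid=john)(|(cn=Finance)))"
)

_SEARCH = re.compile(
    r"Searching for user in (?P<base>.+?) with filter (?P<filter>\(.*\))\s*$")


def parse_search(log_line):
    """Return (base_dn, filter) from a 'Searching for user in ...' log entry."""
    m = _SEARCH.search(log_line)
    if m is None:
        raise ValueError("not an LDAP search log entry")
    # Drop whitespace between filter components, as the curl command above does.
    flt = re.sub(r"\)\s+\(", ")(", m.group("filter"))
    if flt.count("(") != flt.count(")"):
        raise ValueError("unbalanced parentheses in filter (truncated log line?)")
    return m.group("base"), flt


def ldap_url(log_line, host="localhost", port=389):
    """Build ldap://HOST:PORT/ROOT??sub?FILTER with percent-encoding."""
    base, flt = parse_search(log_line)
    return "ldap://{}:{}/{}??sub?{}".format(
        host, port, quote(base, safe=",="), quote(flt, safe="()=*"))


def curl_argv(log_line, admin_dn, **kw):
    """argv for curl; with no ':password' after the DN, curl prompts for it."""
    return ["curl", "-u", admin_dn, ldap_url(log_line, **kw)]


if __name__ == "__main__":
    print(ldap_url(SAMPLE_LOG))
```

Passing the list from `curl_argv` to `subprocess.run` avoids shell quoting entirely and keeps the adminPassword out of shell history and the process list.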

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.