LDAP Configuration

Problems with the configuration of the LDAP identity management settings can prevent user authentication and the determination of group membership. All LDAP configuration items are kept in IDSYS documents: the root IDSYS document, stored in the Gateway server's file system, and the IDSYS documents for tenants and storage domains. Start troubleshooting by:

  1. Determining which IDSYS document is being used based on the format of the user name (see Content Application Development for details on the login format). 

  2. Verifying that the fields in the IDSYS document being used are correct.

After determining the IDSYS that is being used, debug basic connectivity and queries directly with the LDAP server. Look in the Gateway server's log to get the exact LDAP search filter it is trying to use.

Log Level

You must enable debug-level logging on Gateway to see the log entries. See Gateway Logging.

To diagnose authentication and authorization issues (e.g., S3 signature errors) in Gateway 8.0.0 and later, set the Root logLevel to debug. Additionally, update the com.caringo.gateway.auth level at the end of logging.yaml from info to debug:

## Extra volume knobs, as these can be quite noisy.
- name: com.caringo.gateway.auth
  level: debug # default is info

This is an example from the log where it checks if a user belongs to an allowed group:

2012-09-13 22:25:47,671 DEBUG [qtp1355087478-37 - /1347593126.86weirdbucket/x/foo.txt?domain=1347593126.86example.com|2155222263AE4638]  Policy: Searching for user in ou=groups,dc=example,dc=com with filter (&(objectclass=*) (memberUid=john)(|(cn=Finance)))

The log entry of the LDAP search filter can be converted to an LDAP URL that can be used by a tool like cURL to query the LDAP server. The format of the URL is:

ldap://HOST:PORT/ROOT??sub?FILTER

Using the LDAP search filter information from the example Gateway log, this shows how to use the cURL command to query the LDAP server directly. Authenticate (bind) using the adminDN and adminPassword from the IDSYS document. Quote the URL argument, because the parentheses, &, | and * in the filter are shell metacharacters.

curl -u "cn=admin,dc=example,dc=com:secret" "ldap://localhost/ou=groups,dc=example,dc=com??sub?(&(objectclass=*)(memberUid=john)(|(cn=Finance)))"

If the connection is successful and the query finds a group entry that lists the user as a member, the output is similar to this:

DN: cn=Finance,ou=groups,dc=example,dc=com
gidNumber: 10002
memberUid: fred
memberUid: john
description: Group account
objectClass: posixGroup
cn: Finance

If there are errors, resolve them and update the IDSYS document with the corrections.
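The conversion described above (Gateway log entry to LDAP URL to cURL command, then reading the result) is mechanical and easy to get wrong by hand, so here is a small Python helper that automates it. This is an added example, not part of this documentation or of the Gateway product. The sample log line and the sample LDIF output are constructed from the examples on this page; the host name, port, bind DN and password are assumptions taken from the page's cURL example, and the function names are the example's own.

```python
import re
import shlex
from urllib.parse import quote

# Constructed sample log line, modelled on the Gateway DEBUG entry shown above.
SAMPLE_LOG_LINE = (
    "2012-09-13 22:25:47,671 DEBUG [qtp1355087478-37 - "
    "/1347593126.86weirdbucket/x/foo.txt?domain=1347593126.86example.com|2155222263AE4638]  "
    "Policy: Searching for user in ou=groups,dc=example,dc=com with filter "
    "(&(objectclass=*) (memberUid=john)(|(cn=Finance)))"
)

# Constructed sample of the LDIF-style output curl prints for a matching group.
SAMPLE_LDIF = """DN: cn=Finance,ou=groups,dc=example,dc=com
gidNumber: 10002
memberUid: fred
memberUid: john
description: Group account
objectClass: posixGroup
cn: Finance
"""

SEARCH_RE = re.compile(
    r"Searching for user in (?P<base>\S+) with filter (?P<filter>\(.*\))\s*$"
)


def parse_search_entry(line):
    """Return (base_dn, filter) from a 'Policy: Searching for user' entry, or None."""
    m = SEARCH_RE.search(line)
    if not m:
        return None
    # Gateway logs a space between filter components; it carries no meaning,
    # so drop it to get the compact form used in the URL.
    compact = re.sub(r"\)\s+\(", ")(", m.group("filter"))
    return m.group("base"), compact


def ldap_url(host, base_dn, ldap_filter, port=389, scope="sub", attrs=()):
    """Build an LDAP URL of the form ldap://HOST:PORT/BASE?ATTRS?SCOPE?FILTER.

    Characters that are not allowed unencoded in a URL (for example '|' in an
    OR filter) are percent-encoded; '=' and ',' stay readable in the DN.
    """
    enc_base = quote(base_dn, safe="=,")
    enc_filter = quote(ldap_filter, safe="=(),&!*")
    return f"ldap://{host}:{port}/{enc_base}?{','.join(attrs)}?{scope}?{enc_filter}"


def curl_command(url, bind_dn, bind_password):
    """argv for querying the directory with curl, binding as bind_dn."""
    return ["curl", "-u", f"{bind_dn}:{bind_password}", url]


def curl_command_line(url, bind_dn, bind_password):
    """Shell-quoted one-liner; shlex.join protects the filter's metacharacters."""
    return shlex.join(curl_command(url, bind_dn, bind_password))


def parse_ldif_entries(text):
    """Parse curl's LDIF-style output into a list of {attribute: [values]} dicts."""
    entries, current = [], {}
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:  # blank line separates entries
            if current:
                entries.append(current)
                current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def user_in_group(ldif_text, user, group_cn):
    """True if some returned entry is the named group and lists user in memberUid."""
    for entry in parse_ldif_entries(ldif_text):
        if group_cn in entry.get("cn", []) and user in entry.get("memberUid", []):
            return True
    return False


if __name__ == "__main__":
    # Assumed bind credentials, taken from the page's example (not real values).
    base_dn, ldap_filter = parse_search_entry(SAMPLE_LOG_LINE)
    url = ldap_url("localhost", base_dn, ldap_filter)
    print(curl_command_line(url, "cn=admin,dc=example,dc=com", "secret"))
    print("john in Finance:", user_in_group(SAMPLE_LDIF, "john", "Finance"))
```

Run the script, paste the printed cURL line into a shell on the Gateway server, and feed the output back to user_in_group to confirm that the directory really returns the user in the expected group; if it does not, the mismatch is in the IDSYS fields (adminDN, group base DN, or the attribute used for membership) rather than in Gateway's policy logic.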

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.