The information in this page can be used to help troubleshoot LDAP issues.

Debugging

Enabling UI Service LDAP Trace

Symptoms

  • While configuring DPOD to work with LDAP, the LDAP configuration script returns errors.

  • After DPOD is configured to work with LDAP, some users or all of them are unable to sign in to DPOD.

Cause

  • Usually this is the result of a wrong LDAP configuration. Since the configuration is complex and involves LDAP queries and knowledge of the LDAP tree structure and the objects' properties, it often takes trial and error to make the configuration work.

  • Some of the LDAP servers may not be accessible (e.g. because of firewall rules).

  • Some of the LDAP servers may not respond or time out, which may cause random failures.

Resolution

Inspect the Logs of the LDAP Configuration Script

  • The LDAP Configuration Script writes debug-level messages with a lot of information to its log file while it runs.

  • Inspect the script's log file and see if there is information there that can help resolve the issue.

Check the Connectivity to all LDAP Servers

  • It is common to access the LDAP registry via a VIP (Virtual IP), a dynamic DNS record (which returns a different LDAP server IP address every time) or a load balancer.

  • In case of a dynamic DNS record, it is possible to find the list of the LDAP servers represented by the domain name using the nslookup command:

    nslookup <LDAP DNS Name>

    Otherwise, you need to obtain the list of the LDAP servers from the team that manages the LDAP servers in your organization.

  • Make sure it is possible to connect to all LDAP servers from the DPOD server using the telnet command, for example:

    telnet <LDAP Server IP Address> <LDAP Port>
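    The nslookup and telnet checks above, automated as an added example that is not part of the DPOD documentation: it resolves every address behind the LDAP DNS name and attempts a TCP connection to each one, reporting a timeout (typical of a firewall drop) separately from a refused connection. The resolver and checker parameters, the placeholder name ldap.example.com and the default port 389 are assumptions made for the example.

```python
import socket

# Added example, not DPOD tooling: resolve all addresses behind an LDAP DNS
# name (a VIP or dynamic DNS record may hand back several) and test a TCP
# connection to each, which is what the nslookup + telnet steps do by hand.


def resolve_all(name, resolver=socket.getaddrinfo):
    """Return the sorted, de-duplicated IP addresses behind `name`.

    `resolver` defaults to socket.getaddrinfo; it is a parameter so the
    function can be exercised offline with a constructed lookup.
    """
    addrs = set()
    for _family, _type, _proto, _canon, sockaddr in resolver(name, None, 0, socket.SOCK_STREAM):
        addrs.add(sockaddr[0])  # host address is first for both IPv4 and IPv6 tuples
    return sorted(addrs)


def check_tcp(host, port, timeout=3.0):
    """Attempt a TCP connect like `telnet host port`; return (ok, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.timeout:
        # No answer at all: typical of a firewall silently dropping packets.
        return False, "timed out (possible firewall drop)"
    except OSError as exc:
        # Immediate failure: connection refused, route missing, etc.
        return False, "%s (possible firewall reject or service down)" % (exc.strerror or exc)


def check_all(name, port, resolver=socket.getaddrinfo, checker=check_tcp):
    """Map each LDAP server address behind `name` to its connectivity result."""
    return {ip: checker(ip, port) for ip in resolve_all(name, resolver)}


if __name__ == "__main__":
    import sys

    ldap_name = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"  # placeholder
    ldap_port = int(sys.argv[2]) if len(sys.argv) > 2 else 389  # assumed default
    for ip, (ok, detail) in check_all(ldap_name, ldap_port).items():
        print("%s:%d %s - %s" % (ip, ldap_port, "OK" if ok else "FAIL", detail))
```

Run it as `python check_ldap.py <LDAP DNS Name> <LDAP Port>` from the DPOD server; a mix of OK and FAIL lines points at a specific server rather than at the DPOD LDAP configuration.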

Try working with a Specific LDAP Server

  • When working with multiple LDAP servers, some of them may not respond or time out, which may cause random failures. Troubleshooting such a scenario is very hard. Working directly against a specific LDAP server helps a lot in troubleshooting and is a recommended step to figure out whether the issue is with one of the LDAP servers or within the LDAP configuration of DPOD.

  • Choose one of the LDAP servers and use the LDAP Configuration Script to configure LDAP with the specific LDAP server IP address.

  • If this works, try another LDAP server until you find the one that is malfunctioning and contact the team that manages the LDAP servers in your organization to fix that.

Enable Debug Logging

  • To enable debug logging, which includes the LDAP realm logging, edit the service’s logging configuration file at /app/ui/MonTier-UI/lib/log4j2.xml (for the Web Console) or /app/appadmin/MonTier-AppAdmin/lib/log4j2.xml (for the Admin Console). Change the org.montier logger to level="debug" as described below:

    <Logger name="org.montier" level="debug" additivity="false">
    	<AppenderRef ref="MONTIER"/>
    	<AppenderRef ref="CATALINA"/>
    </Logger>

    The logs will be written to /logs/ui/catalina.log and /logs/appadmin/catalina.log.

  • To enable trace logging of custom roles, edit the service’s logging configuration file at /app/ui/MonTier-UI/lib/log4j2.xml (for the Web Console). Change the MNTR_CUSTOM_ROLES logger to level="trace" as described below:

    <Logger name="MNTR_CUSTOM_ROLES" level="trace" additivity="false">
    	<AppenderRef ref="LDAPLOG"/>
    </Logger>

    The logs will be written to /logs/ui/ldapLog.log.

Common Issues

Fixing Referrals Issue

  • In case the following error message appears in the Web Console log file:

    An exception performing authentication javax.naming.PartialResultException: Unprocessed Continuation Reference(s); remaining name 'DC=XX,DC=XX,DC=XX'

  • The issue may be resolved by changing the referrals parameter to ignore and connecting to the greater Active Directory "forest", which acts like a regular LDAP server on port 3268 (or 3269 for LDAPS).

LDAP authentication error codes