The information on this page can be used to troubleshoot LDAP issues in DPOD.
References
- https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm
- https://wiki.apache.org/tomcat/JNDI_HowTo
- https://www.ibm.com/support/knowledgecenter/SSZH4A_6.0.0/com.ibm.worklight.help.doc/appcenter/r_ac_tom_ldap.html
Debugging
Enabling UI Service LDAP Trace
...
Working Directly with a Specific LDAP Server
It is common to access LDAP through a VIP (virtual IP), a DNS record that resolves to several LDAP servers (so each lookup may return a different server) or a load balancer. Such a setup causes non-deterministic behavior when one of the LDAP servers is malfunctioning: some requests succeed and others fail depending on which server answered, and debugging is much harder.
Working directly against a specific LDAP server is the first recommended troubleshooting step, because it shows whether the issue is with one of the LDAP servers or with the LDAP configuration of DPOD.
In case of a DNS record, list the LDAP servers it resolves to with the nslookup command:

```shell
nslookup <LDAP DNS Name>
```
Make sure the DPOD server can reach every one of these LDAP servers on the LDAP port, for example with the telnet command (a connection that is refused or times out points to a network or firewall problem rather than to the LDAP configuration):

```shell
telnet <LDAP Server IP Address> <LDAP Port>
```
Choose one of the LDAP servers and use the LDAP Configuration Script to configure LDAP with that server's IP address instead of the VIP or DNS name. If the problem disappears, repeat with the other servers to find the faulty one; if it persists against every server, the problem is in the DPOD LDAP configuration.
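The two manual checks above (nslookup to enumerate the servers behind the DNS name, telnet to each on the LDAP port) can be scripted so that every server is probed the same way and the outcome is classified. The following is an added example, not DPOD's own tooling or the LDAP Configuration Script; the default name ldap.example.com is a placeholder, and the script only checks that the port accepts a TCP connection (what telnet shows), it does not bind or search.

```python
"""Resolve an LDAP DNS name to every address behind it and TCP-probe each one.

Added illustration for the nslookup + telnet steps; not part of DPOD.
"""
import socket
from typing import Dict, List, Optional


def resolve_all(name: str) -> List[str]:
    """Return the distinct addresses the name resolves to (what nslookup lists).

    A literal IP address is returned as-is; an unresolvable name yields [].
    """
    try:
        infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    seen: List[str] = []
    for _family, _type, _proto, _canon, sockaddr in infos:
        addr = sockaddr[0]
        if addr not in seen:
            seen.append(addr)
    return seen


def probe(host: str, port: int, timeout: float = 3.0) -> Dict[str, object]:
    """TCP-connect to host:port (what `telnet host port` does) and classify the outcome."""
    result: Dict[str, object] = {"host": host, "port": port, "ok": False, "status": "unreachable"}
    try:
        with socket.create_connection((host, port), timeout=timeout):
            result["ok"] = True
            result["status"] = "open"
    except ConnectionRefusedError:
        result["status"] = "refused"      # host is up, nothing listens on the port
    except socket.timeout:
        result["status"] = "timeout"      # typically a firewall silently dropping packets
    except OSError as exc:
        result["status"] = "unreachable"  # no route, network down, etc.
        result["error"] = str(exc)
    return result


def probe_all(name: str, port: int, timeout: float = 3.0) -> List[Dict[str, object]]:
    """Probe every server the DNS name (or VIP) resolves to."""
    return [probe(addr, port, timeout) for addr in resolve_all(name)]


def pick_server(results: List[Dict[str, object]]) -> Optional[str]:
    """Return the first server that accepted a connection, to pin DPOD to, or None."""
    for r in results:
        if r["ok"]:
            return str(r["host"])
    return None


if __name__ == "__main__":
    import sys

    # Placeholder name and port; pass the real LDAP DNS name and port as arguments.
    name = sys.argv[1] if len(sys.argv) > 1 else "ldap.example.com"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 389
    results = probe_all(name, port)
    for r in results:
        print(f"{r['host']}:{r['port']} -> {r['status']}")
    print("candidate server for the LDAP Configuration Script:", pick_server(results))
```

A server reported as "open" is a candidate to configure directly with the LDAP Configuration Script; a mix of "open" and "timeout" or "refused" across the addresses is exactly the situation in which a VIP or round-robin DNS name produces intermittent failures.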
Debugging
To enable debug logging, which includes the LDAP realm, edit the log4j2 configuration file of the service: /app/ui/MonTier-UI/lib/log4j2.xml for the UI service or /app/appadmin/MonTier-AppAdmin/lib/log4j2.xml for the App Admin service.
Change the "org.montier" logger to level="debug" as described below (debug output is verbose, so revert the level to its original value when you are done):

```xml
<Logger name="org.montier" level="debug" additivity="false">
    <AppenderRef ref="MONTIER"/>
    <AppenderRef ref="CATALINA"/>
</Logger>
```
To enable trace logging of custom roles, edit the UI service log4j2 configuration file at /app/ui/MonTier-UI/lib/log4j2.xml.
Change the "MNTR_CUSTOM_ROLES" logger to level="trace" as described below:
...
The output is written to the UI service log directory, /logs/ui, in a file named ldapLog.log.
Common Issues
Referrals
You might get the following error message:
...
Active Directory returns referrals when a search spans more than one domain of the forest, and following them fails when the referred domain controllers cannot be resolved or reached from DPOD. The issue may be resolved by changing the referrals parameter (both in the server.xml file and in the system parameters) to "ignore" and connecting to the AD global catalog of the forest, which behaves like a regular LDAP server on port 3268 (or 3269 for LDAPS). Both changes go together: on the standard ports a cross-domain search still returns continuation references even when referrals are ignored, whereas the global catalog holds a partial replica of every domain in the forest and answers the search without them. Only attributes replicated to the global catalog are returned, so check that the user and group attributes your configuration relies on are available there.
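For comparison, here is an illustrative Tomcat JNDIRealm fragment (the realm type referenced above) showing the setting that triggers referral problems beside the corrected one. This is an added, hypothetical example and not the server.xml shipped with DPOD; the host name, base DN and search filter are placeholders.

```xml
<!-- Before: a domain controller on the standard LDAP port with referrals followed.
     A subtree search that crosses a domain boundary in the forest yields referrals
     to other domain controllers, and chasing them fails if those hosts are not
     resolvable or reachable from the DPOD server. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.corp.example.com:389"
       referrals="follow"
       userBase="DC=corp,DC=example,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"/>

<!-- After: the same controller on the global catalog port with referrals ignored.
     The global catalog answers forest-wide searches from its partial replica, so
     no referrals are produced; use 3269 with ldaps:// for LDAPS. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
       connectionURL="ldap://dc1.corp.example.com:3268"
       referrals="ignore"
       userBase="DC=corp,DC=example,DC=com"
       userSearch="(sAMAccountName={0})"
       userSubtree="true"/>
```

The same referrals value must also be set in the DPOD system parameters, as noted above, so that the realm configuration and the application configuration agree.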
LDAP authentication error codes
See the following link: http://www-01.ibm.com/support/docview.wss?uid=swg21290631