IBM DataPower Operations Dashboard v1.0.17.0

A newer version of this product documentation is available.

You are viewing an older version. View latest at IBM DPOD Documentation.

Issues in Configuring LDAP

Symptoms

  • While configuring DPOD to work with LDAP, the LDAP configuration script returns errors.

  • After DPOD is configured to work with LDAP, some users or all of them are unable to sign in to DPOD.

Cause

  • Usually this is the result of using a wrong LDAP configuration. Since the configuration is complex and involves LDAP queries and knowledge of the LDAP tree structure and the objects properties, it often requires trial and error to make the configuration work.

  • Some of the LDAP servers may not be accessible (e.g. because of firewall rules).

  • Some of the LDAP servers may not respond or time out, which may cause random failures.

Resolution

Inspect the Logs of the LDAP Configuration Script

  • When running the LDAP Configuration Script, it will write debug level messages with a lot of information to its log file.

  • Inspect the script’s log file and see if there is information there that can help resolving the issue.

Check the Connectivity to all LDAP Servers

  • It is common to access the LDAP registry via a VIP (Virtual IP), a dynamic DNS record (which returns a different LDAP server IP address every time) or a load balancer.

  • In case of a dynamic DNS record, it is possible to find the list of the LDAP servers represented by the domain name using the nslookup command:

    nslookup <LDAP DNS Name>

    Otherwise, you need to obtain the list of the LDAP servers from the team that manages the LDAP servers in your organization.

  • Make sure it is possible to connect to all LDAP servers from the DPOD server using the telnet command, for example:

    telnet <LDAP Server IP Address> <LDAP Port>

Try working with a Specific LDAP Server

  • When working with multiple LDAP servers, some of them may not respond or time out, which may cause random failures. Troubleshooting such a scenario is very hard. Working directly against a specific LDAP server helps a lot in troubleshooting and is a recommended step to figure out whether the issue is with one of the LDAP servers or within the LDAP configuration of DPOD.

  • Choose one of the LDAP servers and use the LDAP Configuration Script to configure LDAP with the specific LDAP server IP address.

  • If this works, try another LDAP server until you find the one that is malfunctioning and contact the team that manages the LDAP servers in your organization to fix that.

Enable Debug Logging

  • To enable debug logging, which includes the LDAP realm logging, edit the service’s logging configuration file at /app/ui/MonTier-UI/lib/log4j2.xml (for the Web Console) or /app/appadmin/MonTier-AppAdmin/lib/log4j2.xml (for the Admin Console). Change the org.montier logger to level="debug" as described below:

    <Logger name="org.montier" level="debug" additivity="false"> <AppenderRef ref="MONTIER"/> <AppenderRef ref="CATALINA"/> </Logger>

    The logs will be written to /logs/ui/catalina.log and /logs/appadmin/catalina.log.

  • To enable trace logging of custom roles, edit the service’s logging configuration file at /app/ui/MonTier-UI/lib/log4j2.xml (for the Web Console). Change the MNTR_CUSTOM_ROLES logger to level="trace" as described below:

    The logs will be written to /logs/ui/ldapLog.log.

Fixing Referrals Issue

  • In case the following error message appears in the Web Console log file:

  • The issue may be resolved by changing the referrals parameter to ignore and connecting to the greater Active Directory "forest", which acts like a regular LDAP server on port 3268 (or 3269 for LDAPS).

 

 

IBM DataPower Operations Dashboard (DPOD) v1.0.17.0