Troubleshooting OpsCenter LDAP

Troubleshooting tips and an error reference when configuring LDAP for OpsCenter.

Unable to connect to LDAP server

If you see the "LDAP server is unavailable" message, a helpful way to debug is to run OpsCenter directly in the foreground instead of as a service. From your install location (for example /usr/share/opscenter/bin):

$ bin/opscenter -f

Running OpsCenter in the foreground exposes helpful debug messages from LDAP that are currently written only to stdout and not to the OpsCenter log, because of how the LDAP driver is constructed. To observe debugging output, set debug_ssl to true in opscenterd.conf:

[ldap]
debug_ssl = True

OpsCenter LDAP configuration expects the same username for user search and group search

Note: This is a known issue that was fixed in the 5.2.2 release. The revised behavior overrides the group_search_filter option, if set, with the group_search_filter_with_dn option. The DN of the user returned from the user search is used in a subsequent member search, which resolves the issue when the sAMAccountName does not match the CN for a user.

The LDAP configuration for OpsCenter currently expects the username found using the user_search_filter property to match the username found using the group_search_filter.

An example Active Directory search configuration:

user_search_base = "CN=Users,DC=devwin2008,DC=datastax,DC=lan"
user_search_filter = "(sAMAccountName={0})"
group_search_base = "CN=Users,DC=devwin2008,DC=datastax,DC=lan"
group_search_filter = "(member=cn={0},CN=Users,DC=devwin2008,DC=datastax,DC=lan)"

When using Active Directory, the sAMAccountName must be the same as the CN (Common Name), because the login name substituted for {0} in group_search_filter must match the cn component of the member DN. A mismatch results in a login failure message:

Failed to log in: User username has no defined roles in LDAP.

If the sAMAccountName = ssmith but the CN=Sam Smith, the login is unsuccessful. A sAMAccountName = ssmith with a matching CN=ssmith is successful; a sAMAccountName = Sam Smith with a matching CN=Sam Smith is successful.

Common error messages

Error: Failed to log in: {'desc': 'Protocol error'}
Thrown when a group_search_filter is not specified in opscenterd.conf.
Note: The group_search_filter has been deprecated; use group_search_filter_with_dn instead.

Error: Failed to log in: Invalid username or password.
This error might occur even with a valid username and password. If so, OpsCenter might not have found a matching role for the user in OpsCenter. Either manually create the role in OpsCenter for the user; or, if the user is an OpsCenter Admin user, set admin_group_name in opscenterd.conf to the name of the role or group that the LDAP group query returns after the group_search_filter has been applied. The filter must exclude all but one of the groups that the user belongs to; otherwise, the "User has more than one defined role" error results.

Error: User has more than one defined role (in OpsCenter).
Modify your group_search_filter so that only one role (group) is returned. That group corresponds to the user's assigned OpsCenter role. OpsCenter allows only one matching role, because a user can have only one assigned role in OpsCenter so that the proper permissions for that role are applied. For more details, see role prerequisites and creating a role for an LDAP user.

Error: Failed to log in: User myuser has no defined roles in LDAP.
Applicable to Active Directory (AD). The user must belong to at least one group that is not a built-in (special) Active Directory group; "Domain Users" is an example of a special group.
Note: All OpsCenter AD users must be members of the "Domain Users" group for the OpsCenter LDAP integration to function correctly. Active Directory users who are not members of "Domain Users" are not found in LDAP directory searches.

Error: Failed to log in: Specified search user username unable to bind.
Returned when the username given for search_dn or the password given for search_password is incorrect.

Error: Problem while calling LoginController... In order to perform this operation, a successful bind must be completed on the connection.
Returned when searching for groups or users at the domain level (for example, group_search_base = dc=corp,dc=pcln,dc=com): Microsoft AD returns referrals that fail. See http://www.python-ldap.org/faq.html for more details.
To disable following referrals for LDAP v3, set the opt_referrals option to 0.
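The following is an added example, not OpsCenter's own code: a small in-memory model of the role lookup described in the "expects the same username for user search and group search" section and in the "no defined roles", "more than one defined role" and "Invalid username or password" entries above. The directory entries, DNs (under a constructed CN=Users,DC=example,DC=lan base) and group names are all constructed, and it assumes that {0} in user_search_filter and group_search_filter is replaced by the login name while {0} in group_search_filter_with_dn is replaced by the DN returned by the user search, matching the 5.2.2 behavior the note describes. It shows why ssmith/Sam Smith fails with the legacy filter but succeeds once the user's DN is used for the member search, and why a user in two OpsCenter groups gets the "more than one defined role" error.

```python
"""Toy model of OpsCenter's LDAP role lookup (constructed example, not OpsCenter code).

Assumptions, not confirmed by the page: "{0}" in user_search_filter and
group_search_filter is replaced by the login name, while "{0}" in
group_search_filter_with_dn is replaced by the DN the user search returned.
Only "(attr=value)" equality filters are supported; DNs and values compare
case-insensitively, as LDAP does for these attributes.
"""
import re

BASE = "CN=Users,DC=example,DC=lan"  # constructed search base

# Constructed sample directory: DN -> attributes (every attribute multi-valued).
DIRECTORY = {
    # sAMAccountName differs from CN: the case the page says fails.
    "CN=Sam Smith," + BASE: {"objectClass": ["user"],
                             "sAMAccountName": ["ssmith"], "cn": ["Sam Smith"]},
    # sAMAccountName equals CN (no spaces): succeeds with the legacy filter.
    "CN=jdoe," + BASE: {"objectClass": ["user"],
                        "sAMAccountName": ["jdoe"], "cn": ["jdoe"]},
    # sAMAccountName equals CN (with a space): also succeeds.
    "CN=Pat Lee," + BASE: {"objectClass": ["user"],
                           "sAMAccountName": ["Pat Lee"], "cn": ["Pat Lee"]},
    # Member of two OpsCenter groups: triggers the "more than one role" error.
    "CN=amiller," + BASE: {"objectClass": ["user"],
                           "sAMAccountName": ["amiller"], "cn": ["amiller"]},
    "CN=opscenter-admins," + BASE: {
        "objectClass": ["group"], "cn": ["opscenter-admins"],
        "member": ["CN=Sam Smith," + BASE, "CN=Pat Lee," + BASE,
                   "CN=amiller," + BASE]},
    "CN=opscenter-readonly," + BASE: {
        "objectClass": ["group"], "cn": ["opscenter-readonly"],
        "member": ["CN=jdoe," + BASE, "CN=amiller," + BASE]},
}

# Legacy configuration following the page's pattern: the login name is
# substituted into both the user filter and the group (member) filter.
LEGACY_CFG = {
    "user_search_base": BASE,
    "user_search_filter": "(sAMAccountName={0})",
    "group_search_base": BASE,
    "group_search_filter": "(member=cn={0}," + BASE + ")",
}
# 5.2.2-style configuration: the user's DN is substituted into the member search.
DN_CFG = dict(LEGACY_CFG, group_search_filter_with_dn="(member={0})")

FILTER_RE = re.compile(r"^\((\w+)=([^)]+)\)$")


def ldap_search(base, filter_str):
    """Return the DNs under `base` whose attribute matches a simple equality filter."""
    m = FILTER_RE.match(filter_str)
    if not m:
        raise ValueError("unsupported filter: " + filter_str)
    attr, wanted = m.group(1), m.group(2).lower()
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower())
            and any(v.lower() == wanted for v in attrs.get(attr, []))]


def resolve_role(username, cfg):
    """Return the single group CN OpsCenter would use as the user's role, or the
    error message the page documents for that situation."""
    users = ldap_search(cfg["user_search_base"],
                        cfg["user_search_filter"].format(username))
    if len(users) != 1:
        return "Failed to log in: Invalid username or password."
    user_dn = users[0]
    if cfg.get("group_search_filter_with_dn"):
        # Fixed behavior: match the member attribute against the real user DN.
        group_filter = cfg["group_search_filter_with_dn"].format(user_dn)
    else:
        # Legacy behavior: the login name must equal the cn in the member DN.
        group_filter = cfg["group_search_filter"].format(username)
    groups = ldap_search(cfg["group_search_base"], group_filter)
    if not groups:
        return "Failed to log in: User %s has no defined roles in LDAP." % username
    if len(groups) > 1:
        return "User has more than one defined role."
    return DIRECTORY[groups[0]]["cn"][0]


if __name__ == "__main__":
    for user in ("ssmith", "jdoe", "Pat Lee", "amiller"):
        print("%-8s legacy: %-60s dn: %s" % (
            user, resolve_role(user, LEGACY_CFG), resolve_role(user, DN_CFG)))
```

Running the block prints one line per constructed user; only ssmith changes outcome between the legacy and DN-based configurations, and amiller fails under both until the group filter (or group membership) is narrowed to a single OpsCenter group, which is the fix the "more than one defined role" entry prescribes.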

opscenterd.conf

The location of the opscenterd.conf file depends on the type of installation:

  • Installer-Services or package installations: /etc/opscenter/opscenterd.conf
  • Installer-No Services or tarball installations: install_location/conf/opscenterd.conf
  • Windows installations: Program Files (x86)\DataStax Community\opscenter\conf\opscenterd.conf