Troubleshooting OpsCenter LDAP

Troubleshooting tips and an error reference when configuring LDAP for OpsCenter.

Debugging LDAP using logback.xml 

To get deep visibility into what OpsCenter sends to the LDAP server, change the level of the org.apache.directory logger from INFO to DEBUG in logback.xml. Replace:
<logger name="org.apache.directory" level="INFO" additivity="false"/>
with:
<logger name="org.apache.directory" level="DEBUG"/>

At DEBUG, the log shows the exact queries that OpsCenter sends to the LDAP server together with the responses, so it can contain user DNs, group names and other directory attribute values. Restrict who can read the log while this level is enabled, and revert the level to INFO when you are done debugging.

Common error messages 

Error: Failed to log in: {'desc': 'Protocol error'}
This error is thrown when group_search_filter_with_dn is not specified in opscenterd.conf.
Error: Failed to log in: Invalid username or password.
This error can occur even when the username and password are valid. In that case, OpsCenter might not have found a matching role for the user. Either create the role for the user manually in OpsCenter, or, if the user is an OpsCenter Admin user, set admin_group_name in opscenterd.conf to the name of the group that the LDAP group query returns after group_search_filter has been applied. Of the groups the user belongs to, the filter must leave exactly one that matches an OpsCenter role; if more than one matches, the login fails with the User has more than one defined OpsCenter role error instead.
Error: Failed to log in: User myuser has more than one defined OpsCenter role.
The list of the user's groups returned from LDAP must contain exactly one of the roles configured in OpsCenter. A user can have only one assigned role in OpsCenter, because that role determines which permissions apply to the user.
  • If you are using a group_search_type of directory_search, modify group_search_filter_with_dn to reduce the number of groups (roles) returned so that OpsCenter finds only one match. That group corresponds to the user's assigned OpsCenter role.
  • If you are using a group_search_type of memberof_search, ensure the user_memberof_attribute of the user lists LDAP groups of which no more than one is an OpsCenter role.

For more details, see role prerequisites and creating a role for an LDAP user.

Error: Failed to log in: User myuser has no roles defined in LDAP
This happens when the LDAP search returns zero roles for the authenticated user.
  • If you are using a group_search_type of directory_search, modify your group_search_filter_with_dn so that one or more role names are returned from LDAP. Note that exactly one of those LDAP role names must match an OpsCenter role name for authentication to be successful.
  • If you are using a group_search_type of memberof_search, ensure the user_memberof_attribute of the user lists LDAP groups, exactly one of which names an OpsCenter role.

For more details, see role prerequisites and creating a role for an LDAP user.

Error: Failed to log in: User myuser has no matching OpsCenter role in LDAP group(s): ...
This happens when the user belongs to one or more LDAP groups, but none of those groups match any role defined in OpsCenter. The list of the user's groups returned from LDAP must contain exactly one of the roles configured in OpsCenter. See role prerequisites and creating a role for an LDAP user.
  • If you are using a group_search_type of directory_search, modify group_search_filter_with_dn so that the returned list of LDAP groups contains exactly one of the OpsCenter role names.
  • If you are using a group_search_type of memberof_search, ensure the user_memberof_attribute of the user lists LDAP groups, exactly one of which names an OpsCenter role.
If you are using Active Directory (AD), the user must belong to at least one non-special group, that is, a group other than the built-in Active Directory groups such as Domain Users.
Note: All OpsCenter AD users must be members of the Domain Users group for the OpsCenter LDAP integration to function correctly. Active Directory users who are not members of Domain Users are not found by LDAP directory searches.
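The three role errors above all come from one lookup sequence: find the user's DN with user_search_filter, find the user's groups with group_search_filter_with_dn, then match the group names against the roles defined in OpsCenter. The following is an added example, not OpsCenter's own code: a small Python model of directory_search resolution against a constructed in-memory directory, showing how the group filter decides which of these errors you get. The option names group_search_base and group_name_attribute, the use of {0} as the user's DN in group_search_filter_with_dn, and the deliberately minimal filter evaluator (no wildcards, no RFC 4515 escaping) are assumptions of this example.

```python
"""Toy model of OpsCenter's directory_search role resolution.

Constructed example, not OpsCenter's code. The in-memory directory, the minimal
LDAP filter evaluator and the option names group_search_base /
group_name_attribute are assumptions made for this illustration.
"""

USER_DN = "cn=myuser,ou=users,dc=example,dc=com"

# Constructed sample directory (DN -> attributes); not real data.
DIRECTORY = {
    USER_DN: {"objectClass": ["person"], "sAMAccountName": ["myuser"]},
    "cn=opscenter_admins,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"], "cn": ["opscenter_admins"], "member": [USER_DN]},
    "cn=opscenter_readonly,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"], "cn": ["opscenter_readonly"], "member": [USER_DN]},
    "cn=vpn_users,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"], "cn": ["vpn_users"], "member": [USER_DN]},
    "cn=dba,ou=groups,dc=example,dc=com": {
        "objectClass": ["group"], "cn": ["dba"],
        "member": ["cn=someone,ou=users,dc=example,dc=com"]},
}


def _parse(f, i):
    """Parse one parenthesised filter node starting at f[i]; return (node, next_index)."""
    if f[i] != "(":
        raise ValueError("expected '(' at %d" % i)
    i += 1
    if f[i] in "&|!":
        op, subs, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            subs.append(node)
        if f[i] != ")":
            raise ValueError("expected ')' at %d" % i)
        return (op, subs), i + 1
    j = f.index(")", i)  # a value may contain '=' (a DN) but, in this toy, not ')'
    attr, _, value = f[i:j].partition("=")
    return ("=", attr, value), j + 1


def parse_filter(f):
    node, i = _parse(f, 0)
    if i != len(f):
        raise ValueError("trailing text after filter")
    return node


def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes (case-insensitive)."""
    op = node[0]
    if op == "=":
        _, attr, value = node
        vals = next((v for k, v in attrs.items() if k.lower() == attr.lower()), [])
        return any(v.lower() == value.lower() for v in vals)
    if op == "&":
        return all(matches(s, attrs) for s in node[1])
    if op == "|":
        return any(matches(s, attrs) for s in node[1])
    return not matches(node[1][0], attrs)  # "!"


def search(base, filt):
    """Return the DNs under `base` whose attributes satisfy `filt`."""
    node = parse_filter(filt)
    return [dn for dn, attrs in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(node, attrs)]


def resolve_role(username, opscenter_roles,
                 user_search_base="ou=users,dc=example,dc=com",
                 user_search_filter="(sAMAccountName={0})",
                 group_search_base="ou=groups,dc=example,dc=com",
                 group_search_filter_with_dn="(&(objectClass=group)(member={0}))",
                 group_name_attribute="cn"):
    """Return ("ok", role) or ("error", message), using the error texts from this page."""
    users = search(user_search_base, user_search_filter.replace("{0}", username))
    if len(users) != 1:
        return ("error", "Invalid username or password.")
    groups = search(group_search_base,
                    group_search_filter_with_dn.replace("{0}", users[0]))
    names = [DIRECTORY[g][group_name_attribute][0] for g in groups]
    if not names:
        return ("error", "User %s has no roles defined in LDAP" % username)
    matched = [n for n in names if n in opscenter_roles]
    if not matched:
        return ("error", "User %s has no matching OpsCenter role in LDAP group(s): %s"
                % (username, ", ".join(names)))
    if len(matched) > 1:
        return ("error", "User %s has more than one defined OpsCenter role." % username)
    return ("ok", matched[0])


if __name__ == "__main__":
    # The default filter returns every group myuser is in; only one is an OpsCenter role.
    print(resolve_role("myuser", {"opscenter_admins"}))
    # Two returned groups are OpsCenter roles: ambiguous, login fails.
    print(resolve_role("myuser", {"opscenter_admins", "opscenter_readonly"}))
    # Narrow the filter so exactly one OpsCenter role remains.
    narrowed = "(&(objectClass=group)(member={0})(!(cn=opscenter_readonly)))"
    print(resolve_role("myuser", {"opscenter_admins", "opscenter_readonly"},
                       group_search_filter_with_dn=narrowed))
```

The point the model makes concrete is that OpsCenter does not need the filter to return exactly one group; it needs exactly one of the returned groups to be an OpsCenter role. Extra groups such as vpn_users are harmless, while a second group that is also an OpsCenter role produces the "more than one defined OpsCenter role" error until the filter excludes it.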
Error: Failed to log in: Specified search user username unable to bind.
This error results when the search_dn is not a valid bind DN or the search_password is wrong, so OpsCenter cannot bind as the search user before running the user search.
Error: In order to perform this operation a successful bind must be completed on the connection.
The initial search is failing because the search user does not have enough permissions for the way the query is structured. Before changing opscenterd.conf, confirm outside OpsCenter that the search_dn can bind and run the same query (for example with ldapsearch, using the same bind DN, password, search base and filter). Then try the following:
  • Set user_search_filter to the default value: user_search_filter = (sAMAccountName={0})
  • Change user_search_base so that the search does not start at the top-level domain, for example: user_search_base = OU=Users,OU=Corp,DC=[value],DC=[value],DC=com
  • If you have a custom schema, change group_search_filter and group_search_filter_with_dn to match it.

opscenterd.conf 

The location of the opscenterd.conf file depends on the type of installation:

  • Package installations: /etc/opscenter/opscenterd.conf
  • Tarball installations: install_location/conf/opscenterd.conf

logback.xml 

The location of the logback.xml file depends on the type of installation:

  • Package installations: /etc/opscenter/logback.xml
  • Tarball installations: install_location/conf/logback.xml