Troubleshooting OpsCenter LDAP

Debugging LDAP using logback.xml

<logger name="org.apache.directory" level="INFO" additivity="false"/>

<logger name="org.apache.directory" level="DEBUG"/>

The DEBUG logging level gives you extreme visibility into the exact queries that Opscenter is sending to the LDAP server along with the responses. Revert the log level when you are done debugging.

Common error messages

Error: Failed to log in: {'desc': 'Protocol error'}

Error thrown when a group_search_filter_with_dn is not specified in opscenterd.conf.

Error: Failed to log in: Invalid username or password.

This error might occur even with a valid username and password. If so, OpsCenter might not have found a matching role for the user in OpsCenter. Either manually create the role in OpsCenter for the user; or, if the user is an OpsCenter Admin user, set the admin_group_name in opscenterd.conf to the name of the role or group that is returned from the LDAP group query after the group_search_filter has been applied. The filter must filter out all but one of the groups that the user belongs to; otherwise, the User has more than one defined role error is the result.

Error: Failed to log in: User myuser has no roles defined in LDAP

This happens when the LDAP search returns zero roles for the authenticated user.

• If you are using a group_search_type of directory_search, modify your group_search_filter_with_dn so that one or more role names are returned from LDAP. Note that exactly one of those LDAP role names must match an OpsCenter role name for authentication to be successful.
• If you are using a group_search_type of memberof_search, ensure the user_memberof_attribute for the user contains a list of LDAP groups which names an OpsCenter role.

Error: Failed to log in: User myuser has no matching OpsCenter role in LDAP group(s): ...

This happens when a user belongs to one or more LDAP groups, but none of those groups match any roles defined in Opscenter. The list of User's groups returned from LDAP must contain at least one of the roles configured in OpsCenter. See role prerequisites and creating a role for an LDAP user.

• If you are using a group_search_type of directory_search, modify the group_search_filter_with_dn so that the returned list of LDAP groups contains exactly one of the OpsCenter role names.
• If you are using a group_search_type of memberof_search, ensure the user_memberof_attribute for the user contains a list of LDAP groups that names an OpsCenter role.

If using Active Directory (AD), the user should belong to at least one non-special group that is not a built-in group. A special group is one of the built-in Active Directory groups such as Domain Users.

Note: All OpsCenter AD users must be part of the Domain Users group for the OpsCenter LDAP integration to function correctly. If Active Directory users are not a member of Domain Users, those users are not found in LDAP directory searches.

Error: Failed to log in: Specified search user username unable to bind.

Result when searching with an incorrect username for the search_dn or the incorrect password for the search_password criteria.

Error: In order to perform this operation a successful bind must be completed on the connection.

The initial search is failing because the user doesn't have enough permissions for the way the query is structured. There are a few things to try:

• Set user_search_filter to the default value: user_search_filter = (sAMAccountName={0})
• Try changing user_search_base so that search doesn't start from top-level domain: user_search_base = OU=Users,OU=Corp,DC=[value],DC=[value],DC=com
• If you have a custom schema, change the group_search_filter and group_search_filter_dn to match it.