Troubleshoot OpsCenter LDAP

Debug LDAP using logback.xml

Locate the logback.xml file. The location of this file depends on the type of installation:

  • Package installations: /etc/opscenter/logback.xml

  • Tarball installations: INSTALL_DIRECTORY/conf/logback.xml

To debug LDAP with deep visibility, change the level from INFO to DEBUG in the <logger/> line of logback.xml:

Original setting
<logger name="org.apache.directory" level="INFO" additivity="false"/>
New setting
<logger name="org.apache.directory" level="DEBUG"/>

The DEBUG logging level gives you extreme visibility into the exact queries that Opscenter is sending to the LDAP server along with the responses. Revert the log level when you are done debugging.

Error: Failed to log in: {'desc': 'Protocol error'}

Error thrown when a group_search_filter_with_dn is not specified in opscenterd.conf.

Error: Failed to log in: Invalid username or password

This error might occur even with a valid username and password. If so, OpsCenter might not have found a matching role for the user in OpsCenter. Either manually create the role in OpsCenter for the user; or, if the user is an OpsCenter Admin user, set the admin_group_name in opscenterd.conf to the name of the role or group that is returned from the LDAP group query after the group_search_filter has been applied. The filter must filter out all but one of the groups to which the user belongs. Otherwise, an error results saying that the user has more than one defined role error.

Error: Failed to log in: User myuser has no roles defined in LDAP

This happens when the LDAP search returns zero roles for the authenticated user.

  • If you are using a group_search_type of directory_search, modify your group_search_filter_with_dn so that one or more role names are returned from LDAP. Note that exactly one of those LDAP role names must match an OpsCenter role name for authentication to be successful.

  • If you are using a group_search_type of memberof_search, ensure the user_memberof_attribute for the user contains a list of LDAP groups which names an OpsCenter role.

Error: Failed to log in: User myuser has no matching OpsCenter role in LDAP group(s)

This happens when a user belongs to one or more LDAP groups, but none of those groups match any roles defined in Opscenter. The list of User’s groups returned from LDAP must contain at least one of the roles configured in OpsCenter. See role prerequisites and creating a role for an LDAP user.

  • If you are using a group_search_type of directory_search, modify the group_search_filter_with_dn so that the returned list of LDAP groups contains exactly one of the OpsCenter role names.

  • If you are using a group_search_type of memberof_search, ensure the user_memberof_attribute for the user contains a list of LDAP groups that names an OpsCenter role. If using Active Directory (AD), the user should belong to at least one non-special group that is not a built-in group. A special group is one of the built-in Active Directory groups such as Domain Users.

    All OpsCenter AD users must be part of the Domain Users group for the OpsCenter LDAP integration to function correctly. If Active Directory users are not a member of Domain Users, those users are not found in LDAP directory searches.

Error: Failed to log in: Specified search user username unable to bind

Result when searching with an incorrect username for the search_dn or the incorrect password for the search_password criteria.

Error: In order to perform this operation a successful bind must be completed on the connection

The initial search is failing because the user doesn’t have enough permissions for the way the query is structured. There are a few things to try:

  • Set user_search_filter to the default value: user_search_filter = (sAMAccountName={0})

  • Try changing user_search_base so that search doesn’t start from top-level domain: user_search_base = OU=Users,OU=Corp,DC=[value],DC=[value],DC=com

  • If you have a custom schema, change the group_search_filter and group_search_filter_dn to match it.

Was this helpful?

Give Feedback

How can we improve the documentation?

© Copyright IBM Corporation 2025 | Privacy policy | Terms of use Manage Privacy Choices

Apache, Apache Cassandra, Cassandra, Apache Tomcat, Tomcat, Apache Lucene, Apache Solr, Apache Hadoop, Hadoop, Apache Pulsar, Pulsar, Apache Spark, Spark, Apache TinkerPop, TinkerPop, Apache Kafka and Kafka are either registered trademarks or trademarks of the Apache Software Foundation or its subsidiaries in Canada, the United States and/or other countries. Kubernetes is the registered trademark of the Linux Foundation.

General Inquiries: Contact IBM