Troubleshooting OpsCenter LDAP
Debugging LDAP using logback.xml
Locate the logback.xml file. The location of this file depends on the type of installation:
-
Package installations: /etc/opscenter/logback.xml
-
Tarball installations: install_location/conf/logback.xml
To debug LDAP with deep visibility, change the level from INFO
to DEBUG
in the <logger/>
line of logback.xml:
<logger name="org.apache.directory" level="INFO" additivity="false"/>
to
<logger name="org.apache.directory" level="DEBUG"/>
The DEBUG
logging level gives you extreme visibility into the exact queries that Opscenter is sending to the LDAP server along with the responses.
Revert the log level when you are done debugging.
Common error messages
-
Error: Failed to log in: {'desc': 'Protocol error'}
Error thrown when a
group_search_filter_with_dn
is not specified in opscenterd.conf. -
Error: Failed to log in: Invalid username or password.
This error might occur even with a valid username and password. If so, OpsCenter might not have found a matching role for the user in OpsCenter. Either manually create the role in OpsCenter for the user; or, if the user is an OpsCenter Admin user, set the
admin_group_name
in opscenterd.conf to the name of the role or group that is returned from the LDAP group query after thegroup_search_filter
has been applied. The filter must filter out all but one of the groups to which the user belongs. Otherwise, an error results saying that the user has more than one defined role error. -
Error: Failed to log in: User myuser has no roles defined in LDAP
This happens when the LDAP search returns zero roles for the authenticated user.
-
If you are using a
group_search_type
ofdirectory_search
, modify yourgroup_search_filter_with_dn
so that one or more role names are returned from LDAP. Note that exactly one of those LDAP role names must match an OpsCenter role name for authentication to be successful. -
If you are using a
group_search_type
ofmemberof_search
, ensure theuser_memberof_attribute
for the user contains a list of LDAP groups which names an OpsCenter role.
-
-
Error: Failed to log in: User myuser has no matching OpsCenter role in LDAP group(s): …
This happens when a user belongs to one or more LDAP groups, but none of those groups match any roles defined in Opscenter. The list of User’s groups returned from LDAP must contain at least one of the roles configured in OpsCenter. See role prerequisites and creating a role for an LDAP user.
-
If you are using a
group_search_type
ofdirectory_search
, modify thegroup_search_filter_with_dn
so that the returned list of LDAP groups contains exactly one of the OpsCenter role names. -
If you are using a
group_search_type
ofmemberof_search
, ensure theuser_memberof_attribute
for the user contains a list of LDAP groups that names an OpsCenter role. If using Active Directory (AD), the user should belong to at least one non-special group that is not a built-in group. A special group is one of the built-in Active Directory groups such as Domain Users.
All OpsCenter AD users must be part of the Domain Users group for the OpsCenter LDAP integration to function correctly. If Active Directory users are not a member of Domain Users, those users are not found in LDAP directory searches.
-
-
Error: Failed to log in: Specified search user username unable to bind.
Result when searching with an incorrect username for the
search_dn
or the incorrect password for thesearch_password
criteria. -
Error: In order to perform this operation a successful bind must be completed on the connection.
The initial search is failing because the user doesn’t have enough permissions for the way the query is structured. There are a few things to try:
-
Set
user_search_filter
to the default value:user_search_filter = (sAMAccountName={0})
-
Try changing
user_search_base
so that search doesn’t start from top-level domain:user_search_base = OU=Users,OU=Corp,DC=[value],DC=[value],DC=com
-
If you have a custom schema, change the
group_search_filter
andgroup_search_filter_dn
to match it.
-