Testing LDAP authentication settings

When configuring search filter parameters for Lightweight Directory Access Protocol (LDAP) servers, always perform authentication tests to confirm that your search filters are successful. All search filters must be working properly to ensure a successful integration with your LDAP server.

Before you begin

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.

Procedure

  1. Click System > System Security.
  2. Click Test LDAP authentication settings.
  3. Test the LDAP user name search filter. In the LDAP user name field, type the name of an existing LDAP user, for example user1. Next, click Test LDAP query. If the query is successful, a check mark displays beside the Test LDAP authentication settings button. If the query is not successful, an error message displays.
  4. Test the LDAP group name search filter. In the LDAP group name field, type the name of an existing LDAP group, for example g1-10. Next, click Test LDAP query. If the query is successful, a check mark displays beside the Test LDAP authentication settings button. If the query is not successful, an error message displays.
  5. Test the LDAP membership (user name) to make sure that the query syntax is correct and that LDAP user group role inheritance works properly.
    1. In the LDAP membership (user name) field, type the name of an existing user who is a member of an LDAP group, for example user1. Then, click Test LDAP query. If the query syntax for the search filter is correct, a check mark displays beside the LDAP membership (user name) button. Note that the check mark only indicates that the syntax is correct; it does not confirm that the filter returns the expected group memberships.
    2. Next, test that the membership search works properly. First, register an LDAP group with PureApplication® Software. Then, attempt to log in to the system with a user name that belongs to that group but has not yet been registered with the system. If the login is successful and that user is added automatically to the system as an LDAP user, the membership search filter works properly.
  6. If one or more authentication tests are not successful, run the following commands to find out a typical user or group name to use as a valid parameter in your search filter:
    ldapsearch -x -h <ldap hostname> -p <ldap port> -D "<bind DN>" -w "<bind password>" -b "<base users DN>" "uid=user1"
    ldapsearch -x -h <ldap hostname> -p <ldap port> -D "<bind DN>" -w "<bind password>" -b "<base groups DN>" "uid=user1"
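The following script is an added example and is not part of the IBM documentation or of PureApplication Software. It reproduces the three checks above (user name filter, group name filter, membership filter) offline against a constructed in-memory directory, so no LDAP server is needed. It shows the two things the procedure warns about: a filter can be syntactically correct yet return nothing, and a user-supplied name must be escaped before it is substituted into the filter so that it cannot change the filter's structure. The "{0}" placeholder, the attribute names uid, cn and memberUid, and the sample DNs are assumptions for illustration, not values taken from the product.

```python
"""Offline dry run of LDAP search-filter checks (added example, not IBM code)."""
import re

# Constructed sample directory: (DN, attributes). Not real data.
DIRECTORY = [
    ("uid=user1,ou=people,dc=example,dc=com", {"uid": ["user1"], "cn": ["User One"]}),
    ("uid=user2,ou=people,dc=example,dc=com", {"uid": ["user2"], "cn": ["User Two"]}),
    ("cn=g1-10,ou=groups,dc=example,dc=com",  {"cn": ["g1-10"],  "memberUid": ["user1"]}),
    ("cn=g11-20,ou=groups,dc=example,dc=com", {"cn": ["g11-20"], "memberUid": ["user2"]}),
]
USERS_DN = "ou=people,dc=example,dc=com"    # assumed base users DN
GROUPS_DN = "ou=groups,dc=example,dc=com"   # assumed base groups DN

# Characters with special meaning inside a filter value (RFC 4515, section 3).
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter(template, value):
    """Substitute the escaped value into a template such as '(uid={0})' (assumed syntax)."""
    return template.replace("{0}", escape_filter_value(value))


# --- a deliberately small evaluator: equality, presence, AND and OR only ---
_EQ = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")


def _unescape(value):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def _split_children(body):
    """Split '(a=1)(b=2)' into ['(a=1)', '(b=2)'], raising on unbalanced text."""
    parts, depth, start = [], 0, 0
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced parentheses: " + body)
            if depth == 0:
                parts.append(body[start:i + 1])
    if depth != 0 or "".join(parts) != body:
        raise ValueError("malformed filter: " + body)
    return parts


def matches(filt, attrs):
    """True if the entry attributes satisfy the filter; ValueError on bad syntax."""
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: " + filt)
    if filt[1] in "&|":
        results = [matches(c, attrs) for c in _split_children(filt[2:-1])]
        # (&) is absolute true and (|) absolute false, as in RFC 4526.
        return all(results) if filt[1] == "&" else any(results)
    m = _EQ.match(filt)
    if not m:
        raise ValueError("unsupported or malformed filter: " + filt)
    attr, raw = m.group(1), m.group(2)
    if raw == "*":                       # unescaped wildcard: presence filter
        return attr in attrs
    return _unescape(raw) in attrs.get(attr, [])


def search(base_dn, filt):
    """DNs of entries under base_dn (subtree) that match the filter."""
    return [dn for dn, attrs in DIRECTORY if dn.endswith(base_dn) and matches(filt, attrs)]


def check_user_filter(user_name, template="(uid={0})"):
    return search(USERS_DN, build_filter(template, user_name))


def check_group_filter(group_name, template="(cn={0})"):
    return search(GROUPS_DN, build_filter(template, group_name))


def check_membership_filter(user_name, template="(memberUid={0})"):
    """Groups that list the user; an empty result means role inheritance cannot work."""
    return search(GROUPS_DN, build_filter(template, user_name))


def filter_syntax_ok(filt):
    """Mirror the console's check mark: syntax only, says nothing about results."""
    try:
        matches(filt, {})
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("user1   ->", check_user_filter("user1"))
    print("g1-10   ->", check_group_filter("g1-10"))
    print("member  ->", check_membership_filter("user1"))
    print("syntax ok, no result:", filter_syntax_ok("(uid=nobody)"), check_user_filter("nobody"))
    print("escaped wildcard matches nothing:", check_user_filter("*"))
```

The evaluator is intentionally minimal (no substring, approximate or extensible matches), which is enough to show that a green check mark for syntax is not the same as a filter that finds the right entries, and that unescaped input such as a bare "*" turns an equality filter into a presence filter over every entry.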

What to do next

To troubleshoot LDAP connection issues, see the instructions at https://www.ibm.com/support/knowledgecenter/en/SSZMMH_2.2.5/doc/iwd/tst_trbl_ldap_conn.html.