Testing LDAP authentication settings

When configuring search filter parameters for Lightweight Directory Access Protocol (LDAP) servers, always perform authentication tests to confirm that your search filters are successful. All search filters must be working properly to ensure a successful integration with your LDAP server.

Before you begin

You must be assigned the Security administration role with permission to Manage security (Full permission) to perform these steps.
Note:
When single sign-on (SSO) is enabled, LDAP settings cannot be tested or changed.

Procedure

  1. Click System > System Security (or Security and access > System Security in version 2.3.3.3).
  2. Click Test LDAP Authentication Settings.
  3. Test the external (LDAP) user name search filter. In the LDAP user name field, type the name of an existing external user, for example user1, and click Test LDAP query. If the query is successful, a check mark is displayed beside the Test LDAP query button. If the query is not successful, an error message is displayed.
  4. Test the external (LDAP) group name search filter. In the LDAP group name field, type the name of an existing external group, for example g1-10, and click Test LDAP query. If the query is successful, a check mark is displayed beside the Test LDAP query button. If the query is not successful, an error message is displayed.
  5. Test the LDAP membership (user name) to make sure that the query syntax is correct and that LDAP user group role inheritance works properly.
    1. In the LDAP membership (user name) field, type the name of an existing user who is a member of an external (LDAP) group, for example user1, and click Test LDAP query. If the query syntax for the search filter is correct, a check mark is displayed beside the Test LDAP query button. Note that the check mark only indicates that the syntax is correct; it does not confirm that the membership lookup returns the expected groups.
    2. Test that the membership search works properly. First, register an external (LDAP) group with Cloud Pak System Software. Then, attempt to log in to the system with a user name that belongs to that group but has not yet registered with the system. If the login is successful and that user is added automatically to the system as an external user, the membership search filter works properly.
  6. If one or more authentication tests are not successful, run the following commands against the users and groups base DNs to find a valid user or group name to use as the parameter in your search filter:
    ldapsearch -x -h <ldap hostname> -p <ldap port> -D "<bind DN>" -w "<bind password>" -b "<base users DN>" "uid=user1"
    ldapsearch -x -h <ldap hostname> -p <ldap port> -D "<bind DN>" -w "<bind password>" -b "<base groups DN>" "uid=user1"
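The following script, added here as an example and not part of the product documentation, runs the same three checks (user name, group name, membership) with ldapsearch from the command line. It escapes the typed name per RFC 4515 so that characters such as `*` or `)` cannot alter the filter, and it reads the bind password from a file with -y instead of passing it with -w, so the password does not appear in process listings or shell history. The attribute names uid, cn and member, the object class groupOfNames, the base DNs and the password file path are assumptions.

```python
"""Added example: run the three LDAP search-filter tests with ldapsearch (schema and DNs assumed)."""
import subprocess

# RFC 4515: these characters must be hex-escaped inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    """Make a typed user or group name a literal value, not filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

# Filter templates for the user name, group name and membership tests (assumed schema).
FILTERS = {
    "user": "(uid={})",
    "group": "(cn={})",
    "membership": "(&(objectClass=groupOfNames)(member={}))",
}

def build_filter(kind: str, value: str) -> str:
    """Substitute an escaped value into one of the three filter templates."""
    return FILTERS[kind].format(escape_filter_value(value))

def build_ldapsearch(host, port, bind_dn, password_file, base_dn, ldap_filter):
    """ldapsearch argument list; -y reads the bind password from a file, so it is
    not exposed in process listings or shell history the way -w "<password>" is.
    "1.1" requests no attributes, so the output is just the matching DNs."""
    return ["ldapsearch", "-x", "-LLL", "-h", host, "-p", str(port),
            "-D", bind_dn, "-y", password_file, "-b", base_dn, ldap_filter, "1.1"]

def run_check(argv) -> bool:
    """True when ldapsearch exits 0 and the filter matched at least one entry."""
    try:
        proc = subprocess.run(argv, capture_output=True, text=True)
    except FileNotFoundError:  # ldapsearch (OpenLDAP client tools) not installed
        return False
    return proc.returncode == 0 and "dn:" in proc.stdout

if __name__ == "__main__":
    # Constructed sample values; replace with your own directory's settings.
    host, port, bind_dn = "ldap.example.com", 389, "cn=admin,dc=example,dc=com"
    pwfile = "/run/secrets/ldap_bind_pw"
    users_dn, groups_dn = "ou=people,dc=example,dc=com", "ou=groups,dc=example,dc=com"
    checks = [
        ("user name", users_dn, build_filter("user", "user1")),
        ("group name", groups_dn, build_filter("group", "g1-10")),
        ("membership", groups_dn, build_filter("membership", f"uid=user1,{users_dn}")),
    ]
    for name, base, flt in checks:
        ok = run_check(build_ldapsearch(host, port, bind_dn, pwfile, base, flt))
        print(f"{name:<11} {flt:<60} {'OK' if ok else 'FAILED'}")
```

The membership check passes the user's DN as the member value, which is how groupOfNames entries store members; if your directory uses memberUid or a different group class, adjust the template accordingly.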

What to do next

To troubleshoot LDAP connection issues, see the instructions at Troubleshooting LDAP connection issues.