Troubleshooting LDAP configuration

Use the ldapsearch command line tool to troubleshoot your LDAP (Lightweight Directory Access Protocol) configuration.

Install ldapsearch

Install the ldapsearch program.

On Ubuntu, run the following command:

sudo apt-get install ldap-utils

On Red Hat Enterprise Linux (RHEL), run the following command:

sudo yum install openldap-clients

Test LDAP connection

To test your LDAP connection, run the following command:

ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub

The parameters are as follows:

-x                      Use simple authentication instead of SASL.
-H <LDAP_URL>           The LDAP server URI, for example ldap://hostname:389 or ldaps://hostname:636.
-b <LDAP_BASEDN>        The base DN from which the search starts.
-D <LDAP_BINDDN>        The DN of the user that binds to the server.
-w <LDAP_BINDPASSWORD>  The password of the bind user. Omit -D and -w for an anonymous bind, as in the first example command.
-s sub                  Search the whole subtree under the base DN.

Example commands

ldapsearch -x -H "ldap://<hostname or IP address>:389" -b "o=abc.com" -s sub
ldapsearch -x -H "ldap://<hostname or IP address>:389" -b "dc=abc,dc=com" -D "cn=admin,dc=abc,dc=com" -w "password" -s sub

Validate LDAP filters

Create a search string based on the LDAP filters to retrieve data from your LDAP server. If the search results show one or more LDAP entries, then the LDAP filter configuration is correct. If the search results do not show any entry, then the LDAP filter is not correct or is not compatible with your LDAP server type.

ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "<Search string>"

The parameters are the same as for the connection test. <Search string> is the LDAP filter to validate, with %v replaced by a real value, for example the user name or group name that you expect to find.

IBM Tivoli Directory Server LDAP filters

Table 1. IBM Tivoli Directory Server LDAP filters

Attribute name        Default value
Group filter          (&(cn=%v)(objectclass=groupOfUniqueNames))
Group ID map          *:cn
Group Member ID map   groupOfUniqueNames:uniqueMember
User filter           (&(emailAddress=%v)(objectclass=person))
User ID map           *:emailAddress

Microsoft Active Directory LDAP filters

Table 2. Microsoft Active Directory LDAP filters

Attribute name        Default value
Group filter          (&(cn=%v)(objectcategory=group))
Group ID map          *:cn
Group Member ID map   memberOf:member
User filter           (&(sAMAccountName=%v)(objectcategory=user))
User ID map           user:sAMAccountName

Custom (OpenLDAP) server LDAP filters

Table 3. Custom (OpenLDAP) server LDAP filters

Attribute name        Default value
Group filter          (&(cn=%v)(objectclass=groupOfUniqueNames))
Group ID map          *:cn
Group Member ID map   groupOfUniqueNames:uniqueMember
User filter           (&(uid=%v)(objectclass=person))
User ID map           *:uid

Resolve common login issues

Unable to log in to cp-console or cpd by using LDAP authentication

The ClassCastException error is displayed if the ObjectClass or ObjectCategory attribute is not defined in the Liberty XML file. The following error is displayed in the logs of the auth-service pods:

Exception = java.lang.ClassCastException
Source = com.ibm.ws.security.oauth20.plugins.jose4j.OidcUserClaims
probeid = 178
Stack Dump = java.lang.ClassCastException: com.ibm.wsspi.security.wim.model.Entity incompatible with com.ibm.wsspi.security.wim.model.PersonAccount
    at com.ibm.ws.security.oauth20.plugins.jose4j.OidcUserClaims.getUserinfoFromRegistryMap(OidcUserClaims.java:136)
    at com.ibm.ws.security.oauth20.plugins.jose4j.OidcUserClaims.getUserinfoFromRegistry(OidcUserClaims.java:177)
    at com.ibm.ws.security.openidconnect.web.OidcEndpointServices.getUserinfoFromRegistry(OidcEndpointServices.java:1001)
    at com.ibm.ws.security.openidconnect.web.OidcEndpointServices.userinfo(OidcEndpointServices.java:922)
    at com.ibm.ws.security.openidconnect.web.OidcEndpointServices.handleOidcRequest(OidcEndpointServices.java:281)
    at com.ibm.ws.security.openidconnect.web.OidcEndpointServlet.handleRequest(OidcEndpointServlet.java:111)
    at com.ibm.ws.security.openidconnect.web.OidcEndpointServlet.doPost(OidcEndpointServlet.java:69)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:707)

Resolving the issue

IM supports the LDAP Entity type configuration for LDAP User and Group entities to define the ObjectClass or ObjectCategory attributes automatically in the Liberty XML file.

For the existing LDAP connection, you need to restart the platform-auth-service pods to enable the LDAPEntityType configuration.

  1. Get the platform-auth-service pod name.

     oc get pods -n <your-foundational-services-namespace> | grep platform-auth-service

  2. Delete the platform-auth-service pod.

     oc delete pod <platform-auth-service-pod-name> -n <your-foundational-services-namespace>

The following is the sample Liberty XML file with the LDAP configuration:

<server>
    <featureManager>
        <feature>ldapRegistry-3.0</feature>
    </featureManager>
    <ldapRegistry id="SunOneLDAP" realm="REALM" host="dd103bgpvip1165.virginia.ms.com" port="389"
            ignoreCase="false" baseDN="o=Morgan Stanley" bindDN="msfwid=2053167,ou=prodids,o=Morgan Stanley"
            bindPassword="{xor}OQ9mHBIlFQVoaGk4NSgK" ldapType="Sun Java System Directory Server" recursiveSearch="true" sslEnabled="false"
            certificateMapMode="CERTIFICATE_FILTER" certificateFilter="uid=${SubjectCN}">
        <!-- Entity types: the object classes that identify users and groups.
             Without these, entries are returned as a generic Entity and the
             ClassCastException above is raised. -->
        <ldapEntityType name="PersonAccount">
            <objectClass>msperson</objectClass>
        </ldapEntityType>
        <!-- For Groups -->
        <ldapEntityType name="Group">
            <objectClass>msaclgroup</objectClass>
        </ldapEntityType>
        <iplanetFilters
            userFilter="(&amp;(objectClass=msperson)(uid=%v))"
            groupFilter="(&amp;(cn=%v)(objectclass=msaclgroup)(mseonid=24507))"
            userIdMap="*:uid"
            groupIdMap="*:cn"
            groupMemberIdMap="groupofuniquenames:uniquemember" />
        <ldapCache>
            <attributesCache size="2000" timeout="1200s" enabled="true" sizeLimit="2000"/>
            <searchResultsCache size="2000" timeout="1200s" enabled="true" resultsSizeLimit="2000"/>
        </ldapCache>
    </ldapRegistry>
</server>

Unable to log in as LDAP user after you configure an LDAP connection

You might not be able to log in as an LDAP user even when the connection test and the LDAP configuration are successful.

You see an error that indicates an invalid username or password.

You might see the following error in the log files of the platform-auth-service container:

CWIML4537E: The login operation could not be completed. The specified principal name XXXXXX is not found in the back-end repository.

To identify the error, enable trace for the Liberty service so that the exact error is recorded in the First Failure Data Capture (FFDC) logs. For more information, see Enable debugging for user authentication issues.

Following are the possible causes. A resolution is provided for each cause.

Cause 1 - An invalid user name value is used when you log in

The user name value is not the same as the userIdMap filter attribute value.

Resolution for cause 1

Ensure that you enter the correct user name. The user name must be the same as the userIdMap filter attribute value. The user name is case-sensitive.

Consider the following example:

LDAP user details on an LDAP server:

dn: uid=testuser,ou=people,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: TestUser
givenName: TestUser
sn: SN
uid: testuser
userPassword: testuser
mail: testuser@abc.com

LDAP configuration:

User filter: (&(uid=%v)(objectclass=person))
User ID map: *:uid

If you use *:uid as the userIdMap filter, then you must use the uid value testuser as the user name when you log in.
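As an added example that is not part of this page or the product's code (function names and the sample entry are constructed for it), the following Python shows the two pieces of logic that the Validate LDAP filters section and this cause rely on: substituting a value for %v in a filter template, with RFC 4515 escaping so the substituted value cannot alter the filter, and applying a userIdMap such as *:uid to an entry to find the name the user must log in with.

```python
# Added example, not IBM's code: render the %v filter templates from the
# tables above and derive the login name from a userIdMap (Cause 1).

# RFC 4515 escaping for a value substituted into a filter; without it a value
# such as "a*)(uid=*" would rewrite the filter instead of matching a name.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def render_filter(template: str, value: str) -> str:
    """Replace every %v in a filter template with the escaped value."""
    return template.replace("%v", escape_filter_value(value))

def ldapsearch_argv(url, base_dn, bind_dn, password, template, value):
    """argv for the ldapsearch command used above to validate a filter."""
    return ["ldapsearch", "-x", "-H", url, "-b", base_dn, "-D", bind_dn,
            "-w", password, "-s", "sub", render_filter(template, value)]

def parse_ldif(text: str) -> dict:
    """One LDIF entry as printed by ldapsearch -> {attr (lower-cased): [values]}.
    Base64 values (::) and line continuations are not handled."""
    entry = {}
    for line in text.strip().splitlines():
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry

def login_name(entry: dict, id_map: str):
    """Apply a userIdMap such as '*:uid' or 'user:sAMAccountName': before the
    colon is the object class it applies to ('*' = any), after it the attribute
    whose value must be typed as the user name. None if the map does not apply."""
    object_class, _, attr = id_map.partition(":")
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if object_class != "*" and object_class.lower() not in classes:
        return None
    values = entry.get(attr.lower())
    return values[0] if values else None

# Constructed sample: the testuser entry shown above, as ldapsearch prints it.
TESTUSER_LDIF = """
dn: uid=testuser,ou=people,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: person
cn: TestUser
uid: testuser
mail: testuser@abc.com
"""
```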

Cause 2 - LDAP login user or Bind DN user is disabled or locked at the LDAP server
Resolution for cause 2
Cause 3 - Invalid Password value is used to log in
Resolution for cause 3
Cause 4 - LDAP configuration might not be synchronized across all the pods in a high availability (HA) cluster

The login request might be going to a pod in an HA cluster that does not have the LDAP configuration.

Resolution for cause 4

Restart the platform-auth-service pod. If the issue is still not resolved, restart the platform-auth-service, platform-identity-provider, and platform-identity-management pods.

Cause 5 - LDAP connection issues due to various reasons
Resolution for cause 5
Cause 6 - External database connection failed in the platform-auth-service container

You can see external database connection failure errors in the logs of the platform-auth-service container.

Resolution for cause 6

Restart the platform-auth-service pod that is configured with the external database.

Resolve common issues with search users or groups

Unable to search users or groups while you create a team.

Cause

You used an invalid search string.

Resolution

You must use the value of the cn attribute, or of the user or group attribute (such as uid or emailAddress) that you used in the LDAP configuration.

Consider the following example:

LDAP user details on an LDAP server:

dn: uid=testuser,ou=people,dc=abc,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: TestUser
givenName: TestUser
sn: SN
uid: testuser
userPassword: testuser
mail: testuser@abc.com

The following filters are used in the LDAP configuration:

The userIdMap that is used is *:uid.

The valid values that you can use to search for a user are as follows: