Troubleshooting LDAP configuration

Use the ldapsearch command-line tool (part of the OpenLDAP client utilities) to troubleshoot your LDAP (Lightweight Directory Access Protocol) configuration: first confirm that you can connect and bind, then confirm that the configured filters return entries.

Install ldapsearch

Install the ldapsearch program.

On Ubuntu, run the following command:

sudo apt-get install ldap-utils

On Red Hat Enterprise Linux (RHEL), run the following command:

sudo yum install openldap-clients

Test LDAP connection

To test your LDAP connection, run the following command:

ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub

Following are the parameter descriptions:

-x                        Use simple authentication instead of SASL.
-H <LDAP_URL>             URL of the LDAP server, for example ldap://host:389 or ldaps://host:636.
-b <LDAP_BASEDN>          Base DN that the search starts from, for example dc=abc,dc=com.
-D <LDAP_BINDDN>          DN of the account to bind as. Omit -D and -w to bind anonymously.
-w <LDAP_BINDPASSWORD>    Password of the bind DN. A password given with -w is visible in shell history and in the process list; use -W to be prompted or -y <file> to read it from a file.
-s sub                    Search scope: the base DN and its entire subtree.

Example commands

The first command binds anonymously; the second binds as cn=admin,dc=abc,dc=com:

ldapsearch -x -H "ldap://<hostname or IP address>:389" -b "o=abc.com" -s sub
ldapsearch -x -H "ldap://<hostname or IP address>:389" -b "dc=abc,dc=com" -D "cn=admin,dc=abc,dc=com" -w "password" -s sub
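The following script is an added example, not part of the original page or the product's own tooling. It wraps the connection test and turns the ldapsearch exit status into a diagnosis: ldapsearch exits with the LDAP result code of the failed operation (49 for invalidCredentials, 32 for noSuchObject, and so on) and with 255 when it could not reach the server at all. The environment variables LDAP_URL, LDAP_BASEDN, LDAP_BINDDN and LDAP_PASSFILE are assumptions of this example; the bind password is read from a file with -y rather than passed with -w.

```shell
#!/bin/sh
# Added example, not part of the original page: run the connection test and
# turn the ldapsearch exit status into a plain-language diagnosis.
# ldapsearch exits with the LDAP result code of the failed operation and
# with 255 (internal code -1) when it could not contact the server at all.

explain_ldap_rc() {
  case $1 in
    0)   echo "success: bind and search of the base DN worked" ;;
    32)  echo "noSuchObject: the base DN (-b) does not exist on this server" ;;
    34)  echo "invalidDNSyntax: check the syntax of the bind DN (-D) or base DN (-b)" ;;
    48)  echo "inappropriateAuthentication: the server refused this bind method (anonymous bind disabled?)" ;;
    49)  echo "invalidCredentials: wrong bind DN or bind password" ;;
    50)  echo "insufficientAccessRights: the bind DN is not allowed to read the base DN" ;;
    255) echo "cannot contact server: wrong host or port, firewall, or a TLS problem with ldaps://" ;;
    *)   echo "ldapsearch failed with LDAP result code $1" ;;
  esac
}

# Bind and read only the base entry (-s base, attribute list "1.1" = DNs only)
# instead of dumping the whole subtree. The bind password comes from a file
# via -y so that it does not land in shell history or in the process list
# the way -w <password> does.
ldap_connection_test() {
  url=$1; basedn=$2; binddn=$3; passfile=$4
  if [ -n "$binddn" ]; then
    set -- -D "$binddn" -y "$passfile"
  else
    set --                      # anonymous bind: no -D / -y
  fi
  if ldapsearch -x -H "$url" -b "$basedn" "$@" -s base '(objectclass=*)' 1.1 >/dev/null 2>&1; then
    rc=0
  else
    rc=$?
  fi
  explain_ldap_rc "$rc"
  return "$rc"
}

# Only talk to a server when the assumed environment variables are set,
# e.g. LDAP_URL=ldaps://ldap.abc.com:636 LDAP_BASEDN=dc=abc,dc=com \
#      LDAP_BINDDN=cn=admin,dc=abc,dc=com LDAP_PASSFILE=/run/secrets/ldap.pw
if [ -n "$LDAP_URL" ]; then
  ldap_connection_test "$LDAP_URL" "$LDAP_BASEDN" "$LDAP_BINDDN" "$LDAP_PASSFILE"
fi
```

A 255 on an ldaps:// URL that works as ldap:// almost always means the client does not trust the server certificate; check the CA configured for the client (TLS_CACERT in ldap.conf) before changing anything on the server.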

Validate LDAP filters

Build a search string from the LDAP filter in your configuration by replacing %v with a real value, such as the ID of an existing user, and run it against your LDAP server. If the search returns one or more entries, the filter syntax and attribute names match your server's schema. If it returns no entries, the filter is wrong or is not compatible with your LDAP server type (for example, a filter that uses objectcategory, as the Active Directory defaults do, matches nothing on OpenLDAP). An empty result can also mean that the base DN does not contain the entry or that the bind DN is not permitted to read it, so run the connection test first.

ldapsearch -x -H "<LDAP_URL>" -b "<LDAP_BASEDN>" -D "<LDAP_BINDDN>" -w "<LDAP_BINDPASSWORD>" -s sub "<Search string>"

<Search string> is the LDAP filter from your configuration with %v replaced by a concrete value; the other parameters are the same as in the connection test. The default filters for each supported server type are listed below.

IBM Tivoli Directory Server LDAP filters

Attribute name        Default value
Group filter          (&(cn=%v)(objectclass=groupOfUniqueNames))
Group ID map          *:cn
Group Member ID map   groupOfUniqueNames:uniqueMember
User filter           (&(emailAddress=%v)(objectclass=person))
User ID map           *:emailAddress

Microsoft Active Directory LDAP filters

Attribute name        Default value
Group filter          (&(cn=%v)(objectcategory=group))
Group ID map          *:cn
Group Member ID map   memberOf:member
User filter           (&(sAMAccountName=%v)(objectcategory=user))
User ID map           user:sAMAccountName

Custom (OpenLDAP) server LDAP filters

Attribute name        Default value
Group filter          (&(cn=%v)(objectclass=groupOfUniqueNames))
Group ID map          *:cn
Group Member ID map   groupOfUniqueNames:uniqueMember
User filter           (&(uid=%v)(objectclass=person))
User ID map           *:uid
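The following script is an added example, not part of the original page or the product's own code. It shows how to validate one of the filter templates above: it substitutes a concrete value for %v, escaping the value as RFC 4515 requires so that a crafted name such as *)(uid=* cannot change the structure of the filter, then runs the rendered filter through ldapsearch and counts the entries returned, which is the success criterion described above. The environment variables LDAP_URL, LDAP_BASEDN, LDAP_BINDDN, LDAP_PASSFILE and LDAP_TEST_USER are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the original page: render a filter template such
# as "(&(uid=%v)(objectclass=person))" with a real value, escaping the value
# per RFC 4515, then run it with ldapsearch and count the entries returned.

# Escape the characters that are special inside an LDAP filter value:
# backslash first (so the escapes added next are not escaped again), then
# '*', '(' and ')'. NUL cannot occur in a shell string and is not handled.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Replace the first %v in the template with the escaped value. The template is
# trusted configuration; only the value is treated as untrusted input.
ldap_render_filter() {
  template=$1
  value=$(ldap_filter_escape "$2")
  case $template in
    *%v*) printf '%s%s%s' "${template%%%v*}" "$value" "${template#*%v}" ;;
    *)    printf '%s' "$template" ;;
  esac
}

# Run the rendered filter with the same connection parameters as the
# connection test and report how many entries matched. -LLL gives plain LDIF,
# the attribute list "1.1" returns DNs only, and the bind password is read
# from a file with -y so it is not exposed on the command line.
# Exit status 0 means at least one entry was returned.
ldap_validate_filter() {
  url=$1; basedn=$2; binddn=$3; passfile=$4; template=$5; value=$6
  filter=$(ldap_render_filter "$template" "$value")
  echo "filter: $filter"
  count=$(ldapsearch -x -LLL -H "$url" -b "$basedn" -D "$binddn" -y "$passfile" \
            -s sub "$filter" 1.1 2>/dev/null | grep -c '^dn:' || true)
  echo "entries returned: $count"
  [ "$count" -gt 0 ]
}

# Only talk to a server when the assumed environment variables are set.
if [ -n "$LDAP_URL" ]; then
  ldap_validate_filter "$LDAP_URL" "$LDAP_BASEDN" "$LDAP_BINDDN" "$LDAP_PASSFILE" \
    '(&(uid=%v)(objectclass=person))' "${LDAP_TEST_USER:-testuser}"
fi
```

Without escaping, the value *)(uid=* turns the OpenLDAP user filter into (&(uid=*)(uid=*)(objectclass=person)), which matches every person; with escaping it becomes (&(uid=\2a\29\28uid=\2a)(objectclass=person)) and matches nothing, so the filter's structure stays under the administrator's control.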

Resolve common issues

Unable to log in as an LDAP user if you used LDAPS to configure your LDAP connection.

You might not be able to log in as an LDAP user even when the connection test and the LDAP configuration are successful.

Causes
Resolution

Unable to log in as an LDAP user because of invalid user credentials

You see an error that indicates an invalid username or password.

Causes
Resolution

Unable to search users or groups while you create a team.

Cause

You used an invalid search string.

Resolution

Search by the value of the cn attribute, or by the value of the attribute that the user or group filter in your LDAP configuration matches on, such as uid or emailAddress.

Consider the following user entry on the LDAP server, shown in LDIF:

  dn: uid=testuser,ou=people,dc=abc,dc=com
  objectClass: inetOrgPerson
  objectClass: organizationalPerson
  objectClass: person
  objectClass: top
  cn: TestUser
  givenName: TestUser
  sn: SN
  uid: testuser
  userPassword: testuser
  mail: testuser@abc.com

The User ID map in the LDAP configuration is *:uid, so the user filter matches on the uid attribute.

The valid values that you can use to search for a user are as follows: