IBM Support

QRadar: LDAP users with valid credentials cannot login due to error "Username and password supplied are not valid. Please try again"

Troubleshooting


Problem

Some users report that they can't log in when using LDAP, LDAPS, or LDAP with Active Directory authentication. Other users log in successfully.

Symptom

The reported users might experience login failures at the login page:
image 10541

Cause

The base statement in the LDAP configuration is too narrow leaving users out of the AD/LDAP tree.
For example, a User Base DN is set to look for users on a specific OU (Organization Unit) then users out of that OU cannot log in.

Diagnosing The Problem

  1. From the LDAP Server, open the Powershell utility.
    Note: If you do not have permission to complete queries on your LDAP system, contact your AD/LDAP administrator to provide the information.
  2. To verify the user information, replace <username> in the following command with the username not able to log in: 
    Get-ADUser -Identity <username> -Properties *
  3. The DistinguishedName returned by the query indicates the path to the user. For example, analyst1 has a path of OU=Analysts,OU=IT,DC=test,DC=internal. 
    DistinguishedName                    : CN=analyst1,OU=Analysts,OU=IT,DC=test,DC=internal
  4. Verify the Distinguished Name is correct for your LDAP server in the User Base DN field. 

    Picture1
Results
The previous output states that the path to the analyst1 user is OU=Analysts,OU=IT,DC=test,DC=internal. However, the base statement in QRadar® searches in OU=SEC,OU=IT,DC=test,DC=internal.
The users within the OU=SEC can log in, however, analyst1 cannot as it belongs to the OU=Analysts.

Resolving The Problem

Administrators must change the User Base DN on QRadar® to a wider base statement so that queries include other AD/LDAP databases for user accounts.

Note: A wider base statement can cause logins to be slow or time out.
 
Using the Diagnosing the Section example, the User Base DN can be changed to OU=IT,DC=test,DC=internal.
Figure2
Result
The users in OU=Analysts and OU=SEC can log in.

Document Location

Worldwide

[{"Type":"SW","Line of Business":{"code":"LOB24","label":"Security Software"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Product":{"code":"SSBQAC","label":"IBM Security QRadar SIEM"},"ARM Category":[{"code":"a8m0z000000cwsyAAA","label":"Admin Tasks"}],"ARM Case Number":"","Platform":[{"code":"PF016","label":"Linux"}],"Version":"All Version(s)"}]

Document Information

Modified date:
17 June 2021

UID

ibm16447247

Page Feedback