When integrating Dollar Universe (DU) with LDAP, some common errors are encountered. This document provides details on troubleshooting the common errors faced during LDAP integration.
Release : 6.x
Component : DOLLAR UNIVERSE
For explanation purposes, the LDAP tree structure referred to in this knowledge document is as below:
The most common errors encountered during OpenLDAP integration with DU are listed below.
Note: The listed errors and troubleshooting steps relate to OpenLDAP. Use discretion when troubleshooting integration with Active Directory, as the errors may be similar but not identical.
1: Invalid securityPrincipal configuration in ldap.xml (refer to the document LDAP configuration file)
Error: Cannot connect to ldap server: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENITALS: Bind failed: ERR_268 Cannot find a partition for uid=user1]
Cause: Despite its wording, this error is not caused by a wrong username or password supplied to the unicheckldap command. It is caused by a wrongly configured securityPrincipal in ldap.xml: the bind DN was given as uid=user1 alone, without the base DN, so the server cannot map it to any partition (naming context) and rejects the bind with result code 49. The misconfiguration in ldap.xml is highlighted below.
When the unicheckldap command is executed, the ldap.xml file is loaded and its configuration is used to connect to the LDAP server (binding as securityPrincipal) and then to validate the user credentials supplied on the unicheckldap command line.
Solution: As per the LDAP tree structure above, the correct entry for securityPrincipal is the full DN uid=user1,dc=support,dc=broadcom
2: Invalid usersAttributeId, usersListSearchFilter or usersSearchFilter configuration in ldap.xml (refer to the document LDAP configuration file)
Error: FAILURE login: uid=user1,dc=support,dc=broadcom not found on LDAP server
Cause: The message is clear: the connection succeeded, but the user search could not find the user named in the securityPrincipal element of ldap.xml. The reason is that one of usersAttributeId, usersListSearchFilter or usersSearchFilter is wrongly configured, so the search does not match the user's entry. The misconfiguration in ldap.xml is highlighted below.
Solution: For integration with this LDAP tree, usersAttributeId should be uid (the attribute that names each user entry), and usersListSearchFilter and usersSearchFilter should be adjusted accordingly (refer to the document LDAP configuration file).
The correct configuration with respect to the above LDAP tree structure is as below:
Note: The -login and -password arguments are only necessary to test LDAP user authentication. For unicheckldap -login -password to succeed, the user must be matched by usersSearchFilter within the scope defined by usersSearchBase and usersSearchDepth in ldap.xml (refer to the document Command: unicheckldap).
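The following is an added example, not Dollar Universe code, that simulates offline the two steps unicheckldap performs with the values from ldap.xml: first the bind as securityPrincipal (error 1 above), then the user search and user bind (error 2 above and the scope rule in the note). The toy directory, the key names used for the ldap.xml settings (in particular securityCredentials for the bind password), the values "one"/"sub" for usersSearchDepth, the equality-only filter syntax and the exact wording of the messages are assumptions made for the simulation.

```python
# Added example (not Dollar Universe code): offline simulation of the checks
# unicheckldap makes with the ldap.xml settings, reproducing errors 1 and 2.
# Assumed: the toy directory, the setting names (securityCredentials etc.),
# usersSearchDepth values "one"/"sub", equality-only filters, message wording.
import re

# Constructed toy directory modelled on the document's tree: one partition
# (naming context) dc=support,dc=broadcom holding two person entries.
NAMING_CONTEXTS = ["dc=support,dc=broadcom"]
ENTRIES = {
    "uid=user1,dc=support,dc=broadcom": {
        "uid": "user1", "cn": "User One", "objectClass": "inetOrgPerson",
        "userPassword": "user1-secret"},        # constructed test credential
    "uid=user2,ou=ops,dc=support,dc=broadcom": {
        "uid": "user2", "cn": "User Two", "objectClass": "inetOrgPerson",
        "userPassword": "user2-secret"},        # constructed test credential
}


class LdapError(Exception):
    pass


def norm(dn):
    """Fold case and whitespace so DN comparisons are not cosmetic."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def find_partition(dn):
    """A DN can only be bound if it lies under a configured naming context."""
    d = norm(dn)
    return any(d == norm(nc) or d.endswith("," + norm(nc)) for nc in NAMING_CONTEXTS)


def bind(dn, password):
    """Simple bind. Result code 49 covers both a DN outside every partition
    (error 1, bind DN without base DN) and a wrong password, which is why the
    message in error 1 looks like a credential problem."""
    if not find_partition(dn):
        raise LdapError("[LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: "
                        f"ERR_268 Cannot find a partition for {dn}]")
    entry = ENTRIES.get(norm(dn))
    if entry is None or entry["userPassword"] != password:
        raise LdapError("[LDAP: error code 49 - INVALID_CREDENTIALS]")


def parse_filter(flt):
    """Only a single equality filter '(attr=value)' is supported here."""
    m = re.fullmatch(r"\((\w+)=([^()]+)\)", flt.strip())
    if not m:
        raise LdapError(f"unsupported filter syntax: {flt}")
    return m.group(1), m.group(2)


def in_scope(dn, base, depth):
    """usersSearchDepth: 'one' = direct children of the base, 'sub' = subtree."""
    d, b = norm(dn), norm(base)
    if not d.endswith("," + b):
        return False
    rdns_below_base = d[: -len(b) - 1].count(",") + 1
    return depth == "sub" or (depth == "one" and rdns_below_base == 1)


def search_user(cfg, login):
    """DN of the single entry under usersSearchBase that matches
    usersSearchFilter and whose usersAttributeId equals the login."""
    fattr, fval = parse_filter(cfg["usersSearchFilter"])
    hits = [dn for dn, e in ENTRIES.items()
            if in_scope(dn, cfg["usersSearchBase"], cfg["usersSearchDepth"])
            and e.get(fattr) == fval
            and e.get(cfg["usersAttributeId"]) == login]
    return hits[0] if len(hits) == 1 else None


def unicheckldap(cfg, login=None, password=None):
    """Step 1: bind as securityPrincipal. Step 2 (only with -login/-password):
    locate the user through the search settings and bind as that user."""
    try:
        bind(cfg["securityPrincipal"], cfg["securityCredentials"])
    except LdapError as e:
        return f"Cannot connect to ldap server: {e}"
    if login is None:
        return "SUCCESS connection"
    dn = search_user(cfg, login)
    if dn is None:
        return f"FAILURE login: {login} not found on LDAP server"
    try:
        bind(dn, password)
    except LdapError:
        return f"FAILURE login: invalid password for {dn}"
    return f"SUCCESS login: {dn}"


# Corrected settings for the document's tree (setting names are assumed).
GOOD = {
    "securityPrincipal": "uid=user1,dc=support,dc=broadcom",
    "securityCredentials": "user1-secret",
    "usersSearchBase": "dc=support,dc=broadcom",
    "usersSearchDepth": "sub",
    "usersAttributeId": "uid",
    "usersSearchFilter": "(objectClass=inetOrgPerson)",
}
BROKEN_PRINCIPAL = dict(GOOD, securityPrincipal="uid=user1")  # error 1: base DN missing
BROKEN_ATTRIBUTE = dict(GOOD, usersAttributeId="cn")          # error 2: wrong attribute
BROKEN_FILTER = dict(GOOD, usersSearchFilter="(objectClass=posixAccount)")  # error 2

if __name__ == "__main__":
    for name, cfg in [("broken principal", BROKEN_PRINCIPAL), ("broken attribute", BROKEN_ATTRIBUTE),
                      ("broken filter", BROKEN_FILTER), ("corrected", GOOD)]:
        print(f"{name:17}: {unicheckldap(cfg, 'user1', 'user1-secret')}")
```

Running the script with the three broken configurations shows the two documented messages, and running the corrected configuration with usersSearchDepth set to "one" against user2 (which sits under ou=ops) shows the scope failure described in the note: the bind succeeds, but the login is reported as not found.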