Troubleshooting LDAP configuration
search cancel

Troubleshooting LDAP configuration


Article ID: 240050


Updated On:


CA Automic Dollar Universe


When integrating DU with LDAP there are some common errors which are encountered. This document provide details on troubleshooting common error faced during LDAP integration.


Release : 6.x



For explanation purpose the LDAP tree structure we will refer in this knowledge documents is as below:

The most common error encountered during Open LDAP integration with DU are listed below. 

Note: The listed errors and troubleshooting steps are related to Open LDAP. Henceforth, reader discretion is required while troubleshooting integration with Active Directory as the errors may be similar but not identical.

1: Invalid securityPrincipal configuration in ldap.xml (refer document LDAP configuration file)

Error: Cannot connect to ldap server: javax.naming.AuthenticationException: [LDAP: error code 49 - INVALID_CREDENITALS: Bind failed: ERR_268 Cannot find a partition for uid=user1]

Cause: The error message here is not really related to the wrong username/password of the user provided in unicheckldap command instead it refers to wrongly configured securityPrincipal in ldap.xml. The misconfiguration in the ldap.xml is highlighted below. 

On executing unicheckldap command the ldap.xml file is loaded and configuration in the file is used to connect to LDAP server and validate the user authentication provided in unicheckldap command.

Solution: As per the LDAP tree structure, the correct entry for securityPrincipal should be uid=user1,dc=support,dc=broadcom

2: Invalid usersAttributeId or usersListSearchFilter or usersSearchFilter configuration in ldap.xml (refer document LDAP configuration file)

Error: FAILURE login: uid=user1,dc=support,dc=broadcom not found on LDAP server

Cause: The error here is clear which says unable to find the user mentioned within securityPrincipal element in the ldap.xml file. The reason is either usersAttributeId or usersListSearchFilter or usersSearchFilter are wrongly configured. The misconfiguration in the ldap.xml is highlighted below. 

 Solution: While integration with LDAP, the usersAttributeId should be uid and usersListSearchFilter, usersSearchFilter should be adjusted accordingly (refer document LDAP configuration file). 

The correct configuration with respect to above LDAP tree structure is as below

Note: The -login and -password arguments are only necessary to test the LDAP user authentication. The user must belong to usersSearchFilter, usersSearchDepth and usersSearchBase in the ldap.xml file for the unicheckldap -login -password command to be successful(refer document Command: unicheckldap)

Additional Information

For LDAP integration in DU, refer document mentioned below: