Unable to configure LDAP sources.
Additionally, if you are restricting access using groups, validate this information:
Group DN: Distinguished Name of the group
Note: The Base DN must be broad enough that a subtree search rooted at it can reach every group you reference, wherever those groups sit in AD. If the Base DN is too narrow in scope, the search query will not be able to find the desired groups.
Log files and locations:

| Location | Description |
|---|---|
| /logs/restapilayer/restapilayer.STDOUT-yyyy-mm-dd-hh.mm.ss.log | Logs generated by the vRNI UI |
| /logs/restapilayer/restapilayer.STDOUT-yyyy-mm-dd-hh.mm.ss.log.error | Logs of vRNI UI errors |
Troubleshooting:

Known errors in /logs/restapilayer/restapilayer.STDOUT-yyyy-mm-dd-hh.mm.ss.log and their resolutions:

| Known error | Resolution |
|---|---|
| `ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17199 - POST /auth/ldapConfiguration] - exception validating ldap registration checks javax.naming.CommunicationException: ldap_ip_fqdn:port at com.sun.jndi.ldap.Connection.<init>(Connection.java:216) at com.sun.jndi.ldap.LdapClient.<init>(LdapClient.java:137)` | Check if the AD/LDAP endpoint is reachable from the vRNI Platform. |
| `ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17199 - POST /auth/ldapConfiguration] - exception validating ldap registration checks javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1] at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3136) at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:3082) ...` | Check if the user's credentials exist in the LDAP database. |
| `ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.ArkinJndiLdapRealm:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - user jdoe is not a member of authorized groups ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - group authorization failed org.apache.shiro.authc.AuthenticationException: user ktrinh is not a member of authorized groups at com.vnera.restapilayer.ArkinJndiLdapRealm.authorizeViaGroups(ArkinJndiLdapRealm.java:95) at com.vnera.restapilayer.AuthRealmManager.testLdapRealm(AuthRealmManager.java:568)` | Check if the group DN is correct (see the ldapsearch and dsquery examples below the table). |
| `ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17243 - POST /auth/ldapConfiguration] - group authorization failed javax.naming.CommunicationException: mydomain.com:port at com.sun.jndi.ldap.LdapReferralContext.<init>(LdapReferralContext.java:96) at com.sun.jndi.ldap.LdapReferralException.getReferralContext(LdapReferralException.java:150)` | Check if the base DN is correct. |
| `ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.ArkinJndiLdapRealm:[?:?:?] - [dw-17283 - POST /auth/ldapConfiguration] - could not find user jdoe under baseDN dc=mydomain,dc=com ERROR [YYYY-MM-DD HH:MM:SS] c.v.r.AuthRealmManager:[?:?:?] - [dw-17283 - POST /auth/ldapConfiguration] - group authorization failed org.apache.shiro.authc.AuthenticationException: could not find user jdoe under baseDN dc=mydomain,dc=com at com.vnera.restapilayer.ArkinJndiLdapRealm.authorizeViaGroups(ArkinJndiLdapRealm.java:74) at com.vnera.restapilayer.AuthRealmManager.testLdapRealm(AuthRealmManager.java:568)` | Check if the user search attribute is correct. |

Example to test connectivity to the LDAP endpoint and the ability to retrieve data. From a Linux machine (replace the placeholders in angle brackets):

```shell
ldapsearch -x -h <ldap_ip_or_fqdn> \
  -D '<username_allowed_to_query_ldap>@<yourdomain.com>' \
  -w '<username_allowed_password>' \
  -b 'dc=<yourdomain>,dc=<com>' \
  -s sub '(cn=<user_cn_that_you_look_for>)' dn cn mail sAMAccountName
```

From a Windows machine command line:

```
dsquery group -name <your_groupname>
```

For example, to list every group:

```
dsquery group -name *
```
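The table above maps each known restapilayer error to a resolution; when a support bundle contains many lines it helps to apply that mapping automatically. The following script is an added example, not part of the original article or of vRNI: it parses lines in the format shown in the table, classifies each ERROR line against the known patterns, and reports one finding per request id so the follow-up Shiro "group authorization failed" line does not produce a duplicate. The log lines, timestamps, request ids, hosts and the final INFO line are constructed for the example.

```python
import re

# Constructed sample lines in the shape of the known errors listed in the
# table above (timestamps, request ids, hosts and users are made up).
SAMPLE_LOG = """\
ERROR [2024-01-05 10:12:01] c.v.r.AuthRealmManager:[?:?:?] - [dw-17199 - POST /auth/ldapConfiguration] - exception validating ldap registration checks javax.naming.CommunicationException: ldap.example.local:636
ERROR [2024-01-05 10:13:44] c.v.r.AuthRealmManager:[?:?:?] - [dw-17201 - POST /auth/ldapConfiguration] - exception validating ldap registration checks javax.naming.AuthenticationException: [LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1]
ERROR [2024-01-05 10:15:09] c.v.r.ArkinJndiLdapRealm:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - user jdoe is not a member of authorized groups
ERROR [2024-01-05 10:15:09] c.v.r.AuthRealmManager:[?:?:?] - [dw-17212 - POST /auth/ldapConfiguration] - group authorization failed org.apache.shiro.authc.AuthenticationException: user jdoe is not a member of authorized groups
ERROR [2024-01-05 10:16:30] c.v.r.AuthRealmManager:[?:?:?] - [dw-17243 - POST /auth/ldapConfiguration] - group authorization failed javax.naming.CommunicationException: mydomain.com:389
ERROR [2024-01-05 10:17:52] c.v.r.ArkinJndiLdapRealm:[?:?:?] - [dw-17283 - POST /auth/ldapConfiguration] - could not find user jdoe under baseDN dc=mydomain,dc=com
INFO  [2024-01-05 10:18:00] c.v.r.AuthRealmManager:[?:?:?] - [dw-17290 - POST /auth/ldapConfiguration] - ldap realm validated
"""

# LEVEL [timestamp] logger - [request] - message
LINE_RE = re.compile(
    r"^(?P<level>\w+)\s+\[(?P<ts>[^\]]+)\]\s+(?P<logger>\S+)\s+-\s+"
    r"\[(?P<req>[^\]]+)\]\s+-\s+(?P<msg>.*)$"
)

# (pattern over the message text, short cause label, resolution from the table above)
RULES = [
    (re.compile(r"group authorization failed .*CommunicationException"),
     "base_dn", "Check if the base DN is correct"),
    (re.compile(r"exception validating ldap registration checks .*CommunicationException"),
     "endpoint_unreachable", "Check if the AD/LDAP endpoint is reachable from vRNI Platform"),
    (re.compile(r"error code 49 .*data 52e"),
     "bad_credentials", "Check if the user's credentials exist in the ldap database"),
    (re.compile(r"user \S+ is not a member of authorized groups"),
     "group_dn", "Check if the group DN is correct"),
    (re.compile(r"could not find user \S+ under baseDN \S+"),
     "user_search_attribute", "Check if the user search attribute is correct"),
]


def classify_line(line):
    """Return a finding for an ERROR line (known cause or 'unknown'), else None."""
    m = LINE_RE.match(line)
    if not m or m.group("level") != "ERROR":
        return None
    request_id = m.group("req").split(" - ")[0]   # "dw-17199 - POST ..." -> "dw-17199"
    msg = m.group("msg")
    for pattern, cause, resolution in RULES:
        if pattern.search(msg):
            return {"ts": m.group("ts"), "request": request_id,
                    "cause": cause, "resolution": resolution}
    return {"ts": m.group("ts"), "request": request_id,
            "cause": "unknown", "resolution": "Review the full stack trace"}


def triage(log_text):
    """One finding per request id (its first classified line), in log order."""
    findings = {}
    for line in log_text.splitlines():
        finding = classify_line(line)
        if finding and finding["request"] not in findings:
            findings[finding["request"]] = finding
    return list(findings.values())


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['ts']} {f['request']:<9} {f['cause']:<22} -> {f['resolution']}")
```

Run it against a real restapilayer.STDOUT log by passing the file contents to `triage()`; unknown ERROR lines are still listed so nothing is silently dropped.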
Example of a working LDAP configuration:

| Setting | Value |
|---|---|
| Domain | vcloud.local |
| LDAP Host URL | ldap://192.168.1.2 |
| Group DNs | cn=vrni_auth,cn=users,dc=vcloud,dc=local |
| Base DN | dc=vcloud,dc=local |
| User Search Attribute | sAMAccountName |
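Two of the failures above (a Base DN too narrow to reach the group, and a mistyped Group DN) can be caught before the configuration is submitted. The script below is an added example, not code from the original article or from vRNI: it parses DNs into RDNs (handling backslash-escaped commas and AD's case-insensitive matching), checks that every Group DN sits under the Base DN as a subtree search would require, and flags RDN values that contain a stray `=`, which usually means a `.` was typed instead of `,` between RDNs. The three configurations are constructed; the first mirrors the working example above.

```python
import re


def parse_dn(dn):
    """Split a DN into normalized (type, value) RDN pairs, leftmost first.

    Commas escaped with a backslash (e.g. 'cn=Doe\\, John') stay inside the
    value, as in AD RDNs built from display names. Types and values are
    lowercased because AD matches DNs case-insensitively.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"RDN without '=': {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def in_scope(group_dn, base_dn):
    """True when a subtree search rooted at base_dn can reach group_dn."""
    g, b = parse_dn(group_dn), parse_dn(base_dn)
    return len(g) > len(b) and g[-len(b):] == b


def suspicious_rdns(dn):
    """RDN values that themselves contain '=' almost always mean a wrong
    separator (e.g. 'cn=users.dc=vcloud' where ',' was intended)."""
    return [f"{a}={v}" for a, v in parse_dn(dn) if "=" in v]


def validate_config(cfg):
    """Return a list of problems found in the Group DNs / Base DN settings."""
    problems = []
    for gdn in cfg["group_dns"]:
        for rdn in suspicious_rdns(gdn):
            problems.append(f"{gdn}: RDN {rdn!r} contains '=' (check the separators)")
        if not in_scope(gdn, cfg["base_dn"]):
            problems.append(f"{gdn}: not under base DN {cfg['base_dn']} (widen the Base DN)")
    return problems


# Constructed configurations: WORKING mirrors the example above, NARROW has a
# Base DN that cannot reach the group, TYPO has '.' instead of ',' in the Group DN.
WORKING = {"base_dn": "dc=vcloud,dc=local",
           "group_dns": ["cn=vrni_auth,cn=users,dc=vcloud,dc=local"]}
NARROW = {"base_dn": "ou=Service Accounts,dc=vcloud,dc=local",
          "group_dns": ["cn=vrni_auth,cn=users,dc=vcloud,dc=local"]}
TYPO = {"base_dn": "dc=vcloud,dc=local",
        "group_dns": ["cn=vrni_auth,cn=users.dc=vcloud,dc=local"]}

if __name__ == "__main__":
    for name, cfg in (("working", WORKING), ("narrow", NARROW), ("typo", TYPO)):
        print(name, validate_config(cfg) or "OK")
```

The scope check is purely structural: it tells you the Base DN can reach the group, not that the group exists, so a passing configuration should still be confirmed with the ldapsearch or dsquery commands from the troubleshooting section.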
To find out your user and group base DN, you can run a query from any Domain Controller server on your Windows domain.
To find the Group Base DN: