When LDAP authentication fails, you may observe the following symptoms:
LDAP user login attempts fail, preventing access to the Avi Controller UI or API.
Administrative users configured via LDAP are unable to authenticate.
Login attempts via CLI or API using LDAP accounts are unsuccessful.
Fallback to local users may occur if configured, while LDAP users remain affected.
Verifying User, Group, and Base DN in LDAP
To ensure correct LDAP configuration, follow these steps to verify the User DN, Group DN, and Base DN settings:
Navigate to:
Path: Templates > Security > Auth Profile
In the Auth Profile section, locate and click the Verify button (highlighted below) to validate the configured LDAP Distinguished Names (DNs).
This verification confirms that the LDAP connection is properly established and the specified DNs are reachable.
You will be presented with the following three verification options:
Test User Entry – Verifies the existence and correctness of a specific user entry in the LDAP directory.
Test User Group Membership – Confirms the user's membership within the configured LDAP groups.
Test Base DN – Validates the accessibility and structure of the specified Base Distinguished Name (Base DN).
The Test User Entry option searches the LDAP server’s directory for the specified username and retrieves the corresponding user entry from the LDAP database.
Enter the username in the provided field.
Click the Verify button.
If the user exists and the LDAP query is successful, the system will return the matching user entry, as shown in the output.
If the Test User Entry fails, you will see the following error message in the GUI.
This error indicates that the system was unable to locate the user in the LDAP directory.
Please double-check the entered user details (such as CN, OU, DC) and ensure that the credentials are correct.
The Test User Group Membership option retrieves and lists all group memberships associated with the specified user in the LDAP directory.
Enter the Common Name (CN), Organizational Unit (OU), and Domain Component (DC) for the user.
Click the Verify button to initiate the search.
If the user entry is valid, the system will return a list of the user's group memberships.
If the Test User Group Membership option fails, for example when a non-existent user such as Test_User1 is entered, you will encounter the following error message:
This error occurs when the specified user cannot be found in the LDAP directory, which prevents the system from retrieving any associated group memberships.
The Test Base DN option retrieves and lists all objects under the specified Base Distinguished Name (Base DN) in the LDAP directory.
Select the Base DN from the configuration settings.
Click the Verify button to initiate the search.
If successful, the system will return all LDAP objects within the scope of the Base DN, confirming that the directory is accessible and the Base DN is correctly configured.
If the Base DN verification fails, the following error message will be displayed in the GUI:
This indicates that the specified Base DN could not be accessed or does not exist in the directory.
To resolve this issue:
Confirm that the LDAP server is reachable from the Avi Controller.
Ensure that the Base DN is correctly specified and formatted in the Authentication Profile. An incorrect or improperly formatted Base DN results in lookup failures during verification.
Cross-verify the Base DN configured in the Authentication Profile against the actual Base DN defined on the LDAP server (for an Active Directory domain this is normally the domain's DC components, for example DC=trilab,DC=lab). Any discrepancy between the configured and actual Base DN results in lookup or access failures during verification.
Logging into Avi Using an LDAP User Account
Once LDAP authentication is successfully configured and verified, users can log in to the Avi Controller using their LDAP user credentials.
Ensure that:
The user exists in the LDAP directory.
The user has appropriate role mappings assigned in Avi.
Authentication is routed through the correct Authentication Profile.
Successful login confirms end-to-end LDAP integration with Avi.
Event Logging for LDAP User Login
When an LDAP user logs in to the Avi Controller, a corresponding event is recorded in the system logs. This event provides visibility into successful authentication activity.
CLI Logs:
Log in to the Controller via ssh.
Log Path: /var/lib/avi/log/apiserver.INFO
2025-05-06T05:46:59.541Z I 1195633 authserver/authenticator.go:172 [T-ID=7ddfa2b3] [AuthServer Authenticate]: Authentication started
2025-05-06T05:46:59.543Z I 1195633 authserver/authenticator.go:230 [T-ID=7ddfa2b3] [AuthServer authenticateBackends]: Available auth backends - [2 3 5 6]
2025-05-06T05:46:59.544Z I 1195633 authserver/authenticator.go:234 [T-ID=7ddfa2b3] [AuthServer authenticateBackends]: Trying KEYSTONE authbackend
2025-05-06T05:46:59.544Z I 27476 authserver/authenticator.go:234 [T-ID=7ddfa2b3] [AuthServer authenticateBackends]: Trying LDAP authbackend
2025-05-06T05:46:59.546Z I 1195633 ldap_auth/ldap.go:187 [T-ID=7ddfa2b3] [LDAP AUTH]: [user:test_user] Groups: [search-dn:ou=Test_OU,dc=trilab,dc=lab] [search-filter:(objectClass=*)] [scope:2]
2025-05-06T05:46:59.562Z I 1195633 utils/remote_auth_utils.go:167 [T-ID=7ddfa2b3] [GetOrCreateUser]: [LDAP Auth], User exists test_user
2025-05-06T05:46:59.566Z I 1195633 utils/auth_rules.go:365 [T-ID=7ddfa2b3] [AUTH RULES]: [test_user] mapped tenants: tenant-8da487b7-8184-46c3-9ae5-7636da55a842
2025-05-06T05:46:59.566Z I 1195633 utils/auth_rules.go:473 [T-ID=7ddfa2b3] [AUTH RULES]: [test_user] mapped roles: role-2466ff5c-0e83-44f9-bba4-2533bb5103c3
2025-05-06T05:46:59.567Z I 27476 utils/auth_rules.go:532 [T-ID=7ddfa2b3] [AUTH RULES]: [test_user] mapped user account profiles: Default-User-Account-Profile
2025-05-06T05:46:59.567Z I 27476 utils/auth_rules.go:698 [T-ID=7ddfa2b3] [AUTH RULES]: UserAuthZEvent EventId - USER_AUTHORIZED_BY_RULE, objType - User, eventModule - CONFIG, eventTenant - admin
2025-05-06T05:46:59.603Z I 27476 ldap_auth/ldap.go:296 [T-ID=7ddfa2b3] [LDAP AUTH]: end user auth. [test_user]: uuid:"user-af1ebcbe-a26e-4075-8992-5ba73bc39de6" username:"test_user" password:"!ixEeGBorX5cYbH2sNJ8JVl1AJWRYRorwTn39GtUZ" name:"test_user" email:"" access:<role_uuid:"role-2466ff5c-0e83-44f9-bba4-2533bb5103c3" tenant_uuid:"tenant-8da487b7-8184-46c3-9ae5-7636da55a842" all_tenants:false > is_superuser:false local:false full_name:"Test_User" user_profile_uuid:"useraccountprofile-1b7f375b-f3b9-49ad-a5b6-592b8a25346b" passwordless:false is_internal_user:false is_active:true is_staff:false date_joined:"2025-04-14 03:45:27" ui_property:"" logged_in:false anonymous_user:false service_user:false default_tenant_uuid:"tenant-8da487b7-8184-46c3-9ae5-7636da55a842"
2025-05-06T05:46:59.638Z I 5765 alert/config_log.go:333 [UserLoginEvent] EventId: USER_LOGIN, objType: User, eventModule: CONFIG, eventTenant: admin
Note that the final entry of a successful login (ldap_auth/ldap.go:296) serialises the whole user object, including a password field, so treat apiserver.INFO as sensitive when copying it into tickets or sharing it with support.
You can view LDAP user details by navigating to:
Path: Administrator > Accounts > Users
This section displays all LDAP users along with relevant account information, as shown below.
When experiencing LDAP authentication issues, you can follow these troubleshooting steps to identify the root cause:
If the Avi Controller is unable to establish IP or port-level connectivity with the LDAP server, you will encounter the following error message:
This typically indicates a network-level issue, such as:
Incorrect LDAP server IP address or port
Firewall or security group blocking the connection
LDAP service not running on the target server
Recommended Action:
Verify the IP address and port configuration in the Authentication Profile, and ensure that the LDAP server is reachable from the Avi Controller using tools such as ping or nc. The way the connection fails narrows down the cause: a connection that is refused means the host answered but nothing is listening on that port (wrong port, or the LDAP service is not running), while a connection that times out points to a wrong address or route, or to a firewall or security group silently dropping the traffic.
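The reachability check described above, written out so that a refused connection and a timed-out one are reported differently. This is an added example, not part of the original page or of the Avi product; it assumes the Controller has bash and the coreutils timeout command, and the host and ports are arguments you supply.

```shell
#!/usr/bin/env bash
# Added example, not an Avi tool: classify TCP reachability of the LDAP server
# from the Controller. A refused and a timed-out connection point to different causes.
# Assumptions: bash (for /dev/tcp) and coreutils 'timeout' are available.

# ldap_port_check <host> <port> [timeout_s]
# exit 0 = open, 1 = refused/unreachable, 2 = timed out (filtered)
ldap_port_check() {
  local host=$1 port=$2 wait=${3:-3} rc=0
  # bash opens a plain TCP connection through /dev/tcp; 'timeout' bounds the wait so a
  # silently dropped SYN (firewall / security group) is reported instead of hanging.
  timeout "$wait" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null || rc=$?
  case $rc in
    0)   echo "open: $host:$port accepts TCP connections"; return 0 ;;
    124) echo "timeout: no answer from $host:$port in ${wait}s (wrong IP/route, or a firewall dropping traffic)"; return 2 ;;
    *)   echo "refused/unreachable: $host:$port (host answered but nothing listens there: wrong port, or LDAP service down)"; return 1 ;;
  esac
}

# ldap_reachability_report <host> [port ...]
# Defaults to the plain LDAP (389) and LDAPS (636) ports.
ldap_reachability_report() {
  local host=$1 p; shift
  [ $# -gt 0 ] || set -- 389 636
  for p in "$@"; do ldap_port_check "$host" "$p" || true; done
}

# Usage: ./ldap_reach.sh 10.91.5.123 [port ...]
if [ $# -gt 0 ]; then ldap_reachability_report "$@"; fi
```

Run it from the Controller shell against the address configured in the Authentication Profile; "timeout" with a correct address is the classic signature of a security group or firewall rule missing the Controller's management IP.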
If the provided user credentials or password are incorrect during authentication, the following error will be displayed in the GUI:
This error indicates that the username or password entered does not match the records in the LDAP directory.
Recommended Action:
Verify that the username is correct and that the entered password is accurate and not expired. If necessary, reset the user's password in the LDAP directory and try again.
When an LDAP user attempts to log in with invalid credentials, an event is logged to indicate the failure. This log entry helps track authentication issues and provides insight into failed login attempts.
CLI Logs:
If an incorrect or non-existent LDAP username is used during login, the following messages will be logged in /var/lib/avi/log/apiserver.INFO:
2025-05-13T13:34:37.887Z I 27476 middleware/auth_middleware.go:33 [T-ID=70589fb4] [AUTH MIDDLEWARE]: Proceeding for rest Authentication
2025-05-13T13:34:37.888Z I 27476 middleware/gslb_middleware.go:482 [GSLB MIDDLEWARE] Started for %!(EXTRA string=/login, string=POST)
2025-05-13T13:34:37.889Z I 5784 middleware/gslb_middleware.go:215 [GslbFlowMiddleware] Started for %!(EXTRA string=/login, string=POST)
2025-05-13T13:34:37.891Z I 5784 authserver/authenticator.go:172 [T-ID=70589fb4] [AuthServer Authenticate]: Authentication started
2025-05-13T13:34:37.892Z I 27476 authserver/authenticator.go:230 [T-ID=70589fb4] [AuthServer authenticateBackends]: Available auth backends - [2 3 5 6]
2025-05-13T13:34:37.892Z I 27476 authserver/authenticator.go:234 [T-ID=70589fb4] [AuthServer authenticateBackends]: Trying KEYSTONE authbackend
2025-05-13T13:34:37.893Z I 5784 authserver/authenticator.go:234 [T-ID=70589fb4] [AuthServer authenticateBackends]: Trying LDAP authbackend
2025-05-13T13:34:37.895Z I 27476 ldap_auth/ldap.go:187 [T-ID=70589fb4] [LDAP AUTH]: [user:test_user1] Groups: [search-dn:ou=Test_OU,dc=trilab,dc=lab] [search-filter:(objectClass=*)] [scope:2]
2025-05-13T13:34:37.905Z E 5816 ldap_auth/ldap.go:256 [T-ID=70589fb4] [LDAP AUTH]: user test_user1 LDAP authentication failure
2025-05-13T13:34:37.908Z I 1195633 alert/config_log.go:333 [UserLoginEvent] EventId: USER_LOGIN, objType: User, eventModule: CONFIG, eventTenant: admin
2025-05-13T13:34:37.908Z E 1195633 apihandlers/custom_auth_apihandlers.go:127 [T-ID=70589fb4] [handleLoginException]: LoginHandler Exception: Invalid credentials
2025-05-13T13:34:37.908Z E 5784 apihandlers/base_apihandlers.go:521 [T-ID=70589fb4] Error encountered during /login - Invalid credentials
If the correct LDAP username is used but the password is incorrect, the following log entries will appear in /var/lib/avi/log/apiserver.INFO:
2025-05-13T13:36:06.883Z I 5816 middleware/auth_middleware.go:33 [T-ID=9756d7a7] [AUTH MIDDLEWARE]: Proceeding for rest Authentication
2025-05-13T13:36:06.884Z I 5816 middleware/gslb_middleware.go:482 [GSLB MIDDLEWARE] Started for %!(EXTRA string=/login, string=POST)
2025-05-13T13:36:06.885Z I 5926 middleware/gslb_middleware.go:215 [GslbFlowMiddleware] Started for %!(EXTRA string=/login, string=POST)
2025-05-13T13:36:06.891Z I 5783 authserver/authenticator.go:172 [T-ID=9756d7a7] [AuthServer Authenticate]: Authentication started
2025-05-13T13:36:06.893Z I 1195633 authserver/authenticator.go:230 [T-ID=9756d7a7] [AuthServer authenticateBackends]: Available auth backends - [2 3 5 6]
2025-05-13T13:36:06.893Z I 1195633 authserver/authenticator.go:234 [T-ID=9756d7a7] [AuthServer authenticateBackends]: Trying KEYSTONE authbackend
2025-05-13T13:36:06.894Z I 5783 authserver/authenticator.go:234 [T-ID=9756d7a7] [AuthServer authenticateBackends]: Trying LDAP authbackend
2025-05-13T13:36:06.896Z I 1195633 ldap_auth/ldap.go:187 [T-ID=9756d7a7] [LDAP AUTH]: [user:test_user] Groups: [search-dn:ou=Test_OU,dc=trilab,dc=lab] [search-filter:(objectClass=*)] [scope:2]
2025-05-13T13:36:06.915Z E 5926 ldap_auth/ldap.go:381 [T-ID=9756d7a7] [LDAP AUTH]: error during user password bind - LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C090510, comment: AcceptSecurityContext error, data 52e, v4563
2025-05-13T13:36:06.915Z E 5926 ldap_auth/ldap.go:245 [T-ID=9756d7a7] [LDAP AUTH]: Error during Authentication - user DN/password rejected by LDAP server.
2025-05-13T13:36:06.924Z I 5926 alert/config_log.go:333 [UserLoginEvent] EventId: USER_LOGIN, objType: User, eventModule: CONFIG, eventTenant: admin
2025-05-13T13:36:06.924Z E 5926 apihandlers/custom_auth_apihandlers.go:127 [T-ID=9756d7a7] [handleLoginException]: LoginHandler Exception: Invalid credentials
2025-05-13T13:36:06.936Z E 27476 apihandlers/base_apihandlers.go:521 [T-ID=9756d7a7] Error encountered during /login - Invalid credentials
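The three signatures shown in the logs on this page (success at ldap_auth/ldap.go:296, unknown user at ldap_auth/ldap.go:256, and a rejected user bind at ldap_auth/ldap.go:381) can be correlated by T-ID and triaged automatically. The script below is an added example, not Avi tooling and not part of the original page. It runs an awk classifier over log lines read from stdin or a file and also decodes the Active Directory sub-code carried in the data field of result 49 (52e, 775 and so on), so it goes slightly beyond the two failure cases shown above. The sample lines it ships with are constructed from the formats on this page; the T-IDs and the locked_user transaction are made up.

```shell
#!/usr/bin/env bash
# Added example, not Avi tooling: triage LDAP login attempts in apiserver.INFO by
# correlating lines on their T-ID and classifying the outcome of each transaction.
# Usage: ./ldap_triage.sh /var/lib/avi/log/apiserver.INFO   (no argument: run on the sample)

# Constructed sample modelled on the log formats shown on this page (T-IDs and the
# locked_user transaction are invented for illustration).
SAMPLE_LOG=$(cat <<'EOF'
2025-05-06T05:46:59.546Z I 1195633 ldap_auth/ldap.go:187 [T-ID=aaaa1111] [LDAP AUTH]: [user:test_user] Groups: [search-dn:ou=Test_OU,dc=trilab,dc=lab] [search-filter:(objectClass=*)] [scope:2]
2025-05-06T05:46:59.603Z I 27476 ldap_auth/ldap.go:296 [T-ID=aaaa1111] [LDAP AUTH]: end user auth. [test_user]: username:"test_user" local:false is_active:true
2025-05-13T13:34:37.895Z I 27476 ldap_auth/ldap.go:187 [T-ID=bbbb2222] [LDAP AUTH]: [user:test_user1] Groups: [search-dn:ou=Test_OU,dc=trilab,dc=lab] [search-filter:(objectClass=*)] [scope:2]
2025-05-13T13:34:37.905Z E 5816 ldap_auth/ldap.go:256 [T-ID=bbbb2222] [LDAP AUTH]: user test_user1 LDAP authentication failure
2025-05-13T13:34:37.908Z E 1195633 apihandlers/custom_auth_apihandlers.go:127 [T-ID=bbbb2222] [handleLoginException]: LoginHandler Exception: Invalid credentials
2025-05-13T13:36:06.896Z I 1195633 ldap_auth/ldap.go:187 [T-ID=cccc3333] [LDAP AUTH]: [user:test_user] Groups: [search-dn:ou=Test_OU,dc=trilab,dc=lab] [search-filter:(objectClass=*)] [scope:2]
2025-05-13T13:36:06.915Z E 5926 ldap_auth/ldap.go:381 [T-ID=cccc3333] [LDAP AUTH]: error during user password bind - LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C090510, comment: AcceptSecurityContext error, data 52e, v4563
2025-05-13T13:36:06.924Z E 5926 apihandlers/custom_auth_apihandlers.go:127 [T-ID=cccc3333] [handleLoginException]: LoginHandler Exception: Invalid credentials
2025-05-13T13:40:00.100Z I 5926 ldap_auth/ldap.go:187 [T-ID=dddd4444] [LDAP AUTH]: [user:locked_user] Groups: [search-dn:ou=Test_OU,dc=trilab,dc=lab] [search-filter:(objectClass=*)] [scope:2]
2025-05-13T13:40:00.120Z E 5926 ldap_auth/ldap.go:381 [T-ID=dddd4444] [LDAP AUTH]: error during user password bind - LDAP Result Code 49 "Invalid Credentials": 80090308: LdapErr: DSID-0C090510, comment: AcceptSecurityContext error, data 775, v4563
EOF
)

# Reads log lines on stdin; prints "<tid> <user> <verdict> [<sub-code> <meaning>]"
# per transaction, in first-seen order. Verdicts:
#   SUCCESS        ldap.go:296 "end user auth" (password accepted, user object built)
#   USER_NOT_FOUND ldap.go:256 "LDAP authentication failure" with no bind error
#   BIND_REJECTED  ldap.go:381 "error during user password bind" (AD sub-code decoded)
#   FAILED         a LoginHandler exception with none of the above
triage_ldap_logins() {
  awk '
    function tid(s)     { return match(s, /T-ID=[0-9a-f]+/) ? substr(s, RSTART+5, RLENGTH-5) : "" }
    function subcode(s) { return match(s, /data [0-9a-f]+/) ? substr(s, RSTART+5, RLENGTH-5) : "" }
    BEGIN {
      # Active Directory sub-codes reported in the "data" field of result 49
      ad["525"]="user not found";         ad["52e"]="invalid password"
      ad["530"]="logon time restriction"; ad["531"]="workstation restriction"
      ad["532"]="password expired";       ad["533"]="account disabled"
      ad["701"]="account expired";        ad["773"]="password must be reset"
      ad["775"]="account locked out"
    }
    {
      t = tid($0); if (t == "") next
      if (!(t in seen)) { seen[t] = ++n; ids[n] = t }
      if (match($0, /\[user:[^]]+\]/)) user[t] = substr($0, RSTART+6, RLENGTH-7)
      if ($0 ~ /\[LDAP AUTH\]: end user auth\./) verdict[t] = "SUCCESS"
      else if ($0 ~ /error during user password bind/) {
        verdict[t] = "BIND_REJECTED"; c = subcode($0)
        detail[t] = (c == "" ? "result 49, no data sub-code" : c " " (c in ad ? ad[c] : "unrecognised sub-code"))
      }
      else if ($0 ~ /LDAP authentication failure/ && verdict[t] == "") verdict[t] = "USER_NOT_FOUND"
      else if ($0 ~ /LoginHandler Exception/ && verdict[t] == "") verdict[t] = "FAILED"
    }
    END {
      for (i = 1; i <= n; i++) {
        t = ids[i]
        printf "%s %s %s%s\n", t, (user[t] == "" ? "-" : user[t]), (verdict[t] == "" ? "NO_VERDICT" : verdict[t]), (detail[t] == "" ? "" : " " detail[t])
      }
    }
  '
}

if [ $# -gt 0 ]; then triage_ldap_logins < "$1"; else printf '%s\n' "$SAMPLE_LOG" | triage_ldap_logins; fi
```

Because the verdict is keyed on the T-ID rather than on the username, two login attempts by the same user a second apart are kept separate, and a burst of BIND_REJECTED lines with sub-code 775 for many users is a quick indicator of a lockout storm rather than of a configuration problem on the Controller.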
Two bind operations can take place during a login. When the Authentication Profile is configured with a Bind DN, the Controller first binds with that DN and its password so that it can search the directory (the Groups search at ldap_auth/ldap.go:187 in the logs above); it then binds a second time as the user's own DN with the password the user typed (the "user password bind" at ldap_auth/ldap.go:381). A failure at either step means the Controller could not establish an authenticated session with the LDAP server.
The server's result is logged verbatim. In the example above, Result Code 49 "Invalid Credentials" with data 52e is Active Directory's sub-code for a wrong password on a DN that does exist. Other AD sub-codes that appear in the same position are 525 (user not found), 530 (logon not permitted at this time), 532 (password expired), 533 (account disabled), 701 (account expired), 773 (user must reset password) and 775 (account locked out). The login error shown to the user does not distinguish between them, so the data value in apiserver.INFO is the quickest way to tell a mistyped password from a locked or expired account.
Recommended Action:
Verify that the Bind DN and its password are correctly configured in the Authentication Profile, that they correspond to a valid account on the LDAP server, and that the account has sufficient permissions to search the directory. Update the credentials in the Authentication Profile as needed to match the LDAP server's account. For a user password bind failure, check the user's account state in the directory according to the sub-code above before resetting the password or asking the user to retry.
If an Authentication Mapping Profile is configured with rules on user attributes (such as group membership), those rules are evaluated after LDAP has accepted the user's password. In the successful login above they produce the mapped tenants, roles and user account profile entries and the USER_AUTHORIZED_BY_RULE event at utils/auth_rules.go:698. If the user does not satisfy the conditions defined in the mapping profile, the login is rejected with an error even though the LDAP credentials were correct.
This error occurs when the user's LDAP attributes (such as group membership, role, or other parameters) do not match the rules configured in the Authentication Mapping Profile.
Recommended Action:
Review the Authentication Mapping Profile settings to ensure the correct user attributes (group, role, etc.) are specified.
Verify that the user meets the criteria defined in the profile, such as appropriate group membership or other parameters.
To assist with troubleshooting and validating LDAP queries, you can use the ldapsearch command. Below is an example of the command and its output, which can help you perform LDAP searches and understand the available options.
For example, the following command queries the LDAP server 10.91.5.123 for the user Test_User. Note that -w places the bind password on the command line, where it is visible in the process list and in the shell history; prefer -W, which prompts for it. Current OpenLDAP clients also deprecate -h in favour of -H ldap://10.91.5.123 (or -H ldaps://... when the Authentication Profile uses LDAP over TLS).
root@:/var/lib/avi/log# ldapsearch -x -h 10.91.5.123 -D "CN=Administrator,CN=Users,DC=trilab,DC=lab" -w avipass -b 'DC=trilab,DC=lab' '(sAMAccountName=Test_User)'
# extended LDIF
#
# LDAPv3
# base <DC=trilab,DC=lab> with scope subtree
# filter: (sAMAccountName=Test_User)
# requesting: ALL
#
# Test_User, Test_OU, trilab.lab
dn: CN=Test_User,OU=Test_OU,DC=trilab,DC=lab
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Test_User
givenName: Test_User
distinguishedName: CN=Test_User,OU=Test_OU,DC=trilab,DC=lab
instanceType: 4
whenCreated: 20250414034726.0Z
whenChanged: 20250428052030.0Z
displayName: Test_User
uSNCreated: 41945
memberOf: CN=Test_Group,OU=Test_OU,DC=trilab,DC=lab
uSNChanged: 53279
name: Test_User
objectGUID:: W9lGigzJdUudPklANu7hnA==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 133890925336300517
lastLogoff: 0
lastLogon: 133890927490988844
pwdLastSet: 133890760461898157
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAAJyKKQ+RwZSHabY40VwQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: Test_User
sAMAccountType: 805306368
userPrincipalName: Test_User@trilab.lab
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=trilab,DC=lab
dSCorePropagationData: 20250414040353.0Z
dSCorePropagationData: 16010101000000.0Z
lastLogonTimestamp: 133902912308135280
# search reference
ref: ldap://ForestDnsZones.trilab.lab/DC=ForestDnsZones,DC=trilab,DC=lab
# search reference
ref: ldap://DomainDnsZones.trilab.lab/DC=DomainDnsZones,DC=trilab,DC=lab
# search reference
ref: ldap://trilab.lab/CN=Configuration,DC=trilab,DC=lab
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
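The three checks behind the Auth Profile's Verify button (Test User Entry, Test User Group Membership and Test Base DN, described earlier on this page) can be reproduced from the Controller shell with ldapsearch, which helps when the GUI only reports a generic failure. The script below is an added example, not Avi's own code and not part of the original page. It assumes the server, Bind DN and Base DN from the ldapsearch command above (override them with LDAP_URI, BIND_DN and BASE_DN), reads the bind password from a file named in LDAP_PW_FILE or prompts for it with -W rather than passing it with -w, escapes the username before building the search filter, and parses the LDIF reply with a small unfolder so that memberOf values ldapsearch wraps across lines are not missed. The LDIF sample embedded for the offline demo is constructed from the output above with one deliberately wrapped group DN.

```shell
#!/usr/bin/env bash
# Added example, not Avi tooling: run the Auth Profile's three Verify checks with
# ldapsearch and parse the LDIF it returns. Assumed environment (override via env):
# server, Bind DN and Base DN as in the ldapsearch example on this page;
# LDAP_PW_FILE = file holding the Bind DN password (otherwise -W prompts for it).
LDAP_URI=${LDAP_URI:-ldaps://10.91.5.123}     # ldap://host plus -ZZ if StartTLS is used instead
BIND_DN=${BIND_DN:-CN=Administrator,CN=Users,DC=trilab,DC=lab}
BASE_DN=${BASE_DN:-DC=trilab,DC=lab}

# ldap_query <base> <base|one|sub> <filter> [attrs...]
# -LLL drops comments, -o ldif-wrap=no stops 76-column folding; the password goes via
# -y or -W, never -w (visible in ps and history). Exit status is the LDAP result code.
ldap_query() {
  local base=$1 scope=$2 filter=$3; shift 3
  if [ -n "${LDAP_PW_FILE:-}" ]; then
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -y "$LDAP_PW_FILE" -b "$base" -s "$scope" "$filter" "$@"
  else
    ldapsearch -LLL -o ldif-wrap=no -H "$LDAP_URI" -D "$BIND_DN" -W -b "$base" -s "$scope" "$filter" "$@"
  fi
}

# RFC 4515 escaping for a value placed inside a filter; without it a username such as
# "*" or "x)(objectClass=*" changes the meaning of the search.
ldap_filter_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# LDIF helpers (stdin -> stdout). A line starting with one space continues the previous
# attribute, so values must be unfolded before they are grepped.
ldif_unfold() {
  awk '/^#/ { next }
       /^ /  { buf = buf substr($0, 2); next }
             { if (buf != "") print buf; buf = $0 }
       END   { if (buf != "") print buf }'
}
# ldif_attr <attribute>: one value per line; "attr::" values are base64 and get a base64: prefix
ldif_attr() {
  ldif_unfold | awk -v want="$1" 'BEGIN { want = tolower(want) }
    { i = index($0, ":"); if (i == 0) next
      if (tolower(substr($0, 1, i-1)) != want) next
      rest = substr($0, i+1)
      if (substr(rest, 1, 1) == ":") print "base64:" substr(rest, 3)
      else { sub(/^ /, "", rest); print rest } }'
}
ldif_entry_count() { ldif_unfold | awk '/^dn:/ { n++ } END { print n+0 }'; }

# DN comparison: case-insensitive and ignoring spaces after commas, as the directory does.
dn_normalize() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]' | sed 's/, */,/g'; }
dn_list_contains() {   # stdin: one DN per line; $1: DN to look for
  local want dn; want=$(dn_normalize "$1")
  while IFS= read -r dn; do [ "$(dn_normalize "$dn")" = "$want" ] && return 0; done
  return 1
}

# 1. Test User Entry: exactly one entry must match the sAMAccountName.
verify_user_entry() {
  local out rc=0 n
  out=$(ldap_query "$BASE_DN" sub "(sAMAccountName=$(ldap_filter_escape "$1"))" dn) || rc=$?
  [ "$rc" -eq 0 ] || { echo "search failed, ldapsearch exit $rc (49 = Bind DN/password rejected, 32 = Base DN not found)"; return 1; }
  n=$(printf '%s\n' "$out" | ldif_entry_count)
  [ "$n" -eq 1 ] && { printf '%s\n' "$out" | ldif_attr dn; return 0; }
  echo "expected 1 entry for $1, got $n"; return 1
}
# 2. Test User Group Membership: is the user a memberOf the given group DN?
verify_group_membership() {
  local out
  out=$(ldap_query "$BASE_DN" sub "(sAMAccountName=$(ldap_filter_escape "$1"))" memberOf) || return 1
  printf '%s\n' "$out" | ldif_attr memberOf | dn_list_contains "$2"
}
# 3. Test Base DN: a base-scope read of the Base DN itself; exit 32 means it does not exist.
verify_base_dn() {
  local rc=0
  ldap_query "$BASE_DN" base '(objectClass=*)' dn >/dev/null || rc=$?
  case $rc in
    0)  echo "Base DN $BASE_DN is reachable on $LDAP_URI" ;;
    32) echo "Base DN $BASE_DN does not exist on $LDAP_URI (noSuchObject)"; return 1 ;;
    49) echo "Bind DN/password rejected by $LDAP_URI (invalidCredentials)"; return 1 ;;
    *)  echo "ldapsearch failed with exit $rc"; return 1 ;;
  esac
}

# Constructed LDIF for the offline demo, modelled on the ldapsearch output on this page,
# with one group DN folded across two lines the way ldapsearch wraps long values.
SAMPLE_LDIF=$(cat <<'EOF'
dn: CN=Test_User,OU=Test_OU,DC=trilab,DC=lab
cn: Test_User
memberOf: CN=Test_Group,OU=Test_OU,DC=trilab,DC=lab
memberOf: CN=A Group With A Very Long Name That Wraps,OU=Test_OU,DC=trilab,
 DC=lab
objectGUID:: W9lGigzJdUudPklANu7hnA==
sAMAccountName: Test_User
EOF
)

# Usage: ./ldap_verify.sh user <name> | groups <name> <group DN> | base | demo
case "${1:-demo}" in
  user)   verify_user_entry "$2" ;;
  groups) verify_group_membership "$2" "$3" && echo "$2 is a member of $3" ;;
  base)   verify_base_dn ;;
  demo)   printf '%s\n' "$SAMPLE_LDIF" | ldif_attr memberOf ;;
esac
```

The exit-status mapping in verify_base_dn mirrors the GUI failure described earlier: ldapsearch exits with the LDAP result code, so 32 (noSuchObject) is a Base DN typo and 49 is the Bind DN or its password. A naive grep for memberOf would silently miss the second group in the sample because ldapsearch folds long DNs, which is exactly the kind of mismatch that makes a group-based mapping rule fail for some users and not others.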
You may need to run tcpdump packet captures to troubleshoot LDAP sessions. When reviewing LDAP tcpdump output, it is helpful to understand the sequence of an LDAP session in the context of authenticating LDAP users: a TCP handshake to the LDAP port, a bind with the configured Bind DN (if one is set), a search under the Base DN for the user entry and its groups, a second bind as the user's DN with the password the user supplied, and finally an unbind.
To capture LDAP traffic, follow the steps below:
Impact of procedure: Performing the following steps should not negatively impact your system.
Log in to the Controller via ssh.
Capture LDAP traffic using the following tcpdump command (replace eth0 if the management interface has a different name, and use port 636 if the Authentication Profile uses LDAPS):
tcpdump -s0 -ni eth0 port 389 -vw /home/admin/ldap.pcap
You can open and analyze the capture file in Wireshark for further debugging. Because -s0 captures full packets and plain LDAP on port 389 sends simple-bind passwords in cleartext unless StartTLS is negotiated, the resulting pcap contains the Bind DN password and the passwords of every user who logged in during the capture; restrict access to it and delete it once the analysis is done. With LDAPS or StartTLS the bind and search payloads are encrypted, so only connection-level behaviour (TCP handshake, TLS alerts, resets) can be read from the capture.