
Troubleshooting LDAP Authentication

While saving a new LDAP profile or adding new users, you may encounter one or more of the following errors:

Invalid credentials to ldap:/IP:389

  • Ensure the bind account is not locked out and the password is correct.
  • Ensure the bind account has the correct DN. In Active Directory this can be validated on the Active Directory server: choose the Organizational Unit (OU) -> Right Click -> Properties -> Attribute Editor -> distinguishedName.
  • Ensure the search filter is correct for Active Directory. sAMAccountName is the most common attribute for Active Directory.
  • Check the Directory Service log on your Active Directory server for any authentication failures.
  • You can validate the bind account credentials and DN with third-party tools such as ldapsearch, for example:

    ldapsearch -H ldap://ldaphostname:389 -x -D "cn=username,ou=People,dc=vectra,dc=com" -W -b "dc=vectra,dc=com" "(sAMAccountName=username)"

Could not connect to ldap://IP - before connection timeout expired

If you see the following error approximately 30 seconds after trying to save the profile:


This is usually an indication of connectivity issues to the LDAP server.

  • Ensure that connectivity on port 389 from the Brain to the LDAP server is allowed in your firewall.
  • If STARTTLS is required, make sure you have selected "Use TLS".
  • Ensure you prefixed the URI with ldap://; if using an alternative port, enter it as ldap://ip-or-fqdn:port-num.
  • LDAPS is not supported; in the majority of cases port 636 is for LDAPS only. Remove the port and use STARTTLS on port 389.

Could not find user within provided base DNs

This error may be seen when adding a new user after the profile has already been created, or while saving the LDAP profile.

  • Ensure the bind account is not locked out and the password is correct.
  • Ensure the bind account has the correct DN. In Active Directory this can be validated on the Active Directory server: choose the Organizational Unit (OU) -> Right Click -> Properties -> Attribute Editor -> distinguishedName.
  • Ensure the search filter is correct for Active Directory. sAMAccountName is the most common attribute for Active Directory.
  • Verify the bind account has permission to read users from the base DNs listed. Note that you can have multiple base DNs in the LDAP profile.
  • Ensure that the password for the bind account has been updated in the profile if it has changed or expired.

A new user is added but can't login

When this occurs, (null) is often shown next to the user name instead of the correct DN.

  • Ensure the search filter is correct for Active Directory. sAMAccountName is the most common attribute for Active Directory.
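The checks listed under the four error headings above can be run from a shell before saving the profile. The script below is an added example, not part of the Vectra article; it assumes the OpenLDAP ldapsearch and nc (netcat) tools are installed, reads the bind password from a BIND_PW environment variable, and uses placeholder names (dc01.example.com, svc-vectra, jdoe).

```sh
#!/bin/sh
# Added example, not from the Vectra article: pre-flight checks for an LDAP profile.
# Assumed placeholders: dc01.example.com, svc-vectra, jdoe; the bind password is read
# from the BIND_PW environment variable; set USE_TLS=1 to require STARTTLS ("Use TLS").
# Usage: BIND_PW=... ./ldap_preflight.sh ldap://dc01.example.com:389 \
#        "cn=svc-vectra,ou=Service Accounts,dc=example,dc=com" dc=example,dc=com jdoe

# check_uri URI -> 0 if the URI carries the ldap:// prefix and avoids the LDAPS port 636.
check_uri() {
    case "$1" in
        ldaps://*) echo "ERROR: ldaps:// is not supported; use ldap:// with STARTTLS on 389" >&2; return 1 ;;
        ldap://*)  ;;
        *)         echo "ERROR: URI must start with ldap://" >&2; return 1 ;;
    esac
    case "$1" in
        *:636|*:636/*) echo "ERROR: port 636 is LDAPS only; drop the port and use STARTTLS on 389" >&2; return 1 ;;
    esac
}

# uri_host / uri_port -> host and port from ldap://host[:port]; the port defaults to 389.
uri_host() { h=${1#ldap://}; h=${h%%/*}; echo "${h%%:*}"; }
uri_port() { h=${1#ldap://}; h=${h%%/*}; case "$h" in *:*) echo "${h##*:}" ;; *) echo 389 ;; esac; }

# check_tcp HOST PORT -> 0 if TCP connects within 5 s; a long hang here is the article's
# "before connection timeout expired" case, i.e. the firewall is dropping the traffic.
check_tcp() { nc -z -w 5 "$1" "$2"; }

# check_bind URI BINDDN BASEDN USER -> binds as the service account and looks the user up by
# sAMAccountName; the ldapsearch exit status maps onto the article's error headings.
check_bind() {
    out=$(ldapsearch -H "$1" ${USE_TLS:+-ZZ} -x -D "$2" -w "$BIND_PW" -b "$3" "(sAMAccountName=$4)" 1.1 2>&1)
    rc=$?
    case $rc in
        0)   if echo "$out" | grep -q '^dn:'; then echo "OK: $(echo "$out" | grep '^dn:')"; return 0; fi
             echo "NOT FOUND: no entry with sAMAccountName=$4 under $3 (check filter and base DNs)" >&2; return 1 ;;
        32)  echo "NO SUCH OBJECT: base DN $3 does not exist" >&2; return $rc ;;
        49)  echo "INVALID CREDENTIALS: bind DN or password for $2 is wrong, or the account is locked" >&2; return $rc ;;
        255) echo "CANNOT CONTACT: $1 unreachable (firewall, wrong port, or TLS mismatch)" >&2; return $rc ;;
        *)   echo "$out" >&2; return $rc ;;
    esac
}

if [ $# -eq 4 ]; then
    check_uri "$1" && check_tcp "$(uri_host "$1")" "$(uri_port "$1")" && check_bind "$1" "$2" "$3" "$4"
fi
```

A NOT FOUND result with exit status 0 corresponds to the (null) DN shown next to a user who cannot log in: the bind worked, but the filter or base DNs did not match the account.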

There was a problem creating user


This is usually an indication that the bind account credentials are incorrect. Go back to the LDAP profile, enter the correct credentials and click Save. Then try adding the user again.

Further investigation

If problems persist please contact Vectra Support for further assistance.
