LDAP Authentication and Authorisation Troubleshooting

 Problem

LDAP authentication and authorisation issues

 Solution

Initial checklist

  • Confirm Authentication policy configuration

  • Confirm Authentication database configuration

  • Confirm application use of Authentication policy

The easiest way to troubleshoot LDAP authentication is to open an SSH session to the yarnman host and stream the process logs, filtering for LDAP messages:

yarnman@yarnman:~$ pm2 logs | grep LDAP

Authentication (the LDAP bind) and authorisation (the group check) are two separate steps, and a successful login produces one log message for each:

6|yarngate | 1632880690775 INFO LDAP Auth user L3-yarngate@lab.yarnlab.io and password has authenticated (bound) successfully.
6|yarngate | 1632880690817 INFO LDAP Client user L3-yarngate@lab.yarnlab.io is a member of one or more allowed groups and is therefore authorized for 1 role(s).

Bad Password

The log entry shows the exact username string that was sent to the LDAP server in the bind request:

6|yarngate | 1632881058530 INFO LDAP Auth user test@lab.yarnlab.io and password has failed to authenticate (bind).

Typically the cause is the format of the username being sent to the LDAP server (for example a UPN where the directory expects a down-level name or a DN), so the username regex match and replace may need to be updated.
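To make the username-format problem concrete, here is an added Python example (not code from this article or from the yarnman product) showing what a regex match-and-replace does to the name before it reaches the directory. The rule names, patterns and replacement forms are hypothetical; the only real input is the account name from the log lines above.

```python
import re

# Hypothetical match-and-replace rules for illustration. The real rules are
# whatever is configured in the authentication policy; these only show the
# kinds of transformation a directory may require.
RULES = {
    # UPN -> down-level logon name (DOMAIN\user)
    "downlevel": (r"^([^@]+)@lab\.yarnlab\.io$", r"LAB\\\1"),
    # UPN -> full distinguished name, for a directory that binds by DN
    "dn": (r"^([^@]+)@lab\.yarnlab\.io$",
           r"uid=\1,ou=people,dc=lab,dc=yarnlab,dc=io"),
    # pass the UPN through unchanged
    "upn": (r"^(.+)$", r"\1"),
}


def rewrite_username(username, rule):
    """Return the bind name produced by (pattern, replacement), or None if
    the pattern does not match. A non-match is the case to look for when the
    'failed to authenticate (bind)' entry shows an unexpected username."""
    pattern, replacement = rule
    match = re.fullmatch(pattern, username)
    if match is None:
        return None
    return match.expand(replacement)


def explain(username, rule_name):
    """One-line diagnosis of what would be sent to the LDAP server."""
    bind_name = rewrite_username(username, RULES[rule_name])
    if bind_name is None:
        return f"{username!r} does not match rule {rule_name!r}: no rewrite applied"
    return f"{username!r} -> {bind_name!r}"


if __name__ == "__main__":
    for name in RULES:
        print(explain("L3-yarngate@lab.yarnlab.io", name))
    # A user from another realm falls through the domain-specific rules.
    print(explain("test@corp.example", "downlevel"))
```

Compare the name printed here with the one in the "failed to authenticate (bind)" log entry: if they differ, the rule is not matching the form the login page submits.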

Invalid Group

The log entries show that the bind succeeded but the user is not a member of any allowed group:

6|yarngate | 1632881142622 INFO LDAP Auth user grouptest@lab.yarnlab.io and password has authenticated (bound) successfully.
6|yarngate | 1632881142647 WARN LDAP Client user grouptest@lab.yarnlab.io is not a member of any allowed groups configured in the policy and is therefore not authorized.
6|yarngate | 1632881142648 WARN LDAP Auth user grouptest@lab.yarnlab.io is not a member of allowed groups and is therefore not authorized.

Typically the user does not have the correct LDAP groups, or the LDAP group to role mapping in the policy is incorrect.

Cannot connect to LDAP server

6|yarngate | 1632881485386 ERROR Unexpected error trying to connect to LDAP server.
6|yarngate | 1632881485389 INFO LDAP Auth user test@lab.yarnlab.io has timed out trying to connect to the LDAP server.

Check the LDAP server address and FQDN (including that the name resolves from the yarnman host) and any network firewalls between yarnman and the LDAP server; the LDAP port (389 by default, or 636 for LDAPS) must be reachable.

LDAPS certificate validation errors

6|yarngate | 1632881579662 ERROR LDAP client certificate error: unable to verify the first certificate (UNABLE_TO_VERIFY_LEAF_SIGNATURE)
6|yarngate | 1632881579664 INFO LDAP Auth user test@lab.yarnlab.io is unable to log in to the LDAP server due to certificate verification error.

UNABLE_TO_VERIFY_LEAF_SIGNATURE is the OpenSSL/Node.js error for a server certificate whose issuer cannot be found in the client's trust store: usually the issuing CA certificate has not been uploaded, or the LDAPS server is not sending its intermediate certificates. Check that the CA certificate (and any intermediates) for the LDAPS server has been uploaded in the administration application, and that the server certificate is valid (not expired, and issued for the FQDN configured for the server).
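Because all four failure modes above are diagnosed from the same pm2 log stream, here is an added Python example (not part of this article or of the yarnman product) that parses lines of the form shown and maps each to one of the outcomes with the check to perform. The sample log is constructed from the messages quoted above; the regexes and outcome table are the example's own assumptions about the message wording.

```python
import re
import sys

# Constructed sample of `pm2 logs | grep LDAP` output, built from the message
# formats shown in this article (pm2 prefix: "<id>|<process> | <epoch ms> <LEVEL>").
SAMPLE_LOG = """\
6|yarngate | 1632880690775 INFO LDAP Auth user L3-yarngate@lab.yarnlab.io and password has authenticated (bound) successfully.
6|yarngate | 1632880690817 INFO LDAP Client user L3-yarngate@lab.yarnlab.io is a member of one or more allowed groups and is therefore authorized for 1 role(s).
6|yarngate | 1632881058530 INFO LDAP Auth user test@lab.yarnlab.io and password has failed to authenticate (bind).
6|yarngate | 1632881142622 INFO LDAP Auth user grouptest@lab.yarnlab.io and password has authenticated (bound) successfully.
6|yarngate | 1632881142647 WARN LDAP Client user grouptest@lab.yarnlab.io is not a member of any allowed groups configured in the policy and is therefore not authorized.
6|yarngate | 1632881142648 WARN LDAP Auth user grouptest@lab.yarnlab.io is not a member of allowed groups and is therefore not authorized.
6|yarngate | 1632881485386 ERROR Unexpected error trying to connect to LDAP server.
6|yarngate | 1632881485389 INFO LDAP Auth user test@lab.yarnlab.io has timed out trying to connect to the LDAP server.
6|yarngate | 1632881579662 ERROR LDAP client certificate error: unable to verify the first certificate (UNABLE_TO_VERIFY_LEAF_SIGNATURE)
6|yarngate | 1632881579664 INFO LDAP Auth user test@lab.yarnlab.io is unable to log in to the LDAP server due to certificate verification error.
"""

LINE_RE = re.compile(
    r"^\d+\|(?P<proc>\S+)\s*\|\s*(?P<ts>\d+)\s+(?P<level>[A-Z]+)\s+(?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser (?P<user>\S+)")

# Ordered (message fragment, outcome, what to check) table; first match wins.
# Only one fragment per failure is listed so each failed login yields one row
# (the second "not a member of allowed groups" WARN is deliberately skipped).
OUTCOMES = [
    ("failed to authenticate (bind)", "bad_password",
     "check the username format / regex match and replace"),
    ("is not a member of any allowed groups", "invalid_group",
     "check the user's LDAP groups and the group-to-role mapping"),
    ("timed out trying to connect", "ldap_unreachable",
     "check server address/FQDN, DNS and firewalls"),
    ("certificate verification error", "cert_error",
     "check the LDAPS CA certificate uploaded in the administration application"),
    ("is therefore authorized for", "authorized", "no action"),
]


def parse_line(line):
    """Split one pm2 log line into fields; return None for non-matching lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    user = USER_RE.search(m["msg"])
    return {"proc": m["proc"], "ts": int(m["ts"]), "level": m["level"],
            "msg": m["msg"], "user": user["user"] if user else None}


def classify(msg):
    """Map a message to (outcome, hint) using the OUTCOMES table."""
    for fragment, outcome, hint in OUTCOMES:
        if fragment in msg:
            return outcome, hint
    return None, None


def triage(log_text):
    """Return one record per login outcome found in the log text, in order."""
    rows = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        outcome, hint = classify(rec["msg"])
        if outcome is None:      # e.g. a bare "bound successfully" line
            continue
        rec["outcome"], rec["hint"] = outcome, hint
        rows.append(rec)
    return rows


def summarize(rows):
    """Count rows per outcome."""
    counts = {}
    for r in rows:
        counts[r["outcome"]] = counts.get(r["outcome"], 0) + 1
    return counts


if __name__ == "__main__":
    text = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    rows = triage(text)
    for r in rows:
        print(f'{r["ts"]} {r["user"] or "-":30} {r["outcome"]:17} {r["hint"]}')
    print(summarize(rows))
```

Run it without input to see the sample triaged, or pipe the live stream into it (`pm2 logs | grep LDAP | python3 ldap_triage.py`) to get a per-user outcome and the corresponding check from the sections above.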
