LDAP Authentication and Authorisation Troubleshooting
Problem
LDAP authentication and authorisation issues
Solution
Initial checklist
Confirm Authentication policy configuration
Confirm Authentication database configuration
Confirm application use of Authentication policy
To troubleshoot LDAP authentication, the easiest method is to open an SSH session and enable log streaming:
yarnman@yarnman:~$ pm2 logs | grep LDAP
Authentication and authorisation is a two-step process, and there will be a log message for each step:
6|yarngate | 1632880690775 INFO LDAP Auth user L3-yarngate@lab.yarnlab.io and password has authenticated (bound) successfully.
6|yarngate | 1632880690817 INFO LDAP Client user L3-yarngate@lab.yarnlab.io is a member of one or more allowed groups and is therefore authorized for 1 role(s).
Bad Password
The log entry will show the exact username used for authentication:
6|yarngate | 1632881058530 INFO LDAP Auth user test@lab.yarnlab.io and password has failed to authenticate (bind).
Typically the issue is the username format being sent to the LDAP server; the regex match and replace may need to be updated.
Invalid Group
The log entries will note that the user is not a member.
Typically the user does not have the correct LDAP groups, or the LDAP group to role mappings are incorrect.
Cannot connect to LDAP server
Check the LDAP server address and FQDN, or network firewalls.
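As an added example (not part of the product's documentation or code), the following script triages `pm2 logs | grep LDAP` output into the three cases above. The bind-success, bind-failure and group-success line formats are taken from this page; the wording of the "not a member" and connection-error lines is an assumption, and the sample log text is constructed.

```python
import re
from collections import Counter

# Constructed sample of `pm2 logs | grep LDAP` output. Lines 1-3 follow the format shown
# on this page; the "not a member" and ECONNREFUSED lines are assumed wording, not product output.
SAMPLE_LOGS = """\
6|yarngate | 1632880690775 INFO LDAP Auth user L3-yarngate@lab.yarnlab.io and password has authenticated (bound) successfully.
6|yarngate | 1632880690817 INFO LDAP Client user L3-yarngate@lab.yarnlab.io is a member of one or more allowed groups and is therefore authorized for 1 role(s).
6|yarngate | 1632881058530 INFO LDAP Auth user test@lab.yarnlab.io and password has failed to authenticate (bind).
6|yarngate | 1632881061000 INFO LDAP Auth user ops@lab.yarnlab.io and password has authenticated (bound) successfully.
6|yarngate | 1632881061040 WARN LDAP Client user ops@lab.yarnlab.io is not a member of any allowed groups.
6|yarngate | 1632881070000 ERROR LDAP connect ECONNREFUSED 10.0.0.5:636
"""
# pm2 prefix "<id>|<app> | <timestamp> <LEVEL> LDAP <message>"
LINE_RE = re.compile(r"^\d+\|\S+\s+\|\s+(?P<ts>\d+)\s+(?P<level>\w+)\s+LDAP\s+(?P<msg>.*)$")
USER_RE = re.compile(r"user\s+(?P<user>\S+)")
# Substring -> (category, checklist hint). First match wins, so order matters.
RULES = [
    ("has authenticated (bound) successfully", ("auth_ok", None)),
    ("has failed to authenticate (bind)", ("bad_password", "check username format / regex match and replace")),
    ("is a member of one or more allowed groups", ("authz_ok", None)),
    ("is not a member", ("invalid_group", "check user's LDAP groups and group-to-role mappings")),
    ("ECONNREFUSED", ("cannot_connect", "check LDAP server address/FQDN and firewalls")),
]

def classify_line(line):
    """Return (category, user, hint) for one LDAP log line, or None if the line is not LDAP output."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    msg = m.group("msg")
    u = USER_RE.search(msg)
    user = u.group("user") if u else None  # the exact username sent to the LDAP server
    for needle, (cat, hint) in RULES:
        if needle in msg:
            return cat, user, hint
    return "unknown", user, "inspect message manually"

def triage(log_text):
    """Count outcomes per category and record each user's last outcome (authz follows auth)."""
    counts = Counter()
    per_user = {}
    for line in log_text.splitlines():
        r = classify_line(line)
        if r is None:
            continue
        cat, user, hint = r
        counts[cat] += 1
        if user:
            per_user[user] = (cat, hint)
    return counts, per_user
```

Run `triage(SAMPLE_LOGS)` to get the per-category counts and, for each username, the last stage it reached together with the checklist item to verify.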