LDAP Authentication and Authorisation Troubleshooting

 Problem

LDAP authentication and Authorisation issues

 Solution

Initial checklist

  • Confirm Authentication policy configuration

  • Confirm Authentication database configuration

  • Confirm application use of Authentication policy


To troubleshoot LDAP authentication, the easiest method is to open an SSH session and enable log streaming:

yarnman@yarnman:~$ pm2 logs | grep LDAP


Authentication and authorisation are a two-step process (bind, then group check), and there is a log message for each step:

6|yarngate | 1632880690775 INFO LDAP Auth user L3-yarngate@lab.yarnlab.io and password has authenticated (bound) successfully.

6|yarngate | 1632880690817 INFO LDAP Client user L3-yarngate@lab.yarnlab.io is a member of one or more allowed groups and is therefore authorized for 1 role(s).


Bad Password

The log entry shows the exact username that was sent to the LDAP server for authentication:

6|yarngate | 1632881058530 INFO LDAP Auth user test@lab.yarnlab.io and password has failed to authenticate (bind).

Typically the issue is the username format being sent to the LDAP server, and the regex match and replace in the authentication policy may need to be updated.

Invalid Group


The log entries will note that the user is not a member of an allowed group.

Typically the user does not have the correct LDAP groups, or the LDAP group to role mapping is incorrect.
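When the streamed log is long, it helps to sort the LDAP lines into bind success, bind failure and authorisation outcomes per user rather than reading them one by one. The parser below is an added example, not yarnman code; it assumes the pm2 line layout shown above (process prefix, epoch milliseconds, level, then the LDAP message) and the wording "not a member" for the group-mismatch case, and the sample lines are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the pm2 log layout shown on this page (not real captures).
SAMPLE_LOG = """\
6|yarngate | 1632880690775 INFO LDAP Auth user L3-yarngate@lab.yarnlab.io and password has authenticated (bound) successfully.
6|yarngate | 1632880690817 INFO LDAP Client user L3-yarngate@lab.yarnlab.io is a member of one or more allowed groups and is therefore authorized for 1 role(s).
6|yarngate | 1632881058530 INFO LDAP Auth user test@lab.yarnlab.io and password has failed to authenticate (bind).
6|yarngate | 1632881060001 INFO some unrelated message
"""

# Line shape assumed: "<pm2 id>|<process> | <epoch ms> <level> LDAP <Auth|Client> user <name> <rest>"
LINE_RE = re.compile(
    r"^(?P<pm2>\d+)\|(?P<proc>\S+)\s*\|\s*(?P<ts>\d{13})\s+(?P<level>\w+)\s+LDAP\s+"
    r"(?P<stage>Auth|Client)\s+user\s+(?P<user>\S+)\s+(?P<rest>.*)$"
)


def classify(rest):
    """Map the tail of an LDAP log message to the troubleshooting outcome it represents."""
    if "authenticated (bound) successfully" in rest:
        return "bind_ok"
    if "failed to authenticate (bind)" in rest:
        return "bind_failed"          # Bad Password section: check the username format / regex
    if "is therefore authorized" in rest:
        return "authorized"
    if "not a member" in rest:        # wording assumed for the Invalid Group case
        return "not_authorized"       # check LDAP groups and group-to-role mapping
    return "other"


def parse_ldap_log(text):
    """Return one event dict per LDAP line; non-LDAP lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromtimestamp(int(m["ts"]) / 1000, tz=timezone.utc)
        events.append({
            "time": ts.isoformat(timespec="milliseconds"),  # epoch ms -> readable UTC time
            "stage": m["stage"],
            "user": m["user"],
            "outcome": classify(m["rest"]),
        })
    return events


def failed_binds_by_user(events):
    """Count failed binds per username, the exact string yarnman sent to the LDAP server."""
    counts = {}
    for e in events:
        if e["outcome"] == "bind_failed":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return counts
```

Pipe the real stream in with `pm2 logs | grep LDAP` and feed it to `parse_ldap_log` to see which step (bind or group check) each user is failing at.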


Cannot connect to LDAP server


Check the LDAP server address and FQDN, and any network firewalls between yarnman and the LDAP server.

LDAPS certificate validation errors