This article covers troubleshooting steps for common issues users run into after configuring Definition Center with LDAP authentication. If you have not set up this configuration yet, you can find instructions on how to do so here.
If you are having issues logging in after saving your LDAP changes, make sure that you have restarted the Definition Center service. Verify that you can still log in to Definition Center with an Administrator account using the Definition Center password (not your network password). In a pinch, you can log in this way and turn the LDAP settings off if you need to get a production server back up and running quickly.
First, verify that the Bind DN and LDAP Search Base are entered correctly. Some common mistakes are:
- Leaving out an OU
- The bind DN does not have permissions in the AD
- The bind DN is in a different group in the AD than the user logging in
- The port is not configured to allow traffic, or the wrong port is being used:
  - 389 for non-SSL
  - 636 for SSL
  - 3268 for Global Catalog non-SSL
  - 3269 for Global Catalog SSL
- The search base is too restrictive
If possible, an easy way to confirm the settings are correct is to copy the Bind DN and LDAP Search Base from another program that already authenticates against the same LDAP server. Copying and pasting the values avoids typos.
A useful tool is the LDAP Browser by Softerra. Download the free version from their website (LDAP Browser, not LDAP Administrator) and select the installer for the correct bitness. Make sure to install it on the Definition Center server.
Once installed, go to File > New > New Profile and choose any name. For the Host field, enter the LDAP server name you are connecting to (the same host listed in the Definition Center LDAP settings). The Base DN is the LDAP Search Base you listed in Definition Center.
On the next screen, enter your username as the 'Principal'. This is the account that authenticates the client to the server.
On the User Authentication Information screen, you can test two scenarios:
- Use the CN/UID of the Bind DN you are using in Definition Center
- Use the CN/UID you would personally use to log in to Definition Center
If one of these tests fails, you know that something on the LDAP side prevents that user from logging in or from having the correct permissions.
If you can connect successfully, check that you can find a user. Right-click the profile > Directory Search, add the full Bind DN you listed in the Definition Center settings, and change the UID/sAMAccountName to the user you want to search for. After you find the user, highlight them and look at their detailed information. Confirm that the UID/sAMAccountName is listed and correct, and that the user appears in the correct place in the tree: for example, look at the distinguishedName attribute, scroll manually through the left navigation pane, or look at the path shown at the top of LDAP Browser.
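The following script is an added example, not Definition Center's or Softerra's own code. It applies the common-mistake checklist above offline (malformed DNs, a port that does not match the SSL setting, and a search base that does not contain the user logging in) and then builds the OpenLDAP `ldapsearch` command equivalent to the Directory Search done in LDAP Browser, so the same bind and user lookup can be run from the Definition Center server's command line. The host name, DNs and account name are constructed sample values; the `user_dn` argument is the distinguishedName you read off the user in LDAP Browser.

```python
"""Offline sanity checks for Definition Center LDAP settings (added example)."""
import shlex

# Port table from the article: port -> (uses SSL, is Global Catalog)
LDAP_PORTS = {
    389: (False, False),
    636: (True, False),
    3268: (False, True),
    3269: (True, True),
}


def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, leftmost RDN first.

    Simplified RFC 4514 parsing: backslash-escaped commas (e.g. 'CN=Smith\\, John')
    are honoured, which is enough for the containment check below.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    pairs = []
    for rdn in rdns:
        if "=" not in rdn:
            raise ValueError(f"malformed RDN {rdn!r} in {dn!r}")
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip().lower(), value.strip().lower()))
    return pairs


def dn_within_base(dn, base):
    """True if `dn` is at or below `base` in the directory tree."""
    d, b = parse_dn(dn), parse_dn(base)
    return len(b) <= len(d) and d[len(d) - len(b):] == b


def check_settings(bind_dn, search_base, user_dn, port, use_ssl):
    """Return a list of findings; an empty list means nothing obvious is wrong."""
    findings = []
    for label, dn in (("Bind DN", bind_dn), ("Search Base", search_base), ("user DN", user_dn)):
        try:
            parse_dn(dn)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
    if findings:
        return findings  # the tree checks are meaningless with broken DNs

    if port not in LDAP_PORTS:
        findings.append(f"port {port} is not a standard LDAP or Global Catalog port")
    elif LDAP_PORTS[port][0] != use_ssl:
        findings.append(
            f"port {port} is {'an SSL' if LDAP_PORTS[port][0] else 'a non-SSL'} port but "
            f"SSL is {'enabled' if use_ssl else 'disabled'} in the settings"
        )
    if not dn_within_base(user_dn, search_base):
        findings.append("search base is too restrictive: the user logging in is outside it "
                        "(check for a missing or wrong OU)")
    return findings


def ldapsearch_command(host, port, use_ssl, bind_dn, search_base, account):
    """Build the ldapsearch equivalent of the LDAP Browser user lookup.

    -x simple bind, -D/-W bind as the Bind DN (password is prompted for, never
    placed on the command line), -b the search base; filter on sAMAccountName
    and return only the attributes worth checking by eye.
    """
    scheme = "ldaps" if use_ssl else "ldap"
    args = [
        "ldapsearch", "-x", "-H", f"{scheme}://{host}:{port}",
        "-D", bind_dn, "-W", "-b", search_base,
        f"(sAMAccountName={account})", "distinguishedName", "sAMAccountName",
    ]
    return shlex.join(args)


if __name__ == "__main__":
    # Constructed sample values, not a real directory.
    bind = "CN=svc-defcenter,OU=Service Accounts,DC=corp,DC=example"
    user = "CN=jdoe,OU=Users,DC=corp,DC=example"
    for base, port, ssl in (("DC=corp,DC=example", 389, False),
                            ("OU=Service Accounts,DC=corp,DC=example", 636, False)):
        print(f"base={base} port={port} ssl={ssl}")
        for finding in check_settings(bind, base, user, port, ssl) or ["no obvious problems"]:
            print("  -", finding)
    print(ldapsearch_command("dc01.corp.example", 389, False, bind, "DC=corp,DC=example", "jdoe"))
```

The second sample configuration reproduces two mistakes from the list at once: SSL is off while the SSL port 636 is selected, and the search base is an OU that does not contain the user, so the lookup in LDAP Browser would come back empty even though the bind itself succeeds.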
If you have any questions or need help, feel free to contact us in Support.