
Debugging LDAP configuration

If you run into issues configuring LDAP authentication on your SDE Appliance, these are some steps that you can take to debug them.

To change, verify and debug these settings you will need to log into the appliance over SSH, typically with an SSH client such as PuTTY.

Before making changes to the configuration, make sure that the appliance is able to resolve DNS names and can reach the new LDAP server on the designated port(s). Replace <YOUR_LDAP_SERVER> with the actual DNS name of your server.

sdelements@ubuntu:~$ LDAP_SERVER=<YOUR_LDAP_SERVER>
sdelements@ubuntu:~$ nslookup ${LDAP_SERVER} && echo SUCCESS || echo FAILURE
Server:         8.8.8.8
Address:        8.8.8.8#53

Non-authoritative answer:
Name:    example.com
Address: 193.18.216.11
SUCCESS


If there is a firewall between your SDE installation and the LDAP server, verify that the SDE Virtual Appliance is allowed to communicate with the LDAP server (typically port 389 TCP). Replace <YOUR_LDAP_SERVER> with the actual DNS name or IP address of your server and <YOUR_LDAP_PORT> with the port number to use, typically 389.


sdelements@ubuntu:~$ LDAP_SERVER=<YOUR_LDAP_SERVER>
sdelements@ubuntu:~$ LDAP_PORT=<YOUR_LDAP_PORT>
sdelements@ubuntu:~$ nc -z ${LDAP_SERVER} ${LDAP_PORT} && echo SUCCESS || echo FAILURE

sdelements@ubuntu:~$ nc -z ldap.example.com 389 && echo SUCCESS || echo FAILURE
SUCCESS


Finally, verify all configuration parameters, including authentication, authorization and connectivity, using the OpenLDAP command-line tool ldapsearch. Note that we do not cover advanced options or debugging steps here; see the ldapsearch man page for more information.

LDAP_SERVER=sdelements.security.com
LDAP_PORT=389
LDAP_BIND_DN="uid=gitorious,cn=sysaccounts,cn=etc,dc=security,dc=com"
LDAP_BASE_DN="dc=security,dc=com"
LDAP_TLS=true
LDAP_FILTER='mail=test@security.com'

# -ZZ requires a successful StartTLS on the plain LDAP port; leave the
# flags empty when TLS is not in use.
CRYPTO_FLAGS=''
if $LDAP_TLS; then CRYPTO_FLAGS='-ZZ'; fi

# -x: simple bind; -D/-W: bind as the Bind DN and prompt for its password;
# -b: search base. The filter is followed by the attributes to return.
ldapsearch $CRYPTO_FLAGS -h "${LDAP_SERVER}" -p "${LDAP_PORT}" -x -W \
    -D "${LDAP_BIND_DN}" -b "${LDAP_BASE_DN}" "${LDAP_FILTER}" sn givenName cn mail

At this point you will be prompted for the Bind DN's password. Please see the OpenLDAP documentation for error codes and debugging information.

Common Errors

1. The Bind DN contains \ or , characters inside a value. Escape each of these with the \ character. Do not escape spaces or _.

2. When connecting to MS Active Directory, the search operation fails with the diagnostic message "In order to perform this operation a successful bind must be completed on the connection." The cause is that LDAP referrals are turned on. Turn them off:

  1. Edit /docs/sde/live/code/sigma/settings.py
  2. Add the following to the end of the file:

    import ldap
    AUTH_LDAP_CONNECTION_OPTIONS = {
        ldap.OPT_REFERRALS: 0
    }

  3. Restart Apache (sde apache restart)
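The connectivity checks and the ldapsearch verification above, together with the Bind DN escaping rule from common error 1, combined into one preflight script. This is an added example, not part of the original article or the SDE product; the host name, the 'Service, LDAP' account and the DNs are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): one preflight script
# that runs the DNS, TCP and ldapsearch checks and builds the Bind DN
# with the escaping rule from common error 1. Host names, DNs and the
# 'Service, LDAP' account are constructed placeholders.

# Escape one DN attribute value: backslash and comma (the characters the
# article calls out) plus the other RFC 4514 specials. Spaces and
# underscores are left untouched.
dn_escape() {
    printf '%s' "$1" | sed -e 's/[\\,+"<>;]/\\&/g'
}

# Build a service-account Bind DN under the article's sysaccounts tree.
bind_dn() {
    printf 'cn=%s,cn=sysaccounts,cn=etc,dc=security,dc=com' "$(dn_escape "$1")"
}

# Port 636 is LDAPS (encrypted from the first byte); anything else is
# plain ldap://, which -ZZ upgrades with StartTLS. Never combine the two.
ldap_url() {   # args: host port
    if [ "$2" = 636 ]; then printf 'ldaps://%s:%s' "$1" "$2"
    else printf 'ldap://%s:%s' "$1" "$2"; fi
}
tls_flags() {  # args: port tls(true|false)
    if [ "$1" != 636 ] && [ "$2" = true ]; then printf '%s' -ZZ; fi
}

# Run the three checks in order and stop at the first failure so the
# message points at the layer (DNS, firewall, LDAP) that is broken.
ldap_preflight() {   # args: host port tls base_dn bind_dn filter
    nslookup "$1" >/dev/null 2>&1 || { echo "DNS: cannot resolve $1"; return 1; }
    nc -z -w 5 "$1" "$2" || { echo "TCP: $1:$2 unreachable (firewall?)"; return 2; }
    # tls_flags is intentionally unquoted: it expands to nothing or to -ZZ
    ldapsearch $(tls_flags "$2" "$3") -H "$(ldap_url "$1" "$2")" -x -W \
        -D "$5" -b "$4" "$6" sn givenName cn mail
}

# Guarded so the file can be sourced for its functions without touching
# the network; set RUN_PREFLIGHT=1 to actually run the checks.
if [ "${RUN_PREFLIGHT:-0}" = 1 ]; then
    ldap_preflight ldap.example.com 636 true 'dc=security,dc=com' \
        "$(bind_dn 'Service, LDAP')" 'mail=test@security.com'
fi
```

Run it as `RUN_PREFLIGHT=1 sh preflight.sh` after replacing the placeholders; the exit code tells you which layer failed.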


Enabling Verbose Logging

In v4.8, verbose logging of LDAP connections was added. To enable this, make the following changes on the SDE instance:

  1. In /docs/sde/live/code/sigma/settings.py, add the key ldap.OPT_DEBUG_LEVEL to the AUTH_LDAP_CONNECTION_OPTIONS dictionary:

    e.g.

    AUTH_LDAP_CONNECTION_OPTIONS = {
        ...,
        ldap.OPT_DEBUG_LEVEL: 4095
    }
  2. In /docs/sde/live/code/sigma/osd_settings.py, set the logging level of the python_ldap and django_auth_ldap loggers to DEBUG, and the level of the ldap handler to DEBUG.

    e.g.

    LOGGING = {
        ...,
        'handlers': {
            'ldap': {
                'level': 'DEBUG',
                'class': 'logging.handlers.TimedRotatingFileHandler',
                'filename': os.path.join(ROOT_SDE_PATH, 'log/ldap.log'),
                'when': 'W0',
                'formatter': 'file',
            },
        },
        'loggers': {
            'python_ldap': {
                'handlers': ['ldap'],
                'level': 'DEBUG',
                'propagate': False,
            },
            'django_auth_ldap': {
                'handlers': ['ldap'],
                'level': 'DEBUG',
                'propagate': False,
            },
        },
    }

  3. Run the command sde apache restart to apply the changes.

The LDAP library should write the verbose logs to the apache_error_main_docs_sde_<sde_version>.log file. Once the debug logs are no longer needed, revert the logging level changes and remove the ldap.OPT_DEBUG_LEVEL setting, then run sde apache restart to apply the changes.


Comments

  • Antonia Stevens

    In case you are using a self-signed cert or our CA is not trusted you will get errors like the following in /docs/sde/log/sdlc.log:

    TLS error -8172:Peer's certificate issuer has been marked as not trusted by the user.", 'desc': "Can't contact LDAP server"|

    TLS error -8157:Certificate extension not found.', 'desc': "Can't contact LDAP server

    To fix this on a RedHat-based platform you will need to download a copy of the CA, including a trust chain if required, and insert it into the OpenSSL cert store:

    # fetch the CA certificate (PEM) and import it into the NSS store used by OpenLDAP
    wget -O /etc/ca.crt https://server.example.com/ca.crt --no-check-certificate

    certutil -A -d /etc/openldap/certs -n 'Certificate Authority Nickname' -t CTu,Cu,Tuw -a -i /etc/ca.crt

  • Antonia Stevens

    When connecting to an LDAPS server on port 636 you should use this format:

    ldapsearch -v $CRYPTO_FLAGS -H "ldaps://${LDAP_SERVER}" -x -b "${LDAP_BASE_DN}" -D "${LDAP_BIND_DN}" "${LDAP_FILTER}" -W sn givenName cn mail

  • Antonia Stevens

    When attempting to debug SSL/TLS cipher/protocol negotiations the two following parameters might be helpful:

    AUTH_LDAP_CONNECTION_OPTIONS = {
        # restrict the cipher suite offered to the server
        ldap.OPT_X_TLS_CIPHER_SUITE: 'TLSv1:!NULL',
        # skip peer certificate verification while debugging the negotiation
        ldap.OPT_X_TLS_REQUIRE_CERT: ldap.OPT_X_TLS_NEVER,
    }