Common LDAP Errors
There are three primary failures that can happen when trying to access LDAP:

Login failed due to server error - There are multiple possible reasons for this, and to determine the cause you'll need to look into the debug logs of com.example.scheduler.security.impl.external.ldap.

Username or Password incorrect - this means you've put in the wrong username or password.

Login details correct, but you are not allowed to access the scheduler - this means that a username and password were found and authenticated correctly in LDAP, but the user did not have the appropriate (mapped) role; for example, it didn't have scheduler-user, or the search criteria for the group were not correct (for example, the Group Search Expression was wrong, or the Group Base DN was wrong).
To troubleshoot LDAP, access the debug logs of com.example.scheduler.security.impl.external.ldap. In there you'll see a corresponding error message:
Login Failed
Login attempt, username=<username> failed
Followed by the stack trace of the cause.
Connection Refused
javax.naming.CommunicationException: localhost:10389 [Root exception is java.net.ConnectException: Connection refused]
This means that Redwood Server cannot connect to the LDAP server at the configured host and port (localhost:10389 in this example).
Invalid Search Request
javax.naming.NameNotFoundException: [LDAP: error code 32 - NO_SUCH_OBJECT: failed for MessageType : SEARCH_REQUEST
This means that there was a configuration error. By looking at the next lines in the stack trace you can see which field was in error. For example, if you look at the baseDn value in the logged SearchRequest, it is likely to be the cause:
Invalid Base DN
Message ID : 2
SearchRequest
baseDn : 'ou=groups,o=example'
filter: '(uniqueMember=2.5.4.3=kirk,2.5.4.11=users,2.5.4.11=directory,2.5.4.10=example)'
In this case the baseDn should be ou=groups,ou=directory,o=example, as ou=groups,o=example doesn't exist in the tree, so the server throws the NameNotFoundException.
Note that if the Base DN is incorrect but maps to an existing node, the search itself succeeds but finds no matching group, so you'll end up with the message Login details correct, but you are not allowed to access the scheduler rather than the NameNotFoundException that is thrown when the node doesn't exist.
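The following is an added example, not code from the scheduler or from the original page. It models the group lookup against a small constructed in-memory directory so the two Base DN mistakes described above can be reproduced side by side: a base that does not exist (LDAP error code 32, surfacing as "Login failed due to server error") and a base that exists but sits in the wrong subtree (surfacing as "Login details correct, but you are not allowed to access the scheduler"). The directory contents, the NameNotFound class and the diagnose() helper are assumptions made for this example; the OID-to-name table covers the standard X.520 attribute types that appear in the logged filter.

```python
# Added example (not the scheduler's own code): an in-memory stand-in for the
# LDAP group lookup, used to show how the two Base DN mistakes surface as
# different login failures. The directory tree, the NameNotFound class and the
# diagnose() helper are constructed for this example.

# Standard X.520 attribute-type OIDs, as they appear in the logged filter.
OID_TO_NAME = {"2.5.4.3": "cn", "2.5.4.11": "ou", "2.5.4.10": "o"}


class NameNotFound(Exception):
    """Stands in for javax.naming.NameNotFoundException (LDAP result code 32)."""


def normalize_dn(dn):
    """Canonicalize a DN: map OID attribute types to their short names and
    lower-case everything so DNs can be compared as plain strings.
    Simplification: RDNs are split on ',' and escaped commas are not handled."""
    rdns = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        attr = OID_TO_NAME.get(attr.strip(), attr.strip())
        rdns.append(f"{attr.lower()}={value.strip().lower()}")
    return ",".join(rdns)


# Constructed directory tree keyed by normalized DN. ou=groups,o=example is
# deliberately absent, while ou=legacy,o=example exists but holds no groups.
DIRECTORY = {
    "o=example": {},
    "ou=directory,o=example": {},
    "ou=legacy,o=example": {},
    "ou=users,ou=directory,o=example": {},
    "ou=groups,ou=directory,o=example": {},
    "cn=kirk,ou=users,ou=directory,o=example": {"cn": ["kirk"]},
    "cn=scheduler-user,ou=groups,ou=directory,o=example": {
        "cn": ["scheduler-user"],
        "uniqueMember": ["cn=kirk,ou=users,ou=directory,o=example"],
    },
}


def search_groups(directory, base_dn, member_dn):
    """Subtree search under base_dn for entries whose uniqueMember lists member_dn.
    Returns the cn values of the matching groups. Raises NameNotFound when the
    base entry itself does not exist, mirroring LDAP error code 32."""
    base = normalize_dn(base_dn)
    if base not in directory:
        raise NameNotFound(
            f"[LDAP: error code 32 - NO_SUCH_OBJECT] baseDn : '{base_dn}'")
    member = normalize_dn(member_dn)
    groups = []
    for dn, attrs in directory.items():
        if dn == base or not dn.endswith("," + base):
            continue  # entry lies outside the search base
        members = [normalize_dn(m) for m in attrs.get("uniqueMember", [])]
        if member in members:
            groups.extend(attrs.get("cn", []))
    return groups


def diagnose(directory, base_dn, member_dn, required_role="scheduler-user"):
    """Map the outcome of the group lookup to the message the scheduler reports.
    Returns a (message, detail) pair."""
    try:
        roles = search_groups(directory, base_dn, member_dn)
    except NameNotFound as exc:
        return ("Login failed due to server error", str(exc))
    if required_role in roles:
        return ("Login OK", f"mapped roles: {roles}")
    return ("Login details correct, but you are not allowed to access the scheduler",
            f"search under '{base_dn}' returned roles {roles}; '{required_role}' required")


if __name__ == "__main__":
    kirk = "2.5.4.3=kirk,2.5.4.11=users,2.5.4.11=directory,2.5.4.10=example"
    for base in ("ou=groups,o=example",                # node does not exist -> code 32
                 "ou=legacy,o=example",                # node exists, but wrong subtree
                 "ou=groups,ou=directory,o=example"):  # correct Group Base DN
        message, detail = diagnose(DIRECTORY, base, kirk)
        print(f"{base:35} -> {message}\n{'':38}{detail}")
```

Running the block prints one line per Base DN; the first case is the only one that produces an exception and so the only one that reaches the debug log as a stack trace, which is why the existing-but-wrong node is the harder of the two to spot.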