- Administrator has configured LDAP authentication and is seeing login errors.
- Fiddler and Windows event logs do not indicate what the problem is.
The administrator should use LDP (ldp.exe) to verify that the test user account can log into the LDAP server. If only a subset of user accounts cannot log in, the administrator should verify whether the bind and search output is the same for a working and an offending user account.

In the example below, the directory service in the Tridion MMC snap-in is configured as in the screenshot. Note that:
- The directory server name (an IP address in this case) is 10.9.20.1
- The CN is Administrator
- The LDAP port is 389
- The users base DN is "CN=Users,DC=USTridionCS,DC=com"

In the LDP utility, the same LDAP information can be used to test whether the correct values are being used.

- LDP connection screenshot and output:

    ld = ldap_open("10.9.20.1", 389);
    Established connection to 10.9.20.1.
    Retrieving base DSA information...
    Result <0>: (null)
    Matched DNs:
    Getting 1 entries:
    >> Dn:
        1> currentTime: 12/01/2019 04:36:35 Pacific Standard Time Pacific Daylight Time;
        1> subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=USTridionCS,DC=com;
        1> dsServiceName: CN=NTDS Settings,CN=W03AD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=USTridionCS,DC=com;
        5> namingContexts: DC=USTridionCS,DC=com; CN=Configuration,DC=USTridionCS,DC=com; CN=Schema,CN=Configuration,DC=USTridionCS,DC=com; DC=DomainDnsZones,DC=USTridionCS,DC=com; DC=ForestDnsZones,DC=USTridionCS,DC=com;
        ...
        1> highestCommittedUSN: 2918858;
        4> supportedSASLMechanisms: GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
        1> dnsHostName: W03AD01.USTridionCS.com;
        1> ldapServiceName: USTridionCS.com:w03ad01$@USTRIDIONCS.COM;
        1> serverName: CN=W03AD01,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=USTridionCS,DC=com;
        3> supportedCapabilities: 1.2.840.113556.1.4.800; 1.2.840.113556.1.4.1670; 1.2.840.113556.1.4.1791;
        1> isSynchronized: TRUE;
        1> isGlobalCatalogReady: TRUE;
        1> domainFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
        1> forestFunctionality: 0 = ( DS_BEHAVIOR_WIN2000 );
        1> domainControllerFunctionality: 2 = ( DS_BEHAVIOR_WIN2003 );
    ------------

- Test the bind connection using the Domain, User, and Password.
- Test a search using "DC=USTridionCS,DC=com" with the filter "objectclass=*", or with more granular search criteria. Example output for correct search criteria looks like:

    ***Searching...
    ldap_search_s(ld, "DC=USTridionCS,DC=com", 1, "objectclass=*", attrList, 0, &msg)
    Result <0>: (null)
    Matched DNs:
    Getting 14 entries:
    >> Dn: CN=Builtin,DC=USTridionCS,DC=com
        2> objectClass: top; builtinDomain;
        1> cn: Builtin;
        1> distinguishedName: CN=Builtin,DC=USTridionCS,DC=com;
        1> name: Builtin;
        1> canonicalName: USTridionCS.com/Builtin;
    >> Dn: CN=Computers,DC=USTridionCS,DC=com
        2> objectClass: top; container;
        1> cn: Computers;
        1> description: Default container for upgraded computer accounts;
        1> distinguishedName: CN=Computers,DC=USTridionCS,DC=com;
        1> name: Computers;
        1> canonicalName: USTridionCS.com/Computers;
    >> Dn: OU=Domain Controllers,DC=USTridionCS,DC=com
        2> objectClass: top; organizationalUnit;
        1> ou: Domain Controllers;
        1> description: Default container for domain controllers;
        1> distinguishedName: OU=Domain Controllers,DC=USTridionCS,DC=com;
        1> name: Domain Controllers;
        1> canonicalName: USTridionCS.com/Domain Controllers;
    ...
    >> Dn: CN=TridionUserAcct4752,CN=Users,DC=USTridionCS,DC=com
        4> objectClass: top; person; organizationalPerson; user;
        1> cn: TridionUserAcct4752;
        1> description: Tridion User4752;
        1> distinguishedName: CN=TridionUserAcct4752,CN=Users,DC=USTridionCS,DC=com;
        1> name: TridionUserAcct4752;
        1> canonicalName: USTridionCS.com/Users/TridionUserAcct4752;

- If troubleshooting an unsuccessful LDAP authentication issue for SDL Web, send the LDP output produced with the same connection information that SDL Web is configured with.
- If troubleshooting a subset of users who are not able to connect, send the LDP output for both a successful and an unsuccessful connection attempt, in separate text files.
- It may also be helpful to capture a Wireshark trace of the LDAP authentication, for both successful and unsuccessful attempts. Note that a simple bind over plain LDAP on port 389 carries the user's password in clear text, so the trace will contain it; redact it before sharing the capture.
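When comparing the LDP output of a working account against an offending one, eyeballing two text files is error-prone. The script below is an added example (not code from the article or from SDL) that parses the LDP entry format shown above (`>> Dn:` headers followed by `N> attribute: value; value;` lines), extracts the `Result <N>:` codes, and reports only the attributes that differ between two user entries, skipping identity attributes (cn, name, distinguishedName, ...) that always differ. The embedded sample output is constructed to mimic the article's format: TridionUserAcct4752 is taken from the page, while TridionUserAcct4753, the `memberOf` and `userAccountControl` attributes, and the `TridionEditors` group are assumptions made up for the illustration.

```python
"""Parse LDP (ldp.exe) search output and diff two user entries.

Added example, not part of the original article. SAMPLE_LDP_OUTPUT is a
constructed dump in the LDP format; the second account, the group and the
memberOf / userAccountControl attributes are invented for illustration.
"""
import re

DN_RE = re.compile(r"^>>\s*Dn:\s*(.*)$")
ATTR_RE = re.compile(r"^(\d+)>\s*([^:]+):\s*(.*)$")
RESULT_RE = re.compile(r"^Result <(\d+)>:\s*(.*)$")

# Attributes that legitimately differ between any two accounts and therefore
# carry no troubleshooting signal.
IDENTITY_ATTRS = {"cn", "name", "distinguishedName", "canonicalName",
                  "description", "sAMAccountName"}

OK_DN = "CN=TridionUserAcct4752,CN=Users,DC=USTridionCS,DC=com"
BAD_DN = "CN=TridionUserAcct4753,CN=Users,DC=USTridionCS,DC=com"  # constructed

# Constructed sample in LDP's output format (second entry is made up).
SAMPLE_LDP_OUTPUT = """\
***Searching...
ldap_search_s(ld, "CN=Users,DC=USTridionCS,DC=com", 1, "objectclass=*", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 2 entries:
>> Dn: CN=TridionUserAcct4752,CN=Users,DC=USTridionCS,DC=com
    4> objectClass: top; person; organizationalPerson; user;
    1> cn: TridionUserAcct4752;
    1> description: Tridion User4752;
    1> distinguishedName: CN=TridionUserAcct4752,CN=Users,DC=USTridionCS,DC=com;
    1> name: TridionUserAcct4752;
    1> canonicalName: USTridionCS.com/Users/TridionUserAcct4752;
    1> memberOf: CN=TridionEditors,CN=Users,DC=USTridionCS,DC=com;
    1> userAccountControl: 512;
>> Dn: CN=TridionUserAcct4753,CN=Users,DC=USTridionCS,DC=com
    4> objectClass: top; person; organizationalPerson; user;
    1> cn: TridionUserAcct4753;
    1> description: Tridion User4753;
    1> distinguishedName: CN=TridionUserAcct4753,CN=Users,DC=USTridionCS,DC=com;
    1> name: TridionUserAcct4753;
    1> canonicalName: USTridionCS.com/Users/TridionUserAcct4753;
    1> userAccountControl: 514;
"""


def parse_ldp_entries(text):
    """Return {dn: {attribute: [values]}} for every entry in an LDP dump.

    Raises ValueError when the value count LDP announces ("4> ...") does not
    match the number of ';'-separated values parsed, which usually means the
    dump was truncated or edited by hand.
    """
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = DN_RE.match(line)
        if m:
            current = entries.setdefault(m.group(1).strip(), {})
            continue
        m = ATTR_RE.match(line)
        if m and current is not None:
            count, attr, rest = int(m.group(1)), m.group(2).strip(), m.group(3)
            values = [v.strip() for v in rest.split(";") if v.strip()]
            if len(values) != count:
                raise ValueError(f"{attr}: LDP announced {count} values, parsed {len(values)}")
            current[attr] = values
    return entries


def result_codes(text):
    """Return [(code, message)] for every 'Result <N>:' line; 0 is success."""
    codes = []
    for raw in text.splitlines():
        m = RESULT_RE.match(raw.strip())
        if m:
            codes.append((int(m.group(1)), m.group(2).strip()))
    return codes


def diff_accounts(entries, dn_ok, dn_bad, ignore=IDENTITY_ATTRS):
    """Return {attribute: (values_ok, values_bad)} for attributes whose values
    differ between the working and the offending entry (order-insensitive)."""
    a, b = entries[dn_ok], entries[dn_bad]
    diffs = {}
    for attr in sorted(set(a) | set(b)):
        if attr in ignore:
            continue
        va, vb = a.get(attr, []), b.get(attr, [])
        if sorted(va) != sorted(vb):
            diffs[attr] = (va, vb)
    return diffs


if __name__ == "__main__":
    entries = parse_ldp_entries(SAMPLE_LDP_OUTPUT)
    print("result codes:", result_codes(SAMPLE_LDP_OUTPUT))
    for attr, (ok, bad) in diff_accounts(entries, OK_DN, BAD_DN).items():
        print(f"{attr}: working={ok} offending={bad}")
```

Run it against two real dumps by reading each file and concatenating them before calling parse_ldp_entries; a non-zero result code on the offending bind, or a difference such as userAccountControl 512 versus 514 (the ACCOUNTDISABLE bit set), points at the directory rather than at the SDL Web configuration.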