Cannot authenticate with LDAPS after configuring LDAP Settings in DevTest 10.4.0

Document ID : KB000118621
Last Modified Date : 30/10/2018
Issue:
An LDAP error appears in server.log after configuring LDAPS in the DevTest 10.4.0 Identity and Access Manager (IAM).

2018-10-25 10:35:58,159 INFO [org.keycloak.services] (default task-117) KC-SERVICES0087: Syncing data for mapper 'group mapper' of type 'group-ldap-mapper'. Direction: fedToKeycloak
2018-10-25 10:35:58,181 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager] (default task-117) Could not query server using DN [OU=NAO,OU=global,OU=gmacfs,OU=com] and filter [(&(objectclass=group))]: javax.naming.NamingException: [LDAP: error code 1 - 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ]; remaining name 'OU=NAO,OU=global,OU=gmacfs,OU=com'
Environment:
DevTest 10.4.0
Cause:
The LDAP server certificates had not been imported into the IAM truststore, which is required when the connection uses secured LDAPS.

In addition, several User Federation Settings and Group Settings (the user and group DN values and the LDAP attribute names) did not match the directory. JXplorer was used to browse the LDAP server and determine the values to be set; it is a very good tool for troubleshooting LDAP.

The changes were made after logging into IAM with admin/admin.
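As an added triage example, not part of this KB article, the following Python script parses the server.log ERROR line quoted in the Issue section, extracts the base DN and the Active Directory error code, and checks whether that DN can name an AD naming context. AD code 000020D6 is ERROR_DS_REFERRAL (8406), returned when the search base is not in a naming context the domain controller holds; AD naming contexts are rooted in DC components, so a suffix such as OU=gmacfs,OU=com cannot be resolved, which is why the User DN and LDAP Groups DN values had to be corrected. The sample log line is constructed from the one quoted above.

```python
import re

# Constructed sample in the shape of the server.log ERROR line quoted above (values copied from it).
SAMPLE_LOG = (
    "2018-10-25 10:35:58,181 ERROR [org.keycloak.storage.ldap.idm.store.ldap.LDAPOperationManager]"
    " (default task-117) Could not query server using DN [OU=NAO,OU=global,OU=gmacfs,OU=com]"
    " and filter [(&(objectclass=group))]: javax.naming.NamingException: [LDAP: error code 1 -"
    " 000020D6: SvcErr: DSID-031007DB, problem 5012 (DIR_ERROR), data 0 ];"
    " remaining name 'OU=NAO,OU=global,OU=gmacfs,OU=com'"
)
LINE_RE = re.compile(
    r"Could not query server using DN \[(?P<dn>[^\]]*)\] and filter \[(?P<filter>[^\]]*)\]"
    r".*?\[LDAP: error code (?P<code>\d+) - (?P<ad>[0-9A-Fa-f]{8}):"
)
ERROR_DS_REFERRAL = 0x20D6  # winerror.h 8406: "A referral was returned from the server."

def parse_ldap_error(line: str):
    """Extract base DN, filter, LDAP result code and AD error code from one log line, or None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"dn": m["dn"], "filter": m["filter"],
            "ldap_code": int(m["code"]), "ad_code": int(m["ad"], 16)}

def split_dn(dn: str) -> list:
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped commas."""
    parts = re.split(r"(?<!\\),", dn)
    return [tuple(p.strip().split("=", 1)) for p in parts if p.strip()]

def dn_problems(dn: str) -> list:
    """Flag a base DN that cannot name an AD naming context (the suffix must be DC components)."""
    rdns = split_dn(dn)
    if not rdns or any(len(r) != 2 for r in rdns):
        return ["DN is empty or has an RDN without '='"]
    if not any(attr.upper() == "DC" for attr, _ in rdns):
        return ["no DC component: an AD domain suffix looks like DC=gmacfs,DC=com, not OU=..."]
    if rdns[-1][0].upper() != "DC":
        return ["DN does not end in a DC component"]
    return []

def triage(line: str) -> list:
    """Findings for one log line; empty if the line is not an LDAP query error."""
    rec = parse_ldap_error(line)
    if rec is None:
        return []
    findings = [f"LDAP result {rec['ldap_code']} querying base DN [{rec['dn']}]"]
    if rec["ad_code"] == ERROR_DS_REFERRAL:
        findings.append("AD 000020D6 = ERROR_DS_REFERRAL: base DN is not in a naming context this DC holds")
    return findings + dn_problems(rec["dn"])
```

Run `triage(line)` over each ERROR line from server.log; the DN findings point at the User DN and LDAP Groups DN settings to correct.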
Resolution:
Imported the LDAP server certificates into the IAM truststore, since the connection uses secured LDAPS.

Used JXplorer to browse the LDAP server and determine the values to be set. This is a very good tool for troubleshooting LDAP.

Logged into IAM with admin/admin.

Made the following changes on the User Federation Settings and Group Settings:

Settings: 

Username LDAP Attribute needed to be set to sAMAccountName. 
RDN LDAP Attribute needed to be set to sAMAccountName. 
Default Role set to Runtime User. 
Needed to tweak the User DN value.

Group Settings: 

Needed to tweak the LDAP Groups DN value.
Group Name LDAP Attribute needed to be set to sAMAccountName. 
Membership User LDAP Attribute needed to be set to sAMAccountName. 

Was then able to sync the LDAP groups into Identity and Access Manager.

Was then able to go to Group(s) to Role Mapper and view the imported LDAP groups.

Logged out of IAM.

Logged in with user1's LDAP credentials and received an error that the user did not have permissions (an expected error at this point, since no roles had been mapped to the user yet).

Logged back in to IAM with admin/admin.

Chose Users.

Chose View All Users.

Could see the user1 username.

Edited the user1 username.

Chose Role Mappings.

Added the available roles Super User, IAM Administrator and Virtual Service Catalog Administrator.

Logged out of IAM.

user1 logged back into IAM with LDAP credentials and was successful.

user2 was also able to log in.

Started all DevTest components and was able to log into the Portal with LDAP credentials.