How To Troubleshoot LDAP Login Errors

Document ID : KB000109945
Last Modified Date : 07/08/2018
Introduction:
If LDAP users cannot authenticate when logging into Automation Studio or the ROC, these steps can help identify the cause.
Background:
CA Release Automation can integrate with LDAP in two ways:
  1. Import/Add LDAP Users
  2. Import/Add LDAP Groups

In version 6.6 there are some changes worth noting:
  1. User and Directory Server management is now done via the ROC. In versions prior to 6.6 you needed to:
    • Specify your directory servers in your distributed.properties file.
    • Manage your users and their permissions in Automation Studio.
  2. Permissions for users and groups aggregate. When you assign a user to a group, the user has the group permissions and individual user permissions.
  3. In 6.5 and earlier, when groups were imported, group members could access CA Release Automation with group permissions but did not appear in the user list in the user interface. In 6.6, when groups are imported, group members who log in are displayed in the user list and can be assigned permissions individually just like regular users.

 
Environment:
CA Release Automation
Non-Active Directory LDAP (Example: Sun LDAP, OpenLDAP, ApacheDS, etc.)
Active Directory
Instructions:
The following information helps you understand what is happening, whether you are troubleshooting an issue yourself or opening an incident with CA Support. When opening an incident with CA Support, please provide all of the following.
  • The userid that is failing.
  • A zip of the logs directory after the problem has been reproduced, preferably with the relevant log file trace levels increased. Sometimes the standard log levels are not sufficient. Please see "Additional Information" below for details on which log levels to increase.
  • A screenshot of the error. 
  • A screenshot of:
    • The user's details via user management
    • The group's details via user management (if the user is getting permissions via a group).
  • A copy of the distributed.properties file if you're on version 6.5 or below.
  • A screenshot of the Directory Server page and a screenshot of the details for the directory server in question if you're using version 6.6.
  • If you're using version 6.6, does the test connection button for the directory server return connection successful or an error? Check this while troubleshooting rather than assuming it is okay. If it worked previously, that is good, but it doesn't guarantee that it will work every single day. Sometimes there are unexpected scenarios like a connection error with LDAP, an expired password, a locked account, etc. If this connection isn't successful then other user logins will not work.
  • Has the user ever logged in before?
  • Has anything in the environment (CA Release Automation or Directory Server) changed?
Additional Information:

Increase Log Levels For LDAP Login Errors
  1. On the management server open: webapps/datamanagement/WEB-INF/log4j.properties.
  2. Make sure that the following entries are set to ALL and that they are uncommented:
    1. log4j.logger.com.nolio.platform.server.dataservices.services.auth.providers.NolioActiveDirectoryAuthenticationProvider=WARN (change WARN to ALL)
    2. log4j.logger.org.springframework.security=ALL, Spring (commented by default. uncomment)
  3. Wait at least two minutes after changing and saving the file. Stopping and starting the management server services is not necessary, but it does take about 2 minutes for the change to take effect. Once you have waited, reproduce the issue; the additional logging should be included in nolio_dm_all.log.
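
Before reproducing the issue, it is worth confirming that both loggers from step 2 are really active. The following is an added example, not part of the original article or the product: a small Python check that reports whether each entry is uncommented and set to ALL. The sample file content, the function name check_ldap_logging and the status strings are constructed for illustration.

```python
import re
import sys

# Loggers that step 2 says must be uncommented and set to ALL.
REQUIRED = (
    "log4j.logger.com.nolio.platform.server.dataservices.services.auth"
    ".providers.NolioActiveDirectoryAuthenticationProvider",
    "log4j.logger.org.springframework.security",
)

# "key = LEVEL[, appender]" optionally preceded by '#' or '!' comment markers.
LINE_RE = re.compile(
    r"^\s*(?P<comment>[#!]+)?\s*(?P<key>[\w.]+)\s*[=:]\s*(?P<value>.*)$")

# Constructed sample, not a copy of the product's log4j.properties.
SAMPLE = (
    "# constructed sample for the added example\n"
    + REQUIRED[0] + "=WARN\n"
    + "#" + REQUIRED[1] + "=ALL, Spring\n"
)

def check_ldap_logging(properties_text):
    """Return {logger: status}: 'ok', 'commented', 'missing' or 'level=<X>'."""
    status = {key: "missing" for key in REQUIRED}
    for line in properties_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("key") not in status:
            continue
        key = m.group("key")
        # The level is the first comma-separated token; the rest are appenders.
        level = m.group("value").split(",")[0].strip().upper()
        if m.group("comment"):
            # A commented copy only matters if no active entry was seen.
            if status[key] == "missing":
                status[key] = "commented"
        elif level == "ALL":
            status[key] = "ok"
        else:
            status[key] = "level=" + level
    return status

if __name__ == "__main__":
    # Pass the path to log4j.properties, or run without arguments for the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for logger, state in check_ldap_logging(text).items():
        print(f"{state:12} {logger}")
```

Any status other than ok means the extra LDAP detail will not reach nolio_dm_all.log. Restore the previous levels once the issue has been captured, because ALL on org.springframework.security produces a large volume of log output.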