LDAP Troubleshooting Basics

Document ID : KB000027836
Last Modified Date : 14/02/2018

Introduction: 

This document covers the basic steps for troubleshooting the Service Desk LDAP integration: what to verify first, what the stdlog shows when the connection succeeds or fails, and what to change when the directory is not Active Directory.

 

Environment:  

All versions

 

Background: 

The first and foremost consideration to keep in mind when troubleshooting against LDAP servers is that seldom are any two LDAP implementations wholly identical.

The second consideration is that integrating with an LDAP server often requires significant changes and accommodations on both sides: in the Service Desk attribute mappings and options, and in the directory's schema, authentication method, or configuration.

 

Instructions: 

For most LDAP troubleshooting situations, it is useful to check as an initial step the following:

  1. The output of pdm_status should show the ldap_virtdb process running.

  2. The output of slstat should show bopLDAP connected.

  3. All LDAP options except ldap_enable_auto are mandatory and must be installed. The $NX_ROOT/NX.env file on the server shows all defined option values, and also whether or not they have been installed. They reside at the bottom of the file, one option per line, in the format:
          @NX_LDAP_DN=qauser
          @NX_LDAP_ENABLE=Yes
          @NX_LDAP_ENABLE_AUTO=Yes
          @NX_LDAP_HOST=myserver
          @NX_LDAP_PORT=389
          @NX_LDAP_PWD=OBUNQXo7CmgbThZlCiMKIwJlA3UXdVNAOjUpHjstfDt2LBIDPgwtWA==
          @NX_LDAP_SEARCH_BASE=dc=mycontroller, dc=xyz, dc=com
          @NX_LDAP_SERVICE_TYPE=Active Directory
          @NX_LDAP_SYNC_ON_NULL=Yes
          @NX_LDAP_USER_OBJECT_CLASS=person

    Note that NX_LDAP_PWD is the bind credential for the NX_LDAP_DN account, stored in encoded rather than clear-text form. Treat NX.env as sensitive and remove that value before attaching the file to a support case or pasting it into a ticket.
  4. Run ldap_test -a *, which attempts to connect to the LDAP server using the installed options and prints all attributes it can find for the returned objects. A successful connection to the LDAP server is confirmed when this test actually fetches entries from the LDAP Directory, not merely when it runs without error. In some cases it may be necessary to specify additional parameters to this command to fetch data properly.

    Note: On Unix systems, you must surround the asterisk with quotation marks so the shell does not expand it: ldap_test -a '*'

  5. If ldap_test output shows LDAP host type=windows, then SASL authentication will be used. If the LDAP server is not Active Directory or is not using SASL, add the following entry in the $NX_ROOT/NX.env file to force the host type to be unix:
          NX_LDAP_HOST_TYPE=unix 
  6. Obtain from the LDAP administrator the authentication method and protocol version of the LDAP server.

  7. Obtain verbose stdlogs, including server startup messages, after searching for LDAP entries in the Administrative Client. Enable verbose logging with:
          pdm_logstat -f ldap_virtdb.c 1000
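Steps 3 and 5 above amount to reading the NX_LDAP_* lines at the bottom of NX.env and checking that every mandatory option is installed, that the port is numeric, and that a non-Active-Directory directory has NX_LDAP_HOST_TYPE=unix set before the bind is attempted. The following Python script does exactly that over a constructed NX.env tail modelled on the sample in step 3. It is an added example, not a CA utility: the assumption that an installed option is a line of the form @NX_NAME=value is taken from the sample above, the service type "OpenLDAP" is an assumed value used only to trigger the host-type warning, and the script prints the options with the bind password redacted so the output can be pasted into a ticket.

```python
"""Check the NX_LDAP_* options at the bottom of $NX_ROOT/NX.env (steps 3 and 5 of the KB)."""
import re
import sys

# Options the KB lists as mandatory for the LDAP integration; ldap_enable_auto is
# the only optional one. NX_LDAP_HOST_TYPE is only needed for non-AD directories.
REQUIRED_LDAP_OPTIONS = (
    "NX_LDAP_DN", "NX_LDAP_ENABLE", "NX_LDAP_HOST", "NX_LDAP_PORT", "NX_LDAP_PWD",
    "NX_LDAP_SEARCH_BASE", "NX_LDAP_SERVICE_TYPE", "NX_LDAP_SYNC_ON_NULL",
    "NX_LDAP_USER_OBJECT_CLASS",
)

# Constructed NX.env tail modelled on the KB sample; not a real server's file.
# NX_LDAP_PORT is deliberately left out and the service type is an assumed
# non-Active-Directory value so that the checker has something to report.
SAMPLE_NX_ENV = """\
@NX_LDAP_DN=qauser
@NX_LDAP_ENABLE=Yes
@NX_LDAP_ENABLE_AUTO=Yes
@NX_LDAP_HOST=myserver
@NX_LDAP_PWD=OBUNQXo7CmgbThZlCiMKIwJlA3UXdVNAOjUpHjstfDt2LBIDPgwtWA==
@NX_LDAP_SEARCH_BASE=dc=mycontroller, dc=xyz, dc=com
@NX_LDAP_SERVICE_TYPE=OpenLDAP
@NX_LDAP_SYNC_ON_NULL=Yes
@NX_LDAP_USER_OBJECT_CLASS=person
"""

# Assumption: an installed option is one line of the form '@NX_NAME=value'.
OPTION_RE = re.compile(r"^@(?P<key>NX_[A-Z0-9_]+)=(?P<value>.*)$")


def parse_nx_env(text):
    """Return {key: value} for each '@NX_...=value' line; other lines are ignored.
    A later duplicate of a key overwrites the earlier one in the returned dict."""
    opts = {}
    for raw in text.splitlines():
        m = OPTION_RE.match(raw.strip())
        if m:
            opts[m.group("key")] = m.group("value").strip()
    return opts


def check_ldap_options(opts):
    """Return a list of findings; an empty list means the options look complete."""
    findings = []
    for key in REQUIRED_LDAP_OPTIONS:
        if key not in opts:
            findings.append(f"MISSING {key}: mandatory option is not installed")
        elif not opts[key]:
            findings.append(f"EMPTY   {key}: installed but has no value")
    if opts.get("NX_LDAP_ENABLE", "Yes") != "Yes":
        findings.append("WARN    NX_LDAP_ENABLE is not 'Yes': the LDAP integration is switched off")
    port = opts.get("NX_LDAP_PORT")
    if port is not None and not port.isdigit():
        findings.append(f"WARN    NX_LDAP_PORT={port!r} is not numeric")
    service = opts.get("NX_LDAP_SERVICE_TYPE", "")
    if service and service != "Active Directory" and opts.get("NX_LDAP_HOST_TYPE") != "unix":
        findings.append(
            "WARN    NX_LDAP_SERVICE_TYPE is not Active Directory but NX_LDAP_HOST_TYPE=unix is not set: "
            "the bind will use SASL and may fail with 'Authentication Method Not Supported'"
        )
    return findings


def redact(opts):
    """Copy of the options that is safe to share: the encoded bind password is replaced."""
    return {k: ("<redacted>" if k == "NX_LDAP_PWD" else v) for k, v in opts.items()}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_NX_ENV
    options = parse_nx_env(text)
    for key, value in sorted(redact(options).items()):
        print(f"{key}={value}")
    problems = check_ldap_options(options)
    print("\n".join(problems) if problems else "OK: all mandatory LDAP options are installed")
    sys.exit(1 if problems else 0)
```

Run it with the path to the server's NX.env as the only argument; with no argument it checks the embedded sample and reports the missing port and the host-type warning. Fix whatever it reports in Options Manager rather than by editing NX.env by hand, except for NX_LDAP_HOST_TYPE, which this KB says to add to NX.env directly.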

Stdlog messages:


    The first line to look for when analyzing stdlogs for LDAP messages is the startup of the ldap_virtdb process. Service Desk's LDAP awareness begins only when this process starts. Note that even if LDAP integration options are not installed or set up, this process will still run.

          06/03 17:00:18.27 server_name bopLDAP 1964 SIGNIFICANT      ldap_virtdb.c 680 STARTUP of LDAP_virtdb 

    If any of the required LDAP options have not been defined, the stdlog will show that they are missing, as appropriate.

          06/03 17:00:18.72 server_name bopLDAP 1964 SEVERE_ERROR      ldap_virtdb.c 1023 LDAP Server port id missing
          06/03 17:00:18.78 server_name bopLDAP 1964 SEVERE_ERROR      ldap_virtdb.c 1023 LDAP Server distinguished name missing
          06/03 17:00:18.78 server_name bopLDAP 1964 SEVERE_ERROR      ldap_virtdb.c 1023 LDAP Server distinguished name password missing

    Otherwise, the stdlog will log entries to indicate that a connection has been successfully established with the LDAP server.

          06/05 12:35:10.41 server_name bopLDAP 1912 SIGNIFICANT      ldap_virtdb.c 958 LDAP_SRVR connecting to host(Francisco.us.danconia.net) port(389)
          06/05 12:35:11.01 frisco bopLDAP 1912 SIGNIFICANT      ldap_virtdb.c 987 LDAP_SRVR version 3
          06/05 12:35:11.01 frisco bopLDAP 1912 SIGNIFICANT      ldap_virtdb.c 1002 LDAP_SRVR binding with username(simon)

    If a connection cannot be made to the LDAP server for any reason, "LDAP Entries", "Merge LDAP", and every other LDAP function will be unavailable and return no results. In such instances the stdlog will show messages similar to the following when those operations are accessed:

          06/03 17:00:32.25 server_name bopLDAP 1964 SIGNIFICANT      ldap_virtdb.c 219 LDAP server not available; 'register_producer' not processed
          06/05 10:52:57.63 server_name bopLDAP 1896 SIGNIFICANT      ldap_virtdb.c 219 LDAP server not available; 'select_full' not processed
          06/05 10:52:57.66 server_name web:local 1868 ERROR      sel_data_cache. 611 Error in ldap Select_Cache method got_initial_count: LDAP server not available; 'select_full' not processed
          06/05 10:52:57.66 server_name bopLDAP 1896 SIGNIFICANT      ldap_virtdb.c 219 LDAP server not available; 'select_cancel' not processed 

    Verbose logging for a successful search on the LDAP Entries screen for all LDAP Directory entries will be similar to the following sample. First, CA Service Management fetches records from the LDAP Directory according to the search base and filter defined in Options Manager, mapping an id to the distinguishedName value returned for each entry.

          07/07 00:12:20.09 frisco bopLDAP 2364 TRACE ldap_virtdb.c 362 Start select full
          07/07 00:12:20.09 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1111 Starting search: filter=(&(objectClass=user)); attributes=(sAMAccountName,distinguishedName)
          07/07 00:12:20.15 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1244 Processing next LDAP page...
          07/07 00:12:20.17 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1296 Storing value 'CN=Administrator,CN=Users,DC=danconia,DC=net' for attribute 'distinguishedName'
          07/07 00:12:20.17 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1320 Storing value 'Administrator' for attribute 'sAMAccountName'
          07/07 00:12:20.17 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1296 Storing value 'CN=Guest,CN=Users,DC=danconia,DC=net' for attribute 'distinguishedName'
          07/07 00:12:20.17 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1320 Storing value 'Guest' for attribute 'sAMAccountName'
          07/07 00:12:20.18 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1240 Next LDAP page empty...
          07/07 00:12:20.18 frisco bopLDAP 2364 TRACE ldap_virtdb.c 456 SELECT_OK: End select full

    Next, assuming that CA Service Management was able to map the ldap object's id attribute successfully, the attributes defined in $NX_ROOT/bopcfg/majic/ldap.maj are retrieved for each entry; for every mapped attribute the entry does not carry, a "Value not available" message is logged instead. A sample follows. Note that "Value not available" lines for ordinary contact attributes such as sn or mail simply mean the directory entry has no such value; only a missing id or distinguished-name attribute indicates a mapping problem.

          07/07 00:12:21.07 frisco bopLDAP 2364 TRACE ldap_virtdb.c 322 Start select short
          07/07 00:12:21.07 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1111 Starting search: filter=(&(objectClass=user)(distinguishedName=CN=Administrator,CN=Users,DC=danconia,DC=net)); attributes=(modifyTimestamp,sn,givenName,initials,sAMAccountName,telephoneNumber,mobile,department,facsimileTelephoneNumber,pager,mail,streetAddress,l,st,postalCode,c,o)
          07/07 00:12:21.09 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1244 Processing next LDAP page...
          07/07 00:12:21.09 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1296 Storing value 'CN=Administrator,CN=Users,DC=danconia,DC=net' for attribute 'distinguishedName'
          07/07 00:12:21.09 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1320 Storing value 'Administrator' for attribute 'sAMAccountName'
          07/07 00:12:21.09 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1320 Storing value '20030629160158.0Z' for attribute 'modifyTimeStamp'
          07/07 00:12:21.09 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'modifyTimestamp'
          07/07 00:12:21.10 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'sn'
          07/07 00:12:21.10 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'givenName'
          07/07 00:12:21.10 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'initials'
          07/07 00:12:21.10 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'telephoneNumber'
          07/07 00:12:21.10 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'mobile'
          07/07 00:12:21.12 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'department'
          07/07 00:12:21.12 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'facsimileTelephoneNumber'
          07/07 00:12:21.12 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'pager'
          07/07 00:12:21.12 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'mail'
          07/07 00:12:21.12 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'streetAddress'
          07/07 00:12:21.14 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'l'
          07/07 00:12:21.14 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'st'
          07/07 00:12:21.14 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'postalCode'
          07/07 00:12:21.14 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'c'
          07/07 00:12:21.15 frisco bopLDAP 2364 TRACE ldap_virtdb.c 1356 Value not available for 'o'
          07/07 00:12:21.15 frisco bopLDAP 2364 TRACE ldap_virtdb.c 330 End select short
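Reading a verbose stdlog by eye is slow once it contains thousands of TRACE lines. The script below, an added example and not part of the product, parses stdlog lines in the layout shown in this section (date, time, host, process, pid, severity, source file, source line, message), classifies the bopLDAP messages this KB describes (startup, missing options, connect and bind, bind errors, "LDAP server not available", and "Value not available"), and turns the counts into the next troubleshooting step. The embedded sample is constructed from lines quoted in this KB plus one non-stdlog line; the hint texts are this example's own wording of the KB's advice.

```python
"""Triage bopLDAP messages in a Service Desk stdlog against the patterns in this KB."""
import re
import sys
from collections import Counter

# stdlog layout as quoted in this KB: MM/DD HH:MM:SS.ss host process pid SEVERITY source line message
STDLOG_RE = re.compile(
    r"^(?P<date>\d\d/\d\d) (?P<time>\d\d:\d\d:\d\d\.\d\d) (?P<host>\S+) (?P<process>\S+) "
    r"(?P<pid>\d+) (?P<severity>\S+)\s+(?P<source>\S+)\s+(?P<srcline>\d+)\s+(?P<message>.*)$"
)
BIND_ERROR_RE = re.compile(r"ldap_bind error\((?P<reason>[^)]*)\)")
ATTR_MISSING_RE = re.compile(r"Value not available for '(?P<attr>[^']*)'")

# Constructed sample assembled from lines quoted in this KB plus one non-stdlog line;
# it is not a capture from a real server.
SAMPLE_STDLOG = """\
06/03 17:00:18.27 server_name bopLDAP 1964 SIGNIFICANT      ldap_virtdb.c 680 STARTUP of LDAP_virtdb
06/05 12:35:10.41 server_name bopLDAP 1912 SIGNIFICANT      ldap_virtdb.c 958 LDAP_SRVR connecting to host(Francisco.us.danconia.net) port(389)
06/05 12:35:11.01 frisco bopLDAP 1912 SIGNIFICANT      ldap_virtdb.c 987 LDAP_SRVR version 3
06/21 17:36:32.63 serviced bopLDAP 2184 SEVERE_ERROR       ldap_virtdb.c 1023 LDAP_SRVR ldap_bind error(Authentication Method Not Supported); username(dirmanager)
06/03 17:00:32.25 server_name bopLDAP 1964 SIGNIFICANT      ldap_virtdb.c 219 LDAP server not available; 'register_producer' not processed
06/05 10:52:57.66 server_name web:local 1868 ERROR      sel_data_cache. 611 Error in ldap Select_Cache method got_initial_count: LDAP server not available; 'select_full' not processed
this line is not in stdlog format
"""


def parse_stdlog_line(line):
    """Return the named fields of one stdlog line, or None if it does not match the layout."""
    m = STDLOG_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(entry):
    """Map one parsed entry to a triage category, or None for lines that need no action."""
    msg = entry["message"]
    if msg.startswith("STARTUP of LDAP_virtdb"):
        return "startup"
    if entry["severity"] == "SEVERE_ERROR" and msg.startswith("LDAP Server") and msg.endswith("missing"):
        return "option_missing"
    if msg.startswith("LDAP_SRVR connecting to host("):
        return "connecting"
    if msg.startswith("LDAP_SRVR binding with username("):
        return "binding"
    if "ldap_bind error(" in msg:
        return "bind_error"
    if "LDAP server not available" in msg:
        return "server_unavailable"
    if msg.startswith("Value not available for"):
        return "attribute_unavailable"
    if msg.startswith("SELECT_OK"):
        return "select_ok"
    return None


def hints(counts, bind_reasons, missing_attrs):
    """Translate the tallies into the next step this KB recommends."""
    out = []
    if counts["startup"] == 0:
        out.append("No 'STARTUP of LDAP_virtdb' line: confirm ldap_virtdb is running (pdm_status) and bopLDAP "
                   "is connected (slstat), and capture the stdlog from server start (steps 1, 2 and 7).")
    if counts["option_missing"]:
        out.append("Mandatory LDAP options are not installed: review the NX_LDAP_* lines in $NX_ROOT/NX.env (step 3).")
    for reason in sorted(set(bind_reasons)):
        if reason == "Authentication Method Not Supported":
            out.append("Bind rejected the authentication method: the directory is not Active Directory or not "
                       "using SASL; add NX_LDAP_HOST_TYPE=unix to $NX_ROOT/NX.env (step 5).")
        elif reason == "Server Down":
            out.append("Bind failed with 'Server Down': confirm host, port and protocol version with the LDAP "
                       "administrator and make ldap_test -a * work first (steps 4 and 6).")
        else:
            out.append(f"Bind failed with '{reason}': compare with the output of ldap_test -a * (step 4).")
    if counts["server_unavailable"] and counts["binding"] == 0:
        out.append("'LDAP server not available' without a successful bind: LDAP Entries and Merge LDAP will "
                   "return no results until the connection is fixed.")
    if {"uid", "distinguishedName"} & set(missing_attrs):
        out.append("Entries come back without an id or distinguished-name attribute: the schema differs from "
                   "Active Directory; re-map the ldap object with a .mod file in $NX_ROOT/site/mods/majic.")
    return out


def triage(text):
    """Classify every line of a stdlog excerpt and return counts, details and hints."""
    counts, bind_reasons, missing_attrs, unparsed = Counter(), [], [], 0
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_stdlog_line(raw)
        if entry is None:
            unparsed += 1
            continue
        cat = classify(entry)
        if cat is None:
            continue
        counts[cat] += 1
        if cat == "bind_error":
            m = BIND_ERROR_RE.search(entry["message"])
            bind_reasons.append(m.group("reason") if m else "?")
        elif cat == "attribute_unavailable":
            m = ATTR_MISSING_RE.search(entry["message"])
            missing_attrs.append(m.group("attr") if m else "?")
    return {"counts": counts, "bind_reasons": bind_reasons, "missing_attrs": missing_attrs,
            "unparsed": unparsed, "hints": hints(counts, bind_reasons, missing_attrs)}


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_STDLOG
    result = triage(text)
    for category, n in sorted(result["counts"].items()):
        print(f"{category:22s} {n}")
    print(f"unparsed lines: {result['unparsed']}")
    for hint in result["hints"]:
        print("->", hint)
```

Point it at $NX_ROOT/log/stdlog (or a concatenation of the rotated stdlog files) after reproducing the failure with pdm_logstat turned up; lines from other daemons are counted as unparsed only if they do not follow the stdlog layout, and matching lines that are not LDAP-related are silently skipped.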

Integrating With Non-Active Directory Implementations of LDAP:

  1. CA Service Management's LDAP mappings must be modified when the LDAP Directory schema differs from that of Active Directory.

    When Service Desk requests a list of LDAP entries, such as when searching in the Administrative Client's "LDAP Entry List" screen, it first fetches the distinguished name and user id for each row exactly as mapped in $NX_ROOT/bopcfg/majic/ldap.maj. However, some LDAP Directory implementations do not expose the entry's DN as a searchable distinguishedName attribute (that attribute is an Active Directory convention, not something the LDAP RFCs require), and so the search returns no data even though it reports the correct number of resulting entries. In such cases one may find the following sequence of verbose messages in the stdlog.
          06/28 16:55:52.81 serviced bopLDAP 3276 TRACE ldap_virtdb.c 1356 Value not available for 'uid'
          06/28 16:55:52.83 serviced bopLDAP 3276 TRACE ldap_virtdb.c 1260 Retrieving next entry...(0x00000000)
    To change CA Service Management's LDAP mappings, first review the ldap object definition in $NX_ROOT/bopcfg/majic/ldap.maj and compare it with the output from ldap_test -a *. If ldap_test does not yet work with the LDAP implementation, obtain the schema and attribute definitions in use from the LDAP administrator. Then create a file with a .mod extension in the $NX_ROOT/site/mods/majic directory to re-map Contact record attributes to LDAP attributes (never edit ldap.maj itself, as it is overwritten on upgrade). For example:
          MODIFY ldap userid uid;
    This will map the "userid" field of the Contact table to the "uid" attribute from LDAP.

  2. Service Desk does not automatically detect the protocol version of the LDAP server.

    If there is a mismatch between the LDAP version returned by the ldap_get_option API function call (as shown by ldap_test) and the version actually configured on the LDAP server, you may see the following sequence of stdlog messages.
          06/13 15:29:47.14 server_name domsrvr 2136 SIGNIFICANT bpobject.c 3168 Timed out trying to do version logon to bopLDAP
          06/13 15:29:47.15 server_name domsrvr 2136 ERROR bpobject.c 1737 Unable to determine message version for process 192.168.200.41 | bopLDAP
          06/13 15:30:50.28 server_name bopLDAP 2112 SIGNIFICANT ldap_virtdb.c 987 LDAP_SRVR version 3
          06/13 15:30:50.31 server_name bopLDAP 2112 SEVERE_ERROR ldap_virtdb.c 1023 LDAP_SRVR ldap_bind error(Server Down); username()
          06/13 15:30:50.33 server_name domsrvr 2136 ERROR sql_prod.c 417 Restored connection to virtdb bopLDAP
          06/13 15:30:50.39 server_name bopLDAP 2112 SIGNIFICANT ldap_virtdb.c 219 LDAP server not available; 'register_producer' not processed
          06/13 15:42:20.22 server_name bopLDAP 2112 SIGNIFICANT ldap_virtdb.c 219 LDAP server not available; 'select_full' not processed
  3. CA Service Management servers running on Windows 2000 or later by default use Active Directory style SASL authentication to bind to the LDAP Directory server, regardless of the authentication type the directory is configured for.

    If, when binding to the LDAP Directory server with the ldap_bind_s API function call, Service Desk requests an authentication method not supported by the Directory server, the following error message will be logged in the stdlog.
          06/21 17:36:32.63 serviced bopLDAP 2184 SEVERE_ERROR ldap_virtdb.c 1023 LDAP_SRVR ldap_bind error(Authentication Method Not Supported); username(dirmanager)
    Likewise, running ldap_test will show the following output.
          ldap_bind_s() (Authentication method not supported):

    Note that if the host type is windows, it will always pass SASL, because Active Directory always uses SASL. If the LDAP server is not Active Directory or is not using SASL, add the following entry in the $NX_ROOT/NX.env file to force the host type to be unix in order to bind successfully.

          NX_LDAP_HOST_TYPE=unix