
This article assists in determining common causes of Open-AudIT being unable to authenticate and authorize a user against LDAP (MS Active Directory or OpenLDAP).

 

First, make sure you've read How to Enable LDAP Authentication and Authorization for Open-AudIT and for good measure, also check LDAP_Servers.

 

So, you've read both of those and you still cannot log in using LDAP. Open-AudIT has quite extensive logging where LDAP auth is concerned, for exactly this reason. The logs, especially at debug level, will point out exactly where the process is failing.

 

NOTE - log_level 7 in the configuration should only be used when troubleshooting. Debug level logging will create a LOT of logs. Your normal level should be 5, not 7.

 

This process will remove any existing logs, so if you need them for some reason, you can export them using menu -> Admin -> Database -> List Tables -> logs -> Export to SQL | CSV | XML.

 

First, let's set the log level to 7. Go to menu -> Admin -> Configuration -> List Configuration (or All Configuration if using Pro/Ent). Select the log_level item. Click the edit button and change it to 7. Now log out.

 

Second, let's remove the logs data. On the command line, on the Open-AudIT server, run the command below. Substitute your own database password for openauditpassword, and note that a password passed on the command line with -p is visible in your shell history and to other users via the process list; omit the value after -p to be prompted for it instead.

Linux

mysql -u openaudit -popenauditpassword openaudit -e "DELETE FROM logs;"

Windows

c:\xampplite\mysql\bin\mysql.exe -u openaudit -popenauditpassword openaudit -e "DELETE FROM logs;"

 

Third, let's try logging in using an LDAP user. I am assuming this will fail (otherwise, why are you still reading this?). Next, run the below in order to set the log level back to 5.

Linux

mysql -u openaudit -popenauditpassword openaudit -e "UPDATE configuration SET value = 5 WHERE name = 'log_level';"

Windows

c:\xampplite\mysql\bin\mysql.exe -u openaudit -popenauditpassword openaudit -e "UPDATE configuration SET value = 5 WHERE name = 'log_level';"

 

Fourth, log back into Open-AudIT using the Admin account and export the logs from menu -> Admin -> Database -> List Tables -> Logs -> Export to CSV. If there is a minimal amount of log lines, it may display at the bottom of the screen; scroll down to view it. If you would rather view this in Excel, copy and paste the logs and save them as a text file with a .csv extension. Read through the logs; the final line will likely be the one of most interest, as it should give you the exact point at which the login failed.

 

Fifth, send the artifacts to Opmantek. If you are a supported Opmantek customer, a couple of items will make helping you easier. Please do save the log output to a CSV. Please generate the support JSON at menu -> Help -> Support and click the Download icon on the right hand side of the header. Save this file. Export your LDAP server from menu -> Admin -> LDAP Servers -> Details. In the URL, append .json (so from http://oa_server/en/omk/open-audit/ldap_servers/1 to http://oa_server/en/omk/open-audit/ldap_servers/1.json). Save that file. Note that the LDAP server export contains the bind DN details you configured; check its contents before sending it.

Please send all three files to your support contact at Opmantek and describe your issue.

 

Sixth, examine the log lines. The messages below are the ones the LDAP login code writes, listed in roughly the order they occur; placeholders such as $username, $ldap->host and $role->ad_group are filled in with your values. The last line written is usually the point of failure.

Log line | Symptom
--- | ---
No Roles retrieved from database | Something has gone seriously wrong. Open-AudIT cannot read the 'roles' table.
No Orgs retrieved from database. | Something has gone seriously wrong. Open-AudIT cannot read the 'orgs' table.
$x LDAP servers retrieved from database. | $x is a number: this many LDAP server entries exist in the database and were retrieved. If it is 0, no LDAP server has been configured.
An invalid LDAP server type was supplied $type skipping. | The LDAP server type is invalid. It must be either 'active directory' or 'openldap'.
LDAP connect failed for LDAP server at $ip. Check your host, port and secure settings. Attempted to use $ldap_connect_string | The LDAP server could not be connected to at all. Check that it is pingable from the Open-AudIT server and that the correct port is open to the Open-AudIT server. An nmap scan from the Open-AudIT server will show this; substitute your LDAP server's IP for $ip and its port (usually 389, or 636 for LDAPS) for $port and try: nmap -vv -n -p$port $ip
LDAP server could not be reached at $ldap->host, skipping. | See above.
Invalid user supplied credentials for LDAP server at $ldap->host, skipping. | The username and password entered at the login screen were rejected by the LDAP server.
Could not bind to LDAP server at $ldap->host, skipping. | Some other error occurred when attempting to bind to the LDAP server. The server is contactable (the 'connect' above worked), but for some other reason the bind did not succeed. Check the logs on the LDAP server.
Successful bind using credentials for LDAP server at $ldap->host | The LDAP server was connected to and the user's credentials were accepted for the bind.
Invalid DN supplied credentials for LDAP server at $ldap->host, skipping | The administrator (bind DN) credentials configured for this LDAP server in Open-AudIT are invalid.
Bound to LDAP using supplied dn details: $ldap->dn_account | The administrator credentials configured in Open-AudIT were successfully used to bind to LDAP.
User $username in LDAP $ldap->name but not in Open-AudIT and not using LDAP for roles. Trying next LDAP Server. | The user exists in LDAP, but Open-AudIT is not configured to consume the LDAP groups for roles and the user does not exist within Open-AudIT. Either select "Use Roles" on the LDAP Server screen within Open-AudIT, or create this user within Open-AudIT.
LDAP search successful for user $username at $ldap->host | LDAP was searched for this user and their account was found.
LDAP entries retrieval successful for user $username at $ldap->host | The user's details were retrieved from LDAP.
LDAP entries retrieval failed for user $username at $ldap->host | The user's account was found, but their details could not be retrieved from LDAP. Check the LDAP server logs.
LDAP search failed for user $user->name at $ldap->host | LDAP was searched for this user and their account was not found. The user's credentials worked, but the account was not found by the search. Check the LDAP server logs, and check that you specified the correct Base DN when you created the LDAP Server in Open-AudIT.
User $username is a member of LDAP group for Role $role->ad_group | The user is in the LDAP group that matches this Role.
No AD group associated with role $role->name, skipping. | This Role has no AD group specified. Check the role's details within Open-AudIT (see Roles).
User '$username is a member of LDAP group for Org $org->ad_group | The user is in the LDAP group that matches this Org.
No AD group associated with org $org->name, skipping. | This Org has no AD group specified. Check the org's details within Open-AudIT (see Orgs). Have you created these groups (for orgs) on the LDAP server and assigned LDAP users to them?
LDAP search for role $role->ad_group succeeded, $username is in group. | The user is in the LDAP group that matches this Role.
LDAP search for role $role->ad_group succeeded, $username is NOT in group. | The user is not in the LDAP group that matches this Role.
LDAP search failed for groups (roles) $user->name at $ldap->host | The search for the group on the LDAP server failed. Check the LDAP server logs. Have you created these groups (for roles and orgs) on the LDAP server and assigned LDAP users to them?
LDAP search for org $org->ad_group succeeded, $username is in group. | The user is in the LDAP group that matches this Org.
LDAP search for org $org->ad_group succeeded, $username is NOT in group. | The user is not in the LDAP group that matches this Org.
LDAP search failed for groups (orgs) $user->name at $ldap->host | The search for the group on the LDAP server failed. Check the LDAP server logs. Have you created these groups (for roles and orgs) on the LDAP server and assigned LDAP users to them?
New user $username logged on (AD account) | A new user logged in to Open-AudIT and was authenticated and authorized by the LDAP server. That user was then created in Open-AudIT and logged in. Success.
Existing user $username logged on (AD account). | An existing Open-AudIT user was authenticated and authorized by the LDAP server. Success.
User $username exists in LDAP ($ldap->name) and attempted to logon, but does not belong to any OA groups for Roles or Organisations. | The user authenticated, but is not a member of any LDAP group mapped to an Open-AudIT Role or Org, so no access can be granted and the login fails. Add the user to the LDAP groups specified on the Roles and Orgs screens, or set those groups if they are missing.
User $username exists in LDAP ($ldap->name) and attempted to logon, but does not belong to any OA groups for Organisations. | The user authenticated and matched a Role group, but is not a member of any LDAP group mapped to an Open-AudIT Org. Add the user to the LDAP group specified on the Org, or set that group on the Org.
User $username exists in LDAP ($ldap->name) and attempted to logon, but does not belong to any OA groups for Roles. | The user authenticated and matched an Org group, but is not a member of any LDAP group mapped to an Open-AudIT Role. Add the user to the LDAP group specified on the Role, or set that group on the Role.
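The 'LDAP connect failed' and 'LDAP server could not be reached' rows above suggest an nmap port scan. The following is an added example, not code from Open-AudIT, that goes one step further: it opens a TCP connection to the configured host and port, sends an anonymous LDAPv3 BindRequest and decodes the BindResponse, so it distinguishes a closed or filtered port from a port that is open but is not speaking LDAP (the wrong service on that port, or LDAPS on 636 answered in cleartext because the 'secure' setting is wrong). The BER layout follows RFC 4511; the host 10.0.0.5 and the result-code names are placeholders for illustration.

```python
"""Added example (not Open-AudIT code): protocol-level LDAP reachability probe."""
import socket


def bind_request(msg_id=1):
    """BER-encode an LDAPv3 anonymous simple BindRequest (RFC 4511 section 4.2).
    msg_id must be < 128 so it fits a one-byte INTEGER."""
    bind = (bytes([0x02, 0x01, 0x03])        # version        INTEGER 3
            + bytes([0x04, 0x00])             # name           OCTET STRING "" (anonymous)
            + bytes([0x80, 0x00]))            # authentication [0] simple ""
    op = bytes([0x60, len(bind)]) + bind      # [APPLICATION 0] BindRequest
    body = bytes([0x02, 0x01, msg_id]) + op   # messageID      INTEGER
    return bytes([0x30, len(body)]) + body    # LDAPMessage    SEQUENCE


def _tlv(buf, pos=0):
    """Read one BER tag-length-value at pos -> (tag, value, next_pos); short and long-form lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data):
    """Return the resultCode from a BindResponse, or raise ValueError if the bytes are not one."""
    tag, msg, _ = _tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, _, pos = _tlv(msg)                     # skip messageID
    optag, op, _ = _tlv(msg, pos)
    if optag != 0x61:                         # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % optag)
    rctag, rc, _ = _tlv(op)
    if rctag != 0x0A:                         # ENUMERATED resultCode
        raise ValueError("missing resultCode")
    return int.from_bytes(rc, "big")


# Result codes from RFC 4511 appendix A that an anonymous bind commonly produces.
RESULT_CODES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                48: "inappropriateAuthentication", 49: "invalidCredentials", 53: "unwillingToPerform"}


def probe(host, port=389, timeout=5.0):
    """Classify what sits at host:port: unreachable, open but not LDAP, or LDAP with a resultCode."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(bind_request())
            data = s.recv(4096)
    except socket.timeout:
        return {"status": "timeout", "detail": "no TCP handshake or no reply; firewall or wrong host"}
    except ConnectionRefusedError:
        return {"status": "refused", "detail": "port closed on the host; wrong port or LDAP not listening"}
    except OSError as e:
        return {"status": "error", "detail": str(e)}
    if not data:
        return {"status": "not-ldap", "detail": "port open but peer closed without answering the BindRequest"}
    try:
        code = parse_bind_response(data)
    except ValueError as e:
        return {"status": "not-ldap", "detail": f"unexpected reply: {e}"}
    return {"status": "ldap", "resultCode": code, "detail": RESULT_CODES.get(code, "see RFC 4511 appendix A")}


if __name__ == "__main__":
    print(probe("10.0.0.5", 389))             # placeholder host; use your LDAP server's IP
```

A "ldap" status with resultCode 49 or 48 still proves the server is reachable and speaking LDAP: the failure is then in the credentials or bind DN, not connectivity, which moves you on to the bind rows of the table. For LDAPS (port 636) wrap the socket with the ssl module before sending; sent in cleartext, a 636 port typically reports "not-ldap".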
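To apply the table above to a real export without reading every row by hand, the following added example (not Open-AudIT code) walks the exported CSV in order, matches each message against the patterns from the table, and reports the last recognised line, which is the stage at which the login stopped. It assumes the export has a column holding the message text (called message here; pass message_column= if your export names it differently), and the sample export embedded at the bottom is constructed for illustration, not real log data.

```python
"""Added example (not Open-AudIT code): triage an exported logs CSV for an LDAP login failure."""
import csv
import io
import re

# (stage, regex, verdict) in the order the login code writes them. Table placeholders
# ($username, $ldap->host, $role->ad_group ...) are matched loosely with \S+ and .+ .
PATTERNS = [
    ("setup",   r"^No Roles retrieved from database", "fail: cannot read the roles table"),
    ("setup",   r"^No Orgs retrieved from database", "fail: cannot read the orgs table"),
    ("setup",   r"^\d+ LDAP servers retrieved from database", "ok"),
    ("setup",   r"^An invalid LDAP server type was supplied", "fail: type must be 'active directory' or 'openldap'"),
    ("connect", r"^LDAP connect failed for LDAP server at", "fail: check host, port and secure settings"),
    ("connect", r"^LDAP server could not be reached at", "fail: check host, port and secure settings"),
    ("bind",    r"^Invalid user supplied credentials for LDAP server at", "fail: user's password rejected"),
    ("bind",    r"^Could not bind to LDAP server at", "fail: bind error, check the LDAP server logs"),
    ("bind",    r"^Successful bind using credentials for LDAP server at", "ok"),
    ("bind",    r"^Invalid DN supplied credentials for LDAP server at", "fail: bind DN/password in Open-AudIT rejected"),
    ("bind",    r"^Bound to LDAP using supplied dn details", "ok"),
    ("search",  r"^User \S+ in LDAP .+ but not in Open-AudIT and not using LDAP for roles", "fail: enable Use Roles or create the user"),
    ("search",  r"^LDAP search successful for user", "ok"),
    ("search",  r"^LDAP entries retrieval successful for user", "ok"),
    ("search",  r"^LDAP entries retrieval failed for user", "fail: check the LDAP server logs"),
    ("search",  r"^LDAP search failed for user", "fail: account not found, check the Base DN"),
    ("groups",  r"^User \S+ is a member of LDAP group for (Role|Org)", "ok"),
    ("groups",  r"^No AD group associated with (role|org)", "info: no group mapped, skipped"),
    ("groups",  r"^LDAP search for (role|org) .+ succeeded, .+ is NOT in group", "info: not a member"),
    ("groups",  r"^LDAP search for (role|org) .+ succeeded, .+ is in group", "ok"),
    ("groups",  r"^LDAP search failed for groups \((roles|orgs)\)", "fail: group search failed, do the groups exist?"),
    ("groups",  r"^User \S+ exists in LDAP .+ does not belong to any OA groups", "fail: user is in no group mapped to a Role/Org"),
    ("done",    r"^(New|Existing) user \S+ logged on \(AD account\)", "ok: login succeeded"),
]


def classify(message):
    """Return (stage, verdict) for one log message, or None if it is not a known LDAP login message."""
    for stage, pattern, verdict in PATTERNS:
        if re.match(pattern, message):
            return stage, verdict
    return None


def triage(csv_text, message_column="message"):
    """Walk the export in order; the last recognised line is where the login stopped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    if message_column not in (reader.fieldnames or []):
        raise ValueError(f"no '{message_column}' column; columns are {reader.fieldnames}")
    trail = []
    for row in reader:
        message = (row[message_column] or "").strip()
        hit = classify(message)
        if hit:
            trail.append((hit[0], hit[1], message))
    if not trail:
        return {"stage": None, "trail": [],
                "verdict": "no LDAP log lines found; was log_level 7 during the login attempt?"}
    stage, verdict, message = trail[-1]
    return {"stage": stage, "verdict": verdict, "last_line": message, "trail": trail}


# Constructed sample export (not real data): the user binds and is found, but is in none of
# the groups mapped to a Role, so the login stops at the 'groups' stage.
SAMPLE_EXPORT = """id,timestamp,severity,message
1,2024-05-01 09:00:01,7,"1 LDAP servers retrieved from database."
2,2024-05-01 09:00:01,7,"Successful bind using credentials for LDAP server at 10.0.0.5"
3,2024-05-01 09:00:01,7,"Bound to LDAP using supplied dn details: CN=svc_oa,OU=Service,DC=example,DC=com"
4,2024-05-01 09:00:01,7,"LDAP search successful for user jsmith at 10.0.0.5"
5,2024-05-01 09:00:01,7,"LDAP entries retrieval successful for user jsmith at 10.0.0.5"
6,2024-05-01 09:00:02,7,"LDAP search for role OA-Admins succeeded, jsmith is NOT in group."
7,2024-05-01 09:00:02,7,"LDAP search for role OA-Users succeeded, jsmith is NOT in group."
8,2024-05-01 09:00:02,5,"User jsmith exists in LDAP (Example AD) and attempted to logon, but does not belong to any OA groups for Roles."
9,2024-05-01 09:00:02,7,"Some unrelated debug line"
"""

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    for stage, verdict, line in result["trail"]:
        print(f"[{stage:7}] {verdict:<48} {line}")
    print(f"\nstopped at stage '{result['stage']}': {result['verdict']}")
```

Run it against your own export with triage(open("logs.csv").read()). The trail is printed in full rather than only the last line because an "ok" at the bind stage followed by a failure at the groups stage tells you the credentials and Base DN are fine and only the group mapping needs attention.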