Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Table of Contents

This article is to assist in determining common causes of not being able to authenticate and authorize using LDAP (MS Active Directory or OpenLDAP).First, make


Before you start

Make sure you've read How to Enable LDAP Authentication and Authorization for Open-AudIT and for good measure, also check LDAP_Servers. You might even watch the video,

...

So, you've read both of those, you've watched the video and you still cannot login using LDAP. Open-AudIT has quite extensive logging where LDAP auth is concerned, for exactly this reason. The logs, especially at debug level, will assist you in point out where exactly the process is failing.

Using LDAPS

By default, we skip certificate validation because customer tend to use self-signed certificates. To enable certificate validation, edit the file -

Linux

Code Block
/usr/local/open-audit/code_igniter/application/models/m_logon.php

Windows

Code Block
c:\xampp\open-audit\code_igniter\application\models\m_logon.php

Comment out the below line (about line 170 or so). Just place a hash # at the start of the line.

Code Block
putenv('LDAPTLS_REQCERT=never'); 

Once commented out, your certificate will be validated, but may also fail this validation if you're using self-signed certificates and haven't configured your server correctly.

More information about debugging this can be found on a helpful Stack Overflow thread - https://stackoverflow.com/questions/25424622/authenticating-a-self-signed-certificate-for-ldaps-connection

One other item to be careful of - make sure you use the hostname (or fqdn) of your LDAP Server that matches what is in the certificate (not just the LDAP Servers IP address) when creating the LDAP entry in Open-AudIT.

Troubleshooting


NOTE - log_level 7 in the configuration should only be used when troubleshooting. Debug level logging will create a LOT of logs. Your normal level should be 5, not 7.

...

This process will remove any existing logs, so if you need them for some reason, you can export them using menu -> Admin -> Database -> List Tables -> logs -> Export to SQL | CSV | XML.


First

...

Let's set the log level to 7. Go to menu -> Admin -> Configuration -> List Configuration (or All Configuration if using Pro/Ent). Select the log_level item. Click the edit button and change it to 7. Now log out.


Second

...

Let's remove the logs data. On the command line, on the Open-AudIT server runt he below command.

...

Code Block
c:\xampplite\mysql\bin\mysql.exe -u openaudit -popenauditpassword openaudit -e "DELETE FROM logs;"


Third

...

Let's try logging in using an LDAP user. I am assuming this will fail (otherwise, why are you still reading this?). Next, run the below in order to set the log level back to 5.

Linux

Code Block
mysql -u openaudit -popenauditpassword openaudit -e "UPDATE configuration SET value = 5 WHERE name = 'log_level';"

Windows

Code Block
c:\xampplite\mysql\bin\mysql.exe -u openaudit -popenauditpassword openaudit -e "UPDATE configuration SET value = 5 WHERE name = 'log_level';"


Forth

...

Log back into Open-AudIT using the Admin account. and export the logs from menu -> Admin -> Database -> List Tables -> Logs -> Export to CSV. If there is a minimal amount of log lines, it may display on the bottom of the screen. Scroll down to view it. If you would rather view this in Excel, copy and paste the logs and save them as a text file with a .csv extension. Read through the logs and the final line will likely be the one of most interest. This line should give you the exact point at which the login failed.


Fifth

...

Send the artifacts to Opmantek. If you are a supported Opmantek customer,a couple of items will make helping your easier. Please do save the log output to a CSV. Please generate the support JSON at menu -> Help -> Support and click the Download icon on the right hand side of the header. Save this file. Export your LDAP server from menu -> Admin -> LDAP Servers -> Details. In the URL, add the following .json (so from http:/oa_server/en/omk/open-audit/ldap_servers/1 to http://oa_server/en/omk/open-audit/ldap_servers/1.json). Save that file.

Please send all three files to your support contact at Opmantek and describe your issue.


Sixth

...

Examine the log lines.

Log LineSymptomStatus
No Roles retrieved from databaseSomething has gone seriously wrong. Open-AudIT cannot read the 'roles' table.error
No Orgs retrieved from database.Something has gone seriously wrong. Open-AudIT cannot read the 'orgs' table.error
$x LDAP servers retrieved from database.Where $x is a number. This many LDAP entries are in the DB and have been retrieved.debug
An invalid LDAP server type was supplied $ldap->type skipping.The LDAP server type is invalid. It should be either 'active directory' or 'openldap'.error
An invalid LDAP version was supplied $ldap->version, skipping.Usually should be set to 3.error
LDAP connect failed for LDAP server at $ip. Check your host, port and secure settings. Attempted to use $ldap_connect_string

The LDAP server could not be connected to. At all. Check it's pingable from the Open-AudIT server. Check the correct port is open to the Open-AudIT server. An nmap from the Open-AudIT server will show this. Substitute your LDAP servers IP for $ip. Try:

Code Block
nmap -vv $ip


notice
LDAP server could not be reached at $ldap->host, skipping.See above. NOTE - This could also be caused by a self-signed certificate on the LDAP server. We are working to allow for this in a future release.notice
Invalid user supplied credentials for LDAP server at $ldap->host, skipping.The credentials supplied by the user have failed.info
Could not bind to LDAP server at $ldap->host, skipping.Some other error has occurred when attempting to bind to the LDAP server. It is contactable (ie, the 'connect' above has worked), but for some other reason, binding has not occurred. Check the logs on the LDAP server.info
Successful bind using credentials for LDAP server at $ldap->hostThe LDAP server was connected to and the user credentials accepted for bind.debug
Invalid DN supplied credentials for LDAP server at $ldap->host, skippingThe administrator supplied credentials to bind to the LDAP server, but they have not been accepted by the LDAP sevrer. Double check the credentials work on the LDAP server, and then check (or reset them) in the Open-AudIT LDAP Server entry.info
Bound to LDAP using supplied dn details: $ldap->dn_accountThe administrator supplied credentials that were successfully used to bind to LDAP.debug
User $username in LDAP $ldap->name but not in Open-AudIT and not using LDAP for roles. Trying next LDAP Server.The user that was specified exists in LDAP, but Open-AudIT is not configured to consume the LDAP groups for roles and that user does not exist within Open-AudIT. Either select "Use LDAP for Roles" on the Open-AudIT LDAP Server screen or create this user within Open-AudIT and assign roles and orgs.info
LDAP search successful for user $username at $ldap->hostLDAP was searched for this user and their account was found.debug
LDAP entries retrieval successful for user $username at $ldap->hostThe users details were retrieved from LDAP.debug
LDAP entries retrieval failed for user $username at $ldap->hostThe users details were not retrieved from LDAP. Check the LDAP server logs.info
LDAP search failed for user $username at $ldap->hostLDAP was searched for this user and their account was not found. Check the LDAP server logs. The user credentials have worked, but the user wasn't found. Also check you have specified the correct Base DN attribute when you created the LDAP Server in Open-AudIT.info
Checking AD group membership for $user->nameInformation only.debug
User $username is a member of LDAP group for Role $role->ad_groupThe user is in the LDAP group that matches this Role.debug
No AD group associated with role $role->name, skipping.This Role has no AD group specified. Check the roles details within Open-AudIT. Rolesdebug
User $username is a member of LDAP group for Org $org->ad_groupThe user is in the LDAP group that matches this Org.debug
No AD group associated with org $org->name, skipping.This Org has no AD group specified. Check the roles details within Open-AudIT. Orgsdebug
LDAP search for role $role->ad_group succeeded, $username is in group.The user is in the LDAP group that matches this Role.debug
LDAP search for role $role->ad_group succeeded, $username is NOT in group.The user is not in the LDAP group that matches this Role.debug
LDAP search failed for groups (roles) $user->name at $ldap->hostThe search for group on the LDAP server failed. Check the LDAP server logs. Have you created these groups (for roles and orgs) on the LDAP server and assigned LDAP users to them?debug
LDAP search for org $org->ad_group succeeded, $username is in group.The user is in the LDAP group that matches this Org.debug
LDAP search for org $org->ad_group succeeded, $username is NOT in group.The user is not in the LDAP group that matches this Org.debug
LDAP search failed for groups (orgs) $user->name at $ldap->hostThe search for group on the LDAP server failed. Check the LDAP server logs. Have you created these groups (for roles and orgs) on the LDAP server and assigned LDAP users to them?debug
No AD group associated with org $org->name, skipping.This Org has no AD group specified. Check the roles details within Open-AudIT. Have you created these groups (for orgs) on the LDAP server and assigned LDAP users to them?debug
New user $username logged on (AD account)A new user logged in to Open-AudIT and was authenticated and authorized by the LDAP sever. That user was then created in Open-AudIT and logged in. Success.notice
Existing user $username logged on (AD account).An existing Open-AudIT user was authenticated and authorized by the LDAP server. Success.debug
User $username exists in LDAP $ldap->name and attempted to logon, but does not belong to any OA groups for Roles or Organisations.The user is in LDAP and their credentials are valid, but is not in any of the required Open-AudIT LDAP groups.info
User $username exists in LDAP $ldap->name and attempted to logon, but does not belong to any OA groups for Organisations.The user is in LDAP and their credentials are valid, but is not in any of the Open-AudIT LDAP groups for Orgs.info
User $username exists in LDAP $ldap->name and attempted to logon, but does not belong to any OA groups for Roles.The user is in LDAP and their credentials are valid, but is not in any of the Open-AudIT LDAP groups for Roles.info

...