Troubleshooting an LDAP connection and query
In working with an LDAP database, we have found two general areas where problems occur:
- Making a connection to the LDAP server
- Getting the desired results (list of users) from an LDAP query.
This topic provides some ideas for troubleshooting both types of problems.
Testing the LDAP Connection and Query
On the LDAP Configuration page, the Test button runs a script that simulates a connection to the LDAP server and tests the query by using the information you have provided on this page. The test results are displayed in a log window, these results can be copied and pasted to an email or other report. You can use this log to determine if there is a connection error or if the specified query returns the appropriate list of users.
LDAP connection problems
To connect to your LDAP database, you will need:
- the IP address or hostname for the LDAP server
- an account (user name and password) on the LDAP database
The following errors indicate a connection error:
- LDAP server is down, or IP address or hostname is not valid:
Initializing LDAP...Connecting...Log entry: Command=ldap_bind : Message=Server DownDisconnecting...Initializing user search...***Test Complete*** - User name or password is not valid:
Initializing LDAP...Connecting...Server asked for a client certificate.Failed to match the client cert with server CA list.Verifying server certificate...Server certificate has been verifiedLog entry: Command=ldap_bind : Message=Invalid CredentialsDisconnecting...Initializing user search...***Test Complete*** - If you select to use SSL and select a certificate to use, and the LDAP server does not allow the certificate, you'll see the following error:
Initializing LDAP...Connecting...Server asked for a client certificate.Failed to match the client cert with server CA list.Verifying server certificate...Server certificate has been verifiedInitializing user search...Getting first user...Processing retrieved user data...Closing user search...***Test Complete***
LDAP Queries
To get a list of users from your LDAP database, you need to know the structure (schema) of your database. This allows you to create a query that returns a specific list of users.
If there is a problem with the LDAP query you specified, the log will show the following:
Initializing LDAP...
Connecting...
Server asked for a client certificate.
Failed to match the client cert with server CA list.
Verifying server certificate...
Server certificate has been verified
Initializing user search...
Getting first user...
Processing retrieved user data...
Closing user search...
***Test Complete***
This section provides an example of how you can query an LDAP database (or Active Directory, which is an LDAP database) to return the specific list of users that you want to add to a WS_FTP Server host.
We first use an LDAP browser to view the LDAP database. This will allow us to see the database structure so we can set up an appropriate query when configuring the host in WS_FTP Server.
We use the Softera browser, which you can download from: http://download.softerra.com/files/ldapbrowser26.msi
Using Softerra, or another LDAP browser, we connect to the LDAP server using the following:
- IP address of LDAP Server: 192.168.196.135
- LDAP user name: cn=Suse Number1 Queue,dc=ipswitch,dc=com
To view the structure of the LDAP database, we have selected LDAP Test (the name of our LDAP server) in the left pane. Each "cn" listed under LDAP test represents a user. If we start an LDAP query for users at the Base DN (dc=Ipswitch,dc=com), the query will return all of the users in this database.
On the LDAP Configuration page, this query would be specified as follows:
If we use a Base DN that specifies a specific user (for example, cn=Suse Number1 Queue,dc=Ipswitch,dc=com), the query will return one user. Also note that this OpenLDAP database uses "sn" to identify the user's Login name, so sn is entered in the Login box.