Troubleshooting LDAP authentication

This article outlines some common issues and error messages that you can run into when using LDAP authentication and how to solve them.

When troubleshooting issues related to LDAP authentication, you can use the Test Connection tool located at the bottom of the LDAP Connections page, which is linked to the Sign In Settings page. The tool performs and logs all of the connection and query steps. More importantly, it will consider unsaved changes on the configuration page. This means you can make adjustments to the OU and Search Filter areas and test them without having to save the page. 

Sections in this article: 

Can't find the AD

Error message: 

Could not connect to LDAP server, received follow error message: The LDAP service is unavailable. 

The LDAP server is unavailable.

To solve this issue:

  • Verify that the Server Name and Server Port are correct.
  • Verify that the correct IP and ports are whitelisted by your network firewalls and firewalls local to the AD. 
    • IP: Contact Igloo Support if you do not know which IP to whitelist.
    • Ports: 1024-65535/TCP 

Can't authenticate

Error message:

Could not connect to LDAP server, received follow error message: The supplied credential is invalid.

The supplied credential is invalid

To solve this issue:

  • If all users can't authenticate, verify that the Query user credentials under Account Credentials on the LDAP Connections page in your digital workplace are correct. Check the following:
    • Query User DN
    • Query User Password 
  • If a single user can't authenticate, verify that they are authenticating with the correct username and password.

Can't find the user in the AD

Error message:

LDAP Query successfully made.

Found 0 results from LDAP query, search can only return one result to be successful.

No results found from LDAP query

To solve this issue:

  • Verify that the user's email is correct.
  • Verify that the user is within scope of the Base OU.

One way to directly test whether the user is in the AD or in scope of the current Base OU is to temporarily replace the Search Filter with a query string that contains the user's email address. For example, mail=testemail@igloosoftware.com. Then run the test connection. If they're not found, they're not in the AD or out of scope for the Base OU. Remove a level from the Base OU and rerun it until the user shows up or until you're at the DC level. If it still returns zero results, then either the user isn't in there, or the email is incorrect. 

The query finds more than one user in the AD

Error message:

Could not perform search, received from server: An operation occurred.

An operation error occurred.

To solve this issue:

  • Verify that there are no duplicate emails or usernames in the AD.
  • Verify that the Search Filter scope is not too broad and returns the same users multiple times.
  • Verify that the Search Filter contains the {0} element so that it uses what user's enter when authenticating.

Timeouts and long login times

If users are experiencing long wait times when authenticating, try to use a more specific Base OU.