Troubleshooting LDAP authentication

Having trouble with LDAP authentication? This article walks you through common issues and how to fix them.

When troubleshooting issues related to LDAP authentication, you can use the Test Connection tool located at the bottom of the LDAP Connections page, access from the Sign In Settings page. The tool performs and logs all of the connection and query steps. More importantly, it will consider unsaved changes on the configuration page. This means you can make adjustments to the OU and Search Filter areas and test them without having to save the page. 

Sections in this article: 

• Cause: Can't find the AD
• Cause: Can't find the user in the AD
• Cause: The query finds more than one user in the AD
• Cause: Timeouts and long login times

Cause: Can't find the AD

Error message: 

Could not connect to LDAP server, received follow error message: The LDAP service is unavailable. 

The LDAP server is unavailable.

Resolve by

Verify the following: 

• The Server Name and Server Port are correct.
• The correct IP and ports are whitelisted by your network firewalls and firewalls local to the AD. 
  • IP: Contact Igloo Support if you do not know which IP to whitelist.
  • Ports: 1024-65535/TCP 

Cause: Can't authenticate

Error message:

Could not connect to LDAP server, received follow error message: The supplied credential is invalid.

The supplied credential is invalid

Resolve by

• If all users can't authenticate, verify that the Query user credentials under Account Credentials on the LDAP Connections page in your digital workplace are correct. Check the following:
  • Query User DN
  • Query User Password 
• If a single user can't authenticate, verify that they are authenticating with the correct username and password.

Cause: Can't find the user in the AD

Error message:

LDAP Query successfully made.

Found 0 results from LDAP query, search can only return one result to be successful.

No results found from LDAP query

Resolve by

Verify the following: 

• The user's email is correct.
• The user is within scope of the Base OU.

One way to directly test whether the user is in the AD or in scope of the current Base OU is to temporarily replace the Search Filter with a query string that contains the user's email address. For example, mail=testemail@igloosoftware.com. Then run the test connection. If they're not found, they're not in the AD or out of scope for the Base OU. Remove a level from the Base OU and rerun it until the user shows up or until you're at the DC level. If it still returns zero results, then either the user isn't in there, or the email is incorrect. 

Cause: The query finds more than one user in the AD

Error message:

Could not perform search, received from server: An operation occurred.

An operation error occurred.

Resolve by

Verify the following: 

• There are no duplicate emails or usernames in the AD.
• The Search Filter scope is not too broad and returns the same users multiple times.
• The Search Filter contains the {0} element so that it uses what user's enter when authenticating.

Cause: Timeouts and long login times

Users may experience long wait times when authenticating.

Resolve by

Try to use a more specific Base OU.