The most common reasons for LDAP or Microsoft Active Directory (AD) issues are:
- Incorrect account information for connecting to a directory service.
- Users assumed to be in a directory entry (identified by a Distinguished Name or "DN") don't exist.
- Lookup fields such as mail or userID are incorrectly populated.
- The sub-tree of a DN isn't searchable.
- Required fields such as First Name, Last Name and Email are missing.
Enterprise-on-Premises (EOP) customers configuring an LDAP service or AD may also run into setup and configuration issues, which you can resolve with logging and configuration guidance.
Configuring a directory service can be challenging for Contrast administrators. As noted in the configuration guides, basic connectivity requires many pieces of information, and the configuration has its own dependencies. Many customers find this administrative task to be the most challenging part of Contrast setup.
Generally, the default logging for LDAP should be sufficient to troubleshoot most issues. You can review the logs at
If you need more verbose logging, please first review the article on logging for general guidance on changing the log configuration and levels.
Turning on additional logging about directory services is a simple, one-line change to the log4j2.xml file located in the $CONTRAST_HOME/data/conf directory. You can edit the file in real time, and shouldn't have to restart Contrast. Locate the section referencing Logger and edit the line below, replacing the level setting with the value shown:
<Logger name="contrast.teamserver.service.ldap" level="TRACE"></Logger>
Once the setting takes effect (no restart should be required), Contrast begins sending more verbose directory service log messages to the
Contrast recommends that you walk through the configuration of either LDAP or AD as a SuperAdmin after this setting is added.
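The common causes listed at the top can be checked against the directory itself before walking through the configuration. This added example (not Contrast code and not part of the original article) parses LDIF text, such as the output ldapsearch prints for the configured search base, and reports expected users with no matching lookup value and entries missing required fields. The attribute names givenName, sn and mail, the function names and the sample entries are assumptions.

```python
import base64

# Assumptions (not from the page): givenName/sn/mail are the directory attributes
# mapped to First Name, Last Name and Email; "mail" is the lookup field.
REQUIRED = ("givenName", "sn", "mail")
# Constructed sample in LDIF form: a base64 value, a folded line, an empty mail.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
givenName: Alice
sn:: U21pdGg=
mail: alice@example.com

dn: uid=bob,ou=people,dc=example,dc=com
sn: Very
 LongName
mail:
"""

def parse_ldif(text):
    """Return [(dn, {attr_lower: [values]})], handling folded lines and base64 values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, dn, attrs = [], None, {}
    for line in lines + [""]:                  # trailing blank flushes the last entry
        if not line.strip():
            if dn is not None:
                entries.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith("#") and ":" in line:
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            if name.lower() == "dn":
                dn = value.strip()
            else:
                attrs.setdefault(name.lower(), []).append(value.strip())
    return entries

def check_directory(text, expected, lookup="mail", required=REQUIRED):
    """Report expected users with no matching lookup value, and entries missing fields."""
    entries = parse_ldif(text)
    present = {v.lower() for _, a in entries for v in a.get(lookup.lower(), []) if v}
    not_found = [u for u in expected if u.lower() not in present]
    missing = {dn: [r for r in required if not any(a.get(r.lower(), []))] for dn, a in entries}
    return {"not_found": not_found, "incomplete": {d: m for d, m in missing.items() if m}}
```

An entry listed under "incomplete" or a user under "not_found" points to the directory data rather than the Contrast connection settings.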