Common Issues
The most common reasons for LDAP or Microsoft Active Directory (AD) issues are:
- Incorrect account information for connecting to a directory service.
- Users assumed to be in a directory entry (identified by a Distinguished Name or "DN") don't exist.
- Lookup fields such as mail or userID are incorrectly populated.
- The sub-tree of a DN isn't searchable.
- Required fields such as First Name, Last Name and Email are missing.
Enterprise-on-Premises (EOP) customers configuring an LDAP service or AD may also run into setup and configuration issues, which you can resolve using the logging and configuration guidance below.
AD and LDAP Configurations
Configuring a directory service can be challenging for Contrast administrators. As noted in the configuration guides here and here, there are many pieces of information needed for basic connectivity, as well as dependencies for configuration. Many customers find this administrative task to be the most challenging part of Contrast setup.
Debug a directory service setup
Generally, the default logging for LDAP should be sufficient to troubleshoot most issues. You can review the logs at $CONTRAST_HOME/data/logs/contrast.log and $CONTRAST_HOME/data/logs/ldap_ad.log.
If you need more verbose logging, please first review the article on logging for general guidance on changing the log configuration and levels.
Turning on additional logging about directory services is a simple, one-line change to the log4j2.xml file located in the $CONTRAST_HOME/data/conf directory. You can edit the file in real-time, and shouldn't have to restart Contrast. Locate the section referencing Logger, then edit the line below, replacing the level setting with TRACE.
<Logger name="contrast.teamserver.service.ldap" level="TRACE"></Logger>
Review log messages
Once the setting takes effect (no restart should be required), Contrast begins sending more verbose directory service log messages to the $CONTRAST_HOME/data/logs/ldap_ad.log file.
Contrast recommends that you walk through the configuration of either LDAP or AD as a SuperAdmin after this setting is added.
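The one-line log4j2.xml change described above can be scripted so that the previous level is recorded and can be restored once the walkthrough is done. This is an added example, not Contrast tooling: the function names, the sample file and its levels are hypothetical, and it assumes the Logger line has the same shape as the one shown above.

```shell
#!/bin/sh
# Added example: toggle the LDAP/AD logger level in Contrast's log4j2.xml.
# Function names and the sample file are hypothetical, not Contrast tooling.
LOGGER_RE='contrast\.teamserver\.service\.ldap'

# Print the current level of the LDAP logger (empty if the line is absent).
get_ldap_log_level() {
    sed -n "s/.*<Logger name=\"$LOGGER_RE\"[^>]*level=\"\([A-Za-z]*\)\".*/\1/p" "$1" | head -n 1
}

# Set the LDAP logger level; prints the previous level so it can be restored.
# Assumes name= precedes level= on one line, as in the line shown on the page.
set_ldap_log_level() {
    conf=$1; level=$2
    case $level in
        OFF|FATAL|ERROR|WARN|INFO|DEBUG|TRACE|ALL) ;;
        *) echo "invalid log4j2 level: $level" >&2; return 2 ;;
    esac
    old=$(get_ldap_log_level "$conf")
    [ -n "$old" ] || { echo "LDAP Logger not found in $conf" >&2; return 1; }
    cp -p "$conf" "$conf.bak" || return 1          # keep a rollback copy
    # Touch only the LDAP logger line; every other Logger keeps its level.
    sed "/<Logger name=\"$LOGGER_RE\"/s/level=\"[A-Za-z]*\"/level=\"$level\"/" \
        "$conf.bak" > "$conf" || return 1
    [ "$(get_ldap_log_level "$conf")" = "$level" ] || return 1
    echo "$old"
}

# Constructed sample fragment (levels are made up, not Contrast defaults).
write_sample_conf() {
    cat > "$1" <<'EOF'
<Loggers>
    <Logger name="contrast.teamserver.other" level="WARN"></Logger>
    <Logger name="contrast.teamserver.service.ldap" level="INFO"></Logger>
</Loggers>
EOF
}

# Demo on the constructed file: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp) && write_sample_conf "$f"
    prev=$(set_ldap_log_level "$f" TRACE) && echo "was $prev, now $(get_ldap_log_level "$f")"
    set_ldap_log_level "$f" "$prev" >/dev/null && echo "restored to $(get_ldap_log_level "$f")"
    rm -f "$f" "$f.bak"
fi
```

Against a real installation the file argument would be $CONTRAST_HOME/data/conf/log4j2.xml; the function leaves a log4j2.xml.bak copy beside it.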