How to Troubleshoot AD and LDAP Authentication Issues


Common Issues

The most common reasons for LDAP or Microsoft Active Directory (AD) issues are:

  • Incorrect account information for connecting to a directory service.
  • Users assumed to be in a directory entry (identified by a Distinguished Name or "DN") don't exist.
  • Lookup fields such as mail or userID are incorrectly populated.
  • The sub-tree of a DN isn't searchable.
  • Required fields such as First Name, Last Name and Email are missing.

Enterprise-on-Premises (EOP) customers configuring an LDAP service or AD may also run into setup and configuration issues, which the logging and configuration guidance below can help resolve.
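Several of the causes listed above can be checked outside Contrast by exporting the users under the configured DN to LDIF (for example with ldapsearch, using the same bind account and base DN) and auditing the result. The script below is an added example, not Contrast code; the attribute names givenName, sn and mail, the function names and the sample data are assumptions made for illustration.

```python
import base64

# Assumed attribute names for First Name, Last Name and Email; adjust to your setup.
REQUIRED = ("givenName", "sn", "mail")

def parse_ldif(text):
    """Parse LDIF (e.g. `ldapsearch -LLL` output) into {attr: [values]} dicts."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold wrapped lines
    entries, cur = [], {}
    for line in text.split("\n") + [""]:
        if not line.strip():                   # blank line closes the record
            if "dn" in cur:                    # skip version/search/result records
                entries.append(cur)
            cur = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: ..." is a base64 value
                value = base64.b64decode(value[1:]).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def audit(entries, lookup="mail", required=REQUIRED):
    """Return (dn, problem) pairs for the causes listed under Common Issues."""
    if not entries:
        return [("-", "no entries: check bind account, base DN and sub-tree scope")]
    findings, owner = [], {}
    for e in entries:
        dn = e["dn"][0]
        needed = dict.fromkeys((*required, lookup))  # de-duplicated, order kept
        missing = [a for a in needed if not any(e.get(a.lower(), []))]
        if missing:
            findings.append((dn, "missing or empty: " + ", ".join(missing)))
        for v in e.get(lookup.lower(), []):
            first = owner.setdefault(v.lower(), dn)
            if v and first != dn:              # lookup value must identify one user
                findings.append((dn, f"{lookup} '{v}' also used by {first}"))
    return findings

# Constructed sample, not real directory data.
SAMPLE = """\
dn: uid=alice,ou=people,dc=example,dc=com
givenName: Alice
sn: Ng
mail: alice@example.com

dn: uid=carol,ou=people,dc=exam
 ple,dc=com
givenName:: Q2Fyb2w=
mail: Alice@example.com
"""
```

Calling audit(parse_ldif(SAMPLE)) reports the second entry twice: once for the missing sn and once for a mail value that duplicates the first user's.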

AD and LDAP Configurations

Configuring a directory service can be challenging for Contrast administrators. As noted in the configuration guides here and here, there are many pieces of information needed for basic connectivity, as well as dependencies for configuration. Many customers find this administrative task to be the most challenging part of Contrast setup.

Debug a directory service setup

Generally, the default logging for LDAP should be sufficient to troubleshoot most issues. You can review the logs at $CONTRAST_HOME/data/logs/contrast.log and $CONTRAST_HOME/data/logs/ldap_ad.log.

If you need more verbose logging, please first review the article on logging for general guidance on changing the log configuration and levels.

Turning on additional logging about directory services is a simple, one-line change to the log4j2.xml file located in the $CONTRAST_HOME/data/conf directory. You can edit the file while Contrast is running, and shouldn't have to restart Contrast. Locate the section referencing Logger and edit the line below, replacing the level setting with TRACE.

<Logger name="contrast.teamserver.service.ldap" level="TRACE"></Logger>

Review log messages

Once the setting takes effect (no restart should be required), Contrast begins sending more verbose directory service log messages to the $CONTRAST_HOME/data/logs/ldap_ad.log file.

Contrast recommends that you walk through the configuration of either LDAP or AD as a SuperAdmin after this setting is added.
