| Agent Mode | Assess & Protect |
| Main Product Category | Contrast UI |
The most common reasons for LDAP or Microsoft Active Directory (AD) issues are:
- Account information for connecting to a directory service isn't correct.
- Users assumed to be in a DN don't exist.
- Lookup fields such as mail or userID aren't correctly populated.
- The sub-tree of a DN isn't searchable.
- Required fields such as First Name, Last Name and Email are missing.
Enterprise-on-Premises (EOP) customers configuring an LDAP service or AD may also run into setup and configuration issues, which you can resolve by following the logging and configuration guidance below.
Configuring a directory service can be challenging for Contrast administrators. As noted in the configuration guide, there are many pieces of information needed for basic connectivity, as well as dependencies for configuration. Many customers find this administrative task to be the most challenging part of Contrast setup.
Generally, the default logging for LDAP is sufficient to troubleshoot most issues. You can review the following log.
Should more verbose logging be required, review the article on logging to learn how to change the log configuration and levels.
Turning on additional logging for directory services is a simple, one-line change to the log4j2.xml file in the $CONTRAST_HOME/data/conf directory. Change to that directory through a Unix command prompt or a Windows Explorer window. You can edit the file in real time and shouldn't have to restart Contrast. Locate the section referencing the contrast.teamserver.ldap Logger and edit the line below, replacing the existing level value with TRACE. Contrast picks up the change and begins writing log messages to ldap_ad.log.

```xml
<Logger name="contrast.teamserver.ldap" level="TRACE"></Logger>
```
Once the setting takes effect, Contrast begins sending directory service log messages to the $CONTRAST_HOME/data/logs/ldap_ad.log file. Contrast recommends that you walk through the configuration of either LDAP or AD as a SuperAdmin after this setting is added.
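As an added example (not Contrast's own tooling) of making that one-line change without hand-editing a large log4j2.xml, the following Python script sets the contrast.teamserver.ldap Logger level and reads it back; the sample file, appender name and file path it embeds are constructed assumptions, and the real file's layout may differ.

```python
import xml.etree.ElementTree as ET

# Constructed sample log4j2.xml: the Logger name is from the page, the
# appender name and file path are assumptions, not Contrast's real file.
SAMPLE_LOG4J2 = """<Configuration status="WARN" monitorInterval="30">
  <Appenders>
    <File name="ldap_ad" fileName="${sys:contrast.home}/data/logs/ldap_ad.log"/>
  </Appenders>
  <Loggers>
    <Logger name="contrast.teamserver.ldap" level="INFO">
      <AppenderRef ref="ldap_ad"/>
    </Logger>
    <Root level="INFO"/>
  </Loggers>
</Configuration>
"""
LDAP_LOGGER = "contrast.teamserver.ldap"
LOG4J2_LEVELS = {"OFF", "FATAL", "ERROR", "WARN", "INFO", "DEBUG", "TRACE", "ALL"}


def get_logger_level(xml_text, name=LDAP_LOGGER):
    """Return the level of the named <Logger>, or None if it is not configured."""
    root = ET.fromstring(xml_text)
    for logger in root.iter("Logger"):
        if logger.get("name") == name:
            return logger.get("level")
    return None


def set_logger_level(xml_text, level, name=LDAP_LOGGER):
    """Return xml_text with the named <Logger> set to level (e.g. "TRACE").

    A missing Logger element is added under <Loggers>; an unknown level name
    is rejected so a typo cannot silently leave the logging unchanged.
    """
    level = level.upper()
    if level not in LOG4J2_LEVELS:
        raise ValueError(f"not a log4j2 level: {level}")
    root = ET.fromstring(xml_text)
    for logger in root.iter("Logger"):
        if logger.get("name") == name:
            logger.set("level", level)
            break
    else:
        loggers = root.find("Loggers")
        if loggers is None:
            raise ValueError("log4j2.xml has no <Loggers> section")
        ET.SubElement(loggers, "Logger", name=name, level=level)
    return ET.tostring(root, encoding="unicode")
```

Read $CONTRAST_HOME/data/conf/log4j2.xml, pass its contents through set_logger_level, and write the result back. Restore the original level once troubleshooting is done, since TRACE output of directory lookups can include bind DNs and user attribute values.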