LDAP connection test fails in the NuGenesis LMS client - WKB23103
Article number: 23103
SYMPTOMS
- When testing the LDAP server configuration in NuGenesis LMS, the following error message appears: "User or password is incorrect!"
- The same LDAP username and password are successful when logging in to Windows, NuGenesis SDMS, or Empower
ENVIRONMENT
- NuGenesis 9 LMS
- NuGenesis 8 LMS
- NuGenesis 8 ELN
CAUSE
- An invalid LDAP configuration prevents the LMS server from connecting to the LDAP server;
- The LDAP server is offline; or
- The username entered into the Test Connection dialog box matches none, or more than one, of the entries in the LDAP server
FIX or WORKAROUND
- Verify each part of the LDAP configuration in LMS:
  - Check the protocol type and server name in the URL field
    - NuGenesis 8 - 9.2: The protocol should be ldap:// if using non-secure LDAP, or ldaps:// if using secure LDAP
    - NuGenesis 9.3+: The Authentication type should be "LDAP SSL" or "LDAP TLS"
    - The server name in the URL must be the name or fully qualified name of a valid LDAP server
  - Confirm that the port is correct
    - NuGenesis 8 - 9.2: The default port is 389 for non-secure LDAP and 636 for secure LDAP
    - NuGenesis 9.3+: Use port 389 with "LDAP" and "LDAP TLS" authentication types, or 636 for "LDAP SSL", unless specified otherwise by the customer's IT team
  - Confirm that the Bind User and Password are correct
  - Confirm that the Base DN is correct
  - Clear the LDAP Filter
  - Use the correct LDAP attribute for the User ID: sAMAccountName for Active Directory servers; UID for non-Active Directory servers
- An LDAP filter, if present, must use the LDAP query syntax. Example: (objectClass=user)
  - In most cases, an LDAP filter is not required
  - If one is required, enclose it in parentheses. The LMS server appends the filter to the default filter. Example: (&(uid=username)(objectClass=user))
- If using secure LDAP, add a certificate to the LMS server per the instructions in the linked article
- Check the LMS server log file for error messages related to LDAP
- Use the Softerra LDAP Browser tool to connect to the LDAP server and run the same query
  - If the LDAP server returns more than one match for the search result, LMS displays the error message
ADDITIONAL INFORMATION
One example error message in server.log indicates a problem with the certificate as supplied by the LDAP server:
- Problem accessing LDAP Server, e.g user not available in LDAP: javax.naming.CommunicationException: simple bind failed: ldapserver:636 [Root exception is javax.net.ssl.SSLHandshakeException: KeyUsage does not allow digital signatures]
This message is seen on NuGenesis 9.3+ servers when the LDAP server's own certificate does not have "digitalSignature" set in its KeyUsage extension.