LDAP integration allows System Administrators to link an existing user database to their Nx Witness System for access and rights management.
Instructions on how to integrate and configure an LDAP Server can be found here.
FAQs
Question: Why can't an IP address be used when configuring LDAP in the Desktop Client?
Answer: Nx Witness supports the FQDN (fully qualified domain name) standard.
Question: Can a System be set to periodically poll LDAP for changes/updates?
Answer: The Media Server attempts to synchronize with the LDAP/AD server once every 10 minutes by default.
Question: Why are LDAP users unable to log in to the Web Client until they have successfully logged in to the Desktop Client one time?
Answer: This is currently the way the solution works, but we have plans to modify it in an upcoming release to make it simpler to use.
Question: When configuring LDAP integration, I cannot specify the domain's base DN as a search base, but can specify OU's underneath the base DN. Why?
Answer: You cannot filter on OU membership, but you can filter on group membership. To retrieve all users that are members of a specified group, filter on the memberOf attribute.
Example:
memberOf=CN=Security Users,CN=Users,DC=DOMAIN,DC=LOCAL
Question: Does the VMS keep LDAP passwords?
Answer: No, for security reasons.
Question: Does an LDAP Server have to be a part of a Local Network together with the Media Server?
Answer: No. The LDAP Server only has to be reachable by the Media Server, either on the LAN or via WAN.
Question: Why can't I see the LDAP "button" in the Desktop Client?
Answer: LDAP users with any role assigned are not allowed to modify LDAP Server settings. The basic concept is that if they accidentally modify these settings, they will lose permission to connect.
Question: Why does LDAPS (LDAP over SSL) not work?
Answer: Most likely you will need to change certificates or install certificates on both machines: the LDAP Server and the Media Server.
Troubleshooting an LDAP Connection
Step 1: Test your LDAP Server with a 3rd Party LDAP Browser / Client
First, determine whether the issue is related to Nx Witness at all. To do that, we recommend connecting to your LDAP Server with an alternative LDAP Browser/Client from the list below:
- Win --> Softerra LDAP Browser
- Ubuntu --> OpenLDAP
To install LDAP Utilities (Ubuntu):
sudo apt-get update && sudo apt-get install ldap-utils
A test query can look like the one below:
ldapsearch -LLL -x -H ldap://ad.my.domain.com:389 -s sub -D Administrator@my.domain.com -b CN=Users,DC=my,DC=domain,DC=com -w PaSsWoRd123 -o ldif-wrap=150
where:
- URL: ldap://ad.my.domain.com
- port: 389
- DN of an admin: Administrator@my.domain.com or CN=Administrator,CN=Users,DC=my,DC=domain,DC=com
- Search Base: CN=Users,DC=my,DC=domain,DC=com
- password: PaSsWoRd123
A valid output would look something like this:
dn: CN=Users,DC=my,DC=domain,DC=com
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=my,DC=domain,DC=com
instanceType: 4
whenCreated: 20151113032937.0Z
whenChanged: 20151113032937.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: puf/DK2dGkCF/7bTR7V+iw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
isCriticalSystemObject: TRUE
dSCorePropagationData: 20170619233637.0Z
dSCorePropagationData: 16010101000001.0Z
.....
If you manage to fetch or browse the information from your LDAP Server using the 3rd party Browser / Client, please proceed to Step 2.
Otherwise, we strongly encourage you to talk to your LDAP system administrator for further assistance before proceeding to Step 2 below.
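The Step 1 test query combined with the memberOf filter from the FAQ, as an added example that is not Nx Witness code: it prompts for the bind password with -W instead of passing it with -w, and escapes filter-special characters in the group DN. The function names and the script name ldap_check.sh are assumptions; the host and DNs follow the article's sample values.

```shell
#!/bin/sh
# Added example (not Nx Witness code). Function names are assumptions.

# Escape a value for use inside an LDAP search filter (RFC 4515).
# The backslash is handled first so the escapes added for * ( ) are not
# themselves re-escaped.
ldap_escape() {
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Build the FAQ's group-membership filter for one group DN.
member_filter() {
    printf '(memberOf=%s)' "$(ldap_escape "$1")"
}

# Count the entries in LDIF read from stdin. "dn::" marks a base64-encoded DN.
count_entries() {
    grep -c -E '^dn::? ' || true
}

# Step 1 query restricted to members of a group, returning only the DNs.
#   $1 server URL   $2 bind DN   $3 search base   $4 group DN
# -W prompts for the bind password, keeping it out of shell history and the
# process list (the article's sample passes it with -w).
# ldif-wrap=no keeps every DN on one line so count_entries sees it whole.
test_query() {
    ldapsearch -LLL -x -W -H "$1" -s sub -D "$2" -b "$3" \
        -o ldif-wrap=no "$(member_filter "$4")" dn
}

# Runs only when called with the four arguments, for example:
#   sh ldap_check.sh ldap://ad.my.domain.com:389 Administrator@my.domain.com \
#      CN=Users,DC=my,DC=domain,DC=com 'CN=Security Users,CN=Users,DC=my,DC=domain,DC=com'
if [ "$#" -eq 4 ]; then
    printf 'matching entries: %s\n' "$(test_query "$@" | count_entries)"
fi
```

A count of 0 with a successful bind usually points at the filter or search base rather than at connectivity. Passing an ldaps:// URL as the first argument runs the same check over LDAPS, which also exercises the certificate setup mentioned in the FAQ.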
Step 2: Gather Server Logs
*** If Step 1 was successful ***
- Elevate the main logging level of the media server to DEBUG2 (VERBOSE)
- Try to perform / re-create the same LDAP related operation you were unsuccessful with.
- Gather Server Logs and share them with our support team or your local reseller.
Questions
If you have any questions related to this topic or you want to share your experience with other community members or our team, please visit and engage in our support community or reach out to your local reseller.