Articles in this section

LDAP Troubleshooting Guide

Avatar
Igal
  • Updated
Follow

 

LDAP integration allows the VMS admins to link an already existing User Data Base to the system, while keeping stored in LDAP passwords and providing an option to assign specific access rights.

Instructions on how to integrate and configure an LDAP Server can be fount here.

Before we proceed:

Q: Why I cannot use an IP address while configuring LDAP in the Desktop Client?

A: FQND* standard should be used instead. See more information at the bottom of the page.

Q: Can the system be set to periodically pull LDAP for changes/updates?

A: The Media Server tries to sync with LDAP/AD server every 5 or 10 minutes by default.

Q: Why LDAP users are unable to login to the Web Client until after they have successfully logged into the Desktop Client one time?

A: The functionality is planned to be implemented in the 4.1 release.

Q: When configuring LDAP integration, I cannot specify the domain's base DN as a search base, but can specify OU's underneath the base DN. Why?

A: You cannot filter on OU membership, but you can filter on group membership. To retrieve all users that are members of a specified group, filter on the memberOf attribute. 

Example:

memberOf=CN=Security Users,CN=Users,DC=DOMAIN,DC=LOCAL

Q: Does VMS keep LDAP passwords?

A: No, for security reasons.

Q: Does an LDAP Server have to be a part of a Local Network together with the Media Server?

A: No. An LDAP Server must be available for the Media Server rather on LAN or via WAN.

Q: Why cannot I see the LDAP "button" in the Desktop Client?

A: LDAP users with any role assigned are not allowed to modify LDAP Server settings. Basic concept is that if they accidentally modify these setting they will lose permission to connect. 

Q: Why does LDAPS (LDAP over SSL) not work?

A: Most likely you'll be required to change certificates or to install certificates to both machines: LDAP Server and the Media Server.

What if it still does not work:

Step I

First, let's understand if an issue is related to the VMS. For that we recommend you to use an alternative LDAP Browser/Client to connect to your LDAP Server from the list below:

Win --> Softerra LDAP Browser

Ubuntu --> OpenLDAP

To install (Ubuntu):

sudo apt-get update && sudo apt-get install ldap-utils

A test query can look like the one below:

ldapsearch -LLL -x -H ldap://ad.my.domain.com:389 -s sub -D Administrator@my.domain.com -b CN=Users,DC=my,DC=domain,DC=com -w PaSsWoRd123 -o ldif-wrap=150

where:

URLldap://ad.my.domain.com

port: 389

DN of an admin: Administrator@my.domain.com or CN=Administrator,CN=Users,DC=my,DC=domain,DC=com

Search Base: CN=Users,DC=my,DC=domain,DC=com

password: PaSsWoRd123

Valid output:

dn: CN=Users,DC=my,DC=domain,DC=com
objectClass: top
objectClass: container
cn: Users
description: Default container for upgraded user accounts
distinguishedName: CN=Users,DC=my,DC=domain,DC=com
instanceType: 4
whenCreated: 20151113032937.0Z
whenChanged: 20151113032937.0Z
uSNCreated: 5696
uSNChanged: 5696
showInAdvancedViewOnly: FALSE
name: Users
objectGUID:: puf/DK2dGkCF/7bTR7V+iw==
systemFlags: -1946157056
objectCategory: CN=Container,CN=Schema,CN=Configuration,DC=my,DC=domain,DC=com
isCriticalSystemObject: TRUE
dSCorePropagationData: 20170619233637.0Z
dSCorePropagationData: 16010101000001.0Z
.....

If you manage to fetch / browse the information, please proceed to Step II. Otherwise, we strongly encourage you to talk to your LDAP system administrator for assistance.

Step II

*** If Step I was successful ***

Elevate the main logging level of the media server to DEBUG2 (VERBOSE)

Try to perform / re-create the same LDAP related operation you were unsuccessful with. 

Gather Server Logs and create a ticket via our Support Portal with the files attached. 

 *FQND -  it is necessary to use correct Fully Qualified Domain Name (FQDN) as URL. To determine:

1) Log in to the LDAP server
2) Open command prompt and type:
hostname
ASDDC6
3) Enter:
setspn -L ASDDC6 (ASDDC6 is your hostname). You'll see something like:

Registered ServicePrincipalNames for CN=ASDDC6,OU=Domain Controllers,DC=asd,DC=local:
DNS/ASDDC6.asd.local
RPC/1b3acc4a-88ec-4b0f-a72d-6a67831626c2._msdcs.asd.local
HOST/ASDDC6/ASD
HOST/ASDDC6.asd.local/ASD
GC/ASDDC6.asd.local/asd.local
exchangeAB/ASDDC6.asd.local
HOST/ASDDC6.asd.local/asd.local
exchangeAB/ASDDC6
ldap/ASDDC6/ASD
ldap/1b3acc4a-88ec-4b0f-a72d-6a67831626c2._msdcs.asd.local
ldap/ASDDC6.asd.local/ASD
ldap/ASDDC6
ldap/ASDDC6.asd.local
ldap/ASDDC6.asd.local/DomainDnsZones.asd.local
ldap/ASDDC6.asd.local/ForestDnsZones.asd.local
ldap/ASDDC6.asd.local/asd.local
E3514235-4B06-11D1-AB04-00C04FC2DCD2/1b3acc4a-88ec-4b0f-a72d-6a67831626c2/asd.local
NtFrs-88f5d2bd-b646-11d2-a6d3-00c04fc9b232/ASDDC6.asd.local
Dfsr-12F9A27C-BF97-4787-9364-D31B6C55EB04/ASDDC6.asd.local
WSMAN/ASDDC6.asd.local
WSMAN/ASDDC6
TERMSRV/ASDDC6.asd.local
TERMSRV/ASDDC6
RestrictedKrbHost/ASDDC6
HOST/ASDDC6
RestrictedKrbHost/ASDDC6.asd.local
HOST/ASDDC6.asd.local

ldap/ASDDC6.asd.local is the correct hostname (we use ldap://ASDDC6.asd.local)

Related articles

Comments

0 comments

Please sign in to leave a comment.