If Asset Bank cannot connect to the LDAP server then you should see an error in one of the log files (in [tomcat]/logs). Common problems are:
- The user credentials are not specified correctly in the ApplicationSetting.properties file. Note that the ‘ad-wms-user-distinguished-name’ property must be the Distinguished Name of the user.
- The user created for Asset Bank in the LDAP server does not have permission to search the node specified by ‘ad-ldap-base-list’
- The ‘ad-ldap-base-list’ property is not specified correctly in the ApplicationSetting.properties file. Note that the it must be the Distinguished Name of the node.
- Asset Bank seems to be synching with the LDAP server, but you can't log in as a particular user. If the setting ad-user-search-criteria is set to the default, which is (&(objectClass=user)(mail=*)), check that the user in question has an email address. If they haven't either change the settingad-user-search-criteria to remove the requirement that users have email addresses, or ensure the user does have one.
- Users previously logged in as 'local' Asset Bank users and now are trying to login as LDAP users with the same username. If this is the case then the user will still be setup as a 'local' user in Asset Bank's database. Check the AssetBankUser table in the database. If the user is local then the field NotActiveDirectory should be 1; if the user is from LDAP this field should be 0.
- Your LDAP server does not support paging of search results (in which case you will have set ad-ldap-supports-paging=false).
- Your LDAP synchronisation doesn't work and error 'LDAP: error code 32' is appearing in the logs. This normally indicates that there is a problem with the ad-ldap-base-list setting - if any of the nodes in this list are wrong/invalid the whole synchronisation will fail.
If you have problems, it can be useful to install a Java LDAP browser (such as JXplorer) on the server on which Asset Bank is installed. If you cannot connect to your LDAP server using JXplorer, using the same credentials, then Asset Bank won’t be able to either.
JXplorer can be used to find out the Distinguished Name of the user (and search start node) as Active Directory does not always show these properties.
If you are not able to use the JXplorer GUI, then it is possible to run an LDAP search from the linux command line. The command will look something like this:
ldapsearch -vxW -H ldap://[LDAP Server IP]:389 -b "[base list of LDAP search]" -D "[DN of user connecting to LDAP server]"
For help with this, see the article: How do I find out which settings to use for Active Directory integration
Tips for using JXplorer:
- Install and run the pure Java version, to ensure JXplorer is running in an environment as similar as possible to Asset Bank.
- If you are using SSL: by default, JXplorer uses two keystores, both of which are located in [jxplorer]/security. It is useful to have JXplorer use the same keystore as Asset Bank, i.e. the one in the JRE. You can change this in JXplorer by going to Security->Advanced Keystore Options in the menu. You can use JXplorer to view the certificate in the keystore, e.g. to check it imported ok, or even to add the cert.