Polarity Admin Guide Version 5

LDAP Troubleshooting

If the LDAP configuration looks correct and you are still not sure why users cannot log in with LDAP, this guide walks through some common errors and troubleshooting tips.

To begin troubleshooting, log in to the Polarity Server and navigate to:

/app

In the /app directory, run the following commands to connect to Elixir's IEx shell and set the log level to debug:

docker exec -it polarity_platform bash
prod/rel/polarity_platform/bin/polarity_platform remote
Logger.configure(level: :debug)

Once you have executed those commands, exit the IEx and Bash sessions, then run the following command to check the logs for the different LDAP errors:

docker-compose logs app | grep "Any error string below to check for ldap errors"

Untrusted SSL Certificate

If the LDAPS server presents an untrusted SSL certificate, you will see the following error:

TLS :client: In state :certify at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA

{"level":"notice","message":"TLS :client: In state :certify at ssl_handshake.erl:2111 generated CLIENT ALERT: Fatal - Unknown CA\n","metadata":{},"timestamp":"2024-02-06T20:12:50.208Z"}

Invalid LDAP URL

If the server URL could not be reached (e.g., the provided LDAP URL is incorrect), you will see the following error:

connect failed

{"level":"debug","message":"[Elixir.Polarity.Ldap] %{details: %{error: \"'connect failed'\"}}","metadata":{},"timestamp":"2024-02-06T20:23:36.288Z"}

Invalid User Password

If the user account password is incorrect you will see the following error:

LDAP credentials could not be verified

{"level":"debug","message":"[Elixir.Polarity.Ldap] %{details: %{error: \"LDAP credentials could not be verified.\"}}","metadata":{},"timestamp":"2024-02-06T20:14:30.437Z"}

Possible causes

  • User is providing the wrong credentials

User account cannot be found

If the user account cannot be found in LDAP you will see the following error:

user search unsuccessful

{"level":"debug","message":"[Elixir.Polarity.Ldap] %{details: %{error: \"%ErrorMessage{code: :unauthorized, message: \\\"user search unsuccessful\\\", details: nil}\"}}","metadata":{},"timestamp":"2024-02-06T20:20:33.574Z"}

Possible causes

  • Typo when providing the user account information at the login screen

  • The "User Search Filter" could be set up incorrectly. For example, the username provided by the user does not match the attribute set in the "User Search Filter" option.

Invalid Service Account Password

If the service account password is incorrect or the service account username is incorrect (i.e., cannot be found) you will see the following two errors in the logs:

:invalidCredentials

incorrect username or password

{"level":"debug","message":"[Elixir.Polarity.Ldap] %{details: %{error: \":invalidCredentials\"}}","metadata":{},"timestamp":"2024-02-06T20:19:14.660Z"}
{"level":"debug","message":"[Elixir.Polarity.Ldap] %{details: %{error: \"{:error, %ErrorMessage{code: :unauthorized, message: \\\"incorrect username or password\\\", details: nil}}\"}}","metadata":{},"timestamp":"2024-02-06T20:19:14.660Z"}

Possible Causes:

  • The service account password is incorrect

  • The service account is locked or disabled

  • The "Service User DN" is incorrect

Unauthorized User

If the user is not in an authorized group, you will see the following error (this error is not particularly specific, so there are likely other error conditions that would look like this):

error: \":error\"

{"level":"debug","message":"[Elixir.Polarity.Ldap] %{details: %{error: \":error\"}}","metadata":{},"timestamp":"2024-02-06T20:30:39.613Z"}

Possible Causes:

  • The user is not in the authorized groups

  • The authorized groups are set incorrectly (e.g., the wrong group name is being used)

  • The wrong "Group User DN Attribute" is set
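
As an added example (not part of the Polarity guide or product), the following Python script classifies `docker-compose logs app` output against the error strings documented in the sections above, so a single pass over the logs shows which case applies. The `app_1  | ` line prefix and the script name `ldap_errors.py` are assumptions.

```python
import json
import sys

# Error strings from this guide, mapped to its section titles. ":error" is matched
# with its quotes so it cannot hit the "{:error, %ErrorMessage{...}}" lines.
SIGNATURES = [
    ("Unknown CA", "Untrusted SSL Certificate"),
    ("connect failed", "Invalid LDAP URL"),
    ("LDAP credentials could not be verified", "Invalid User Password"),
    ("user search unsuccessful", "User account cannot be found"),
    ("incorrect username or password", "Invalid Service Account Password"),
    (":invalidCredentials", "Invalid Service Account Password"),
    ('error: ":error"', "Unauthorized User"),  # not specific, per the guide
]

# Log lines from this guide; the "app_1  | " prefix and the last line are constructed.
SAMPLE = [
    r'app_1  | {"level":"debug","message":"[Elixir.Polarity.Ldap] %{details: %{error: \"{:error, %ErrorMessage{code: :unauthorized, message: \\\"incorrect username or password\\\", details: nil}}\"}}","metadata":{},"timestamp":"2024-02-06T20:19:14.660Z"}',
    r'app_1  | {"level":"debug","message":"[Elixir.Polarity.Ldap] %{details: %{error: \":error\"}}","metadata":{},"timestamp":"2024-02-06T20:30:39.613Z"}',
    r'app_1  | {"level":"info","message":"constructed unrelated line","metadata":{},"timestamp":"2024-02-06T20:31:00.000Z"}',
]

def classify_line(line):
    """Return (timestamp, section title) for a known LDAP error line, else None."""
    start = line.find("{")  # skip the docker-compose container prefix, if any
    if start < 0:
        return None
    try:
        entry = json.loads(line[start:])
    except ValueError:  # not a JSON log line
        return None
    message = entry.get("message", "")
    for needle, section in SIGNATURES:
        if needle in message:
            return entry.get("timestamp"), section
    return None

def summarize(lines):
    """Count matching log lines per troubleshooting section."""
    counts = {}
    for line in lines:
        hit = classify_line(line)
        if hit:
            counts[hit[1]] = counts.get(hit[1], 0) + 1
    return counts

if __name__ == "__main__":  # docker-compose logs app | python3 ldap_errors.py
    for section, n in summarize(sys.stdin).items():
        print(f"{n:4d}  {section}")
```
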

Invalid Email Attribute

If the email attribute provided as part of the LDAP configuration is not correct (can't be found), you will see the following error in the user interface. This means the user was able to log in and was authorized, but we couldn't create the account because the "User Email Attribute" was not valid.

"Email: can't be blank"

Invalid User Display Name Attribute

If the "User Display Name" attribute provided as part of the LDAP configuration is not correct (can't be found), you will see the following error in the user interface. This means the user was able to log in and was authorized, but we couldn't create the account because the "User Display Name Attribute" was not valid.

Full_name: can't be blank

Users that are not in specified groups can login

If the "Group User DN Attribute" is set to an attribute that does not exist, then the "Group Search Filter" will have no effect and any user with a valid LDAP account will be able to l


Last updated 1 year ago