Avi Load Balancer provides an option for testing authentication profiles configured on the Avi Load Balancer Controller.

Testing an Authentication Profile

To verify the LDAP profile, perform the following steps.

  1. Navigate to Templates > Security > Auth Profile.

  2. Click the verify icon to open the VERIFY AUTH PROFILE screen.

    Note: Depending on whether the LDAP Auth Profile has Administrator Bind or Anonymous Bind configured, the VERIFY AUTH PROFILE screen displays a different set of options.

  3. Enter the required details in the VERIFY AUTH PROFILE screen.

Verifying LDAP Profile with Anonymous Bind

If the LDAP authentication profile is configured to use anonymous binding for authentication requests, the popup for testing the profile prompts for the LDAP user’s user name and password.



In the VERIFY AUTH PROFILE screen, enter the Username and Password, and click Verify.

Testing whether a user can bind successfully verifies that the LDAP authentication profile is configured correctly to authenticate users with the same user DN pattern.

Verifying LDAP Profile with Administrator Bind

If the LDAP authentication profile is configured to use administrator binding for authentication requests, one of the following types of information can be specified on the verification popup for the profile.

In the VERIFY AUTH PROFILE screen, select the required option to verify and enter the Username.



Test user entry
  • Searches the LDAP server’s database for the specified user name, and returns the corresponding user entry from the LDAP database.

  • This option is useful for listing all attribute key-value pairs for any given user. The user search settings configured in the authentication profile are used.

  • If the Username field is left empty, Avi Load Balancer pulls the entire list of user records from the LDAP database.

Test user group membership
  • Lists all group memberships for the specified user. The group search settings configured in the authentication profile are used.

  • If the Username field is left empty, all groups are returned.

Test base DN
  • Returns all objects under the base DN.

  • This option is useful for testing administrator permissions and for reading the DN tree of the LDAP server.

This process can identify some common error scenarios, such as:

  • LDAP server IP/port is incorrect

  • Bad user name or user search settings are incorrect

  • User is either not a member of any group or the group search settings are incorrect
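
One way to express the three Administrator Bind tests as LDAP search parameters, so a Verify result can be reproduced with a directory client. This is an added example, not Avi Load Balancer code: the `LdapProfile` field names, the filter layout and the example.com directory are assumptions for illustration.

```python
from dataclasses import dataclass

# RFC 4515 characters that must be escaped inside a filter assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value so it cannot alter the filter structure."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass
class LdapProfile:  # hypothetical stand-in for the profile's search settings
    base_dn: str
    user_search_dn: str
    user_id_attr: str
    group_search_dn: str
    group_member_attr: str


def build_search(profile: LdapProfile, test: str, username: str = "", user_dn: str = "") -> dict:
    """Return base/scope/filter for one of the three verification tests."""
    if test == "user_entry":
        # An empty username matches every entry that carries the user id attribute.
        value = escape_filter_value(username) if username else "*"
        return {"base": profile.user_search_dn, "scope": "sub",
                "filter": f"({profile.user_id_attr}={value})"}
    if test == "group_membership":
        # Groups are matched on the user's DN; an empty DN lists all groups.
        value = escape_filter_value(user_dn) if user_dn else "*"
        return {"base": profile.group_search_dn, "scope": "sub",
                "filter": f"({profile.group_member_attr}={value})"}
    if test == "base_dn":
        return {"base": profile.base_dn, "scope": "sub", "filter": "(objectClass=*)"}
    raise ValueError(f"unknown test: {test}")


# Constructed sample profile (the example.com directory layout is invented).
PROFILE = LdapProfile("dc=example,dc=com", "ou=people,dc=example,dc=com", "uid",
                      "ou=groups,dc=example,dc=com", "member")

if __name__ == "__main__":
    for args in (("user_entry", "jdoe"), ("user_entry", ""), ("user_entry", "doe(ops)*"),
                 ("group_membership", "", "uid=jdoe,ou=people,dc=example,dc=com"), ("base_dn",)):
        print(args[0], build_search(PROFILE, *args))
```

The empty-username case produces a wildcard filter, which is why that test returns every record the bind account is permitted to read.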