If you’re having trouble configuring your LDAP connection, this section might help troubleshoot a few common issues.

I’m not able to preview my connection

If you’re not able to preview your groups and users, in many cases this is due to a connection problem between your LDAP server and SaltStack Config, or an invalid entry in the LDAP configuration form. Try the following:

  1. Ensure that TCP connections from SaltStack Config to the selected port on the LDAP server are allowed.
  2. Double-check your form entries and validate syntax using a third-party tool. See How to verify and troubleshoot a Directory Service connection.
  3. If neither of the previous items helps resolve the issue, see Other issues.
  4. If none of the above items helps, contact SaltStack Support.

When trying to preview my connection, the page gets stuck loading

If the page gets stuck loading for over two minutes, restart the RaaS service, then delete and re-create the configuration, following these steps:

  1. Open the RaaS log.
    tail -f /var/log/raas/raas

    The log contains an error similar to the following:

    [ERROR    :256][ForkPoolWorker-2:10253][ldap_preview_background_task(some_uuid)]
    Task ldap_preview_background_task[some_uuid] raised unexpected: KeyError('ad-1_preview')
  2. Stop and then restart the RaaS service.
    systemctl stop raas
    systemctl start raas
  3. Return to the SaltStack Config user interface and delete the LDAP connection.
    Note:

    You might want to copy and paste your configuration entries into a backup text file before deleting.

  4. Create the LDAP configuration again.

Other issues

If you’ve already configured and saved your LDAP connection but users aren’t able to log in, or if you are encountering any other issues, check the raas logs with extended debugging enabled to help determine the root cause.

To enable extended debugging:

  1. On RaaS, open /etc/raas/raas.
  2. Make the following changes:
    • Under Logging options, uncomment log_file_loglevel: debug
    • Under AD/LDAP driver configuration, uncomment log_level and set to log_level: EXTENDED
  3. Stop and then restart the RaaS service.
    systemctl stop raas
    systemctl start raas
  4. View the raas log. For descriptions of some common error messages, see Common error messages.
    tail -f /var/log/raas/raas

Common error messages

Some common errors you might see in the logs are as follows:

  • Wrong settings for connection (SSL). Adjust your SSL settings.
    [raas.utils.validation.schemas.settings][DEBUG   :546 ][Webserver:9096]
    Error while connecting to AD/LDAP Server. SSL connection issues: socket
    ssl wrapping error: [Errno 104] Connection reset by peer
  • Wrong password for Admin BIND DN. Verify and re-enter your password.
    [raas.utils.rpc   ][DEBUG   :284 ][Webserver:9095]
    Processed RPC request(129360670417695). Response:
    {'riq': 129360670417695, 'ret': None, 'error': {'code': 3004, 'message':
    'Request validation failure.', 'detail': {'_schema':
    ['Credentials are not valid']}}, 'warnings': []}
  • The prefilled default Auth Bind DN Filter is creating a conflict. Leave the field blank, or use {username} instead of {{username}}.
    Note:

    You might encounter this error when you’ve already saved your LDAP connection, but users aren’t able to log in.

    [var.tmp._MEIBCyG76.raas.mods.auth.ldap][DEBUG   :903 ][Webserver:9096]
    Running _get_auth_backend_user with this search_filter: (&(objectclass=person)(sAMAccountName={username}))
    
    [var.tmp._MEIBCyG76.raas.mods.auth.ldap][DEBUG   :931 ][Webserver:9096]
    Could not find any user using '(&(objectclass=person)(sAMAccountName={username}))'
    as the search filter in the ldap backend under the ad-1 configuration.
    Trying remote_uid 'None'
    
    [var.tmp._MEIBCyG76.raas.mods.auth.ldap][DEBUG   :963 ][Webserver:9096]
    Could not find any user using '(&(objectClass=person)(objectGUID=None))'
    as the search filter in the ldap backend under the ad-1 configuration.
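
A small triage script for the messages listed above, as an added example that is not part of SaltStack Config or its documentation: it joins wrapped log lines into complete records and maps each known message to the fix this page gives. The sample log is constructed from the excerpts on this page, and the assumption that every record carries a [LEVEL :line] header is taken from those excerpts.

```python
import re

# Assumption from this page's excerpts: a record header carries "[LEVEL :lineno]".
HEADER = re.compile(r"\[(?:DEBUG|INFO|WARNING|ERROR|CRITICAL)\s*:\d+\s*\]")

# Message fragments taken from this page's excerpts, paired with its advice.
SIGNATURES = [
    ("ssl", r"SSL connection issues", "Adjust your SSL settings."),
    ("bind_password", r"Credentials are not valid", "Re-enter the Admin BIND DN password."),
    ("bind_dn_filter", r"Could not find any user using",
     "Leave Auth Bind DN Filter blank, or use {username}."),
    ("preview_task", r"ldap_preview_background_task.*KeyError",
     "Restart raas, then delete and re-create the LDAP connection."),
]

# Constructed sample: excerpts from this page, wrapped the way the page wraps them.
SAMPLE = """\
[raas.utils.rpc   ][DEBUG   :284 ][Webserver:9095]
Processed RPC request(129360670417695). Response:
{'riq': 129360670417695, 'ret': None, 'error': {'code': 3004, 'message':
'Request validation failure.', 'detail': {'_schema':
['Credentials are not valid']}}, 'warnings': []}
[raas.utils.validation.schemas.settings][DEBUG   :546 ][Webserver:9096]
Error while connecting to AD/LDAP Server. SSL connection issues: socket
ssl wrapping error: [Errno 104] Connection reset by peer
"""

def records(lines):
    """Join wrapped lines so each yielded string is one complete log record."""
    current = []
    for line in (raw.strip() for raw in lines):
        if HEADER.search(line) and current:
            yield " ".join(current)
            current = []
        if line:
            current.append(line)
    if current:
        yield " ".join(current)

def triage(lines):
    """Count records per known signature; returns {key: (count, advice)}."""
    found = {}
    for record in records(lines):
        for key, pattern, advice in SIGNATURES:
            if re.search(pattern, record):
                found[key] = (found.get(key, (0, advice))[0] + 1, advice)
    return found

if __name__ == "__main__":
    print(triage(SAMPLE.splitlines()))
```

To check a live system, enable extended debugging as described above and pass the lines of /var/log/raas/raas to triage().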