1. Introduction
In my last article about authentication repositories I explained how to create an LDAPS repository and how to troubleshoot it. This post is a complement to that one: here we take the troubleshooting a step further and enable the lower-level trace so that we can see more details about the authentication process.
2. Enabling Trace File
To enable the lower-level trace, open the file trace.ini located in the folder C:\Whale-Com\e-Gap\common\conf, go to the end of the file and add the two lines below:
[Trace\UserMgrUtil]
*=xheavy
It is very important to remember that this should be used only for troubleshooting purposes: the xheavy level is very CPU intensive, and it also writes detailed authentication data (user names, repository settings, server addresses) to the log files on disk. Remove the section from trace.ini as soon as the troubleshooting is finished, and protect or delete the resulting log files.
3. Using the User Manager Tool
The User Manager utility is a tool that validates a repository and tells you whether it is functional. The advantage of using it is that you can verify that the repository works before putting it into production. Now that we have the repository and the trace is enabled, we can run the test and see what result we get. Follow the steps below:
1) Open a command prompt and run the sequence below, where LDAPS is the name of the repository being validated (the utility prompts for the credentials and masks the password):
C:\>Cd Whale-Com\e-Gap\utils\UserMgr
C:\Whale-Com\e-Gap\utils\UserMgr>UserMgrUtil.exe -v LDAPS
User:administrator
Password:********
Domain (Not Mandatory):contoso.com
ParamName (Not Mandatory):
EnableChangePassword(0|1) (Not Mandatory):
Success
As you can see, the result of this test was Success. You can get more detailed information about the result by reading the log file, which will be located in the folder C:\Whale-Com\e-Gap\logs. The file name should look like this:
SERVERNAME.UserMgrUtil.default.DATE-TIME.log
The log shows verbose information because we raised the level to xheavy in trace.ini. The first part shows the repository configuration as the Configuration Manager service read it:
** 16.06.08 03:58:42.312 CONFIGMGR_SERVICE:GENERAL T2240
Read the repository [[CLdapRepositoryInfo:
repository_base_type = [LDAP]
auth_type = [1]
gui_auth_type = [1]
default_domain = [contoso.com]
repository_type = [Active Directory]
address = [dallas.contoso.com]
groups_repository = [LDAPS]
ip = [dallas.contoso.com]
base = [CN=Users,DC=contoso,DC=com]
port = [636]
search_sub_tree = [0]
use_ssl = [1]
user = [administrator]
domain = [contoso.com]
alternate_ip = []
alternate_port = [0]
alternate_use_ssl = [0]
nested_groups_num = [0]]].
* at line 1268, file "src/RepositoryContainer.cpp".
The second part shows the steps of the test performed by the User Manager utility:
** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240
Read [GetDistributionList] [0]
* at line 2110, file "src/Ldap.cpp".
** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240
Init connection to ip [10.1.1.6] port [636].
* at line 1752, file "src/Ldap.cpp".
** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240
Use [dallas.contoso.com] instead of [10.1.1.6].
* at line 1762, file "src/Ldap.cpp".
** 16.06.08 03:58:42.512 USERMGR_SERVICE:GENERAL T2240
The repository ssl option is [1].
* at line 1796, file "src/Ldap.cpp".
** 16.06.08 03:58:54.920 USERMGR_SERVICE:GENERAL T2240
Authenticate the user [administrator] domain [contoso] in the ldap server [10.1.1.6] port [636] dn [CN=Users,DC=contoso,DC=com] type [Active Directory]
* at line 320, file "src/Ldap.cpp".
** 16.06.08 03:58:54.920 USERMGR_SERVICE:GENERAL T2240
Connect user [administrator] domain [contoso].
* at line 2178, file "src/Ldap.cpp".
** 16.06.08 03:58:54.920 USERMGR_SERVICE:GENERAL T2240
Connect with bind auth negotiate.
* at line 2209, file "src/Ldap.cpp".
** 16.06.08 03:58:54.940 USERMGR_SERVICE:GENERAL T2240
Connect success
* at line 2255, file "src/Ldap.cpp".
Notice that the connection is initiated towards the IP address but the FQDN is then used instead (Use [dallas.contoso.com] instead of [10.1.1.6]). This matters for LDAPS because the name used for the connection has to match the name on the domain controller's server certificate. With the SSL option on, the utility then binds to the directory (bind auth negotiate) with the credentials provided during the test and reports Connect success. If the test fails, the last USERMGR_SERVICE entry before the failure tells you which of these steps (connection, SSL setup or bind) did not complete.
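Reading these entries by hand works for one test, but when the log is long it helps to have the flow summarized automatically. The script below is an added example (not code from the original article or from IAG/e-Gap): it parses the trace format shown above (a header line with timestamp, component and thread, message lines, and a footer with the source location), pulls the repository settings out of the CLdapRepositoryInfo dump, reconstructs the connection steps with the end-to-end time, and runs a few sanity checks. The entry layout and the message wordings it matches are assumed only from the lines quoted in this post; the sample log embedded in it is the post's own trace, abridged.

```python
"""Parse a UserMgrUtil trace log and summarize the LDAPS repository test.
Added example, not code from the article or from IAG/e-Gap. Entry layout
and message wordings are assumed from the trace quoted in the article."""
import re
from datetime import datetime

HEADER_RE = re.compile(r"^\*\* (\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d\.\d+) (\S+) (T\d+)$")
FOOTER_RE = re.compile(r'^\* at line (\d+), file "([^"]+)"\.$')
KV_RE = re.compile(r"^(\w+) = \[([^\]]*)\]")  # config dump lines: key = [value]
MSG_RE = {
    "target": re.compile(r"Init connection to ip \[([^\]]+)\] port \[(\d+)\]"),
    "name_used": re.compile(r"Use \[([^\]]+)\] instead of \[([^\]]+)\]"),
    "ssl": re.compile(r"repository ssl option is \[(\d)\]"),
    "bind": re.compile(r"Connect with bind auth (\w+)"),
}

# Constructed sample: the article's trace, abridged to the entries used below.
SAMPLE_LOG = """\
** 16.06.08 03:58:42.312 CONFIGMGR_SERVICE:GENERAL T2240
Read the repository [[CLdapRepositoryInfo:
ip = [dallas.contoso.com]
base = [CN=Users,DC=contoso,DC=com]
port = [636]
search_sub_tree = [0]
use_ssl = [1]
nested_groups_num = [0]]].
* at line 1268, file "src/RepositoryContainer.cpp".
** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240
Init connection to ip [10.1.1.6] port [636].
* at line 1752, file "src/Ldap.cpp".
** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240
Use [dallas.contoso.com] instead of [10.1.1.6].
* at line 1762, file "src/Ldap.cpp".
** 16.06.08 03:58:42.512 USERMGR_SERVICE:GENERAL T2240
The repository ssl option is [1].
* at line 1796, file "src/Ldap.cpp".
** 16.06.08 03:58:54.920 USERMGR_SERVICE:GENERAL T2240
Connect with bind auth negotiate.
* at line 2209, file "src/Ldap.cpp".
** 16.06.08 03:58:54.940 USERMGR_SERVICE:GENERAL T2240
Connect success
* at line 2255, file "src/Ldap.cpp".
"""


def parse_trace(text):
    """Split the log into entries: header fields, message lines, source location."""
    entries, cur = [], None
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            cur = {"time": datetime.strptime(m.group(1), "%d.%m.%y %H:%M:%S.%f"),
                   "component": m.group(2), "thread": m.group(3), "lines": []}
            entries.append(cur)
        elif cur is not None and (m := FOOTER_RE.match(line)):
            cur["src"] = (m.group(2), int(m.group(1)))  # (file, line) that wrote the entry
            cur = None
        elif cur is not None:
            cur["lines"].append(line)
    return entries


def repository_config(entries):
    """Key/value pairs from the CLdapRepositoryInfo dump written by CONFIGMGR."""
    cfg = {}
    for e in entries:
        if any("CLdapRepositoryInfo" in l for l in e["lines"]):
            cfg.update(m.groups() for l in e["lines"] if (m := KV_RE.match(l)))
    return cfg


def summarize_connection(entries):
    """Reconstruct the USERMGR connection steps and time them end to end."""
    s = {"target": None, "port": None, "name_used": None, "ssl": None,
         "bind": None, "outcome": "no result", "elapsed_ms": None}
    um = [e for e in entries if e["component"].startswith("USERMGR")]
    for e in um:
        msg = " ".join(e["lines"])
        if m := MSG_RE["target"].search(msg):
            s["target"], s["port"] = m.group(1), int(m.group(2))
        elif m := MSG_RE["name_used"].search(msg):
            s["name_used"] = m.group(1)  # FQDN substituted for the IP before the TLS handshake
        elif m := MSG_RE["ssl"].search(msg):
            s["ssl"] = m.group(1) == "1"
        elif m := MSG_RE["bind"].search(msg):
            s["bind"] = m.group(1)
        elif msg.strip() == "Connect success":
            s["outcome"] = "success"
    if um:
        d = um[-1]["time"] - um[0]["time"]
        s["elapsed_ms"] = d.days * 86400000 + d.seconds * 1000 + d.microseconds // 1000
    return s


def check_repository(cfg, summary):
    """Sanity checks on the dump before the repository goes into production."""
    warnings = []
    if cfg.get("use_ssl") == "0":
        warnings.append("use_ssl=0: the bind is not protected by TLS")
    if cfg.get("search_sub_tree") == "0":  # assumed meaning: search is not recursive
        warnings.append("search_sub_tree=0: users in containers below the base DN will not be found")
    if summary["outcome"] != "success":
        warnings.append("no 'Connect success' entry; read the last USERMGR entry in the log")
    return warnings


if __name__ == "__main__":
    ents = parse_trace(SAMPLE_LOG)
    summ = summarize_connection(ents)
    print(summ, check_repository(repository_config(ents), summ))
```

Run against the real file with parse_trace(open(path).read()) instead of SAMPLE_LOG. For the post's trace the summary reports the FQDN substitution, SSL on, a negotiate bind, Connect success and about 12.5 seconds end to end; the only warning is the search_sub_tree one, which is worth knowing because with base = CN=Users a user created in another OU would fail the same test.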
4. Reference
You can download the IAG User Guide and read chapter 10 for more details on general troubleshooting and on the tools that can help you with it.