
KB18579: Steps to take to troubleshoot LDAP integration - connectivity and initial authentication from the MicroStrategy Intelligence Server


Community Admin

• Strategy



Users interested in setting up the Strategy Intelligence Server 9.x-10.x to authenticate users against an LDAP server should refer to the information provided in the following Strategy Knowledge Base technical notes:

  • KB18562: Understanding LDAP integration with the MicroStrategy Intelligence Server 9.x and newer 
  • KB18506: Importing and linking users using LDAP integration with the MicroStrategy Intelligence Server 8.1.x and 9.x

These technical notes can help users understand the various configuration options available for the Strategy Intelligence Server 9.x-10.x and the setup necessary for successful integration with an LDAP server.
 
LDAP integration issues within Strategy Intelligence Server 9.x-10.x typically fall into one of the following categories:

  1. Intelligence Server connectivity and initial authentication with the LDAP server.
  2. User login authentication failure.
  3. Functionality problems or questions regarding the importing of users and groups, or the synchronization of LDAP users, within the Strategy Intelligence Server 9.x metadata.

This technical note explains the details of the LDAP integration initialization as carried out by the Strategy Intelligence Server 9.x-10.x. Users may be able to use this information to troubleshoot the initial Strategy Intelligence Server connectivity and initial authentication against the LDAP server.
 
Connectivity and Initial Authentication related issues:
As far as LDAP integration is concerned, the Strategy Intelligence Server 9.x is a client of the Directory Server. To connect to the Directory Server, however, Strategy Intelligence Server 9.x-10.x uses third-party client libraries. The client libraries are certified for use with the Strategy Intelligence Server by operating system platform. For details on the platform-specific configuration necessary, refer to the applicable Strategy Knowledge Base technical note below:
 

  • KB13041: How to configure LDAP connectivity using SSL authentication with MicroStrategy Intelligence Server 9.x on Windows Operating Systems
  • KB12067: How to configure LDAP connectivity using Clear text (using OpenLDAP) or SSL (using OpenSSL) for MicroStrategy Intelligence Server 9.x on Linux.
  • KB12045: How to configure LDAP connectivity using Cleartext or SSL using the Tivoli Directory Client Libraries and GSKit 7 for Intelligence Server 9.x on AIX operating systems.
  • KB12920: How to configure LDAP connectivity using Cleartext or SSL for MicroStrategy Intelligence Server Universal 9.x on HP-UX

 
Some things to note:

  1. For Unix/Linux platforms, the 64-bit versions of the libraries are required (since the Strategy Intelligence Server process is 64-bit). The libraries should also be for the appropriate CPU architecture (e.g. SPARC for Solaris).
  2. Also for Unix/Linux platforms, it may be necessary to specify the path to the client libraries in the LDAP.sh file. If this path is incorrect, the libraries may not be loaded by the Strategy Intelligence Server process.

 
Sample errors:
 
If the Strategy Intelligence Server is unable to load the dynamic library specified in its configuration, it will display the following error:
 



An error occured during authentication. Please contact your administrator: the required LDAP components could not be found or are not LDAP v3 compliant.

 
On Strategy Intelligence Server startup, or when the Strategy Intelligence Server LDAP configuration is changed, the Strategy Intelligence Server will attempt to make a connection to the specified LDAP Server host and will then attempt to bind (authenticate) itself as the "Authentication User" specified in the Intelligence Server LDAP configuration.
 
If the authentication user is invalid, or the credentials for the user as provided in the Strategy Intelligence Server configuration are incorrect, users may see the following error in the DSSErrors log:
 

2008-05-27 12:56:56.557-05:00 An error occured during authentication. Please contact your administrator: the LDAP authentication user is invalid.

 
Another possibility is that incorrect LDAP server information may have been entered in the Strategy Intelligence Server configuration. In this case, errors similar to the following may be seen in the Authentication Server Trace logs:

2008-05-27 17:47:39.041-05:00 LDAP authentication trace: user 'CN=hector1,OU=businessunit1,OU=test,dc=ads2003-labs,dc=Strategy,dc=com' failed in bind to LDAP server 'ads2003-labs.Strategy.com' on port '389'.
2008-05-27 17:47:42.338-05:00 Login using LDAP with LDAP User='hector1'
2008-05-27 17:47:42.369-05:00 LDAP authentication trace: user 'CN=hector1,OU=businessunit1,OU=test,dc=ads2003-labs,dc=Strategy,dc=com' failed in bind to LDAP server 'ads2003-labs.Strategy.com' on port '389'.


An error message may also be seen when attempting an SSL connection if no valid LDAP server certificate can be found, or if an incorrect location is specified for the LDAP server certificate file.



2008-05-27 17:59:20.713-05:00 An error occured during authentication. Please contact your administrator: LDAP Server error (81): Server Down.

 
If the user turns on the Authentication Server > Trace logs, the following entries may be seen on successful initial authentication by the Strategy Intelligence Server:
 

2008-05-27 13:12:47.838-05:00 Initialize Authentication
2008-05-27 13:12:47.900-05:00 LDAP authentication trace: The attribute, 'MSTRUserGUID', is not existed in this LDAP server
2008-05-27 13:12:47.932-05:00 LDAP authentication trace: The attribute, 'MSTRImport', is not existed in this LDAP server
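
The sample messages above can be triaged automatically. The following is an added example, not Strategy's own tooling: it matches the log lines quoted in this note against the failure categories the note describes and collapses repeated bind failures per server and port. The category names and the check text are assumptions chosen for illustration.

```python
import re
from collections import Counter
TS = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}[+-]\d\d:\d\d) (.*)$")

# Ordered rules: (pattern on the message, category, what the article says to check).
RULES = [
    (r"required LDAP components could not be found",
     "library_load", "client library bitness/architecture and the path in LDAP.sh"),
    (r"LDAP authentication user is invalid",
     "auth_user_invalid", "authentication user DN string and password"),
    (r"LDAP Server error \(81\): Server Down",
     "server_down", "LDAP server certificate file and its configured location"),
    (r"user '(?P<dn>[^']+)' failed in bind to LDAP server '(?P<host>[^']+)' "
     r"on port '(?P<port>\d+)'",
     "bind_failed", "LDAP server host and port entered in the configuration"),
    (r"The attribute, '(?P<attr>[^']+)', is not existed",
     "attr_absent", "nothing: listed among the entries seen on success"),
]

def classify(line):
    """Return (timestamp, category, check, fields), or None if unrecognised."""
    m = TS.match(line.strip())
    ts, msg = m.groups() if m else (None, line)
    for pattern, category, check in RULES:
        hit = re.search(pattern, msg)
        if hit:
            return ts, category, check, hit.groupdict()
    return None

def triage(lines):
    """Count failures per (category, host, port); repeated binds share one key."""
    counts = Counter()
    for rec in filter(None, map(classify, lines)):
        if rec[1] != "attr_absent":
            counts[(rec[1], rec[3].get("host"), rec[3].get("port"))] += 1
    return counts

SAMPLE = [  # log lines quoted in the article
    "2008-05-27 12:56:56.557-05:00 An error occured during authentication. Please contact your administrator: the LDAP authentication user is invalid.",
    "2008-05-27 17:47:39.041-05:00 LDAP authentication trace: user 'CN=hector1,OU=businessunit1,OU=test,dc=ads2003-labs,dc=Strategy,dc=com' failed in bind to LDAP server 'ads2003-labs.Strategy.com' on port '389'.",
    "2008-05-27 17:47:42.338-05:00 Login using LDAP with LDAP User='hector1'",
    "2008-05-27 17:47:42.369-05:00 LDAP authentication trace: user 'CN=hector1,OU=businessunit1,OU=test,dc=ads2003-labs,dc=Strategy,dc=com' failed in bind to LDAP server 'ads2003-labs.Strategy.com' on port '389'.",
    "2008-05-27 17:59:20.713-05:00 An error occured during authentication. Please contact your administrator: LDAP Server error (81): Server Down.",
    "2008-05-27 13:12:47.900-05:00 LDAP authentication trace: The attribute, 'MSTRUserGUID', is not existed in this LDAP server",
]

if __name__ == "__main__":
    for key, n in triage(SAMPLE).items():
        print(n, key)
```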

 
Follow the steps below when testing the initial setup and configuration of the Strategy Intelligence Server for LDAP integration:
 

  1. Initially, wherever possible, try authenticating using the 'Clear Text' method for contacting the LDAP server. Check whether the authentication user can log in as an LDAP user.
    1. Verify that the authentication user DN string is correct.
    2. Verify that the password for the authentication user is correct.
  2. Users should attempt to verify the authentication user credentials using any third-party tool on the same machine as the Intelligence Server. This will also identify any possible network connectivity issues between the machine and the LDAP server. If initial authentication continues to fail, the likely cause of the issue would be the failure by the Strategy Intelligence Server to load the client libraries. Users should verify that the correct setup has been performed as explained above and contact Strategy Technical Support for assistance.

  3. If 'Clear text' authentication is successful against the LDAP server but authentication fails when using 'SSL' for the connection, the most likely causes of this behaviour are:
    1. LDAP over SSL may not be enabled on the LDAP server, or may be enabled on a port other than the default one (port 636).
    2. The LDAP client libraries being used do not support LDAP over SSL. This is not an issue for the supported client libraries.
    3. The server certificate for the LDAP server may not have a valid Certificate Authority (CA), or the CA used to sign the SSL certificates is not a trusted root.
    4. The certificate may not be available on the Strategy Intelligence Server machine in the path specified in the Intelligence Server configuration.
  4. For certificate-related issues, the specific setup required depends on the client libraries being used by the Strategy Intelligence Server. This in turn is specific to the OS platform in use. Users should refer to the platform-specific technical notes mentioned above for setup information.
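
The SSL causes listed in step 3 can be told apart from the Intelligence Server machine with a short check. This is an added example, not part of the original note or of Strategy's tooling: it uses only the Python standard library, tests the TLS layer only (no LDAP bind is sent, so step 2 still needs an LDAP client), and the function name, status strings, host and CA path are assumptions.

```python
import os
import socket
import ssl

def check_ldaps(host, port=636, ca_file=None, timeout=5.0):
    """Return (status, detail) for one LDAPS connection attempt.

    Only the TLS layer is exercised; no LDAP bind is sent.
    """
    if ca_file is not None and not os.path.isfile(ca_file):
        return "ca_file_missing", ca_file        # certificate not at the configured path
    try:
        # With cafile set, only that file is trusted; system roots are not loaded.
        ctx = ssl.create_default_context(cafile=ca_file)
    except OSError as exc:                       # includes ssl.SSLError for a bad PEM file
        return "ca_file_unreadable", str(exc)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "connect_failed", str(exc)        # nothing reachable on this port
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", tls.version()
    except ssl.SSLCertVerificationError as exc:
        # Signing CA not trusted, certificate expired, or host name mismatch.
        return "cert_untrusted", exc.verify_message
    except OSError as exc:
        return "tls_handshake_failed", str(exc)  # port open but not completing TLS
    finally:
        raw.close()

if __name__ == "__main__":
    # Placeholder host and CA path; substitute the values from the LDAP configuration.
    print(check_ldaps("ldap.example.com", 636, "/path/to/ca.pem"))
```

A `connect_failed` result points at cause 1, `cert_untrusted` at cause 3, and `ca_file_missing` at cause 4.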

Published: April 26, 2017

Last Updated: April 27, 2021