Troubleshooting LDAPS connection

Condition

LDAP connection failure.

Cause

Configuring the MDM server with LDAP credentials is optional. If you enter wrong values, or values in an incorrect format, the WebUI reports them as “invalid”; the Fixlet actions nevertheless complete successfully, which can leave the server with a configuration that fails to connect.

Solution

Using the command-line utility BESmdmldaputil, you can validate LDAP parameters, email, and user authentication to troubleshoot your LDAP connection issues.
Note: If you change LDAP parameters in the .env file, you must restart idservice for the changes to take effect.
To validate LDAP parameters, run the following command from the MDM server:
docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil <options>
where the options include the following:
-a : Authenticate user
-c : Clear cache
-e : Validate email 
-f : Get all AD/AAD groups
-g : Get group list
-h : Help Content
-l : List cache names
-p : Get attribute list
-u : Get user configuration
-v : Validate .env variables, values, and AD/Azure AD connectivity
The following are some examples of how to use the options:
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -h 
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -v 
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -e user@example.com
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -a username:password 
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -e user@example.com -a username:password
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -c groupNames
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -l 
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -f
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -p
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -u user@example.com
 docker exec -it idservice /opt/bigfix/bin/BESmdmldaputil -g  
  • This utility validates the LDAP parameters that were provided through the WebUI Identity Service Configuration, as shown in the following image (LDAPS Debug).
  • The following is an example of the validation messages when you use the option -v to validate the LDAP .env arguments.
  • The following is an example of the validation messages when you use the option -a to authenticate a specific user.
  • You can also combine more than one option to get the desired result. The following image shows the result for the options -e and -a for the values provided.
  • The following is an example of clearing the cache with the option -c.
  • The following is an example of listing cache names with the option -l.
  • The following is an example of listing all group names with the option -f.
  • The following is an example of listing attribute names with the option -p.
  • The following is an example of getting the user configuration with the option -u.
  • The following is an example of getting group names with the option -g.
With this, you can understand if the configured connection is working, and if not, what specifically to look for.
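Because the Fixlet accepts malformed LDAP values without failing, it helps to check the .env file for format mistakes before restarting idservice and running BESmdmldaputil -v. The script below is an added example and is not part of BigFix or the BESmdmldaputil utility; the variable names LDAP_URL, LDAP_BIND_DN, LDAP_BASE_DN and LDAP_BIND_PASSWORD are hypothetical placeholders, so substitute the keys your idservice .env file actually uses. It parses a constructed .env sample, flags a plaintext ldap:// URL, an empty bind password and a base DN written as a domain name instead of a DN, and offers an optional TLS probe of the directory server's port 636.

```python
"""Sanity-check LDAP settings in a .env file before restarting idservice.

Added example, not BigFix code. The keys below (LDAP_URL, LDAP_BIND_DN,
LDAP_BASE_DN, LDAP_BIND_PASSWORD) are hypothetical placeholders.
"""
import re
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample .env content with three deliberate mistakes:
# plaintext ldap://, a base DN written as a DNS name, and an empty password.
SAMPLE_ENV = """
# identity service LDAP settings (constructed sample)
LDAP_URL=ldap://dc01.corp.example.com
LDAP_BIND_DN=CN=svc-mdm,OU=Service Accounts,DC=corp,DC=example,DC=com
LDAP_BASE_DN=corp.example.com
LDAP_BIND_PASSWORD=
"""

# A DN is a comma-separated list of attribute=value pairs, e.g. CN=x,DC=y.
DN_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*=[^,]+)(,[A-Za-z][A-Za-z0-9-]*=[^,]+)*$")


def parse_env(text):
    """Parse KEY=VALUE lines; skip blanks and comments; strip surrounding quotes."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip('"').strip("'")
    return env


def check_url(url):
    """Return findings for the directory URL (scheme, host, port)."""
    findings = []
    parts = urlsplit(url)
    if parts.scheme not in ("ldap", "ldaps"):
        return [f"LDAP_URL scheme must be ldap or ldaps, got '{parts.scheme}'"]
    if parts.scheme == "ldap":
        findings.append("LDAP_URL uses plaintext ldap://; use ldaps:// (port 636) for LDAPS")
    if not parts.hostname:
        findings.append("LDAP_URL has no host")
    try:
        port = parts.port
    except ValueError:
        findings.append("LDAP_URL has a non-numeric port")
        port = None
    if parts.scheme == "ldaps" and port not in (None, 636):
        findings.append(f"LDAP_URL port {port} is unusual for ldaps (expected 636)")
    return findings


def check_dn(name, value):
    """Return findings for a DN-valued setting."""
    if not value:
        return [f"{name} is empty"]
    if not DN_RE.match(value):
        return [f"{name} is not a valid DN (expected RDN=value,... form): '{value}'"]
    return []


def validate_ldap_env(text):
    """Run all format checks over .env text and return a list of findings."""
    env = parse_env(text)
    findings = []
    findings += check_url(env.get("LDAP_URL", ""))
    findings += check_dn("LDAP_BIND_DN", env.get("LDAP_BIND_DN", ""))
    findings += check_dn("LDAP_BASE_DN", env.get("LDAP_BASE_DN", ""))
    if not env.get("LDAP_BIND_PASSWORD"):
        findings.append("LDAP_BIND_PASSWORD is empty")
    return findings


def probe_ldaps(host, port=636, timeout=5):
    """Attempt a TLS handshake with the directory server using the system
    trust store. Returns ("ok", certificate subject) or ("error", message).
    Network-dependent; the offline checks above do not call it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return ("ok", tls.getpeercert().get("subject"))
    except (OSError, ssl.SSLError) as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    for finding in validate_ldap_env(SAMPLE_ENV):
        print("-", finding)
```

Run it against the real file with `validate_ldap_env(open("/path/to/.env").read())`; an empty list means the values are at least well-formed, after which BESmdmldaputil -v checks the actual directory connectivity. A failed probe_ldaps handshake with a certificate verification error points at a missing CA certificate on the MDM server rather than at the LDAP settings.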