Troubleshoot LDAP Authentication

For information about configuring LDAP authentication, see Configuring Authentication. For information about managing Loftware Enterprise SP users, see Controlling Access in Loftware Enterprise SP.

Tip: By default, LDAP communication between a client application and a server application is not encrypted. However, you can secure LDAP communication by using LDAP over SSL (LDAPS). To use LDAPS with Loftware Enterprise SP, obtain a copy of your SSL certificate from your LDAP server and import the certificate into the Java certificate keystore on the Loftware Application Server. The certificate must be configured for your environment; LDAPS does not function with the Loftware Enterprise SP self-signed certificate. To locate the Java certificate keystore, open the server.xml file in <LOFTWARE_HOME>/product/conf and find the "keystoreFile" keyword. Use the Java "keytool" utility to add the certificate to this keystore file. For more information, see Importing the LDAP Server's Certificate. StartTLS and Simple Authentication and Security Layer (SASL) are not supported.

Symptom Resolution

Users are unable to sign in to Loftware Enterprise SP.

If authentication has failed unexpectedly, one of the following approaches may resolve the issue:

  • Ensure that the user has an account configured in Loftware Enterprise SP with the same user name.
  • If you are using auto-provisioning, ensure you have completed all the fields required for your LDAP service (even if not indicated as required by Loftware Enterprise SP). For more information, see User Interface: LDAP Authentication.
  • If a base distinguished name (DN) is included in the Provider URL, ensure that the URL does not end with a slash.
  • Ensure that the correct port is included in the Provider URL. The default port for LDAP over SSL (LDAPS) is 636. The default port for LDAP is 389.
  • Review the Provider URL and the Search Base to ensure that the resulting search base is as intended. You can specify a Search Base in the Search Base field, as part of the Provider URL, or both. If both, they are concatenated with the portion in the Search Base field first.
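
A pre-flight check for the Provider URL rules in the list above, written as an added example (it is not Loftware code). The function name, the example.com host and DNs in the usage comment, and the comma used to join the Search Base field to the base DN in the URL are assumptions.

```python
from urllib.parse import urlsplit, unquote

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}  # defaults stated on this page


def check_provider_url(provider_url, search_base_field=""):
    """Return (effective_search_base, warnings) for an LDAP Provider URL."""
    warnings = []
    parts = urlsplit(provider_url.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        return None, [f"unsupported scheme {parts.scheme!r}; expected ldap or ldaps"]
    if not parts.hostname:
        return None, ["no host in Provider URL"]
    try:
        port = parts.port
    except ValueError:
        return None, ["port is not a valid number"]

    other = "ldaps" if scheme == "ldap" else "ldap"
    if port is None:
        warnings.append(f"no port given; default for {scheme} is {DEFAULT_PORTS[scheme]}")
    elif port == DEFAULT_PORTS[other]:
        warnings.append(f"port {port} is the {other} default but the scheme is {scheme}")
    if scheme == "ldap":
        warnings.append("ldap:// traffic is not encrypted; LDAPS needs the server certificate imported")

    # The base DN is the URL path without its leading slash.
    url_dn = unquote(parts.path[1:]) if parts.path.startswith("/") else ""
    if url_dn.endswith("/"):
        warnings.append("Provider URL with a base DN must not end with a slash")
        url_dn = url_dn.rstrip("/")

    # Search Base field comes first, then the URL's base DN (comma join is assumed).
    field = search_base_field.strip().strip(",")
    effective = ",".join(p for p in (field, url_dn) if p)
    if field and url_dn and field.lower().endswith(url_dn.lower()):
        warnings.append("Search Base field already ends with the URL base DN; the suffix is duplicated")
    return effective, warnings


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    base, notes = check_provider_url("ldaps://ldap.example.com:389/dc=example,dc=com/", "ou=Users")
    print(base)
    for note in notes:
        print("warning:", note)
```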

If a "Security service not available" message is displayed to users, see Troubleshoot General Issues.

If your Loftware Enterprise SP environment is configured to support single sign-on (SSO) using Integrated Windows authentication, ensure that users' web browsers are configured to support the Kerberos version 5 protocol.

After configuring single sign-on, errors appear in the log file.

If errors such as "java.lang.IllegalStateException: Cannot unload the page file when it is not loaded" appear in the Loftware Enterprise SP log file after configuring single sign-on (SSO) using Integrated Windows authentication, do the following:

  1. Stop the Loftware Spectrum service.
  2. Delete the following file from the Loftware Application Server:

    <LOFTWARE_HOME>\product\jms-data\db-1.log

  3. Restart the Loftware Spectrum service.