1. Introduction

 

In my last article about authentication repositories I explained how to create an LDAPS repository and how to troubleshoot it. This post is a complement to that one: here we take the troubleshooting a step further and enable the lower-level trace, which shows much more detail about the authentication process.

 

2. Enabling Trace File

 

To enable the lower-level trace you need to open the file trace.ini, located in the folder C:\Whale-Com\e-Gap\common\conf, go to the end of the file and add the two lines below:

 

[Trace\UserMgrUtil]

*=xheavy

 

It is very important to remember that this setting should be used only for troubleshooting purposes, since it is very CPU intensive, and it should be removed as soon as the troubleshooting is finished.
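Because the section has to be added for the test and removed again afterwards, a small script that does both is handy. The one below is an added example for this post, not IAG code: it appends the section from the previous step to trace.ini without duplicating it if it is already there, and with --off strips it again. The file path and the section text are the ones given above; the backup naming, the --off switch and the script name set_trace.py are this example's own assumptions.

```python
# Added example for this post, not IAG code: add the [Trace\UserMgrUtil] section to
# trace.ini and remove it again once the troubleshooting is done. Path and section
# text come from the post; the backup name and the --off switch are this example's.
import shutil
import sys
from datetime import datetime

TRACE_INI = r"C:\Whale-Com\e-Gap\common\conf\trace.ini"
SECTION = "[Trace\\UserMgrUtil]"
LEVEL = "*=xheavy"


def enable_trace(text: str) -> str:
    """Append the section once; a file that already has it is returned unchanged."""
    if SECTION in (line.strip() for line in text.splitlines()):
        return text
    nl = "\r\n" if "\r\n" in text else "\n"     # keep the file's own line endings
    if text and not text.endswith(nl):
        text += nl
    return text + SECTION + nl + LEVEL + nl


def disable_trace(text: str) -> str:
    """Drop the section and everything under it up to the next [section] header."""
    kept, skipping = [], False
    for line in text.splitlines(keepends=True):
        stripped = line.strip()
        if stripped == SECTION:
            skipping = True
            continue
        if skipping and stripped.startswith("["):
            skipping = False            # a new section starts: stop skipping
        if not skipping:
            kept.append(line)
    return "".join(kept)


def set_trace(path: str = TRACE_INI, enable: bool = True) -> str:
    """Rewrite trace.ini in place after saving a timestamped backup; returns the backup path."""
    with open(path, newline="") as fh:           # newline="" preserves CRLF on read and write
        text = fh.read()
    backup = f"{path}.{datetime.now():%Y%m%d%H%M%S}.bak"
    shutil.copy2(path, backup)
    with open(path, "w", newline="") as fh:
        fh.write(enable_trace(text) if enable else disable_trace(text))
    return backup


if __name__ == "__main__":
    # python set_trace.py        -> enable xheavy tracing for UserMgrUtil
    # python set_trace.py --off  -> remove it again after the troubleshooting
    print("backup written to", set_trace(enable="--off" not in sys.argv))
```

The file is edited as plain text rather than through an ini parser so that every other line of trace.ini is left byte for byte as it was; only the one section is appended or cut out.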

 

3. Using the User Manager Tool

 

The User Manager utility is a tool that can be used to validate a repository and check that it is functional. The good thing about this utility is that you can verify that the repository is working before putting it into production. Now that we have the repository and the trace file is enabled, we can run the test and see what result we get. Follow the steps below to do that:

 

1) Open a command prompt and follow the sequence below:

 

C:\>Cd Whale-Com\e-Gap\utils\UserMgr

C:\Whale-Com\e-Gap\utils\UserMgr>UserMgrUtil.exe -v LDAPS

User:administrator

Password:********

Domain (Not Mandatory):contoso.com

ParamName (Not Mandatory):

EnableChangePassword(0|1) (Not Mandatory):

Success

 

As you can see, the result of this test was Success. You can get more detailed information about the result by reading the log file, which will be located in the folder C:\Whale-Com\e-Gap\logs. The file name should look like this:

 

SERVERNAME.UserMgrUtil.default.DATE-TIME.log

 

The log will show verbose information, since we raised the trace level to xheavy in the trace.ini file. The first part shows the repository configuration:

 

** 16.06.08 03:58:42.312 CONFIGMGR_SERVICE:GENERAL T2240

Read the repository [[CLdapRepositoryInfo:

repository_base_type     = [LDAP]

auth_type                = [1]

gui_auth_type            = [1]

default_domain           = [contoso.com]

repository_type          = [Active Directory]

address                  = [dallas.contoso.com]

groups_repository        = [LDAPS]

ip                       = [dallas.contoso.com]

base                     = [CN=Users,DC=contoso,DC=com]

port                     = [636]

search_sub_tree          = [0]

use_ssl                  = [1]

user                     = [administrator]

domain                   = [contoso.com]

alternate_ip             = []

alternate_port           = [0]

alternate_use_ssl        = [0]

nested_groups_num        = [0]]].

* at line 1268, file "src/RepositoryContainer.cpp".

 

The second part shows more detail about the test performed by the User Manager utility:

 

** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240

Read [GetDistributionList] [0]

* at line 2110, file "src/Ldap.cpp".

 

** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240

Init connection to ip [10.1.1.6] port [636].

* at line 1752, file "src/Ldap.cpp".

 

** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240

Use [dallas.contoso.com] instead of [10.1.1.6].

* at line 1762, file "src/Ldap.cpp".

 

** 16.06.08 03:58:42.512 USERMGR_SERVICE:GENERAL T2240

The repository ssl option is [1].

* at line 1796, file "src/Ldap.cpp".

 

** 16.06.08 03:58:54.920 USERMGR_SERVICE:GENERAL T2240

Authenticate the user [administrator] domain [contoso] in the ldap server [10.1.1.6] port [636] dn [CN=Users,DC=contoso,DC=com] type [Active Directory]

* at line 320, file "src/Ldap.cpp".

 

** 16.06.08 03:58:54.920 USERMGR_SERVICE:GENERAL T2240

Connect user [administrator] domain [contoso].

* at line 2178, file "src/Ldap.cpp".

 

** 16.06.08 03:58:54.920 USERMGR_SERVICE:GENERAL T2240

Connect with bind auth negotiate.

* at line 2209, file "src/Ldap.cpp".

 

** 16.06.08 03:58:54.940 USERMGR_SERVICE:GENERAL T2240

Connect success

* at line 2255, file "src/Ldap.cpp".

 

Notice that during the connection the FQDN (dallas.contoso.com) is used instead of the IP address (10.1.1.6), and that the bind to the LDAPS directory is then made with the credentials provided during the test (the log reports "Connect with bind auth negotiate" followed by "Connect success").
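When you have several of these logs to go through, it helps to pull the two parts out mechanically: the repository settings from the CONFIGMGR_SERVICE entry and the connection sequence from the USERMGR_SERVICE entries. The parser below is an added example for this post, not part of IAG; the record layout (a "** date time COMPONENT:CATEGORY Tthread" header, message lines, and a "* at line N, file ..." trailer) is inferred from the excerpt above, the checks in ldaps_findings() are this example's own, and the embedded sample log is a shortened copy of the entries quoted in the post.

```python
# Added example for this post, not IAG code: parse a UserMgrUtil trace log and
# check the LDAPS settings it reports. Record layout inferred from the excerpt
# above; the checks in ldaps_findings() are this example's own.
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_RE = re.compile(r"^\*\* (\d\d\.\d\d\.\d\d \d\d:\d\d:\d\d\.\d+) (\w+):\w+ T\d+$")
SOURCE_RE = re.compile(r'^\* at line (\d+), file "([^"]+)"\.$')
SETTING_RE = re.compile(r"^(\w+)\s*=\s*\[([^\]]*)\]")  # 'key = [value]'; trailing ']].' ignored
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
PATTERNS = {  # messages from the connection sequence; group 1 is the value kept
    "host": r"Use \[([^\]]*)\] instead of",
    "bind_auth": r"Connect with bind auth (\w+)",
}


@dataclass
class TraceEntry:
    timestamp: str
    component: str
    lines: list[str] = field(default_factory=list)
    source: Optional[tuple[int, str]] = None  # (line, file) from the '* at line' trailer


def parse_trace(text: str) -> list[TraceEntry]:
    """Group the raw log text into entries; blank lines are ignored."""
    entries: list[TraceEntry] = []
    current: Optional[TraceEntry] = None
    for line in filter(None, (raw.strip() for raw in text.splitlines())):
        header = HEADER_RE.match(line)
        if header:
            current = TraceEntry(header.group(1), header.group(2))
            entries.append(current)
        elif current is None:
            continue  # text before the first header belongs to no entry
        elif (source := SOURCE_RE.match(line)):
            current.source = (int(source.group(1)), source.group(2))
        else:
            current.lines.append(line)
    return entries


def repository_settings(entries: list[TraceEntry]) -> dict[str, str]:
    """Collect the 'key = [value]' pairs from the 'Read the repository' entry."""
    settings: dict[str, str] = {}
    for entry in entries:
        if entry.lines and entry.lines[0].startswith("Read the repository"):
            for m in filter(None, map(SETTING_RE.match, entry.lines[1:])):
                settings[m.group(1)] = m.group(2)
    return settings


def ldaps_findings(settings: dict[str, str]) -> list[str]:
    """Flag settings under which the test bind would not travel over LDAPS."""
    findings = []
    if settings.get("use_ssl") != "1":
        findings.append("use_ssl is not 1: the bind credentials would go out in clear text")
    if settings.get("port") != "636":
        findings.append("port is %r, not the LDAPS port 636" % settings.get("port"))
    if IPV4_RE.match(settings.get("address", "")):
        findings.append("address is an IP literal; the certificate is validated against the FQDN")
    return findings


def bind_outcome(entries: list[TraceEntry]) -> dict[str, str]:
    """Summarise the connection sequence: name used, bind method, result."""
    outcome = {"result": "unknown"}
    for entry in entries:
        text = " ".join(entry.lines)
        for key, pattern in PATTERNS.items():
            m = re.match(pattern, text)
            if m:
                outcome[key] = m.group(1)
        if text.startswith("Connect success"):
            outcome["result"] = "success"
    return outcome


# Constructed sample: a shortened copy of the entries quoted in the post.
SAMPLE_LOG = """** 16.06.08 03:58:42.312 CONFIGMGR_SERVICE:GENERAL T2240
Read the repository [[CLdapRepositoryInfo:
address                  = [dallas.contoso.com]
port                     = [636]
use_ssl                  = [1]
nested_groups_num        = [0]]].
* at line 1268, file "src/RepositoryContainer.cpp".

** 16.06.08 03:58:42.382 USERMGR_SERVICE:GENERAL T2240
Use [dallas.contoso.com] instead of [10.1.1.6].
* at line 1762, file "src/Ldap.cpp".
** 16.06.08 03:58:54.920 USERMGR_SERVICE:GENERAL T2240
Connect with bind auth negotiate.
* at line 2209, file "src/Ldap.cpp".
** 16.06.08 03:58:54.940 USERMGR_SERVICE:GENERAL T2240
Connect success
* at line 2255, file "src/Ldap.cpp".
"""
```

Running parse_trace() on a real log from C:\Whale-Com\e-Gap\logs and passing the entries to repository_settings() and bind_outcome() gives the same two views the post walks through by hand; ldaps_findings() returns an empty list for the configuration shown above and a message for each setting that would let the test bind leave the server unprotected.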

 

4. Reference

 

You can download the IAG User Guide and read chapter 10 for more details on general troubleshooting and the tools that can help you with it.