Layer7 API Management

Expand all | Collapse all

LDAP error in CA API Gateway

  • 1.  LDAP error in CA API Gateway

    Posted 07-12-2018 11:07 PM

    Hi All,

     

    In my CA API Gateway 9.1, i am seeing these errors and as a result few users are unable to get authenticated:

     

     

    2018-07-13T12:36:41.117+1000 WARNING 314 com.l7tech.server.identity.ldap.LdapUserManagerImpl: LDAP error: Could not establish context on any of the ldap urls.

     

    2018-07-13T12:36:41.118+1000 INFO    314 com.l7tech.server.policy.assertion.identity.ServerAuthenticationAssertion: could not verify identity provider ID 15f0d27b8402c405c72f68ce5d489bb9 with credentials from <username>

     

     

    Can you please help

     

    Regards,

    Varun



  • 2.  Re: LDAP error in CA API Gateway

    Posted 07-12-2018 11:32 PM

    Looking at the "Could not establish context on any of the ldap urls" i think your ldap connectivity is failing.



  • 3.  Re: LDAP error in CA API Gateway

    Posted 07-13-2018 12:19 AM

    Hi,

     

    Thanks for your response.

     

    Issue is being faced by few users only, rest of them are able to authenticate.

     

    Regards,

    Varun



  • 4.  Re: LDAP error in CA API Gateway

    Posted 12-14-2018 01:40 PM

    Varun,

     

    As only a few users are seeing this problem it could be related to a few areas including referrals and/or large group memberships.

     

    By default the gateway will follow referrals which can cause issues if the directory environment is being searched for the top level but all the users are expected in the local environment. You can disable this by setting the cluster wide property ldap.referral to ignore.

     

    The large group membership is controlled through the cluster wide property ldap.group.searchMaxResults which in later versions is set to 1000 but you may need to increase. Lastly I would also look at the nesting setting in the LDAP Provider on the Advanced Configuration page as the nesting may be too deep so look to set this to 1.

     

    Sincerely,

     

    Stephen Hughes

    Broadcom Support