Troubleshoot LDAP & AD Connection Issues in Mideye
LDAP/Active Directory connectivity issues prevent Mideye Server from authenticating users and retrieving user attributes such as phone numbers. Most LDAP configuration is managed through LDAP Profiles in the web interface.
Overview
Section titled “Overview”Mideye Server connects to LDAP/AD for:
- User authentication — Validating credentials
- User lookup — Finding users and retrieving attributes (phone number, email)
- Group membership — Checking authorization groups
Connection issues typically fall into these categories:
- Network connectivity (firewalls, DNS)
- TLS/certificate issues (LDAPS)
- Credential or permission issues
- Search filter or attribute mapping
- Stale connections in load-balanced environments
Common Issues
Section titled “Common Issues”1. Connection Timeout
Section titled “1. Connection Timeout”Problem: Mideye Server cannot reach the LDAP server.
Symptoms:
- “Connection timed out” in logs
- Slow authentication or no authentication
- Web interface shows LDAP connection error
Diagnostic Steps:
Linux:
# Test network connectivitync -zv ldap.example.com 389nc -zv ldap.example.com 636 # LDAPS
# Test DNS resolutionnslookup ldap.example.comdig ldap.example.comWindows:
# Test network connectivityTest-NetConnection -ComputerName ldap.example.com -Port 389Test-NetConnection -ComputerName ldap.example.com -Port 636
# Test DNS resolutionResolve-DnsName ldap.example.comSolution:
- Verify the LDAP server address and port in LDAP Profiles
- Check firewall rules allow traffic on port 389 (LDAP) or 636 (LDAPS)
- Verify DNS resolution returns the correct IP address
- If using a load balancer, check load balancer health
2. LDAPS Certificate Validation Failure
Section titled “2. LDAPS Certificate Validation Failure”Problem: Secure LDAP (LDAPS) connection fails due to certificate issues.
Symptoms:
- “PKIX path building failed” in logs
- “unable to find valid certification path to requested target”
- Connection works with plain LDAP (389) but not LDAPS (636)
Root Causes:
- LDAP server uses a self-signed certificate
- LDAP server uses a certificate signed by an internal CA
- Certificate has expired
- Certificate hostname doesn’t match server address
Diagnostic Steps:
Linux:
# View the LDAP server certificateopenssl s_client -connect ldap.example.com:636 -showcerts 2>/dev/null | openssl x509 -noout -subject -issuer -dates
# Check certificate chainopenssl s_client -connect ldap.example.com:636 </dev/null 2>/dev/nullWindows:
# View the LDAP server certificate$tcpClient = New-Object System.Net.Sockets.TcpClient("ldap.example.com", 636)$ssl = New-Object System.Net.Security.SslStream($tcpClient.GetStream())$ssl.AuthenticateAsClient("ldap.example.com")$cert = $ssl.RemoteCertificateWrite-Host "Subject: $($cert.Subject)"Write-Host "Issuer: $($cert.Issuer)"Write-Host "Expires: $($cert.GetExpirationDateString())"$ssl.Dispose(); $tcpClient.Dispose()Solution:
Option A — Import the CA certificate (recommended):
- Navigate to the Certificate Management page in the web interface
- Import the LDAP server’s CA certificate into the trust store
- Restart Mideye Server
Option B — Skip certificate validation (testing only):
- Navigate to LDAP Profiles
- Edit the LDAP profile
- Set certificate validation to Skip (not recommended for production)
- Save and test the connection
3. Bind Credential Failures
Section titled “3. Bind Credential Failures”Problem: LDAP connection fails with authentication errors.
Symptoms:
- “Invalid credentials” error in logs
- “LDAP error code 49” (invalid credentials)
- Web interface shows LDAP connection failure
Root Causes:
- Wrong bind DN or username
- Wrong password
- Password expired
- Account locked
Solution:
-
Navigate to LDAP Profiles and verify:
- Bind DN is correct:
CN=svc-mideye,OU=Service Accounts,DC=example,DC=com - Bind password is correct (re-enter if unsure)
- Bind DN is correct:
-
Verify credentials work:
Linux:
Terminal window ldapsearch -x -H ldap://ldap.example.com:389 \-D "CN=svc-mideye,OU=Service Accounts,DC=example,DC=com" \-W -b "DC=example,DC=com" "(sAMAccountName=testuser)"Windows:
Terminal window # Test AD credentials$credential = Get-CredentialGet-ADUser -Identity testuser -Server ldap.example.com -Credential $credential -
Check that the service account:
- Is not locked
- Password has not expired
- Has read permissions to the user OU
4. User Not Found
Section titled “4. User Not Found”Problem: LDAP connection works, but specific users cannot be found.
Symptoms:
- “User not found” during authentication
- Some users work, others don’t
- LDAP connection test succeeds but authentication fails
Root Causes:
- User is in a different OU than the configured search base
- Search filter doesn’t match the user
- User account is disabled in AD
Solution:
-
Navigate to LDAP Profiles and verify:
- Search base is broad enough to include all users
- Search filter matches the username attribute being sent
-
Test the search manually:
Linux:
Terminal window # Search for specific userldapsearch -x -H ldap://ldap.example.com:389 \-D "CN=svc-mideye,OU=Service Accounts,DC=example,DC=com" \-W -b "DC=example,DC=com" "(sAMAccountName=username)" dnWindows:
Terminal window # Find user and their OUGet-ADUser -Identity username -Properties DistinguishedName | Select-Object DistinguishedName -
Common search filter patterns:
(sAMAccountName={0})— Most common for AD(userPrincipalName={0})— If using UPN format (user@domain.com)(uid={0})— For non-AD LDAP servers(mail={0})— If matching by email
-
Ensure the search base covers the user’s OU:
- Too narrow:
OU=Users,DC=example,DC=com(only finds users in this specific OU) - Better:
DC=example,DC=com(searches entire domain)
- Too narrow:
5. DNS Resolution Issues
Section titled “5. DNS Resolution Issues”Problem: LDAP server hostname cannot be resolved.
Symptoms:
- “UnknownHostException” or “Name resolution failed”
- Connection works by IP but not by hostname
Diagnostic Steps:
Linux:
# Check DNS resolutionnslookup ldap.example.comdig ldap.example.com
# Check /etc/resolv.confcat /etc/resolv.conf
# Check /etc/hostsgrep ldap /etc/hostsWindows:
Resolve-DnsName ldap.example.comipconfig /all | Select-String "DNS"Solution:
-
Fix DNS resolution (DNS server configuration, /etc/resolv.conf)
-
Or add a static hosts entry as a workaround:
Linux: Add to
/etc/hosts:10.0.1.50 ldap.example.comWindows: Add to
C:\Windows\System32\drivers\etc\hosts:10.0.1.50 ldap.example.com
6. Stale Connections (Load Balancers / Multiple DCs)
Section titled “6. Stale Connections (Load Balancers / Multiple DCs)”Problem: LDAP connections become stale when a load balancer or DNS round-robin is used across multiple domain controllers.
Symptoms:
- Intermittent “connection reset” or “connection closed” errors
- Authentication works most of the time but fails periodically
- Errors correlate with idle periods (e.g., overnight, weekends)
Root Cause: Load balancers may silently close idle TCP connections. The pooled connections in Mideye Server become stale.
Solution:
- Navigate to LDAP Profiles
- Configure connection pooling settings:
- Reduce idle timeout to less than the load balancer’s idle timeout
- Enable connection validation if available
- If using DNS round-robin, configure multiple LDAP servers in the profile
7. Phone Number Attribute Not Retrieved
Section titled “7. Phone Number Attribute Not Retrieved”Problem: LDAP connection works and user is found, but phone number attribute is empty.
Symptoms:
- User authenticates but OTP delivery fails
- Phone number shows as empty in user details
- Other attributes (name, email) work correctly
Solution:
-
Navigate to LDAP Profiles
-
Verify the phone number attribute is set correctly:
- AD:
mobile,telephoneNumber, ormsDS-cloudExtensionAttribute1 - Custom: Whatever attribute stores the phone number in your directory
- AD:
-
Verify the attribute value exists:
Linux:
Terminal window ldapsearch -x -H ldap://ldap.example.com:389 \-D "CN=svc-mideye,OU=Service Accounts,DC=example,DC=com" \-W -b "DC=example,DC=com" "(sAMAccountName=username)" mobile telephoneNumberWindows:
Terminal window Get-ADUser -Identity username -Properties mobile, telephoneNumber |Select-Object mobile, telephoneNumber -
See Phone Number Issues for phone number format requirements.
LDAP Profile Checklist
Section titled “LDAP Profile Checklist”Use this checklist when setting up or troubleshooting an LDAP profile:
| Setting | Description | Example |
|---|---|---|
| Server | LDAP server hostname or IP | ldap.example.com |
| Port | 389 (LDAP) or 636 (LDAPS) | 636 |
| Use SSL | Enable for LDAPS | Yes |
| Bind DN | Service account DN | CN=svc-mideye,OU=... |
| Bind Password | Service account password | (configured) |
| Search Base | Where to search for users | DC=example,DC=com |
| Search Filter | How to match usernames | (sAMAccountName={0}) |
| Phone Attribute | Attribute containing phone number | mobile |
| Certificate Validation | Validate or Skip (for LDAPS) | Validate |
All settings are configured in LDAP Profiles.
Quick Connectivity Test
Section titled “Quick Connectivity Test”Run this quick test to verify LDAP connectivity end-to-end:
Linux:
# 1. DNSnslookup ldap.example.com
# 2. Portnc -zv ldap.example.com 636
# 3. Certificate (LDAPS)openssl s_client -connect ldap.example.com:636 </dev/null 2>/dev/null | head -5
# 4. Bind + Searchldapsearch -x -H ldaps://ldap.example.com:636 \ -D "CN=svc-mideye,OU=Service Accounts,DC=example,DC=com" \ -W -b "DC=example,DC=com" "(sAMAccountName=testuser)" dn mobileWindows:
# 1. DNSResolve-DnsName ldap.example.com
# 2. PortTest-NetConnection -ComputerName ldap.example.com -Port 636
# 3. AD SearchGet-ADUser -Identity testuser -Server ldap.example.com -Properties mobile | Select-Object DistinguishedName, mobileGetting Help
Section titled “Getting Help”If LDAP issues persist, contact Mideye Support with:
- LDAP server type (Active Directory, OpenLDAP, etc.)
- Connection type (LDAP/LDAPS) and port
- Search base and search filter
- Error messages from Log Files
- Whether the issue affects all users or specific users