LDAP Troubleshooting
If you are experiencing issues with Lightweight Directory Access Protocol (LDAP), you can review common issues setting up this event source to aid in diagnosing the problem. By default, the LDAP event source will only poll once per 24 hours, even if the source is stopped and restarted after editing configurations.
As such, it is easiest to troubleshoot LDAP by creating a new source for each connection attempt, which will poll LDAP immediately, resulting in success or an error message within about a minute.
LDAP issues fall into two categories:
Connection Errors
The following are common codes for LDAP connection errors:
- Result Code 8 Strong Auth Required
- Result Code 12 Unavailable Critical Extension
- Result Code 32 No Such Object
- Result Code 49 Invalid Credentials
- Result Code 91 Connect Error
Result Code from LDAP Server 8 Strong Auth Required
If your environment has more than one domain (for example, the Collector and event source are in different domains) or you need to use LDAPS (LDAP over SSL), you might receive this error because your certificate isn't trusted, although it's still valid, such as for self-signed certificates.
To resolve this error, try the following actions:
Task 1: Set up LDAPS on Windows Server, and generate a certificate
Follow Microsoft's documentation to set up LDAPS on Windows Server and generate a certificate: https://techcommunity.microsoft.com/t5/sql-server-blog/step-by-step-guide-to-setup-ldaps-on-windows-server/ba-p/385362
Before proceeding to task 2, ensure that you export the public certificate in Base-64 encoded X.509 (.cer)
format.
Task 2: Add the certificate to the Keystore
Add the certificate that you generated in Task 1 to the Keystore of the server where the Collector is installed.
Windows steps:
- On the Collector server, ensure that the
cer
file is in an easily accessible location (for example,Desktop\NewCertificate.cer
). - Open an administrator command prompt, and navigate to
C:\Program Files\Rapid7\Collector\jre\bin
. - Enter this keytool command, setting the alias name to something that you can remember in the future:
keytool.exe -importcert -alias NAME_HERE -Keystore "C:\Program Files\Rapid7\Collector\jre\lib\security\cacerts" -file C:\Users\Administrator\Desktop\NewCertificate.cer
. - Enter
changeit
as the password, when prompted. Your certificate is displayed.- We recommend changing the default password later.
- Enter
yes
to confirm the certificate is trusted. The certificate is added to the Keystore. - Restart the Collector service.
- In InsightIDR, stop and start the event source, and confirm whether the error persists.
Linux steps:
- On the Collector server, ensure that the
cer
file is in an easily accessible location (for example,/tmp/NewCertificate.cer
). - As root, navigate to
/opt/rapid7/collector/jre/bin/keytool
. - Enter this keytool command, setting the alias name to something that you can remember in the future:
./keytool -importcert -alias NAME_HERE -keystore /opt/rapid7/collector/jre/lib/security/cacerts -file /tmp/NewCertificate.cer
. - Enter
changeit
as the password, when prompted. Your certificate is displayed.- We recommend changing the default password later.
- Enter
yes
to trust the certificate. The certificate is added to the Keystore. - Restart the Collector service.
- In InsightIDR, stop and start the event source, and confirm whether the error persists.
Task 3: Ensure that the certificate is trusted
Follow Microsoft's documentation to confirm that the certificate meets the requirements for LDAPS: https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/enable-ldap-over-ssl-3rd-certification-authority#requirements-for-an-ldaps-certificate
Result Code from LDAP server 12 Unavailable Critical Extension
If you see “unavailable critical extension error,” or if you are seeing fewer users than expected under the “Users” metric on the InsightIDR homepage, your default Base DN may not be pointing to the right root node in the LDAP tree.
To find the appropriate root node for your Base DN, follow instructions here.
Result Code from LDAP server 32 No Such Object
If you see an error that states "no such object,” or if you are seeing fewer users than expected in the LDAP data, then your user profiles may be stored in organizational units (OUs) rather than containers. To fix this, see How to Find the Base DN of a Windows Domain.
Result Code from LDAP server 49 Invalid Credentials
If you receive an “Invalid Credentials error,” then the username and password provided in the event source configuration cannot properly authenticate to the LDAP server.
To resolve this error, try the following actions:
- Confirm the account you attempted to authenticate with has the proper rights to perform an LDAP query.
- Ensure the “User Domain” field contains the proper name in the short or “pre-2000” format. For example, if your login domain and name is
ACME\JohnSmith
, thenACME
would be the User domain. - Verify that LDAP credential you used to configure the event source is in the down-level logon name format:
DOMAIN\UserName
. To verify or change this, go to Credential Settings and edit the specified credential.
Result Code from LDAP server 91 (connect error)
If you see an error that reads "Failed to create a connection on port 389 or 636," then the Collector host cannot reach the LDAP server specified in the event source configuration.
To resolve this issue, try the following actions:
- When configuring the LDAP event source, ensure the Collector can resolve the server host using the local DNS. If the host cannot be resolved, enter the LDAP server's IP address in place of the host name.
- If the Collector can resolve the host, but the error persists, there may be an issue with connectivity over LDAP (port 389) or secure LDAP (port 636). Adjust the firewall or routing rules to allow the Collector and the LDAP server to communicate over ports 389 or 636.
Low User Count
If you find InsightIDR is only showing a small user count on the main page, you are likely experiencing issues with your LDAP event source. When the Collector polls LDAP to pull in user account information, it may be unable to read all of the users in the domain.
To resolve this issue, try the following solutions:
- In your LDAP event source, verify that the value you specified as the domain is the correct Base DN. See How to find a Base DN for more information.
- If you verified that the Base DN is correct, but you are still seeing a low user account on the “User & Accounts” page, add one LDAP event source per each OU of your domain with the respective OU values in the Base DN field.
- Verify that the credential you used for the LDAP event source has permissions to access and read all of the field attributes on the user and group objects in the domain. If it does not have permission, InsightIDR cannot create corresponding user account records.
- Verify that the Collector can find the LDAP referral point for the Windows domain listed in the User Domain field. If it cannot, use the “short” or “pre-2000” name for the Windows domain in the User Domain field, instead of using the FQDN.
- Verify that the Collector can read all of the user objects from the domain controller specified. If it cannot, specify a different domain controller than the one that you used in the Server field of the event source.
Low active user count
If you find InsightIDR is only showing a small active user count on the main page, you are likely experiencing issues with your LDAP event source. Please check for proper permissions on the domain user you are using:
- In Active Directory Users and Computers (ADUC), in the console tree, browse to the organizational unit or object for which you want to view effective permissions.
- Right-click the LDAP user you are using for your LDAP event source, and click Properties.
- In the Properties dialog box, on the Security tab, click Advanced.
- In the Advanced Security Settings dialog box, on the Effective Permissions tab, click Select.
- In the Select User, Computer, or Group dialog box, find the LDAP user you're using and select it.
- Ensure that "Read all properties" is checked off and enabled.
If you do not have the "Read all properties" permission (indicated by a green checkmark), you will need to delegate the permission. To do so, you must complete the following:
- In Active Directory Users and Computers (ADUC), click on View > Advanced Features.
- Right-click the Organizational units (OU) and select Properties.
- Select the Security tab, and click Advanced.
- Click Add, find the LDAP user you're using, and click OK.
- Check the Allow option for "Read all properties", click OK on each subsequent window to close all property windows.