LDAP Troubleshooting

If you are experiencing issues with LDAP, you can review common issues setting up this event source to aid in diagnosing the problem. By default, the LDAP event source will only poll once per 24 hours, even if the source is stopped and restarted after editing configurations.

As such, it is easiest to troubleshoot LDAP by creating a new source for each connection attempt, which will poll LDAP immediately, resulting in success or an error message within about a minute.

LDAP issues fall into two categories:

Connection Errors

The following are common codes for LDAP connection errors:

Result Code from LDAP server 8 Strong Auth Required

If you see this error, check that you are not using an expired certificate.

Result Code from LDAP server 12 Unavailable Critical Extension

If you see an “unavailable critical extension” error, or if you are seeing fewer users than expected under the “Users” metric on the InsightIDR homepage, your default Base DN may not be pointing to the right root node in the LDAP tree.

To find the appropriate root node for your Base DN, follow instructions here.

Result Code from LDAP server 32 No Such Object

If you see an error that states “no such object,” or if you are seeing fewer users than expected in the LDAP data, then your user profiles may be stored in organizational units (OUs) rather than containers. To fix this, see How to Find the Base DN of a Windows Domain.

Result Code from LDAP server 49 Invalid Credentials

If you receive an “Invalid Credentials” error, then the username and password provided in the event source configuration cannot properly authenticate to the LDAP server.

To resolve this error, try the following actions:

  • Confirm the account you attempted to authenticate with has the proper rights to perform an LDAP query.
  • Ensure the “User Domain” field contains the proper name in the short or “pre-2000” format. For example, if your login domain and name are ACME\JohnSmith, then ACME would be the User Domain.
  • Verify that the LDAP credential you used to configure the event source is in the down-level logon name format: DOMAIN\UserName. To verify or change this, go to Credential Settings and edit the specified credential.

Result Code from LDAP server 91 (connect error)

If you see an error that reads "Failed to create a connection on port 389 or 636," then the Collector host cannot reach the LDAP server specified in the event source configuration.

To resolve this issue, try the following actions:

  • When configuring the LDAP event source, ensure the Collector can resolve the server host using the local DNS. If the host cannot be resolved, enter the LDAP server's IP address in place of the host name.
  • If the Collector can resolve the host, but the error persists, there may be an issue with connectivity over LDAP (port 389) or secure LDAP (port 636). Adjust the firewall or routing rules to allow the Collector and the LDAP server to communicate over ports 389 or 636.
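
The two checks above can be run from the Collector host with a short Python script. This is an added example, not part of the original documentation or of InsightIDR; the function names and the placeholder host dc01.example.invalid are assumptions of the example. It also distinguishes a refused connection from a timed-out one, which helps when deciding whether a firewall is involved.

```python
import socket

LDAP_PORTS = (389, 636)  # LDAP and secure LDAP, the two ports named in the error


def resolve_host(host):
    """Addresses the local resolver returns for host; empty list if it cannot resolve."""
    try:
        infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})


def probe(address, port, timeout=3.0):
    """Classify one TCP connect attempt as open, refused, timeout or error."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"   # connection actively rejected (TCP reset)
    except socket.timeout:
        return "timeout"   # no answer at all, typical of silently dropped packets
    except OSError:
        return "error"     # e.g. no route to host


def triage_connect_error(host, ports=LDAP_PORTS, timeout=3.0):
    """Relate a 'Failed to create a connection' error to the two checks above."""
    addresses = resolve_host(host)
    if not addresses:
        # First bullet: the host name does not resolve through local DNS.
        return {"finding": "dns", "addresses": [], "ports": {}}
    rank = ["open", "refused", "timeout", "error"]
    ports_seen = {}
    for port in ports:
        # Keep the best result seen for this port across all resolved addresses.
        results = [probe(address, port, timeout) for address in addresses]
        ports_seen[port] = min(results, key=rank.index)
    # Second bullet: the name resolves but neither port accepts a connection.
    finding = "reachable" if "open" in ports_seen.values() else "blocked"
    return {"finding": finding, "addresses": addresses, "ports": ports_seen}


if __name__ == "__main__":
    import sys
    # Placeholder host; pass the Server value from the event source instead.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.invalid"
    print(triage_connect_error(target))
```

A "dns" finding corresponds to the first bullet and a "blocked" finding to the second.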

Low User Count

If you find InsightIDR is only showing a small user count on the main page, you are likely experiencing issues with your LDAP event source. When the Collector polls LDAP to pull in user account information, it may be unable to read all of the users in the domain.

To resolve this issue, try the following solutions:

  1. In your LDAP event source, verify that the value you specified as the domain is the correct Base DN. See How to find a Base DN for more information.
  2. If you verified that the Base DN is correct, but you are still seeing a low user count on the “User & Accounts” page, add one LDAP event source for each OU of your domain, with the respective OU value in the Base DN field.
  3. Verify that the credential you used for the LDAP event source has permissions to access and read all of the field attributes on the user and group objects in the domain. If it does not have permission, InsightIDR cannot create corresponding user account records.
  4. Verify that the Collector can find the LDAP referral point for the Windows domain listed in the User Domain field. If it cannot, use the “short” or “pre-2000” name for the Windows domain in the User Domain field, instead of using the FQDN.
  5. Verify that the Collector can read all of the user objects from the domain controller specified. If it cannot, specify a different domain controller than the one that you used in the Server field of the event source.

Low Active User Count

If you find InsightIDR is only showing a small active user count on the main page, you are likely experiencing issues with your LDAP event source. Please check for proper permissions on the domain user you are using:

  1. In Active Directory Users and Computers (ADUC), in the console tree, browse to the organizational unit or object for which you want to view effective permissions.
  2. Right-click the LDAP user you are using for your LDAP event source, and click Properties.
  3. In the Properties dialog box, on the Security tab, click Advanced.
  4. In the Advanced Security Settings dialog box, on the Effective Permissions tab, click Select.
  5. In the Select User, Computer, or Group dialog box, find the LDAP user you're using and select it.
  6. Ensure that "Read all properties" is checked and enabled.

If you do not have the "Read all properties" permission (indicated by a green checkmark), you will need to delegate the permission. To do so, you must complete the following:

  1. In Active Directory Users and Computers (ADUC), click on View > Advanced Features.
  2. Right-click the organizational unit (OU) and select Properties.
  3. Select the Security tab, and click Advanced.
  4. Click Add, find the LDAP user you're using, and click OK.
  5. Check the Allow option for "Read all properties", then click OK on each subsequent window to close all property windows.