LDAP users can't log in to Tarantella

If you are using the LDAP login authority to authenticate users and you find that LDAP users are not able to log in to Tarantella, use the following checklist to identify the source of the problem.

You may also find it helpful to turn on extra logging in Array Manager. Select the Array properties panel and add these filters to the Log Filter attribute:

server/login/*:login.log
server/login/*:login.jsl
Things to check:

Is the LDAP login authority enabled?
You cannot use an LDAP directory server with Tarantella unless the LDAP login authority is enabled.

Use the Tarantella Login properties in Array Manager (or the tarantella config edit --login-ldap 1 command) to enable the LDAP login authority.

Is the URL of the LDAP directory server correct?
To be able to use an LDAP directory server, a Tarantella server must be able to contact the LDAP directory server at the specified URL.

Use the Tarantella Login properties in Array Manager (or the tarantella config view --login-ldap-url command) to check the URL of the LDAP directory server. Check:

  • Does the URL refer to a valid LDAP directory server?
  • Does the URL use the fully qualified name of the LDAP directory server?
  • If the LDAP directory server listens on a non-standard port, is the port number the LDAP directory server listens on included in the URL?
  • Can all Tarantella servers in the array contact the LDAP directory server at this URL? Can you telnet from each Tarantella server to the LDAP directory server on the port given in the URL (389 for ldap:// and 636 for ldaps:// when no port is given)? A successful telnet connection only proves that the TCP port is reachable; it does not prove that the server accepts the bind.
  • If you have used a search root to restrict the start point of the search of the LDAP database, check that the search root is correct.

For Sun™ ONE (formerly Netscape or iPlanet) Directory Server, you may also need some extra configuration to map ENS names to LDAP names correctly. For example, suppose the LDAP directory server has a c=country,o=org,ou=office structure and is configured to allow searches only under o=org,c=country. If ENS has an o=org,ou=office structure, Tarantella will attempt to search the LDAP database starting at o=org, which lies outside the permitted search base, so the search fails. To correct this:

  1. Use the tarantella stop command to stop the Tarantella server.
  2. Run the following command:
    tarantella config edit --com.sco.tta.server.login.ens.LdapProfileCandidateAuthority.properties-ensMapping search_root
    where, for example, search_root is c=country.
  3. Use the Tarantella Login properties in Array Manager (or use the tarantella config edit --login-ldap-url command) to change the search root for the LDAP server, for example ldap://server_URL/o=org,c=country.
  4. Use the tarantella start command to start the Tarantella server.
Is the LDAP directory server username and password correct?
Some LDAP directory servers support anonymous logins, so you don't need to supply a username or password. Others, including Microsoft Active Directory, require the username and password of a user that has sufficient privileges to search the LDAP database. Searching only needs read access, so use a dedicated account with read-only search rights rather than an administrator account.

Use the Tarantella Login properties in Array Manager (or the tarantella passcache list --ldap username command) to check the username and password.

If you are using secure connections to the LDAP directory server, has this been configured correctly?

Check:

  • Does the URL of the LDAP directory server begin ldaps://?
  • Is the Tarantella Security Pack installed on every server in the array?
  • Is the Tarantella Security Pack licensed?
    Use the Licenses panel in Array Manager (or the tarantella license status command) to check.
  • Are Tarantella security services running?
    Use the tarantella status command to check.
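The URL, port, reachability and search-root checks in the rows above can be scripted. The following is an added example for this page, not part of the Tarantella documentation or product; the host names, DNs and bind account in the comments are placeholders, and the live checks rely on getent, nc and the OpenLDAP ldapsearch client, each of which is skipped if it is not installed. How Tarantella applies the ensMapping property internally is not described on this page; appending the suffix to the DN derived from the ENS name is the model assumed here.

```shell
#!/bin/sh
# Added example, not Tarantella code. Applies the LDAP URL checklist to a URL
# given on the command line. Placeholders: dir.example.com, o=org,c=country,
# cn=tta-bind,o=org,c=country.

# parse_ldap_url URL
# Prints "scheme host port base-dn" (base-dn may be empty) and fails on anything
# that is not ldap:// or ldaps://. A missing port defaults to 389 for ldap:// and
# 636 for ldaps://, which is what an LDAP client assumes.
parse_ldap_url() {
    url=$1
    case $url in
        ldap://*)  scheme=ldap;  rest=${url#ldap://} ;;
        ldaps://*) scheme=ldaps; rest=${url#ldaps://} ;;
        *) return 1 ;;
    esac
    hostport=${rest%%/*}
    base=
    case $rest in
        */*) base=${rest#*/} ;;
    esac
    case $hostport in
        *:*) host=${hostport%%:*}; port=${hostport#*:} ;;
        *)   host=$hostport
             if [ "$scheme" = ldaps ]; then port=636; else port=389; fi ;;
    esac
    [ -n "$host" ] || return 1
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s %s %s %s\n' "$scheme" "$host" "$port" "$base"
}

# normalize_dn DN: lower-case and drop spaces after commas, so that
# "O=Org, C=Country" and "o=org,c=country" compare equal.
normalize_dn() {
    printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g'
}

# dn_under_root DN ROOT: succeeds when DN is ROOT or lies beneath it. This is
# the test a directory server applies when it only permits searches under
# o=org,c=country, and it is why a search starting at o=org fails.
dn_under_root() {
    dn=$(normalize_dn "$1")
    root=$(normalize_dn "$2")
    [ "$dn" = "$root" ] && return 0
    case $dn in
        *",$root") return 0 ;;
    esac
    return 1
}

# ens_to_ldap_dn ENS_DN MAPPING: appends the ensMapping suffix (c=country in the
# page's example) to the DN derived from the ENS name. Assumed model, see above.
ens_to_ldap_dn() {
    if [ -n "$2" ]; then printf '%s,%s\n' "$1" "$2"; else printf '%s\n' "$1"; fi
}

# check_ldap_url URL [BIND_DN]
# The live checks: name resolution, TCP reachability (what the "can you telnet"
# question tests), then a simple bind and a base-scope search at the search root,
# anonymously when no bind DN is given. The bind password is taken from the
# LDAP_BIND_PW environment variable so that it does not appear in ps output.
check_ldap_url() {
    parsed=$(parse_ldap_url "$1") || { echo "FAIL: malformed LDAP URL '$1'" >&2; return 1; }
    binddn=$2
    bindpw=${LDAP_BIND_PW:-}
    set -- $parsed
    scheme=$1 host=$2 port=$3 base=$4
    echo "scheme=$scheme host=$host port=$port search-root=${base:-(none)}"
    case $host in
        *.*) ;;
        *) echo "WARN: '$host' is not a fully qualified name" ;;
    esac
    getent hosts "$host" >/dev/null || { echo "FAIL: '$host' does not resolve"; return 1; }
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$host" "$port" || { echo "FAIL: no TCP connection to $host:$port"; return 1; }
        echo "ok: TCP connection to $host:$port (reachable, not yet authenticated)"
    fi
    if command -v ldapsearch >/dev/null 2>&1; then
        if [ -n "$binddn" ]; then
            ldapsearch -x -H "$scheme://$host:$port" -D "$binddn" -w "$bindpw" -b "$base" -s base '(objectClass=*)' dn
        else
            ldapsearch -x -H "$scheme://$host:$port" -b "$base" -s base '(objectClass=*)' dn
        fi
    fi
}

# Usage: LDAP_BIND_PW=secret sh ldap-check.sh ldaps://dir.example.com/o=org,c=country "cn=tta-bind,o=org,c=country"
# The live checks run only when a URL is given, so the file can also be sourced for its functions.
if [ $# -ge 1 ]; then
    check_ldap_url "$@"
fi
```

Run it once from every Tarantella server in the array, since each server must reach the directory server itself. For a Sun ONE directory restricted to o=org,c=country, dn_under_root shows the mismatch directly: ou=office,o=org is not under the search root, while the same name with c=country appended is.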
Is Tarantella providing the right information for locating the user?
When Tarantella searches an LDAP database for a user it uses the following attributes:
  • their full name (common name or cn);
  • their uid;
  • their e-mail address; or
  • their SAM account name (sAMAccountName, used by Active Directory).

If these attributes are not sufficient for identifying users, you can add extra attributes:

  1. Use the tarantella stop command to stop the Tarantella server.
  2. Run the following command:
    tarantella config edit --searchldapla.properties-searchAttributes attributes
    You can list more than one attribute. Each attribute must be separated by a space. The default attributes are cn uid mail sAMAccountName.
  3. Use the tarantella start command to start the Tarantella server.

Note: These steps require caution. A mistake in the attribute list, such as a misspelt attribute name or commas instead of spaces between attributes, can result in all LDAP users being unable to log in, so check the list before restarting the server.
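The search described above combines the configured attribute list with the name the user typed. The following is an added example for this page, not Tarantella's own code: it validates an attribute list of the kind passed to --searchldapla.properties-searchAttributes, then builds an OR'ed equality filter over those attributes with the user-supplied value escaped as RFC 4515 requires, so that a login name such as "*" or "x)(uid=*" cannot widen the search to other accounts. Whether Tarantella builds its filter in exactly this form is not stated on the page; the attribute list and the escaping are the point.

```shell
#!/bin/sh
# Added example, not Tarantella code.

# check_attribute_names ATTR...: fails on anything that is not an LDAP attribute
# description (a letter followed by letters, digits or hyphens). Catches the usual
# mistake the note above warns about, e.g. "cn,uid" instead of "cn uid".
check_attribute_names() {
    [ $# -ge 1 ] || { echo "no attributes given" >&2; return 1; }
    for attr in "$@"; do
        case $attr in
            [A-Za-z]*)
                case $attr in
                    *[!A-Za-z0-9-]*) echo "bad attribute name: $attr" >&2; return 1 ;;
                esac ;;
            *) echo "bad attribute name: $attr" >&2; return 1 ;;
        esac
    done
}

# ldap_filter_escape VALUE: RFC 4515 escaping of \ * ( ) in an assertion value.
# The backslash is replaced first; otherwise the escapes just inserted would be
# escaped again.
ldap_filter_escape() {
    printf '%s' "$1" | sed 's/\\/\\5c/g; s/\*/\\2a/g; s/(/\\28/g; s/)/\\29/g'
}

# build_user_filter NAME ATTR...: prints (|(attr1=name)(attr2=name)...) with NAME
# escaped, which is the filter a lookup over the configured attributes needs.
build_user_filter() {
    name=$(ldap_filter_escape "$1")
    shift
    check_attribute_names "$@" || return 1
    clauses=
    for attr in "$@"; do
        clauses="$clauses($attr=$name)"
    done
    printf '(|%s)\n' "$clauses"
}

# Usage with the page's default attribute list:
#   build_user_filter jsmith cn uid mail sAMAccountName
```

Running build_user_filter with an unescaped value and with the escaped one side by side makes the difference visible: without escaping, the typed name "*" would produce (|(cn=*)(uid=*)...), which matches every entry the bind account can read; with escaping it matches only an entry whose attribute is literally an asterisk.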

Related topics
  • Using Tarantella with an LDAP directory server
  • Which LDAP directory servers are supported?
  • Enabling the LDAP login authority
  • Defining webtops for LDAP users using login profiles
  • Defining webtops for LDAP users using LDAP webtop searches
  • Can I deny an LDAP user access to Tarantella?