Troubleshooting LDAP Authentication in Silver Tail
Datastore: Active Directory
Identity source: Sun One
Platform: RHEL 6, CentOS
OpenLDAP is used as the platform for the ldapauth client function that the Silver Tail UIserver uses to complete LDAP authentication in the UI. OpenLDAP provides ldap.conf, which can supply the LDAP configuration details when they are not provided within SilverCat.
Configuring and Troubleshooting LDAP Authentication in Silver Tail
The ldapauth process uses the OpenLDAP libraries installed on the OS platform. ldap.conf exists and can be configured with the required LDAP settings; however, the preferred and overriding method is via the LDAP Authentication section of SilverCat, which results in a section called ldapauth being written to universal.conf, as in the examples below.
bin/ldapauth [params]

Optional params:
  -f --conf=<CONF FILE>      The configuration file (required).
  -d --diagnostics           Display diagnostic information.
  -u --user=<username>       The user name to evaluate for authentication.
  -p --password=<password>   The password to test authentication of the user name. A password will be requested interactively if it is not included.
  -D --debug                 Use DEBUG priority for logging.
NOTE: -D echoes the parameters you entered and will therefore show the user's password in clear text.
If a user is not provided, only the configuration file is parsed; if diagnostics are enabled, the configuration file settings are shown. If a user is provided but no password, a password is requested interactively; if diagnostics are enabled, more information about the authentication process is shown.

Test Environment
NOTE: If you use your own conf file rather than universal.conf, the first line of the file must be <silvertail> and the last line must be </silvertail>.
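The following is an added example, not part of the original article or of the Silver Tail product. It wraps the ldapauth invocation described above in a small shell script that first checks the <silvertail> / </silvertail> wrapper lines a standalone conf file must have, then runs ldapauth with diagnostics for one user. It deliberately leaves out -D (which would echo the password) and -p (so ldapauth prompts for the password instead of it landing in shell history). The conf path and user name in the usage comment are placeholders assumed for illustration.

```shell
#!/bin/sh
# Added example, not the article's or the product's own code.
# Assumptions (not from the page): run from the Silver Tail install directory
# so that bin/ldapauth resolves; conf path and user name are placeholders.

# Check the wrapper lines a standalone conf file must have: the first line
# must be <silvertail> and the last line must be </silvertail>.
# Returns 0 when the wrapper is correct, 1 otherwise (reason on stderr).
check_conf_wrapper() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 1; }
    first=$(head -n 1 "$conf")
    last=$(tail -n 1 "$conf")
    if [ "$first" != "<silvertail>" ]; then
        echo "$conf: first line is '$first', expected '<silvertail>'" >&2
        return 1
    fi
    if [ "$last" != "</silvertail>" ]; then
        echo "$conf: last line is '$last', expected '</silvertail>'" >&2
        return 1
    fi
    return 0
}

# Run ldapauth diagnostics for one user. -D is intentionally not used: it
# echoes the entered parameters, so the password would appear in clear text.
# -p is also omitted so that ldapauth asks for the password interactively
# rather than it being stored in shell history or a process listing.
test_ldap_user() {
    conf="$1"
    user="$2"
    check_conf_wrapper "$conf" || return 1
    bin/ldapauth -f "$conf" -d -u "$user"
}

# Usage (placeholder path and user, assumed):
#   test_ldap_user /opt/silvertail/conf/universal.conf jdoe
```

The wrapper check is strict on purpose: a trailing blank line after </silvertail> fails it, which is the safer reading of the note above.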
LDAP authentication in the Silver Tail UI relies on the internal user database: the user name must exist in the internal DB, with an internal password, before the user can authenticate, whether LDAP is used or not.
When LDAP is in use, the user's credentials are presented to the UIserver and the password is first evaluated against the internal DB. If the user/password matches, the user is authenticated and LDAP is not consulted. If the match fails and LDAP authentication is configured, the same user/password is passed in an LDAP query to the configured LDAP server. If that also fails, the user's bad-auth count is incremented; otherwise the user is authenticated.
Login behavior is dictated by the SilverCat > Authentication > logins setting.
According to the help text, "logins can also be a comma-separated list of values: 'st,ldap'".
You should be able to swap ldap and st to change the order in which UIServer checks authentication methods, with the second entry acting as a backup authentication method.