LDAP User Troubleshooting

When an LDAP user cannot log in, the cause is almost always one of the following:
 

1. Our servers are unable to communicate with the LDAP cluster.

Ensure your firewall allows our IP block, 192.40.145.0/24, to reach your LDAP servers.
Ensure the read-only user account provided to us still authenticates (binds) correctly; a changed password on that account breaks lookups for every user.
Ensure the IP / host that we were provided is still correct.
 
Note: if any LDAP user can log in, then the communication between servers is working and this step can be skipped.
 

2. The user is not actually in the Search Base.

The search base is the DN (typically an OU) that limits which LDAP objects the Edlio system can see: only objects directly under it, or under any container nested beneath it, are searched. A user whose account sits elsewhere in the directory is invisible to us and cannot log in, even if the account is valid and in the right groups.
 

3. The user is not a member of the Authentication Filter groups, or is only a member through a nested (chained) group that we were not told about, which requires a different filter syntax.

The authentication filters are one or more LDAP Security or Distribution Groups that we can restrict each site to. The result limits access to only the users you want to have access, rather than the entire Search Base. As an example, districts will often define an LDAP group per location / school plus a Website Administrators group; we then add a filter for each school site that allows only that school's group plus the administrators.
 
The filter syntax for chained / nested group membership differs from the syntax for direct membership, so tell us when a group is nested so that the proper syntax is used.
 
Note: resolving chained / nested groups is a more expensive query against your LDAP cluster and may cause a performance issue.
 
If the user does not match the authentication filters, they are denied access.
 

4. The read-only lookup user that we use does not have the correct access to see the user, their properties, and / or group memberships.

This depends entirely on the security setup of your LDAP cluster. The read-only lookup user we use to find the account needs enough read permission to see the user object and the attributes and group memberships that are used for user information or filter criteria. If, for example, the lookup user cannot read a user's group memberships, the authentication filters in step 3 will never match. If we cannot see the user correctly, we cannot verify that they may authenticate.
 

5. The user is disabled in either our system or your LDAP cluster.

By design, we deny access to users that are disabled. 
 

6. The user has an apostrophe in their username.

Usernames that contain an apostrophe (for example o'brien) do not sync with LDAP. Our system strips apostrophes from usernames, and the LDAP sync skips any username that contains one, so such a user will not be synced from LDAP and cannot log in.
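The script below is an added example that works through the six causes above from the district's side with OpenLDAP's ldapsearch against an Active Directory style server; it is not Edlio's code, and Edlio's own lookup may differ. The filter builders, search-base check and userAccountControl decoder run offline; the live queries only run when LDAP_URI is set. Every host, DN, group and account name in it is a placeholder to replace with your own values.

```shell
#!/bin/sh
# Added troubleshooting helper (not Edlio's code). Assumes an AD-style LDAP
# server and OpenLDAP's ldapsearch. All DNs, hosts and names are placeholders.

# Escape a value before placing it in a filter (RFC 4515) so a username such
# as "a*" cannot widen the search or inject extra filter terms.
ldap_escape() {
  printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' -e 's/(/\\28/g' -e 's/)/\\29/g'
}

# Cause 2: is the user's DN inside the search base subtree? Plain suffix match
# after lower-casing and dropping spaces after commas (adequate for AD DNs).
dn_in_search_base() {  # $1 = user DN, $2 = search base DN; prints yes/no
  u=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
  b=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/, */,/g')
  case "$u" in
    "$b"|*",$b") echo yes ;;
    *)           echo no ;;
  esac
}

# Cause 3, direct membership: memberOf on the user lists only groups the
# user is placed in directly, so a nested membership will NOT match this.
direct_member_filter() {  # $1 = sAMAccountName, $2 = group DN
  printf '(&(objectClass=user)(sAMAccountName=%s)(memberOf=%s))' \
    "$(ldap_escape "$1")" "$(ldap_escape "$2")"
}

# Cause 3, nested membership: AD's LDAP_MATCHING_RULE_IN_CHAIN (OID
# 1.2.840.113556.1.4.1941) makes the server walk group-in-group chains.
# This is the heavier query the note above warns about.
nested_member_filter() {  # $1 = sAMAccountName, $2 = group DN
  printf '(&(objectClass=user)(sAMAccountName=%s)(memberOf:1.2.840.113556.1.4.1941:=%s))' \
    "$(ldap_escape "$1")" "$(ldap_escape "$2")"
}

# Cause 5: userAccountControl is a bitmask; bit 0x2 (ACCOUNTDISABLE) marks a
# disabled account (512 = normal enabled account, 514 = same account disabled).
account_disabled() {  # $1 = userAccountControl integer; prints yes/no
  if [ $(( $1 & 2 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Cause 6: usernames containing an apostrophe are skipped by the sync.
username_syncs() {  # $1 = username; prints yes/no
  case "$1" in *\'*) echo no ;; *) echo yes ;; esac
}

# Live checks. Example placeholders:
#   LDAP_URI=ldaps://dc1.example.org  LDAP_BIND_DN='CN=edlio-ro,OU=Service,DC=example,DC=org'
#   LDAP_BIND_PW=...  LDAP_BASE='OU=Lincoln High,DC=example,DC=org'
#   GROUP_DN='CN=Website Admins,OU=Groups,DC=example,DC=org'  USER=jdoe
if [ -n "${LDAP_URI:-}" ]; then
  q() { ldapsearch -x -LLL -H "$LDAP_URI" -D "$LDAP_BIND_DN" -w "$LDAP_BIND_PW" "$@"; }

  # Causes 1 and 2: bind as the read-only account and read the search base itself.
  #   "Can't contact LDAP server" = network / firewall; "Invalid credentials"
  #   (err 49) = the read-only account; "No such object" (err 32) = wrong base.
  q -b "$LDAP_BASE" -s base '(objectClass=*)' dn || exit 1

  # Causes 2, 4 and 5: find the user under the base. A hit with no memberOf or
  #   userAccountControl in the output usually means the read-only account
  #   cannot read those attributes (cause 4); decode userAccountControl for 5.
  q -b "$LDAP_BASE" "(&(objectClass=user)(sAMAccountName=$(ldap_escape "$USER")))" \
    dn userAccountControl memberOf

  # Cause 3: no result from the direct filter but a hit from the nested one
  #   means the user is in the group only through a nested group.
  q -b "$LDAP_BASE" "$(direct_member_filter "$USER" "$GROUP_DN")" dn
  q -b "$LDAP_BASE" "$(nested_member_filter "$USER" "$GROUP_DN")" dn
fi
```

Run the offline helpers directly (for example dn_in_search_base with the user's DN and the search base you gave us) before involving the LDAP server; most tickets are resolved by one of them. The nested filter is deliberately separate from the direct one so the performance cost of the chain walk is only paid when a nested group is actually in use.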