LDAP authentication failing with time-out error | AEM Oak

Troubleshoot and resolve issues preventing the LDAP users from logging in, ensuring smooth user access and security. To fix the error, debug the connection from AEM to the LDAP server.

Description description

Environment

Adobe Experience Manager

Issue/Symptoms

After configuring LDAP authentication via AEM, it is failing to allow LDAP users to log in. The following log message is shown:

Caused by: org.apache.directory.api.ldap.model.exception.LdapException: TimeOut occurred

at org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4106)

at org.apache.directory.ldap.client.api.LdapNetworkConnection.bindAsync(LdapNetworkConnection.java:1290)

at org.apache.directory.ldap.client.api.LdapNetworkConnection.bind(LdapNetworkConnection.java:1188)

at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:127)

at org.apache.directory.ldap.client.api.AbstractLdapConnection.bind(AbstractLdapConnection.java:112)

at org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory.bindConnection(DefaultLdapConnectionFactory.java:64)

at org.apache.directory.ldap.client.api.DefaultLdapConnectionFactory.newLdapConnection(DefaultLdapConnectionFactory.java:107)

at org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory.makeObject(ValidatingPoolableLdapConnectionFactory.java:133)

at org.apache.directory.ldap.client.api.ValidatingPoolableLdapConnectionFactory.makeObject(ValidatingPoolableLdapConnectionFactory.java:59)

at org.apache.commons.pool.impl.GenericObjectPool.borrowObject(GenericObjectPool.java:1188)

at org.apache.directory.ldap.client.api.LdapConnectionPool.getConnection(LdapConnectionPool.java:123)

at org.apache.jackrabbit.oak.security.authentication.ldap.impl.LdapIdentityProvider.connect(LdapIdentityProvider.java:771)

... 57 common frames omitted

Resolution resolution

To fix the issue, you need to debug the connection from AEM to the LDAP server. Here are some things to check:

  1. Check that the LDAP server is accessible from other machines than the AEM server using an LDAP browser such as JXplorer. If it is not accessible, then it might be down or there could be a network or firewall issue. Contact your network operations team and the team that manages your LDAP servers to investigate.

  2. If the LDAP server is accessible from other machines then test from the AEM server OS. Install an LDAP client on the AEM server OS and try to access the LDAP server from there. On Linux, you can use the ldapsearch command. On Windows, use JXplorer.

  3. If the server can reach the LDAP server but AEM LDAP-based login is failing, then we need to check the LDAP Identity Provider  configuration. Log in to the  OSGi Web Console (https://aem-host:port/system/console/configMgr) and search for Apache Jackrabbit Oak LDAP Identity Provider. Some things you can try that might solve the issue:

    • Fine tune the User base DN, User extra filter, Group base DN, and  Group extra filter  to make the search filter only return relevant users and groups to AEM.
    • Make sure the Bind DN  and Bind password  are correct.
    • Uncheck Admin pool lookup on validate  and User pool lookup on validate.
    • Increase the Search Timeout.

    Screenshot of the LDAP Identity Provider configuration:

    rtaimage_3_

  4. In case of most enterprise customers, LDAP is often load-balanced. You may also face this problem if the load balancer sitting in front of the LDAP servers have blacklisted your AEM Server IP for some reason. If this problem arises, engage the LDAP team to resolve this problem. As a quick test, you may want to hit the LDAP server IP directly bypassing the LDAP load balancer to see if the LDAP authentication in AEM is successful.

Cause

The timeout error usually indicates that the LDAP server is either unreachable by AEM due to a firewall, network issue, or it is down or unresponsive.

recommendation-more-help
3d58f420-19b5-47a0-a122-5c9dab55ec7f