Debugging LDAP Project Issues
Last updated on 9 March 2017
Drupal 7 will no longer be supported after January 5, 2025.
Tools Within Drupal and LDAP for Debugging
- Enable LDAP Help Module: admin/modules/list
- Enable detailed logging in ldap help: admin/config/people/ldap
- Enable Database Logging module: admin/modules/list
- Use the test link on the server settings page: admin/config/people/ldap/servers
- Use ldap help status page: admin/config/people/ldap/help/status
Picking Through the Database
Picking through the database can be helpful. Here are some queries. The serialized data can be better viewed at http://unserialize.net/serialize.
- table: authmap. Will contain a record for every user who is ldap authenticated.
  select * from authmap where module like 'ldap%';
- table: user. ldap data specific to a user will be stored in the data field of this table.
  select cast(data as char(1000)) from users where data like '%ldap%';
- table: ldap_servers
- table: ldap_authorization
- table: variable.
  select name, cast(value as char(1000)) from variable where name like 'ldap%';
LDAP Logs
Isolating LDAP problems from Drupal LDAP Module Problems
When things get tricky, sometimes it's best to go to PHP scripts or command line ldap queries to make sure a problem is in Drupal or the Drupal LDAP modules and not in the LDAP server, the PHP ldap extension, or particular ldap user or group entries.
- For authentication issues, make sure the user is able to use other software with their ldap credentials.
- Try a PHP script that is not tied to Drupal, such as the one in the ldap_help module within ldap_help/ldap_test_script. This will help isolate Drupal issues from PHP ldap extension and ldap server problems. This script could be integrated into ldap_help module also for generic testing.
- Use another tool such as apache directory or command line ldap queries
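A standalone PHP check of the kind described above, reporting which layer fails (PHP extension, TLS, credentials, or the user's entry). This is an added example, not the ldap_help module's ldap_test_script and not part of the original page. It assumes the server offers StartTLS, an Active Directory style sAMAccountName attribute, and a hypothetical LDAP_BIND_PW environment variable.

```php
<?php
// Added example: standalone LDAP check that does not load Drupal.
// Server, base DN and bind user are taken from the ldapsearch example on this page.
$uri      = 'ldap://192.168.50.2';
$base_dn  = 'dc=drupal,dc=local';
$bind_dn  = 'joe@drupal.local';
$bind_pw  = getenv('LDAP_BIND_PW');        // assumed env var; keeps the password out of the file
$username = isset($argv[1]) ? $argv[1] : 'joe';  // account to look up (sample value)
$attr     = 'sAMAccountName';              // assumed username attribute (Active Directory style)

// Report the failing step with the LDAP library's own error text, then stop.
function fail($step, $conn = NULL) {
  $detail = $conn ? ': ' . ldap_error($conn) . ' (errno ' . ldap_errno($conn) . ')' : '';
  fwrite(STDERR, "FAIL at {$step}{$detail}\n");
  exit(1);
}

// 1. PHP layer: without the extension nothing below can work.
if (!extension_loaded('ldap')) { fail('PHP ldap extension not loaded'); }
// An empty password turns a simple bind into an unauthenticated bind, which
// many servers accept, so the check would report a false success.
if ($bind_pw === FALSE || $bind_pw === '') { fail('LDAP_BIND_PW is not set'); }

// 2. Connection handle; the server is not contacted until StartTLS or bind.
$conn = ldap_connect($uri);
if (!$conn) { fail('ldap_connect'); }
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 5);

// 3. Network/TLS layer: encrypt the session before the password is sent.
if (!@ldap_start_tls($conn)) { fail('StartTLS', $conn); }
// 4. Credential layer.
if (!@ldap_bind($conn, $bind_dn, $bind_pw)) { fail('bind', $conn); }
// 5. Entry layer: escape the username so it cannot alter the filter (PHP 5.6+).
$filter = '(' . $attr . '=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
$result = @ldap_search($conn, $base_dn, $filter, array('cn', 'memberOf'));
if (!$result) { fail('search', $conn); }
$entries = ldap_get_entries($conn, $result);
echo "OK: {$entries['count']} entry(ies) matched {$filter}\n";
for ($i = 0; $i < $entries['count']; $i++) {
  echo '  ' . $entries[$i]['dn'] . "\n";
}
ldap_unbind($conn);
```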
Getting Good Results from LDAP Support/Issue Queue
- see: admin/config/people/ldap/help/issues
Debugging LDAP Authorization
- Go to the test form: admin/config/people/ldap/authorization/test/drupal_role
- Submit with a username.
- In the response page to the form, examine the "Prefiltered and Final Mappings" section. It lists all the "raw authorizations" or the authorizations before filtering and mapping. If you do not see the raw authorizations you expect, your ldap Strategy II.A, II.B, or II.C. is off. Otherwise your problem is likely in part III of the authorization configuration which triggers when authorization happens.
- There is some ability to see intermediary data in the authorization code. This can be helpful for debugging. Enable "detailed logging" as above. Then log on as the user in question. There will be detailed logs in watchdog of the ldap authorization steps.
- In the 7.1 branch, authorizations are stored in the $user->data array. To see this array, do the "Picking Through the Database" step for the user table. You should see authorization records in there.
Checking your LDAP server from the command line
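This is a good method to ensure the server is communicating correctly in the first place. Note that -w puts the bind password on the command line, where it lands in shell history and is visible in the process list; -W prompts for it instead, and adding -ZZ requires StartTLS so the simple bind (-x) does not cross the network in cleartext.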
$ ldapsearch -H ldap://192.168.50.2 -x -b dc=drupal,dc=local -D joe@drupal.local -w 'Thepassword123$'