AMS LDAP user login hangs and does not complete

Article ID: KB0072976

Products: TIBCO Streaming
Versions: 10.6 and later

Description

We have configured LDAP authentication for the TIBCO Artifact Management Server, but users are unable to log in. The login attempt appears to hang, and no errors are seen in the AMS web UI.

Issue/Introduction

Provides guidance on the case where AMS LDAP authentication hangs and does not allow the user to log in successfully.

Resolution

First, enable DEBUG level logging in the AMS server, as discussed in KB article 000045262. Then consider the following possible causes and related AMS log entries that identify each cause.
  • The selected principalSearch attribute is incorrect or has a typo.
2021-10-01 09:40:03.596 DEBUG (qtp1630986748-52) com.tibco.ep.ams.auth.AMSAuthenticationFilter:480 - 
Request: Request(GET //localhost:2185/ws/api/login?force=true)@49ce48a8, Authentication header: 
'Basic am11bGNhaGVAdGliY28uY29tOkRAcmtvZnNwYWMz', Request host: '0:0:0:0:0:0:0:1'
2021-10-01 09:40:03.596 DEBUG (qtp1630986748-52) com.tibco.ep.ams.auth.AMSAuthenticationFilter:152 - 
HTTP Request - X-Forwarded-For: None
2021-10-01 09:40:03.596 DEBUG (qtp1630986748-52) com.tibco.ep.ams.auth.AMSAuthenticationFilter:164 - 
HTTP Request Host: 0:0:0:0:0:0:0:1
In this case, the log does not report any errors, but logging stops at the "HTTP Request Host" message shown above. Consult your LDAP administrator to determine the correct LDAP attribute that identifies LDAP users. Some common attributes used are 'cn' (the user's common name), 'uid' (user id), and 'mail' (the user's email address).
  • The selected roleRoot attribute is incorrect.
2021-10-01 09:51:41.148 DEBUG (qtp83721081-61) com.tibco.ep.ams.auth.AMSLdapContextFactory:77 - 
Getting LDAP context for user 'CN=User One,OU=Users,DC=example,DC=com'
2021-10-01 09:51:41.236 DEBUG (qtp83721081-61) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:100 - 
In queryForAuthenticationInfo, creating LDAP contents for username: 'user1@example.com'
2021-10-01 09:51:41.322 DEBUG (qtp83721081-61) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:175 - 
In getRoleNamesForUser, principalRoot: 'dc=example,dc=com', searchFilter: '(&(objectClass=*)(mail={0}))', 
searchArguments: [user1@example.com], searchScope: 'SUBTREE_SCOPE'
Again, the AMS log does not report any errors, but logging stops at the 'In getRoleNamesForUser' step. This indicates that you should review your LDAP setting for roleRoot. It often helps to shorten the roleRoot value to the base DN for this LDAP system. In the above example, the base DN is 'dc=example,dc=com'.
  • The selected roleAttribute attribute is incorrect.
2021-10-01 09:24:41.539 DEBUG (qtp1558127130-52) com.tibco.ep.ams.auth.AMSAuthenticationFilter:480 - 
Request: Request(GET //localhost:2185/ws/api/login?force=true)@5da59665, Authentication header: 
'Basic am11bGNhaGVAdGliY28uY29tOkRAcmtvZnNwYWMz', Request host: '0:0:0:0:0:0:0:1'
2021-10-01 09:24:41.539 DEBUG (qtp1558127130-52) com.tibco.ep.ams.auth.AMSAuthenticationFilter:152 - 
HTTP Request - X-Forwarded-For: None
2021-10-01 09:24:41.540 DEBUG (qtp1558127130-52) com.tibco.ep.ams.auth.AMSAuthenticationFilter:164 - 
HTTP Request Host: 0:0:0:0:0:0:0:1
This case looks the same as the first one, where the selected principalSearch attribute is incorrect: logging stops silently at the 'HTTP Request Host' line. Again, consult your LDAP administrator as needed. Some common attributes used for roleAttribute are 'member', 'uniqueMember', and 'memberOf'.
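
The three patterns above can be checked mechanically. The following is an added example, not TIBCO code: a Python triage helper that finds the last DEBUG message logged per request thread and maps it to the settings this article associates with that stopping point. It also redacts the Basic credential that the excerpts show DEBUG logging writes into the log. The function names, hint strings and sample log are assumptions constructed for illustration.

```python
import re

# One AMS log entry header: timestamp, level, (thread), logger:line, message.
ENTRY = re.compile(r"^(\d{4}-\d\d-\d\d [\d:.]+) (\w+) +\(([^)]+)\) (\S+):\d+ - ?(.*)$")
BASIC = re.compile(r"(Basic )[A-Za-z0-9+/=]+")

# Last message logged before the hang, and the settings the article ties to it.
STALL_HINTS = [
    ("HTTP Request Host", "check principalSearch and roleAttribute"),
    ("In getRoleNamesForUser", "check roleRoot (try the base DN)"),
]

def parse(text):
    """Parse entries; wrapped continuation lines are joined to the previous entry."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            ts, _level, thread, logger, msg = m.groups()
            entries.append({"ts": ts, "thread": thread, "logger": logger, "msg": msg})
        elif entries and line.strip():
            entries[-1]["msg"] = (entries[-1]["msg"] + " " + line.strip()).strip()
    for e in entries:
        e["msg"] = BASIC.sub(r"\1<redacted>", e["msg"])  # keep credentials out of output
    return entries

def diagnose(text):
    """Map each request thread to (last message, hint) from where its logging stopped."""
    last = {e["thread"]: e for e in parse(text)}  # later entries overwrite earlier ones
    result = {}
    for thread, e in last.items():
        hint = next((h for marker, h in STALL_HINTS if e["msg"].startswith(marker)),
                    "no stall pattern from this article")
        result[thread] = (e["msg"], hint)
    return result

# Constructed sample modelled on the excerpts above; the credential is a dummy value.
SAMPLE = """\
2021-10-01 09:40:03.596 DEBUG (qtp1-52) com.tibco.ep.ams.auth.AMSAuthenticationFilter:480 -
Request: Request(GET //localhost:2185/ws/api/login?force=true)@0, Authentication header:
'Basic dXNlcjpwYXNz', Request host: '0:0:0:0:0:0:0:1'
2021-10-01 09:40:03.596 DEBUG (qtp1-52) com.tibco.ep.ams.auth.AMSAuthenticationFilter:164 -
HTTP Request Host: 0:0:0:0:0:0:0:1
2021-10-01 09:51:41.322 DEBUG (qtp2-61) com.tibco.ep.ams.auth.AMSActiveDirectoryRealm:175 -
In getRoleNamesForUser, principalRoot: 'dc=example,dc=com', searchFilter: '(&(objectClass=*)(mail={0}))'
"""
if __name__ == "__main__":
    for thread, (msg, hint) in diagnose(SAMPLE).items():
        print(f"{thread}: stopped at {msg[:45]!r} -> {hint}")
```

Run it against a log captured shortly after a hung login attempt; a thread that later logs further messages will no longer match either pattern.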