Article Number
000036645
Applies To
Product(s): Archer
Version(s): All Versions
Primary Deployment: On Premises
Description
The purpose of this article is to explain how to troubleshoot LDAP Users/Groups in Archer.
This article covers:
This article covers:
1. Troubleshooting LDAP Users using the Microsoft DebugView tool.
2. Troubleshooting LDAP Users/Groups using the TestLDAPSchema page.
2. Troubleshooting LDAP Users/Groups using the TestLDAPSchema page.
Resolution
Troubleshoot LDAP Users using the Microsoft DebugView tool
This tool is free and can be downloaded from the following link: DebugView v4.90.
Below are the steps on how to use the tool:
1. Extract the zip file and install the Microsoft DebugView tool.
2. Before running the Microsoft DebugView tool, you will need to find out the Process ID of the process performing the LDAP Sync:
a. Open Windows Task Manager and click on the Details tab.
b. The name of the LDAP Sync Process is called Archer.Services.DataFeedService.exe.
c. Note down the Process ID from the PID column (in this case, it is 4760).
3. Open the Microsoft DebugView tool.
4. Go to Filter (the funnel icon within DebugView) and open the filter. By default, the filter uses the '*' (wild card) symbol under the Include section to capture information on all running processes in Windows.
5. Since it is intended to capture the LDAP Sync process only, filter the DebugView tool to capture only the LDAP Sync process. In the Include section, configure the filter by inserting the LDAP Sync process ID then click OK.
6. Then click Capture and enable Capture Global Win32.
7. Following this, the output will appear (as shown below) showing the LDAP service capturing normal traffic. If there were errors within the LDAP traffic, these may appear as well. Also, once a new LDAP username is added to the Active Directory and the LDAP Sync runs in Archer, the new LDAP username will show.
Troubleshoot LDAP Users/Groups using the TestLDAPSchema page
Archer comes with the TestLDAPSchema.aspx tool which can be found at ..\Program Files\Archer\Tools\Utilities\LdapTestPage.
The tool can be used to test the LDAP configuration before actually running it in Archer. In addition, when configuring LDAP in Archer, you may use a filter to pull out LDAP Users/Groups which the tool can also be used to check.
For instance, if you are unable to pull LDAP Users/Groups into Archer then this tool can be used to test and verify your filter.
Below are the steps on how to use the tool:
1. Navigate to C:(root directory may vary)\Program Files\Archer\Tools\Utilities\LdapTestPage.
2. Copy the TestLDAPSchema.aspx file to the Web Server.
3. Navigate to the Web Server and go to C:(root directory may vary)\inetpub\wwwroot\Archer.
4. Paste the TestLDAPSchema.aspx file to this directory.
5. Login to Archer since you must have an established session for this to work (login to Archer first before proceeding).
6. Go to the Archer Control Panel and find out the Base URL of the Archer instance.
7. Copy it to the text file then add/append TestLDAPSchema.aspx to the Base URL. For instance, if your Archer Base URL is https://Servername/Archer then append TestLDAPSchema.aspx and it will be https://Servername/Archer/TestLDAPSchema.aspx.
8. Then paste it into the browser, and this will bring up the TestLDAPSchema page (as shown below).
9. Obtain the LDAP configuration ID by following the below steps:
a. Login to Archer.
b. Navigate to Administration menu > Access Control > Manage LDAP Configurations.
c. From the eye icon at the top right corner, choose ID. This will show you the LDAP Configuration ID.
10. Then input that ID (from the step above) in the TestLDAPSchema page and click Load LDAP Config which will populate all the settings of your LDAP configuration to the test page (as shown below).
0EMVM00000675ty.png
11. Next, populate the Filter by copying the existing Filter from the Archer LDAP Configuration and paste it into the Filter field in the TestLDAPSchema page.
12. Then hit Query for Users or other options as well. The output of Query for Users returns the username and their group membership plus other attributes. By using the TestLDAPSchema page, it helps to find out whether you are able to pull the username and their group membership. For instance, if you are unable to pull usernames and their group memberships in the LDAP Configuration in Archer, you can use the TestLDAPSchema page to see if you are getting the same behavior; and if that is the case, you would need to go back to your Windows Administrator to check and review the LDAP server settings.
This is an example of an LDAP filter to get active users only: (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
0EMVM00000675ty.png11. Next, populate the Filter by copying the existing Filter from the Archer LDAP Configuration and paste it into the Filter field in the TestLDAPSchema page.
12. Then hit Query for Users or other options as well. The output of Query for Users returns the username and their group membership plus other attributes. By using the TestLDAPSchema page, it helps to find out whether you are able to pull the username and their group membership. For instance, if you are unable to pull usernames and their group memberships in the LDAP Configuration in Archer, you can use the TestLDAPSchema page to see if you are getting the same behavior; and if that is the case, you would need to go back to your Windows Administrator to check and review the LDAP server settings.
This is an example of an LDAP filter to get active users only: (&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))
0EMVM00000676i1.png
0EMVM00000676i2.png