Troubleshooting Active Directory

Common FileCloud Active Directory problems and solutions

Trouble establishing a connection with Active Directory:

  1. In Settings > Authentication on the Active Directory tab, make sure you have followed the instructions for entering the settings shown in Active Directory Authentication under AD Configuration Parameters.
  2. Check that the port you have specified (either 389 or 636) is open on the AD server for connections from the FileCloud server.
    You can use the telnet command to confirm that it is open:
    telnet [ip address] [port]
    For example, if the AD server's IP address were 192.168.1.191 and the port were 389, you would enter:

    telnet 192.168.1.191 389
  3. Confirm that you have entered an account in AD Account Name. This account is used to query the AD server and must be present.
    If you have entered a value in Limit Login to AD Group (see below), the account you enter into AD Account Name must be a member of that AD group.
  4. Confirm that you have entered an AD Account Password and that it is correct.

Verify your AD settings using the following steps:

Once all data is entered and saved, test the AD settings by clicking the AD Test button at the top of the Active Directory settings.


A Test AD Configuration dialog box opens.

You can run the following tests:

  1. Validate AD settings.
    1. Click the Validate AD Settings button to perform basic connectivity tests with the AD server.
      You should receive the response:

      If the tests fail, then check your AD settings to ensure all the data is present and is accurate.
  2. List Groups
    1. Once AD settings are validated, click List Groups to view the list of groups read from the server.  
      You should see a list similar to:

       
  3. Get Group Member
    1. Click List Groups, then select a group and click Select.

      The Group name appears in the Test AD Configuration dialog box. 
      (You can also enter the group name directly into the text box without selecting from the AD Group List popup.)
    2. Click Get Group Members.

      The AD Members List should list the correct members of the group:

      Note: The group members are NOT automatically added to FileCloud.
  4. Verify User Access
    1. Enter a specific user name and password and click Test Login to make sure the user can log in to AD. 
      If not, check that the AD suffix or prefix entered in AD Account Suffix or AD Logon Name Prefix in the FileCloud admin portal matches the one on the AD server.
    2. Enter a specific user name and password and click Get Email ID. 
      This should return the correct email address for a user account from AD. If a valid email address is not returned, then FileCloud cannot import the user account. Check if the email address is included for the user on the AD Server.

Here are some common AD connectivity error messages and their meanings:

Either the Hostname or IP address is wrong or the FileCloud server is not able to contact the AD server on the port specified.


Either the AD account name or password is incorrect or the Logon prefix or suffix is incorrect.


Either the value in AD BASE DN is wrong or the limit group is set and the AD account name is not part of that group.


Some users have trouble logging in 

If you check Users have the same Account Suffix, you are prompted to enter the AD Account Suffix. If you uncheck it, you are prompted to enter AD Logon Name Prefix. Make sure that whichever you use applies to all of your AD users who access FileCloud. If it doesn't, users it does not apply to will not be able to log in to FileCloud.


No users can log in, or you cannot import them into FileCloud:

Check if Mail Attribute is filled in. If it is not, users cannot log in or be imported. This is normally set to mail.

Using the logs to find errors

FileCloud stores all errors associated with AD in the logs.
By default, the log level in FileCloud is set to PROD.

  1. Change the log level to DEV to create more detailed entries:
    1. In the admin portal, go to Settings > Server and set Log Level to DEV.
  2. Repeat the steps that caused the error.
  3. Open the log file:
    In Windows: C:\xampp\htdocs\scratch\logs
    In Linux: /var/www/html/scratch/logs

If you see error messages similar to:

2022-05-18 23:03:12.265388 ERROR: [16529329921474] Unable to find provider by name: 0bf0d8c9a7544ce179a7fb1f802dde5f
2022-05-18 23:03:12.265559 ERROR: [16529329921474] Unable to connect to AD server with david username:
2022-05-18 23:03:12.265608 DEBUG: [16529329921474] User `david` has not been authenticated with provider CodeLathe\Core\Subsystem\Security\Auth\AD\Provider\ADProvider class
2022-05-18 23:03:12.357099 DEBUG: [16529329921474] FAILED LOGIN: Invalid Username or Password

Do the following:

    • Check if the AD login and password are correct.
    • Check if the user has an email address in the AD server.
    • If the user is already imported into the FileCloud server, check if the user's email in FileCloud and email in the AD server match.


If you were authenticating a user (for this example, authenticating user david on host 192.168.1.14) and see error messages similar to:

2022-05-18 23:11:27.296483 NOTICE: [16529334871841] Phone number is invalid for imported user - david
2022-05-18 23:11:27.297668 DEBUG: [16529334871841] User email `david@test.com` does not match AD user email `david@gmd.com`.
2022-05-18 23:11:27.297760 DEBUG: [16529334871841] User `david` has NOT been authenticated.

These messages indicate that the user's email address in the AD server doesn't match the user's email address in FileCloud.
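
The log triage described above can be scripted. The following is an added example, not FileCloud code: it groups log lines by the bracketed request ID and reports which of the two failure patterns shown on this page each failed login matches. The line layout is inferred from the sample lines above, and the names triage, ad_login_failed and email_mismatch are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the log excerpts shown on this page, joined into one text.
SAMPLE_LOG = r"""2022-05-18 23:03:12.265388 ERROR: [16529329921474] Unable to find provider by name: 0bf0d8c9a7544ce179a7fb1f802dde5f
2022-05-18 23:03:12.265559 ERROR: [16529329921474] Unable to connect to AD server with david username:
2022-05-18 23:03:12.265608 DEBUG: [16529329921474] User `david` has not been authenticated with provider CodeLathe\Core\Subsystem\Security\Auth\AD\Provider\ADProvider class
2022-05-18 23:03:12.357099 DEBUG: [16529329921474] FAILED LOGIN: Invalid Username or Password
2022-05-18 23:11:27.296483 NOTICE: [16529334871841] Phone number is invalid for imported user - david
2022-05-18 23:11:27.297668 DEBUG: [16529334871841] User email `david@test.com` does not match AD user email `david@gmd.com`.
2022-05-18 23:11:27.297760 DEBUG: [16529334871841] User `david` has NOT been authenticated.
"""

# Layout inferred from the samples: "<date> <time> <LEVEL>: [<request id>] <message>"
LINE_RE = re.compile(r"^(\S+ \S+) ([A-Z]+): \[(\d+)\] (.*)$")
USER_RE = re.compile(r"User `([^`]+)` has (?:not|NOT) been authenticated")
# Message patterns from the samples, mapped to hypothetical cause labels.
RULES = [
    (re.compile(r"User email `[^`]*` does not match AD user email"), "email_mismatch"),
    (re.compile(r"Unable to connect to AD server with \S+ username"), "ad_login_failed"),
]

def triage(log_text):
    """Group lines by request id; return one finding per failed authentication."""
    requests = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            requests[m.group(3)].append(m.group(4))
    findings = []
    for req_id, messages in requests.items():
        user = next((u.group(1) for msg in messages if (u := USER_RE.search(msg))), None)
        if user is None:
            continue  # request contains no failed authentication
        cause = next((label for pattern, label in RULES
                      if any(pattern.search(msg) for msg in messages)), "unknown")
        findings.append({"request": req_id, "user": user, "cause": cause})
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For ad_login_failed, work through the three checks listed above; for email_mismatch, align the user's email address in FileCloud with the one in AD.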

To restrict login to FileCloud to specific AD users only

  1. Create a group in AD and add only those users who should be able to log in to FileCloud.
  2. In Limit Login to AD Group, enter the name of the AD group.