LDAP authentication issues on STRM



Article ID: KB19297 | KB Last Updated: 21 Oct 2010 | Version: 1.0

Configuration and authentication issues with LDAP on STRM.

This article addresses the following issues regarding LDAP authentication on STRM:

- Error when trying to edit/save LDAP authentication configuration on STRM.
- LDAP authentication is not working.

1. Error when trying to edit/save LDAP authentication configuration on STRM

The following error message is received when trying to edit/save the LDAP authentication configuration on STRM: "Your changes could not be saved successfully. Please check error logs for more details."

If the above message is displayed, check qradar.log for messages related to the authentication plugin, such as the following:

Oct 18 10:23:33 [tomcat] [admin@ (4014) /console/do/qradar/authenticationPlugin] com.q1labs.qradar.ui.action.AuthenticationPlugin: [ERROR] [NOT:0000003000][ -] [-/- -]/store/configservices/staging/globalconfig/krb5.conf (Permission denied)
Oct 18 10:23:33 [tomcat] [admin@ (4014) /console/do/qradar/authenticationPlugin] /store/configservices/staging/globalconfig/krb5.conf (Permission denied)

The above message indicates that the admin user does not have proper permissions to edit the krb5.conf file at the specified location. This krb5.conf file will only exist on the STRM unit if LDAP is configured.

Use chmod to grant the appropriate file system permissions on that file (chmod 775 on that file should typically help).

Once the permissions are changed, the admin user should be able to successfully make changes to the LDAP authentication configuration via the WebUI.
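
A read-only triage for the error above, as an added example that is not part of the original article or Juniper's own tooling: it pulls the denied file paths out of qradar.log and lists the current owner and mode of each file and its parent directory, so the permission change can be limited to what is missing. The function names are hypothetical, the log path is passed as an argument, and the sample log reuses the two lines shown above plus one constructed line.

```shell
#!/bin/sh
# Added example; denied_paths, show_access and sample_log are hypothetical names.

# Print each distinct file the authentication plugin could not open.
# $1 = path to qradar.log (its location is not given in the article; pass your own).
denied_paths() {
    grep -F 'authenticationPlugin' "$1" |
        grep -F '(Permission denied)' |
        sed -n 's|.*[] ]\(/[^ ]*\) (Permission denied).*|\1|p' |
        sort -u
}

# Show owner, group and mode of the file and of its parent directory,
# without changing anything.
show_access() {
    ls -ld "$1" "$(dirname "$1")" 2>&1
}

# Sample input: the two log lines from the article plus one constructed
# INFO line that must not produce a result.
sample_log() {
    cat <<'EOF'
Oct 18 10:23:33 [tomcat] [admin@ (4014) /console/do/qradar/authenticationPlugin] com.q1labs.qradar.ui.action.AuthenticationPlugin: [ERROR] [NOT:0000003000][ -] [-/- -]/store/configservices/staging/globalconfig/krb5.conf (Permission denied)
Oct 18 10:23:33 [tomcat] [admin@ (4014) /console/do/qradar/authenticationPlugin] /store/configservices/staging/globalconfig/krb5.conf (Permission denied)
Oct 18 10:24:01 [tomcat] [admin@ (4014) /console/do/qradar/authenticationPlugin] constructed INFO line without an error
EOF
}

# Stand-alone use: sh triage.sh /path/to/qradar.log
if [ -n "${1:-}" ]; then
    denied_paths "$1" | while IFS= read -r p; do
        show_access "$p"
    done
fi
```

Run it before and after the chmod to confirm which permission bits actually changed on the file.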

2. LDAP authentication is not working

The LDAP implementation on STRM authenticates users against a Lightweight Directory Access Protocol (LDAP) server using Kerberos.
Hence, ensure that the proper ports for Kerberos communication are open on the LDAP server, in addition to port 389, which is used by LDAP.

For example, Kerberos 5 uses port 88, which must be open on the LDAP server for LDAP authentication to work on STRM.

The admin can telnet to the LDAP server on port 88 from the STRM console to verify whether the port is open. Without this port (the Kerberos authentication port) being open, LDAP authentication will not work.
