ARTIFACTORY: Troubleshooting LDAP Failures After Upgrade

Products: Frog_Artifactory
Content Type: Administration_Platform
Author: Jeremy Leopold
Article Number: 000006400
Source Type: Salesforce
First Published: 2025-04-06T10:24:35Z
Last Modified: 2025-04-06
Version: 1
Introduction

After upgrading Artifactory, LDAP authentication may fail because of configuration changes or certificate validation issues. One likely cause is that, as of Artifactory version 7.90.5 Self-Hosted, the Access service runs on a dedicated Java Virtual Machine (JVM), so JVM-level settings made for Artifactory no longer apply to Access. This guide outlines steps to troubleshoot and resolve LDAP failures by enabling debug logging and adjusting configuration settings.

Enabling LDAP Debug Loggers

To facilitate troubleshooting, enable LDAP debug logging (on each node of an HA cluster) before reproducing the issue. This is done by modifying the Access service logback.xml file located at $JFROG_HOME/artifactory/var/etc/access/.
Please note that these loggers are applicable from Artifactory version 7.71.x and up.

Append the following configuration:

<!-- Access logback configuration -->
<appender name="ldap" class="ch.qos.logback.core.rolling.RollingFileAppender">
  <File>${log.dir}/access-ldap.log</File>
  <rollingPolicy class="org.jfrog.common.logging.logback.rolling.FixedWindowWithDateRollingPolicy">
    <FileNamePattern>${log.dir.archived}/access-ldap.%i.log.gz</FileNamePattern>
    <maxIndex>10</maxIndex>
  </rollingPolicy>
  <triggeringPolicy class="ch.qos.logback.core.rolling.SizeBasedTriggeringPolicy">
    <MaxFileSize>25MB</MaxFileSize>
  </triggeringPolicy>
  <encoder class="ch.qos.logback.core.encoder.LayoutWrappingEncoder">
    <layout class="org.jfrog.common.logging.logback.layout.BackTracePatternLayout">
      <pattern>%date{yyyy-MM-dd'T'HH:mm:ss.SSS, UTC}Z [jfrt ] [%-5p] [%-16X{uber-trace-id}] [%-30.30(%c{3}:%L)] [%-20.20thread] - %m%n</pattern>
    </layout>
  </encoder>
</appender>

<logger name="org.springframework.security.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>
<logger name="org.jfrog.access.server.service.auth.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>
<logger name="org.jfrog.automation.access.client.model.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>
<logger name="org.jfrog.access.server.rest.resource.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>
<logger name="org.jfrog.access.server.security.authentication.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>
<logger name="org.jfrog.access.server.rest.resource.ui.ldap" additivity="false">
  <level value="trace"/>
  <appender-ref ref="ldap"/>
</logger>

Note: Debug loggers are highly verbose and may impact system performance. It is recommended to remove them once troubleshooting is completed.

Resolving Certificate Path Issues

If the logs display an error similar to:
Error PKIX path building failed, unable to find valid certification path to requested target

The trust store (certificate path) may have been defined only for the Artifactory JVM and not for the Access JVM, so Access falls back to the default Java trust store, which does not contain the LDAP server's CA certificate.

To resolve this, define the trust store path in system.yaml for both the shared and the access sections, as in the example below (system.yaml keys are lowercase and case-sensitive):
shared:
  extraJavaOpts: -Djavax.net.ssl.trustStore=/java_trust_store/cacert

access:
  extraJavaOpts: -Djavax.net.ssl.trustStore=/java_trust_store/cacert

After applying this configuration, restart Artifactory for the changes to take effect.
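The following POSIX shell script is an added example and is not part of this article or of JFrog's tooling. It checks the two things the procedure above relies on: whether access-ldap.log contains the PKIX certification-path error, and whether system.yaml sets -Djavax.net.ssl.trustStore under both the shared and the access sections and points at a file that exists. The default paths, the "check" argument, the TRUSTSTORE_PASS variable and the default trust store password "changeit" are assumptions; adjust them to your installation.

```shell
#!/bin/sh
# Added example (not from the JFrog article): sanity checks for the LDAP
# trust store fix. Default paths below are assumptions based on the
# standard $JFROG_HOME layout; override them via environment variables.

JFROG_HOME="${JFROG_HOME:-/opt/jfrog}"
SYSTEM_YAML="${SYSTEM_YAML:-$JFROG_HOME/artifactory/var/etc/system.yaml}"
ACCESS_LDAP_LOG="${ACCESS_LDAP_LOG:-$JFROG_HOME/artifactory/var/log/access-ldap.log}"

# truststore_for SECTION FILE
# Prints the value of -Djavax.net.ssl.trustStore= found under the given
# top-level system.yaml section (shared or access); prints nothing if unset.
truststore_for() {
  section="$1"; file="$2"
  awk -v sec="$section" '
    /^[A-Za-z_]+:/ { cur = $1; sub(/:$/, "", cur) }   # remember current top-level key
    cur == sec && /-Djavax\.net\.ssl\.trustStore=/ {
      match($0, /-Djavax\.net\.ssl\.trustStore=[^ "]+/)
      v = substr($0, RSTART, RLENGTH)
      sub(/^-Djavax\.net\.ssl\.trustStore=/, "", v)
      print v; exit
    }' "$file"
}

# check_truststore FILE
# Since Access runs in its own JVM, a trust store set only under "shared"
# (or only under "access") leaves one JVM on the default cacerts, which is
# exactly the PKIX failure the article describes. Returns 0 only when both
# sections set a trust store and every referenced file exists.
check_truststore() {
  file="$1"
  shared_ts="$(truststore_for shared "$file")"
  access_ts="$(truststore_for access "$file")"
  rc=0
  [ -n "$shared_ts" ] || { echo "shared.extraJavaOpts: no trustStore set"; rc=1; }
  [ -n "$access_ts" ] || { echo "access.extraJavaOpts: no trustStore set (Access JVM uses default cacerts)"; rc=1; }
  if [ -n "$shared_ts" ] && [ -n "$access_ts" ] && [ "$shared_ts" != "$access_ts" ]; then
    echo "warning: shared and access point at different trust stores"
  fi
  for ts in $shared_ts $access_ts; do
    [ -f "$ts" ] || { echo "trust store file not found: $ts"; rc=1; }
  done
  return $rc
}

# count_pkix_errors LOGFILE
# Counts lines in access-ldap.log carrying the certification-path error from
# the article. Prints 0 when the log does not exist or has no such lines.
count_pkix_errors() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -c 'PKIX path building failed' "$1" || true
}

# list_truststore_owners TRUSTSTORE
# Lists the Owner DNs in a JKS/PKCS12 trust store so you can confirm the
# LDAP server's issuing CA is actually present. Uses keytool from the JDK
# on PATH; skipped when keytool is unavailable. Password defaults to the
# well-known "changeit" (assumption) unless TRUSTSTORE_PASS is set.
list_truststore_owners() {
  command -v keytool >/dev/null 2>&1 || { echo "keytool not on PATH; skipping"; return 0; }
  keytool -list -v -keystore "$1" -storepass "${TRUSTSTORE_PASS:-changeit}" 2>/dev/null | grep '^Owner:'
}

# Run the checks only when invoked as: sh check_access_ldap.sh check
if [ "${1:-}" = "check" ]; then
  echo "PKIX errors in $ACCESS_LDAP_LOG: $(count_pkix_errors "$ACCESS_LDAP_LOG")"
  if check_truststore "$SYSTEM_YAML"; then
    list_truststore_owners "$(truststore_for access "$SYSTEM_YAML")"
  fi
fi
```

Run it before and after editing system.yaml: a non-zero PKIX count together with "access.extraJavaOpts: no trustStore set" is the combination the article attributes to the Access service running on its own JVM, and the Owner listing lets you confirm the CA that issued the LDAP server's certificate is in the store before restarting Artifactory.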


Additional Resources

For further troubleshooting, refer to:
LDAP Debugging Guide
How to troubleshoot LDAP configuration
How does LDAP/AD group sync/mapping work?