Troubleshooting LDAP problems

LDAP Debugging Guide

Author: Patrick Russell
Article number: 000004524
Source: Salesforce
First published: 2019-08-14T23:20:34Z
Last modified: 2024-03-10T07:43:52Z
Version: 9

Search base problems: Frequently, when the Artifactory system is being set up for the first time, the search base field is used incorrectly. The search base limits the LDAP directories that Artifactory will use to look for users. If the search base is too broad, the search will take a long time and cause timeouts. If it is too narrow, users with LDAP coordinates outside of the search base will not be able to log in.

The LDAP debug loggers record users' LDAP coordinates when they log in. You can use this information to fine-tune the search base accordingly. If users are located in a few specific LDAP directories, you can try to use multiple LDAP settings in Artifactory. These settings can share the same LDAP URL and other information but have completely different search bases.
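The following script is an added example, not code from the original article or from JFrog. It takes user DNs of the kind the debug logger records on login (the values below are constructed) and a candidate search base, reports which users a search rooted at that base would never find, and computes the tightest single base that still covers everyone, which is the decision the paragraph above asks you to make by hand.

```python
"""Check which LDAP user DNs fall under an Artifactory search base.

Added example (not part of the original article). It assumes the user DNs
were copied out of the LDAP debug log and that the search base is written as
a DN string, as in the Artifactory LDAP settings screen.
"""
import re

# Constructed sample values, in the shape the debug logger records on login.
SAMPLE_USER_DNS = [
    "uid=alice,ou=engineering,ou=people,dc=example,dc=com",
    "uid=bob,ou=sales,ou=people,dc=example,dc=com",
    "uid=svc-build,ou=service-accounts,dc=example,dc=com",
    "UID=Carol, OU=Engineering, OU=People, DC=example, DC=com",  # odd casing/spacing
]

# Split a DN on commas that are not escaped; "cn=a\,b" stays one RDN.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def dn_components(dn):
    """Return the RDNs of a DN, lowercased and with surrounding whitespace removed."""
    return [part.strip().lower() for part in _RDN_SPLIT.split(dn) if part.strip()]


def in_search_base(user_dn, search_base):
    """True if user_dn is the search base itself or lies beneath it in the tree."""
    user = dn_components(user_dn)
    base = dn_components(search_base)
    return len(user) >= len(base) and user[-len(base):] == base


def out_of_scope(user_dns, search_base):
    """DNs that a search rooted at search_base would never return (login fails)."""
    return [dn for dn in user_dns if not in_search_base(dn, search_base)]


def narrowest_common_base(user_dns):
    """Longest DN suffix shared by every DN in the list.

    This is the tightest single search base that still covers all of the
    listed users; if it comes out as bare 'dc=...' components, the users are
    spread across branches and separate LDAP settings per branch may be better.
    """
    if not user_dns:
        return ""
    # Compare from the root (rightmost RDN) inwards.
    reversed_parts = [list(reversed(dn_components(dn))) for dn in user_dns]
    common = []
    for level in zip(*reversed_parts):
        if all(rdn == level[0] for rdn in level):
            common.append(level[0])
        else:
            break
    return ",".join(reversed(common))


if __name__ == "__main__":
    base = "ou=people,dc=example,dc=com"
    print("search base:", base)
    for dn in out_of_scope(SAMPLE_USER_DNS, base):
        print("  would NOT be found:", dn)
    print("tightest base covering all sample users:", narrowest_common_base(SAMPLE_USER_DNS))
```

Run it against the DNs from your own ldap.log: an empty out-of-scope list means the configured base is wide enough; a common base that collapses to the domain components means the users live in different branches, which is the case for multiple LDAP settings described above.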

Networking issues: If the LDAP connection test button fails and returns a networking error, the cause is usually the LDAP URL. The ldaps protocol can be particularly tricky: because it uses SSL encryption, the host in the URL needs to match the certificate's common name. The LDAP debug loggers will record any additional networking issues or information in the ldap.log file.
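To make the name-matching requirement concrete, here is an added example (not code from the original article or from JFrog) that parses an LDAP URL the way the connection test would see it, applies the default ports for ldap:// and ldaps://, and checks the URL host against the names in the server certificate. The certificate names below are constructed; in practice take them from the certificate the server presents (its Subject CN and, since most TLS clients now check them, its Subject Alternative Names) and the URL from the Artifactory LDAP settings.

```python
"""Check that an ldaps:// URL's host is covered by the server certificate's names.

Added example (not part of the original article). CERT_NAMES is a constructed
stand-in for the CN and subjectAltName entries of the real certificate.
"""
from urllib.parse import urlparse

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# Constructed: names the LDAP server's certificate is assumed to carry.
CERT_NAMES = ["ldap.example.com", "*.corp.example.com"]


def parse_ldap_url(url):
    """Return (scheme, host, port) for an LDAP URL, filling in the default port."""
    parts = urlparse(url)
    if parts.scheme not in DEFAULT_PORTS:
        raise ValueError(f"not an LDAP URL scheme: {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("LDAP URL has no host component")
    return parts.scheme, parts.hostname.lower(), parts.port or DEFAULT_PORTS[parts.scheme]


def name_matches(cert_name, host):
    """RFC 6125-style comparison: exact match, or a '*' in the leftmost label only.

    '*.example.com' covers 'ldap.example.com' but neither 'example.com'
    nor 'a.b.example.com'; an IP address in the URL never matches a DNS name.
    """
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name == host:
        return True
    if not cert_name.startswith("*."):
        return False
    suffix = cert_name[1:]  # ".example.com"
    if not host.endswith(suffix) or len(host) <= len(suffix):
        return False
    return "." not in host[: -len(suffix)]


def diagnose(url, cert_names):
    """Explain whether the URL host will pass certificate hostname verification."""
    scheme, host, port = parse_ldap_url(url)
    if scheme == "ldap":
        return f"plain ldap:// to {host}:{port}; no certificate name check applies"
    if any(name_matches(name, host) for name in cert_names):
        return f"ok: {host}:{port} is covered by the certificate"
    return (f"mismatch: URL host {host!r} is not among the certificate names "
            f"{sorted(cert_names)}; the LDAP URL must use one of those names")


if __name__ == "__main__":
    for url in ("ldaps://ldap.example.com/dc=example,dc=com",
                "ldaps://10.0.0.5/dc=example,dc=com",
                "ldaps://dc01.corp.example.com:3269/dc=corp,dc=example,dc=com"):
        print(url, "->", diagnose(url, CERT_NAMES))
```

The second URL in the usage block shows the classic failure: the server is reachable by IP, so a plain port test succeeds, yet the TLS handshake is rejected because no certificate name equals "10.0.0.5". Fixing the URL to the certificate's DNS name resolves it without touching the server.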

Another common issue occurs when networking failures cause a login to time out. This can trigger an intermittent build failure problem. One solution to this problem is to increase login cache times so Artifactory does not check the LDAP server as often.

The cache settings can be updated in the $JFROG_HOME/etc/access/access.config.import.yml file in Artifactory 7.71 and up:

# To change the configuration in an Access service, follow these instructions:
# 1. Find the value you want to update
# 2. Set the value in the access.config.latest.yml file under [$JFROG_HOME]/artifactory/var/etc/access
# 3. Change access.config.latest.yml to access.config.import.yml
# 4. Restart Access
---
security:
  authentication:
    users:
      cache:
        # Number of seconds Access waits before deleting an entry from the cache
        # Suggestion: Set to 3000 to see if the issue is resolved
        expire-after-write-seconds: 300
        maximum-size: 10000              # maximum number of entries allowed in the cache
    groups:
      cache:
        expire-after-write-seconds: 300 # number of seconds Access waits before deleting an entry from the cache
    jfrog-client-login:
      cache:
        expire-after-write-seconds: 300 # number of seconds Access waits before deleting an entry from the cache
        maximum-size: 10000              # maximum number of entries allowed in the cache

There are other LDAP settings you can adjust in this file; they are documented on our wiki.

## Old (7.70 and below) artifactory.system.properties value
## Number of seconds for authentications to idle in the cache
artifactory.security.authentication.cache.idleTimeSecs=300

Locked user issues: When an account is locked, there can be two possible states. The first is triggered when a user is attempting to log in and fails to do so, which then causes their LDAP account to be locked. The second occurs when the LDAP manager's account becomes locked.

To run an LDAP search, Artifactory uses the credentials of an LDAP manager. These credentials can be misconfigured or changed, causing the manager's account to be locked on the LDAP side. If this happens, the "DEBUG" error will be printed in full when the LDAP debug logger is used, rather than as a truncated "ERROR" line. If a manager account lockout has occurred, an LDAP administrator will typically need to be called upon to unlock either the user account or the manager account.
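Telling a locked user apart from a locked manager account is quicker when the server's own diagnostic text in the debug output is decoded. The script below is an added example, not code from the original article or from JFrog: the log lines are constructed to resemble debug output that quotes the server's bind-failure message (the real ldap.log wording differs; only the "data NNN" sub-code is relied on), and the sub-code table is the one Active Directory returns with LDAP result 49. Against another directory server this table does not apply.

```python
"""Decode Active Directory bind-failure sub-codes found in LDAP debug output.

Added example (not part of the original article). SAMPLE_LOG is constructed;
the DN given to locked_accounts() is the manager DN from the Artifactory LDAP
settings and is also a constructed value here.
"""
import re
from collections import Counter

# Sub-codes Active Directory attaches to LDAP result 49 (invalidCredentials).
AD_BIND_SUBCODES = {
    "525": "user not found",
    "52e": "invalid credentials (wrong password)",
    "530": "not permitted to log on at this time",
    "531": "not permitted to log on from this workstation",
    "532": "password expired",
    "533": "account disabled",
    "701": "account expired",
    "773": "user must reset password",
    "775": "account locked out",
}

# Constructed sample lines: timestamps, DNs and the quoted AD message are made up.
SAMPLE_LOG = """\
2024-03-10T07:40:01Z [DEBUG] bind failed for dn="uid=bob,ou=people,dc=example,dc=com": AcceptSecurityContext error, data 52e
2024-03-10T07:40:09Z [DEBUG] bind failed for dn="uid=bob,ou=people,dc=example,dc=com": AcceptSecurityContext error, data 775
2024-03-10T07:41:30Z [DEBUG] bind failed for dn="cn=artifactory-svc,ou=service-accounts,dc=example,dc=com": AcceptSecurityContext error, data 775
2024-03-10T07:42:00Z [INFO] search base ou=people,dc=example,dc=com returned 1 entry
"""

# The DN that failed to bind, followed somewhere later by AD's "data <hex>" sub-code.
_BIND_FAILURE = re.compile(
    r'dn="(?P<dn>[^"]+)".*?AcceptSecurityContext error, data (?P<code>[0-9a-fA-F]+)'
)


def parse_bind_failures(log_text):
    """Yield (dn, sub-code, meaning) for every line that carries an AD sub-code."""
    for line in log_text.splitlines():
        match = _BIND_FAILURE.search(line)
        if match:
            code = match.group("code").lower()
            yield match.group("dn").lower(), code, AD_BIND_SUBCODES.get(code, "unknown sub-code")


def locked_accounts(log_text, manager_dn):
    """Return (sorted locked user DNs, manager_locked).

    A lockout of the manager DN blocks the search Artifactory runs for every
    login, so it is reported separately from lockouts of individual users.
    """
    manager_dn = manager_dn.lower()
    locked = {dn for dn, code, _ in parse_bind_failures(log_text) if code == "775"}
    return sorted(locked - {manager_dn}), manager_dn in locked


def code_histogram(log_text):
    """Count sub-codes; a run of 52e followed by 775 is the
    wrong-password-until-lockout pattern behind most user lockouts."""
    return Counter(code for _, code, _ in parse_bind_failures(log_text))


if __name__ == "__main__":
    manager = "cn=artifactory-svc,ou=service-accounts,dc=example,dc=com"
    users, manager_locked = locked_accounts(SAMPLE_LOG, manager)
    print("locked users:", users)
    print("manager account locked:", manager_locked)
    for code, count in code_histogram(SAMPLE_LOG).items():
        print(f"  data {code}: {count} x {AD_BIND_SUBCODES.get(code, 'unknown')}")
```

If the manager flag comes back true, every user login will fail regardless of their own account state, which is the case that needs the LDAP administrator; a 775 against a single user DN is the ordinary per-user lockout.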