Issue
Troubleshooting of LDAP integration issues can be difficult, as PingFederate does not natively log all that is going on under the covers. We recently ran into a case in which, after a product upgrade, PingFederate Admin Console authentication stopped working when using LDAP authentication. This resulted in a ton of head-scratching and frustration, as double and triple-checks confirmed that nothing else changed.
PingFederate solution
Since the days that PingFederate began using the UnboundID libraries for LDAP integration, a neat little trick is available to turn on the logging of the LDAP classes to see what is going on. By enabling this logging, we were able to see what PingFederate was getting back from LDAP binds/searches, in voluminous detail in the server.log file. The trick is to add the following lines at the end of the PingFederate run.properties file:
#---------------------------------
# Enable LDAP Logging
#---------------------------------
#
# These properties will enable LDAP logging in the server.log
# Additional settings for debug level include: "ALL", "SEVERE",
# "WARNING", "INFO", "CONFIG", "FINE", "FINER", "FINEST", "OFF"
com.unboundid.ldap.sdk.debug.enabled=true
com.unboundid.ldap.sdk.debug.level=ALL
By making this change and restarting the PingFederate server, we were able to troubleshoot the issue and determine what was going on by combing through the server log. Interestingly, we identified that starting in PingFederate version 8, the syntax for administrator roles became case sensitive, which was not the case in PingFederate version 7.
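As an added helper (not part of the original post or of PingFederate itself), the following POSIX shell function applies the two run.properties settings above without duplicating them when they are already present from an earlier troubleshooting session, validates the level against the list in the comment block, and treats OFF as "also set enabled=false" so the voluminous output stops once you are done. The file path and the helper names are assumptions for illustration; restart PingFederate after running it, as described above.

```shell
#!/bin/sh
# Added helper, not from the original post: set the two UnboundID LDAP SDK
# debug properties in a PingFederate run.properties file, replacing them in
# place if an earlier troubleshooting session already left them there.
# The level names are the ones listed in the post's comment block.
# Usage: set_ldap_debug /path/to/run.properties ALL   (restart PingFederate after)

set_ldap_debug() {
    file="$1"
    level="$2"
    case "$level" in
        ALL|SEVERE|WARNING|INFO|CONFIG|FINE|FINER|FINEST|OFF) ;;
        *) echo "invalid level: $level" >&2; return 1 ;;
    esac
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    # Helper convention: OFF also flips the enabled flag back to false, so the
    # bind/search detail stops landing in server.log once troubleshooting is over.
    if [ "$level" = "OFF" ]; then enabled=false; else enabled=true; fi
    tmp="$file.tmp.$$"
    awk -v en="$enabled" -v lv="$level" '
        /^com\.unboundid\.ldap\.sdk\.debug\.enabled=/ {
            print "com.unboundid.ldap.sdk.debug.enabled=" en; seen_en = 1; next }
        /^com\.unboundid\.ldap\.sdk\.debug\.level=/ {
            print "com.unboundid.ldap.sdk.debug.level=" lv; seen_lv = 1; next }
        { print }
        END {
            # Append whatever was missing, in the same block form as the post.
            if (!seen_en || !seen_lv)
                print "\n#---------------------------------\n# Enable LDAP Logging\n#---------------------------------"
            if (!seen_en) print "com.unboundid.ldap.sdk.debug.enabled=" en
            if (!seen_lv) print "com.unboundid.ldap.sdk.debug.level=" lv
        }' "$file" > "$tmp" && mv "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# Print the currently configured debug level (empty if the key is absent).
get_ldap_debug_level() {
    sed -n 's/^com\.unboundid\.ldap\.sdk\.debug\.level=//p' "$1" | tail -n 1
}
```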
Use this tip for troubleshooting PingFederate LDAP issues to your advantage. We have found it particularly helpful for issues with HTML Form, attribute queries, and Admin Console login issues. If you have any comments or questions, please contact us!