Unable to Bind to LDAP or AD

Website Documentation for your KeePass client and Pleasant Password Server

(Version 7+)

Problems Binding to the Directory Server or Logging in with a Directory user.

Summary

Most often the problem is with the credential's username/password or the account used to connect to the LDAP/AD directory. However, other aspects involved in creating a connection are:

• Username/Password, account problems
• Network/Port problems
• Domain Controller connection problems
• Restarting Service / Server
• Certificate problems

Troubleshooting steps

1. Increase Logging details

   • Follow instructions for viewing logs (Server & Web) here: increase logging details

     • What is showing in your logs after increasing the logging detail and trying again?

     • Don't forget to change the logging levels back again once you are done Troubleshooting

2. Directory Credentials are Not Valid

   • Check the accounts used to A) Connect to the Directory Server, or, B) Run the Password Server service.
     • It may be helpful to reset the password and unlock the account.
     • Other checks:
       
       • Was the account/password modified?
       • Has the account locked, expired? Is it active?

       • Were privileges of the account changed?

   • Use an administrative account that has sufficient privileges needed for importing users and has access to all the groups Password Server uses

   • Also try another tool to test your Directory Credentials (step 7)
      
3. Reboot Domain Controllers

4. Username Format

   • Double-check the possible formats available on the import / login pages. Some formats may not be available to your directory type. Attempt to connect with different username format.

5. Restart Pleasant Password Server Service

   • Sometimes just restarting the Pleasant Password Server Service may be all that’s needed:

6. (LDAP) Unique Directory Id

   • This attribute should match what is found on the LDAP Directory Server

      

7. Change the Directory Host

   • There may be problems connecting to a domain controller
   • Try changing the Directory Host, for example, to: "YourDomain.com" (preferred method)
     • This allows the Domain Controllers to failover, and direct traffic to a controller that is not busy.
   • You can also try to use:
     • address of the primary controller / global catalog
     • IP Address
     • Hostname

   • (see also step 7 - DCdiag tool)

8. Certificate Problems

   • There may be a problem with the certificate, certificate chain, or the trust of the certificate(s).

     • Test by unchecking "Use SSL" on settings for your directory. If you are able to connect, there is likely a problem with the certificate.
     • Make sure the Host name set in Password Server exactly matches the corresponding string in the Certificate
     • If you are using a self-signed Certificate for AD/LDAP, add this certificate into the Password Server's "Trusted Root Authorities" on the Local Computer certificate store.
     • Install the Intermediate and/or Root certificate for the Password Server machine onto AD/LDAP machine(s). This allows AD/LDAP to trust the connection.
     • Check for other Certificate Problems
     • (Azure AD | Microsoft Entra ID) Hosting AD on Azure: only supports LDAPS on port 636
     • (LDAP) Try binding with the LDAP Admin tool on your Password Server machine, which returns comprehensive certificate warnings and errors.

9. Test LDAP/AD Connection with another Tool

   • Can you see your AD/LDAP server from the Password Server?

     • A) Test connections to each Domain Controller with a ping

     • B) Ensure Directory services are started

     • C) Test connection with a tool such as: LDP, Softerra LDAP Browser, LDAP Admin, PortQry, or Active Directory (AD) Explorer 

       • https://petri.com/test-connectivity-to-an-active-directory-domain-controller-from-pc

       • This can let you know if it is a problem with A) your network, B) with AD/LDAP, C) with your username/pwd, or D) with your Password Server configuration, or E) with a Domain Controller
         

     • D) Diagnose DNS Health with the DCdiag tool:

       •  For all DNS Servers (verbose)

         • DCdiag /Test:DNS /e /v > DNShealth.txt

       • On only a selected Domain (verbose)

         •  DCdiag /Test:DNS /e /v /S:yourdomain> DNShealth.txt

       • Read the output file from the bottom up, checking for failures

       • Also see: more advanced diagnostics

10. Administrative checks
    • Restart services and server
    • Reboot Domain Controller

    • Check correct server date/time

Otherwise, if you are still experiencing problems, please forward your detailed logs to us at Support.