Unable to Bind to LDAP or AD
Website Documentation for your KeePass client and Pleasant Password Server (Version 7+)
Problems Binding to the Directory Server or Logging in with a Directory user.
Summary
Most often the problem is with the credential's username/password or with the account used to connect to the LDAP/AD directory. The other aspects of the connection that can fail are:
- Username/Password, account problems
- Network/Port problems
- Domain Controller connection problems
- Restarting Service / Server
- Certificate problems
Troubleshooting steps
Increase Logging details
- Follow the instructions for viewing logs (Server & Web) here: increase logging details
- What is showing in your logs after increasing the logging detail and trying again?
- Don't forget to change the logging levels back once you are done troubleshooting.
Directory Credentials are Not Valid
- Check the accounts used to A) connect to the Directory Server, or B) run the Password Server service.
- It may be helpful to reset the password and unlock the account.
- Other checks:
  - Was the account/password modified?
  - Has the account been locked or expired? Is it active?
  - Were the privileges of the account changed?
  - Use an administrative account that has sufficient privileges for importing users and has access to all the groups Password Server uses.
- Also try another tool to test your Directory Credentials (step 7).
- Reboot the Domain Controllers.
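The account checks above can be run in one pass from any machine with the RSAT ActiveDirectory module. The script below is an added example written for this article, not Pleasant Password Server code; the account name, group names and the ActiveDirectory module being present are assumptions you replace with your own values.

```powershell
# Added example (not from the Pleasant Password Server documentation): report the
# state of the account used to bind to Active Directory, so a disabled, locked,
# expired or under-privileged bind account is ruled in or out before the server
# configuration is touched. Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

function Test-DirectoryBindAccount {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        # Directory groups Password Server imports from; the bind account must be able to read them.
        [string[]] $RequiredGroups = @()
    )

    $props = 'Enabled', 'LockedOut', 'PasswordExpired', 'PasswordLastSet',
             'AccountExpirationDate', 'PasswordNeverExpires', 'MemberOf', 'whenChanged'
    $user = Get-ADUser -Identity $SamAccountName -Properties $props -ErrorAction Stop

    $problems = @()
    if (-not $user.Enabled)    { $problems += 'account is disabled' }
    if ($user.LockedOut)       { $problems += 'account is locked out' }
    if ($user.PasswordExpired) { $problems += 'password has expired' }
    if ($user.AccountExpirationDate -and $user.AccountExpirationDate -lt (Get-Date)) {
        $problems += "account expired on $($user.AccountExpirationDate)"
    }

    # MemberOf holds distinguished names; resolve each to the group's name for comparison.
    $memberNames = foreach ($dn in $user.MemberOf) { (Get-ADGroup -Identity $dn).Name }
    foreach ($g in $RequiredGroups) {
        if ($memberNames -notcontains $g) { $problems += "not a member of group '$g'" }
    }

    [pscustomobject]@{
        Account         = $user.SamAccountName
        PasswordLastSet = $user.PasswordLastSet   # compare with when the connection last worked
        LastChanged     = $user.whenChanged       # a recent change hints at modified privileges
        Problems        = $problems
        LooksHealthy    = ($problems.Count -eq 0)
    }
}

# Placeholders: the bind account configured in Password Server and the groups it must read.
$BindAccount    = 'svc-pps-ldap'
$RequiredGroups = @('PasswordServerUsers')
Test-DirectoryBindAccount -SamAccountName $BindAccount -RequiredGroups $RequiredGroups | Format-List
```

A non-empty Problems list points at the account rather than the network or certificate; a healthy account whose PasswordLastSet is newer than the Password Server configuration usually means the stored password is stale.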
Username Format
- Double-check the possible formats available on the import / login pages. Some formats may not be available for your directory type. Attempt to connect with a different username format.
Restart Pleasant Password Server Service
- Sometimes just restarting the Pleasant Password Server Service is all that's needed.
(LDAP) Unique Directory Id
- This attribute should match what is found on the LDAP Directory Server.
Change the Directory Host
- There may be problems connecting to a particular domain controller.
- Try changing the Directory Host, for example, to "YourDomain.com" (preferred method).
  - This allows the Domain Controllers to fail over and direct traffic to a controller that is not busy.
- You can also try to use:
  - the address of the primary controller / global catalog
  - an IP address
  - a hostname
- (see also step 7 - DCdiag tool)
Certificate Problems
- There may be a problem with the certificate, the certificate chain, or the trust of the certificate(s).
- Test by unchecking "Use SSL" in the settings for your directory. If you are then able to connect, there is likely a problem with the certificate.
- Make sure the Host name set in Password Server exactly matches the corresponding name in the certificate.
- If you are using a self-signed certificate for AD/LDAP, add this certificate to the Password Server's "Trusted Root Authorities" in the Local Computer certificate store.
- Install the Intermediate and/or Root certificate of the Password Server machine onto the AD/LDAP machine(s). This allows AD/LDAP to trust the connection.
- Check for other certificate problems:
  - (Azure AD | Microsoft Entra ID) Hosting AD on Azure only supports LDAPS on port 636.
  - (LDAP) Try binding with the LDAP Admin tool on your Password Server machine, which returns comprehensive certificate warnings and errors.
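Without installing another tool, the certificate checks above (host name match, chain trust, expiry) can be made directly from the Password Server machine with .NET's own TLS client. This is an added example for this article, not Pleasant Password Server code; the directory host name is a placeholder, and the script assumes it runs on the Password Server machine so that the Local Computer store it consults is the one that matters.

```powershell
# Added example (not from the Pleasant Password Server documentation): open a TLS
# connection to the directory's LDAPS port and report what the certificate says,
# whether the configured host name matches it, and whether this machine trusts the chain.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $DirectoryHost,
        [int] $Port = 636
    )

    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $client.Connect($DirectoryHost, $Port)
    } catch {
        $client.Dispose()
        return [pscustomobject]@{ Host = $DirectoryHost; Port = $Port; TcpConnected = $false; Error = $_.Exception.Message }
    }

    # Record the policy errors .NET reports instead of letting them abort the handshake,
    # so the reason for distrust becomes visible in the output.
    $script:policyErrors = 'None'
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors.ToString()
        return $true
    }
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $callback)
    try {
        # The name passed here is what .NET compares with the certificate's SAN/CN,
        # the same match the Host setting in Password Server has to satisfy.
        $ssl.AuthenticateAsClient($DirectoryHost)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Subject Alternative Name extension (OID 2.5.29.17): the DNS names the certificate is valid for.
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }

        # Build the chain against this machine's stores; a self-signed AD/LDAP certificate
        # must be in Trusted Root Authorities (Local Computer) for this to succeed.
        $chainObj    = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainValid  = $chainObj.Build($cert)
        $chainStatus = ($chainObj.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        [pscustomobject]@{
            Host            = $DirectoryHost
            Port            = $Port
            TcpConnected    = $true
            TlsProtocol     = $ssl.SslProtocol
            Subject         = $cert.Subject
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            SubjectAltNames = $sanText
            HostNameMatches = ($script:policyErrors -notmatch 'RemoteCertificateNameMismatch')
            ChainTrusted    = $chainValid
            ChainStatus     = if ($chainStatus) { $chainStatus } else { 'OK' }
            PolicyErrors    = $script:policyErrors
        }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

# Placeholder host; use exactly the value entered as Directory Host in Password Server.
Test-LdapsCertificate -DirectoryHost 'dc01.yourdomain.com' -Port 636 | Format-List
```

HostNameMatches false with ChainTrusted true means the Directory Host value needs to be one of the names listed under SubjectAltNames; ChainTrusted false with a ChainStatus of UntrustedRoot or PartialChain means the root or intermediate is missing from the Local Computer store, which is the case the self-signed-certificate step above fixes.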
Test LDAP/AD Connection with another Tool
- Can you see your AD/LDAP server from the Password Server?
  - A) Test connections to each Domain Controller with a ping.
  - B) Ensure Directory services are started.
  - C) Test the connection with a tool such as LDP, Softerra LDAP Browser, LDAP Admin, PortQry, or Active Directory (AD) Explorer:
    https://petri.com/test-connectivity-to-an-active-directory-domain-controller-from-pc
    This can tell you whether the problem is with A) your network, B) AD/LDAP, C) your username/password, D) your Password Server configuration, or E) a Domain Controller.
  - D) Diagnose DNS health with the DCdiag tool:
    For all DNS servers (verbose):
      DCdiag /Test:DNS /e /v > DNShealth.txt
    On only a selected domain (verbose):
      DCdiag /Test:DNS /e /v /S:yourdomain > DNShealth.txt
    Read the output file from the bottom up, checking for failures.
- Also see: more advanced diagnostics
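Steps A) to C) above, and the "YourDomain.com" Directory Host advice from the earlier section, can be combined into one layered check run from the Password Server machine: resolve the domain's controllers, ping each, test the LDAP port, then attempt a bind with the configured credentials, and report at which layer the first failure occurs. This is an added example for this article, not Pleasant Password Server code; the domain name and bind account are placeholders, and it assumes the Windows NetTCPIP and DnsClient cmdlets plus the System.DirectoryServices.Protocols assembly, which ship with Windows.

```powershell
# Added example (not from the Pleasant Password Server documentation): classify a
# directory connection failure as network, directory service, credentials, or TLS.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-DomainControllers {
    param([Parameter(Mandatory)] [string] $Domain)
    # The _ldap._tcp SRV records are what a client uses to pick a controller when it is
    # given only the domain name, so this lists the same candidates the failover relies on.
    try {
        Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            Select-Object -ExpandProperty NameTarget -Unique
    } catch {
        Write-Warning "SRV lookup for $Domain failed: $($_.Exception.Message)"
        @()
    }
}

function Test-DirectoryLayer {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Port = 389,
        [switch] $UseSsl
    )
    $r = [ordered]@{ Server = $Server; Port = $Port; Ping = $false; TcpPort = $false; Bind = $false; Layer = 'network'; Detail = '' }

    # A) network reachability
    $r.Ping = Test-Connection -ComputerName $Server -Count 1 -Quiet -ErrorAction SilentlyContinue
    # B) the directory service listening on the port Password Server will use
    $r.TcpPort = (Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue).TcpTestSucceeded
    if (-not $r.TcpPort) {
        $r.Layer  = if ($r.Ping) { 'directory service / port' } else { 'network' }
        $r.Detail = "TCP $Port not reachable"
        return [pscustomobject]$r
    }

    # C) a simple bind with the configured credentials. Use DOMAIN\user or a UPN as the
    # user name; if the domain requires LDAP signing, plain 389 refuses simple binds and
    # the test must be repeated with -UseSsl -Port 636.
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
                $id, $Credential.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion = 3
    if ($UseSsl) { $conn.SessionOptions.SecureSocketLayer = $true }
    try {
        $conn.Bind()
        $r.Bind  = $true
        $r.Layer = 'ok'
    } catch {
        $ex = $_.Exception
        if ($ex -is [System.DirectoryServices.Protocols.LdapException]) {
            # LDAP result 49 = invalidCredentials: the server answered, so network and service are fine.
            $r.Layer = if ($ex.ErrorCode -eq 49) { 'credentials' } else { 'directory / configuration' }
        } else {
            # A TLS failure surfaces here when -UseSsl is set and the certificate is not trusted.
            $r.Layer = 'tls / certificate'
        }
        $r.Detail = $ex.Message
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$r
}

# Placeholders: your domain and the bind account configured in Password Server.
$Domain = 'yourdomain.com'
$Cred   = Get-Credential -Message 'Directory bind account (e.g. YOURDOMAIN\svc-pps-ldap)'

# Test the domain name itself first (what the "YourDomain.com" Directory Host setting uses),
# then every controller the SRV records advertise, so a single unhealthy DC stands out.
$targets = @($Domain) + @(Get-DomainControllers -Domain $Domain)
$targets | ForEach-Object { Test-DirectoryLayer -Server $_ -Credential $Cred -Port 389 } | Format-Table -AutoSize
```

A row that reaches Layer 'credentials' rules out the network and the directory service and sends you back to the Directory Credentials and Username Format sections; a mix of 'ok' and 'network' rows across controllers is the case where pointing the Directory Host at the domain name, or at a specific healthy controller, resolves the problem.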
Administrative checks
- Restart services and server
- Reboot Domain Controller
- Check correct server date/time

Otherwise, if you are still experiencing problems, please forward your detailed logs to us at Support.