Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledgebase
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Image Artist Spectrus, Percepta, Katalyst, Luminata and more
Downloads
Downloads
Community
Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

Image Artist: Troubleshooting authentication failures between ImA and LDAPS

Howell, Richard
  • Updated

Description:

Image Artist supports authentication against an external LDAP directory. Authentication issues can occur if the Image Artist host is unable to connect to the external LDAP provider, or if there are problems with the TLS certificate chain. Common scenarios that may lead to authentication problems include:
 

Network connectivity problems

Impact

  • Login page loads successfully

  • LDAP‑based users cannot authenticate

  • Non‑LDAP users (for example, the local admin user) can still log in

How to recognise it

  • LDAP user login fails with UI error: 504 Gateway Time‑out

  • Non‑LDAP users authenticate successfully

  • On the Image Artist User Federation page, clicking Test connection returns: Error when trying to connect to LDAP: ‘CommunicationError’

What to do

Investigate network connectivity between the Image Artist host and the external LDAP provider, including:

  • DNS resolution

  • Firewall rules

  • Routing / VPN connectivity

  • LDAP port accessibility

No Image Artist configuration changes are required unless instructed by the LDAP or network team.

 

Invalid LDAP TLS certificate

Image Artist can authenticate users against an external LDAP directory over TLS. Authentication fails when the LDAP server’s TLS certificate is missing, expired, invalid, or in an unsupported format in the Image Artist (more specifically, Keycloak) container trust store.

Impact

  • Login page loads successfully

  • LDAP‑based users cannot authenticate

  • Non‑LDAP users (for example, the local admin user) can still log in

How to recognise it

  • LDAP-based user login fails with UI error: Unexpected error when handling authentication request to identity provider

  • Non-LDAP users authenticate successfully

  • SImA_keycloak log contains:

Error when authenticating to LDAP: simple bind failed: <ldap_domain>:<ldap_port>: [Root exception is ... unable to find valid certification path to requested target]

To view the Keycloak log interactively use:

$ docker service logs -f SImA_keycloak

Alternatively you can obtain a full set of log files, as described here.

What to do

Import a suitable LDAP TLS certificate into the Image Artist container stack.

Refer to: Image Artist: How do I update the LDAP CA certificate?

Important Note

  • Image Artist does not support LDAP TLS certificate bundles

  • If a bundle is provided, only the first certificate is imported

  • Use a single individual certificate (typically the issuing CA certificate)

 

 

 

 

 

Related articles

Comments

0 comments

Article is closed for comments.