The following information applies to both the standalone and Docker deployment scenarios. You can use the gateway details page or Splunk to identify issues. For more information, see Verifying a gateway instance and Monitoring activity with Splunk.

My logs aren't showing enough information

Use the optional logger.console.level parameter to set the log level.

By default, the log level is set to INFO, which includes errors and general information for the container. For more verbose logs, set the log level to DEBUG, which includes all possible information for the container.
  • If you’re using the Docker image, add the following to the docker run command: -e JAVA_OPTS="-Dlogger.console.level=DEBUG".
  • If you’re running the LDAP Gateway Java program (the standalone approach), add the following Java option to the run.bat or file: -Dlogger.console.level=DEBUG.


You can also use Splunk to monitor a gateway connection. For more information, see Monitoring activity with Splunk.

My connection is taking too long to resolve

If your connection is taking a long time, check the following:
  • If the connection is configured with a string host name, try using an IP address instead.
  • On the server that you want to connect to, ensure that the desired port is open.
  • Ensure there aren’t any routing issues in your infrastructure that could affect the ability of the gateway server to reach the LDAP server or RADIUS client.
  • Sometimes it can take several seconds for the connection information to be updated in the console user interface. Try refreshing the page to get the most current information.

I want to increase scalability

For high-availability applications or scalability, you can configure multiple gateways. You can then run the Docker container or Java application on multiple servers.

When multiple gateways are configured, PingOne maintains a list of the active gateways and uses a round robin algorithm to route the request to the first available gateway instance. If a gateway is not available, it is excluded from the list of active gateways.

You can set up one PingOne logical gateway with one gateway credential, with multiple physical gateways that share the same credential. If needed, you can remove the credential from the logical gateway to stop all gateway traffic.

I'm getting an Active Directory password modify error

For LDAP Gateway connections using Active Directory, you might see a password modify error as a permissions error in Splunk logs. To use Splunk for monitoring, see Monitoring activity with Splunk.

This error can appear as a failure to change a password using a Service Account in AD. The error appears in Splunk as:
password modify result resultCode=50 (insufficient access rights), 
resultDetails=LDAPResult(resultCode=50 (insufficient access rights), 
diagnosticMessage='00000005: SecErr: DSID-031A11CF, problem 4003 (INSUFF_ACCESS_RIGHTS) 

To query in Splunk, search for the string password modify result. You can narrow down your results if you have the environment ID and a timestamp.

This error can occur if the AvME agent cannot change attributes for these test users or add additional proxy addresses. This is caused by a lack of required AD permission set on these accounts. Usually the failed account belongs to AD protected groups. When you delegate permissions using the Permission Granting Wizard, these permissions rely on the user object that inherits the permissions from the parent container. Members of protected groups do not inherit permissions from the parent container. As a result, if you set permissions using the Permission Granting Wizard, these permissions are not applied to members of protected groups. As a result, the AvME agent cannot modify some AD attributes during the switch process.

Membership in a protected group is defined as either direct membership or transitive membership using one or more security or distribution groups:
  • Administrators
  • Account Operators
  • Server Operators
  • Print Operators
  • Backup Operators
  • Domain Admins
  • Schema Admins
  • Enterprise Admins
  • Cert Publishers

Microsoft is aware of an issue that can cause this error when upgrading to Microsoft Windows Server 2003. See Delegated permissions are not available and inheritance is automatically disabled on the Microsoft support site.