If the gateway instance is not healthy, you can use the information in this section to troubleshoot any issues.
The following information applies to both the standalone and Docker deployment scenarios. You can use the gateway details page or Splunk to identify issues. For more information, see Verifying a gateway instance and Monitoring activity with Splunk.
My logs aren't showing enough information
Use the optional logger.console.level parameter to set the log level.
- If you’re using the Docker image, add the following to the docker
run command:
-e JAVA_OPTS="-Dlogger.console.level=DEBUG". -
If you’re running the LDAP Gateway Java program (the standalone approach), add the following Java option to the run.bat or run.sh file:
-Dlogger.console.level=DEBUG.
You can also use Splunk to monitor a gateway connection. For more information, see Monitoring activity with Splunk.
My connection is taking too long to resolve
- If the connection is configured with a string host name, try using an IP address instead.
- On the server that you want to connect to, ensure that the desired port is open.
- Ensure there aren’t any routing issues in your infrastructure that could affect the ability of the gateway server to reach the LDAP server or RADIUS client.
- Sometimes it can take several seconds for the connection information to be updated in the console user interface. Try refreshing the page to get the most current information.
I want to increase scalability
For high-availability applications or scalability, you can configure multiple gateways. You can then run the Docker container or Java application on multiple servers.
When multiple gateways are configured, PingOne maintains a list of the active gateways and uses a round robin algorithm to route the request to the first available gateway instance. If a gateway is not available, it is excluded from the list of active gateways.
You can set up one PingOne logical gateway with one gateway credential, with multiple physical gateways that share the same credential. If needed, you can remove the credential from the logical gateway to stop all gateway traffic.
I'm getting an Active Directory password modify error
For LDAP Gateway connections using Active Directory, you might see a password modify error as a permissions error in Splunk logs. To use Splunk for monitoring, see Monitoring activity with Splunk.
password modify result resultCode=50 (insufficient access rights),
resultDetails=LDAPResult(resultCode=50 (insufficient access rights),
diagnosticMessage='00000005: SecErr: DSID-031A11CF, problem 4003 (INSUFF_ACCESS_RIGHTS)
To query in Splunk, search for the string password modify result.
You can narrow down your results if you have the environment ID and a timestamp.
This error can occur if the AvME agent cannot change attributes for these test users or add additional proxy addresses. This is caused by a lack of required AD permission set on these accounts. Usually the failed account belongs to AD protected groups. When you delegate permissions using the Permission Granting Wizard, these permissions rely on the user object that inherits the permissions from the parent container. Members of protected groups do not inherit permissions from the parent container. As a result, if you set permissions using the Permission Granting Wizard, these permissions are not applied to members of protected groups. As a result, the AvME agent cannot modify some AD attributes during the switch process.
- Administrators
- Account Operators
- Server Operators
- Print Operators
- Backup Operators
- Domain Admins
- Schema Admins
- Enterprise Admins
- Cert Publishers
Microsoft is aware of an issue that can cause this error when upgrading to Microsoft Windows Server 2003. See Delegated permissions are not available and inheritance is automatically disabled on the Microsoft support site.