# Troubleshooting LDAP

When LDAP authentication fails, the cause is almost always network connectivity, encryption settings, or bind credentials. Working through these in order isolates whether the problem is a firewall, a certificate mismatch, an incorrect Distinguished Name (DN), or an incorrect ExaVault User configuration.

## Verify Network Connectivity

Your ExaVault server must be able to reach the [LDAP server address](/using-exavault/users/active-directory-and-ldap.md#ldap-configuration-screen) on the port used for connecting to LDAP.

## Test LDAP Binding

From the ExaVault Server, run a search against your LDAP server using the `ldapsearch` command-line tool. Compose the bind DN using the same [*Username prefix and Username suffix*](/using-exavault/users/active-directory-and-ldap.md#username-prefix-and-username-suffix) from your [LDAP configuration](/using-exavault/users/active-directory-and-ldap.md#ldap-configuration-screen).

## Common LDAP Error Codes

<table><thead><tr><th width="249.36248779296875">Code</th><th>Name</th><th>Common Causes</th></tr></thead><tbody><tr><td>49</td><td><code>Invalid Credentials</code></td><td>The most common. Either the password is wrong, or the "Bind DN" (the user path) is formatted incorrectly.</td></tr><tr><td>32</td><td><code>No Such Object</code></td><td>The server is reached, but the user or the "Base DN" you provided doesn't exist in the directory.</td></tr><tr><td>81</td><td><code>Server Down</code></td><td>The client can't reach the server. This is usually a firewall issue, a wrong port (389 vs 636), or the LDAP service isn't running.</td></tr><tr><td>34</td><td><code>Invalid DN Syntax</code></td><td>Your prefix or suffix string has a formatting error, such as a missing comma or a stray space.</td></tr><tr><td>53</td><td><code>Unwilling to Perform</code></td><td>The server understood you but refused. This often happens if you try to bind over port 389 (insecure) but the server policy requires SSL or TLS.</td></tr></tbody></table>

## Troubleshooting User Authentication

Before investigating a user's failed logins, confirm the LDAP server is correctly defined and [can be reached](#verify-network-connectivity) from the ExaVault host machine on the required port.

### User Cannot Login

The user must already exist in ExaVault to authenticate. If you are using Active Directory sync, wait for the sync process to complete.

If the user exists, verify the Authentication method is *Active Directory & LDAP* in their user settings.

To confirm the credentials are valid, use the `ldapwhoami` command-line tool. It is the quickest way to troubleshoot login errors.

If the user exists locally and the password is correct, LDAP bind failures come from bind username formatting or connection security mismatches. Check the [*Username prefix and Username suffix*](/using-exavault/users/active-directory-and-ldap.md#username-prefix-and-username-suffix) from your [LDAP configuration](/using-exavault/users/active-directory-and-ldap.md#ldap-configuration-screen).
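The checks in this section as one script: it composes the bind DN from the prefix and suffix, lints it for the formatting slips behind code 34, runs `ldapwhoami`, and maps the exit status to the error table. This is an added example, not ExaVault code; the host name, sample DNs and function names are hypothetical, and it assumes the OpenLDAP client tools exit with the LDAP result code.

```shell
# Added example, not ExaVault code. Assumes the OpenLDAP client tools.

# Bind DN = Username prefix + login name + Username suffix.
compose_bind_dn() { printf '%s%s%s' "$1" "$2" "$3"; }

# Lint a DN-style bind name; non-zero if findings. Escaped commas (\,) unhandled.
lint_bind_dn() (
    bad=0
    case $1 in *=*) ;; *) exit 0 ;; esac      # UPN or DOMAIN\user form: not a DN
    case $1 in
        ' '*|*' '|*' ,'*|*', '*|*' ='*|*'= '*) echo "stray space"; bad=1 ;;
    esac
    case $1 in *,) echo "trailing comma"; bad=1 ;; esac
    IFS=,; set -f                             # split on commas, no globbing
    for rdn in $1; do
        case $rdn in
            '')    echo "empty component (leading or doubled comma)"; bad=1 ;;
            *+*)   ;;                         # multi-valued RDN, left alone
            *=*=*) echo "missing comma in '$rdn'"; bad=1 ;;
            *=*)   ;;
            *)     echo "no attribute type in '$rdn'"; bad=1 ;;
        esac
    done
    [ "$bad" -eq 0 ]
)

# Map the tool's exit status to the table above. Assumption: OpenLDAP tools exit
# with the LDAP result code, and report an unreachable server as -1 (status 255).
explain_rc() {
    case $1 in
        0)      echo "bind OK" ;;
        49)     echo "Invalid Credentials: wrong password or wrong bind DN" ;;
        32)     echo "No Such Object: user or Base DN not in the directory" ;;
        34)     echo "Invalid DN Syntax: fix the prefix or suffix string" ;;
        53)     echo "Unwilling to Perform: server may require SSL or TLS" ;;
        81|255) echo "Server Down: firewall, wrong port, or service stopped" ;;
        *)      echo "result code $1 is not in the table; read stderr" ;;
    esac
}

# usage: test_bind ldaps://ldap.example.com:636 'uid=' jdoe ',ou=people,dc=example,dc=com'
test_bind() {
    bind_dn=$(compose_bind_dn "$2" "$3" "$4")
    lint_bind_dn "$bind_dn" >&2 || echo "check prefix/suffix: $bind_dn" >&2
    # -x simple bind; -W prompts so the password stays out of argv and history
    rc=0; ldapwhoami -x -H "$1" -D "$bind_dn" -W || rc=$?
    explain_rc "$rc"; return "$rc"
}
if [ "$#" -eq 4 ]; then test_bind "$@"; fi
```

A lint finding is a prompt to re-check the prefix and suffix strings, not proof the server will reject the name; the bind result is authoritative.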

### Users Do Not Appear In ExaVault After Sync

Verify that the configured AD [security group](/using-exavault/users/active-directory-and-ldap.md#configuring-active-directory-sync) exists and that its Name (CN) matches the configured group name.

Verify that the user is a direct or nested member of that group.

### Users Get Disabled Unexpectedly

ExaVault disables any previously synced user that does not appear in a sync run.

Verify that the user remains a member of the configured AD security group.

Verify that the user account is enabled in Active Directory.

