---
checkId: check.integration.ldap
plugin: stellaops.doctor.integration
severity: warn
tags: [connectivity, ldap, directory, auth]
---

# LDAP/AD Connectivity

## What It Checks

Reads the LDAP host from `Ldap:Host`, `ActiveDirectory:Host`, or `Authority:Ldap:Host` and the port from the corresponding `:Port` key (defaulting to 389, or 636 when `UseSsl` is true). Opens a raw TCP connection to the host and port with a 5-second timeout.

The check **passes** if the TCP connection succeeds and **fails** on timeout, socket error, or connection refusal. Because only the TCP handshake is exercised, a pass confirms that the port is reachable; it does not confirm that TLS negotiation or a directory bind would succeed.

## Why It Matters

LDAP or Active Directory integration is used for user authentication, group synchronization, and role mapping. If the LDAP server is unreachable, users cannot log in via directory credentials, group-based access policies cannot be evaluated, and new user provisioning stops. This directly impacts operator access to the control plane.

## Common Causes

- LDAP/AD server is not running or is being restarted
- Firewall blocking LDAP port (389) or LDAPS port (636)
- DNS resolution failure for the LDAP hostname
- Network unreachable between Stella Ops and the directory server
- Incorrect host or port in configuration

## How to Fix

### Docker Compose

```bash
# Check LDAP configuration (keys are mixed case, e.g. Ldap__Host, so match case-insensitively)
grep -i 'LDAP__\|ACTIVEDIRECTORY__' .env

# Test TCP connectivity from the gateway container
docker compose exec gateway bash -c "echo > /dev/tcp/ldap.example.com/389 && echo OK || echo FAIL"

# Update LDAP host/port
echo 'Ldap__Host=ldap.example.com' >> .env
echo 'Ldap__Port=636' >> .env
echo 'Ldap__UseSsl=true' >> .env
docker compose restart gateway
```

### Bare Metal / systemd

```bash
# Verify configuration
jq '.Ldap' /etc/stellaops/appsettings.Production.json

# Test connectivity
telnet ldap.example.com 389
# or
nslookup ldap.example.com

# Update configuration
sudo nano /etc/stellaops/appsettings.Production.json
sudo systemctl restart stellaops-platform
```

### Kubernetes / Helm

```yaml
# values.yaml
ldap:
  host: ldap.example.com
  port: 636
  useSsl: true
```

```bash
helm upgrade stellaops ./chart -f values.yaml
```

## Verification

```
stella doctor run --check check.integration.ldap
```

## Related Checks

- `check.integration.oidc` -- OIDC provider connectivity (alternative auth mechanism)
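The following is an added reference model of the probe described under "What It Checks"; it is example code written for this page, not the Stella Ops doctor plugin's own implementation. It resolves the host from the three configuration keys (treating the order the page lists them as precedence, which is an assumption), applies the 389/636 default, maps `Ldap__Host`-style environment variables to `Ldap:Host`-style keys, and performs a plain TCP connect with a timeout. The `skip` status for a missing host and the `demo_against_local_listener` helper (a throwaway loopback listener standing in for a directory server) are constructed for the example.

```python
"""Reference model of the check.integration.ldap TCP probe (added example, not project code)."""
import socket
from typing import Dict, Mapping, Optional, Tuple

CHECK_ID = "check.integration.ldap"
LDAP_PORT = 389
LDAPS_PORT = 636
TIMEOUT_SECONDS = 5.0

# Host keys in the order the page lists them; treating that order as
# precedence is an assumption of this example.
HOST_KEYS = ("Ldap:Host", "ActiveDirectory:Host", "Authority:Ldap:Host")


def config_from_env(environ: Mapping[str, str]) -> Dict[str, str]:
    """Map .NET-style environment variables (Ldap__Host) to config keys (Ldap:Host)."""
    return {key.replace("__", ":"): value for key, value in environ.items()}


def _is_true(value: Optional[str]) -> bool:
    return (value or "").strip().lower() in ("true", "1", "yes")


def resolve_ldap_endpoint(config: Mapping[str, str]) -> Optional[Tuple[str, int, bool]]:
    """Return (host, port, use_ssl) from the first host key that is set, or None."""
    for host_key in HOST_KEYS:
        host = (config.get(host_key) or "").strip()
        if not host:
            continue
        section = host_key[: -len("Host")]  # e.g. "Ldap:" or "Authority:Ldap:"
        use_ssl = _is_true(config.get(section + "UseSsl"))
        port_raw = (config.get(section + "Port") or "").strip()
        # Explicit port wins; otherwise 636 for LDAPS, 389 for plain LDAP.
        port = int(port_raw) if port_raw else (LDAPS_PORT if use_ssl else LDAP_PORT)
        return host, port, use_ssl
    return None


def probe_tcp(host: str, port: int, timeout: float = TIMEOUT_SECONDS) -> Tuple[str, str]:
    """Attempt a raw TCP connect only (no TLS, no bind); returns (status, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "pass", f"TCP connection to {host}:{port} succeeded"
    except socket.timeout:
        return "fail", f"connection to {host}:{port} timed out after {timeout:g}s"
    except ConnectionRefusedError:
        return "fail", f"connection to {host}:{port} refused"
    except OSError as exc:  # DNS failure, network unreachable, and other socket errors
        return "fail", f"socket error connecting to {host}:{port}: {exc}"


def run_check(config: Mapping[str, str], timeout: float = TIMEOUT_SECONDS) -> Dict[str, str]:
    """Resolve the endpoint from config and probe it, returning a doctor-style result."""
    endpoint = resolve_ldap_endpoint(config)
    if endpoint is None:
        # The page does not state the behaviour with no host configured; "skip" is assumed.
        return {"checkId": CHECK_ID, "status": "skip", "detail": "no LDAP host configured"}
    host, port, use_ssl = endpoint
    status, detail = probe_tcp(host, port, timeout)
    return {
        "checkId": CHECK_ID,
        "status": status,
        "detail": detail,
        "target": f"{host}:{port}",
        "useSsl": str(use_ssl).lower(),
    }


def demo_against_local_listener() -> Dict[str, str]:
    """Run the check against a throwaway loopback listener (constructed; not a real directory)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    try:
        env = {"Ldap__Host": "127.0.0.1", "Ldap__Port": str(port)}  # constructed .env values
        return run_check(config_from_env(env), timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    print(demo_against_local_listener())  # expected status: pass
    print(run_check({"Ldap:Host": "127.0.0.1", "Ldap:Port": "1"}, timeout=1.0))  # closed port: fail
```

Running the module shows both outcomes: the loopback listener yields `pass`, while a closed port yields `fail` with a "refused" detail. Note that `Ldap__UseSsl=true` without an explicit port silently moves the target to 636, which is worth remembering when a check starts failing right after SSL is enabled.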