stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
c58a236d70742082c8dda5a967972d08424732f2
git.stella-ops.org/docs/doctor/articles/integration/ldap-connectivity.md
master c58a236d70 Doctor plugin checks: implement health check classes and documentation 
Implement remediation-aware health checks across all Doctor plugin modules
(Agent, Attestor, Auth, BinaryAnalysis, Compliance, Crypto, Environment,
EvidenceLocker, Notify, Observability, Operations, Policy, Postgres, Release,
Scanner, Storage, Vex) and their backing library counterparts (AI, Attestation,
Authority, Core, Cryptography, Database, Docker, Integration, Notify,
Observability, Security, ServiceGraph, Sources, Verification).

Each check now emits structured remediation metadata (severity, category,
runbook links, and fix suggestions) consumed by the Doctor dashboard
remediation panel.

Also adds:
- docs/doctor/articles/ knowledge base for check explanations
- Advisory AI search seed and allowlist updates for doctor content
- Sprint plan for doctor checks documentation

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 12:28:00 +02:00

2.2 KiB
Raw Blame History

checkId, plugin, severity, tags
checkId plugin severity tags
check.integration.ldap stellaops.doctor.integration warn
connectivity
ldap
directory
auth

LDAP/AD Connectivity

What It Checks

Reads the LDAP host from Ldap:Host, ActiveDirectory:Host, or Authority:Ldap:Host and the port from the corresponding :Port key (defaulting to 389, or 636 when UseSsl is true). Opens a raw TCP connection to the host and port with a 5-second timeout. The check passes if the TCP connection succeeds, fails on timeout, socket error, or connection refusal.

Why It Matters

LDAP or Active Directory integration is used for user authentication, group synchronization, and role mapping. If the LDAP server is unreachable, users cannot log in via directory credentials, group-based access policies cannot be evaluated, and new user provisioning stops. This directly impacts operator access to the control plane.

Common Causes

  • LDAP/AD server is not running or is being restarted
  • Firewall blocking LDAP port (389) or LDAPS port (636)
  • DNS resolution failure for the LDAP hostname
  • Network unreachable between Stella Ops and the directory server
  • Incorrect host or port in configuration

How to Fix

Docker Compose

# Check LDAP configuration
grep 'LDAP__\|ACTIVEDIRECTORY__' .env

# Test TCP connectivity from the gateway container
docker compose exec gateway bash -c "echo > /dev/tcp/ldap.example.com/389 && echo OK || echo FAIL"

# Update LDAP host/port
echo 'Ldap__Host=ldap.example.com' >> .env
echo 'Ldap__Port=636' >> .env
echo 'Ldap__UseSsl=true' >> .env
docker compose restart gateway

Bare Metal / systemd

# Verify configuration
cat /etc/stellaops/appsettings.Production.json | jq '.Ldap'

# Test connectivity
telnet ldap.example.com 389
# or
nslookup ldap.example.com

# Update configuration
sudo nano /etc/stellaops/appsettings.Production.json
sudo systemctl restart stellaops-platform

Kubernetes / Helm

# values.yaml
ldap:
  host: ldap.example.com
  port: 636
  useSsl: true

helm upgrade stellaops ./chart -f values.yaml

Verification

stella doctor run --check check.integration.ldap

Related Checks

  • check.integration.oidc -- OIDC provider connectivity (alternative auth mechanism)