Pivotal Knowledge Base


Configuring LDAP Requires a Group Search Base


Pivotal Cloud Foundry (PCF) Version 1.4.x


Upgrading from Pivotal Cloud Foundry® 1.3.x, where LDAP configured and working properly, results in users no longer being able to log in.

When trying to install and configure Pivotal Cloud Foundry (PCF) to use LDAP for authentication, LDAP users are able to be looked up but users still cannot log in.


When trying to install and configure PCF to use LDAP for authentication you currently need to configure the LDAP Group Search Base field, even if you are not mapping LDAP groups to groups in PCF.

This also applies for users who have upgraded from PCF 1.3.x to 1.4.x because the PCF 1.3.x configuration did not have the group configuration fields.  Thus when upgrading you need to populate this field.

The reason this field is required has to do with the underlying UAA configuration that is generated by Ops Manager.  The UAA component has a property which enables a given UAA scope to map to an LDAP group. The property is called uaa.ldap.groups.profile_type and Ops Manager 1.4 sets this to groups-map-to-scopes.This value signals to the UAA that the LDAP Group Search Base is required and it is treated that way - therefore an empty value causes an error.


To workaround this issue, you simply need to populate the search base with a legitimate value.  This can be any arbitrary DN so long as it exists in your LDAP structure.  When in doubt, you should be able to use the same value that is set in the LDAP Search Base field.

A fix for this issue is planned for PCF Version 1.5.


If you do not populate the LDAP Group Search Base field prior to installing, users will not be able to login to the system.  This is especially important when upgrading a system as users would be unable to login until the configuration is fixed and applied through Ops Manager.


Powered by Zendesk