FortiSIEM
mbenvenuti (Staff)
Article Id 305116
Description This article describes how to troubleshoot LDAP authentication issues with FortiSIEM.
Scope FortiSIEM.
Solution

When setting up LDAP authentication, or when a user cannot log in because the login is rejected with an invalid password error, follow the steps below to verify the credentials that FortiSIEM actually sends to the LDAP server:

  1. Connect as root to the CLI of the FortiSIEM node that performs the LDAP query (the Supervisor, or the Collector if the query is delegated to one).
  2. Run the following commands to enable debug logging and follow the log. The first command keeps a backup of the original configuration so the log level can be restored once troubleshooting is finished:

cp /opt/phoenix/config/log4j2.xml /opt/phoenix/config/log4j2.xml.bak

sed -i 's/<Logger name=\"com.ph.phoenix\" level=\"info\" additivity=\"false\">/<Logger name=\"com.ph.phoenix\" level=\"debug\" additivity=\"false\">/' /opt/phoenix/config/log4j2.xml

tail -f /opt/glassfish/domains/domain1/logs/phoenix.log | egrep -i 'ldap|auth'
  3. In another CLI window, run the following command to capture the traffic exchanged with the LDAP server into a file (replace <ad_server_ip> with the IP address of the LDAP server):

tcpdump host <ad_server_ip> -vvv -w /tmp/ldap_auth_test.pcap
  4. Trigger an LDAP authentication from FortiSIEM in one of the following ways:
  • Log in to the GUI as a user configured for external authentication.
  • Admin -> Settings -> External Authentication -> select the profile -> Test.
  • Admin -> Credentials -> Step 2 -> Test credentials.

[Screenshot: test_credential.png]

  5. Stop the tail and tcpdump commands with Ctrl + C.
  6. Check phoenix.log for explicit errors written during the test.
  7. Retrieve /tmp/ldap_auth_test.pcap with WinSCP (or scp) and open it with Wireshark.
  8. Check the credential details in the Bind request (the bind DN and, for a simple bind, the password exactly as FortiSIEM sent them) and the result code in the matching Bind response. Note that when LDAP over TLS (LDAPS, port 636) is used, the Bind exchange is encrypted and its contents are not visible in the capture; in that case rely on the debug log. When finished, restore the original log level from the /opt/phoenix/config/log4j2.xml.bak backup created in step 2:

[Screenshot: LDAP_invalid_packets.PNG]
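The following Python script is an added example and is not part of the original article or of FortiSIEM: it decodes a raw, BER-encoded LDAP BindRequest and BindResponse, which is exactly what the Wireshark step above inspects, so the bind DN, the authentication method and the directory's result code can be read from the bytes of a plaintext (port 389) capture. The two messages it decodes are constructed inline; the DN, password and Active Directory diagnostic text are placeholders, and the table of AD "data" sub-codes is the well-known set Active Directory returns in the diagnosticMessage of a failed bind.

```python
"""Decode LDAP Bind messages (RFC 4511, BER-encoded) from raw bytes.

Added example, not FortiSIEM code. The sample messages below are constructed
here; the DN, password and diagnostic text are placeholders.
"""
import re
from typing import Tuple

# LDAP result codes that show up when an authentication test fails (RFC 4511)
RESULT_CODES = {
    0: "success", 32: "noSuchObject", 34: "invalidDNSyntax",
    48: "inappropriateAuthentication", 49: "invalidCredentials",
    53: "unwillingToPerform",
}

# Active Directory sub-codes reported as "data NNN" in the diagnosticMessage
# of a failed bind (well-known AD values, not FortiSIEM specific)
AD_DATA_CODES = {
    "525": "user not found", "52e": "invalid credentials",
    "530": "logon not permitted at this time",
    "531": "logon not permitted from this workstation",
    "532": "password expired", "533": "account disabled",
    "701": "account expired", "773": "user must reset password",
    "775": "account locked out",
}


def _tlv(tag: int, value: bytes) -> bytes:
    """BER-encode one tag-length-value element (used to build the samples)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    n = (len(value).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(value).to_bytes(n, "big") + value


def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read the BER element at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def ad_reason(diagnostic: str) -> str:
    """Map the 'data NNN' sub-code in an AD diagnosticMessage to a reason."""
    m = re.search(r"data ([0-9a-f]{3})", diagnostic)
    return AD_DATA_CODES.get(m.group(1), "unknown AD sub-code") if m else ""


def decode_ldap_message(buf: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindRequest or a BindResponse."""
    tag, body, _ = _read_tlv(buf, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, msg_id, pos = _read_tlv(body, 0)
    out = {"messageID": int.from_bytes(msg_id, "big")}
    op_tag, op, _ = _read_tlv(body, pos)
    if op_tag == 0x60:                     # [APPLICATION 0] BindRequest
        out["op"] = "BindRequest"
        _, ver, pos = _read_tlv(op, 0)
        _, name, pos = _read_tlv(op, pos)
        auth_tag, auth, _ = _read_tlv(op, pos)
        out["version"] = int.from_bytes(ver, "big")
        out["name"] = name.decode("utf-8")
        if auth_tag == 0x80:               # simple [0]: password travels in clear
            out["auth"] = "simple"
            out["password"] = auth.decode("utf-8", "replace")
        elif auth_tag == 0xA3:             # sasl [3]: mechanism name, no password
            out["auth"] = "sasl"
            out["mechanism"] = _read_tlv(auth, 0)[1].decode("utf-8")
        else:
            out["auth"] = f"unknown authentication tag 0x{auth_tag:02x}"
    elif op_tag == 0x61:                   # [APPLICATION 1] BindResponse
        out["op"] = "BindResponse"
        _, code, pos = _read_tlv(op, 0)
        _, _, pos = _read_tlv(op, pos)     # matchedDN, not needed here
        _, diag, _ = _read_tlv(op, pos)
        out["resultCode"] = int.from_bytes(code, "big")
        out["result"] = RESULT_CODES.get(out["resultCode"], "other")
        out["diagnosticMessage"] = diag.decode("utf-8", "replace")
        out["ad_reason"] = ad_reason(out["diagnosticMessage"])
    else:
        out["op"] = f"unexpected protocolOp tag 0x{op_tag:02x}"
    return out


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Build a v3 simple BindRequest, the kind whose credentials are readable."""
    op = _tlv(0x02, b"\x03") + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x60, op))


def build_bind_response(msg_id: int, result_code: int, diagnostic: str) -> bytes:
    """Build a BindResponse with an empty matchedDN (ids and codes < 128 assumed)."""
    op = _tlv(0x0A, bytes([result_code])) + _tlv(0x04, b"") + _tlv(0x04, diagnostic.encode())
    return _tlv(0x30, _tlv(0x02, bytes([msg_id])) + _tlv(0x61, op))


# Constructed sample exchange: a bind with a wrong password, rejected by AD.
SAMPLE_BIND_REQUEST = build_simple_bind(
    2, "CN=fortisiem svc,OU=Service Accounts,DC=example,DC=com", "Wr0ng-Passw0rd")
SAMPLE_BIND_RESPONSE = build_bind_response(
    2, 49, "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580")

if __name__ == "__main__":
    for pkt in (SAMPLE_BIND_REQUEST, SAMPLE_BIND_RESPONSE):
        print(decode_ldap_message(pkt))
```

This is the same decoding Wireshark's LDAP dissector performs on the capture. On a real plaintext capture, the simple bind shows the DN and password in clear, which is what makes the pcap useful for spotting a typo, a wrong DN format or a stale password; result code 49 together with "data 52e" means the DN was found but the password was rejected, whereas "data 525" means the DN itself was not found. With LDAPS none of this is readable, so the debug log is the only place to check.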