topic Re: Error binding to LDAP. reason="Can't contact LDAP server". in Security

Error binding to LDAP. reason="Can't contact LDAP server".

chris — Thu, 01 Jun 2017 08:44:04 GMT

Hi,

on a fresh 6.6 install I received the following error when trying to set up ldap authentication:
An error occurred completing this request: In handler 'LDAP-groups': strategy="default" Error binding to LDAP. reason="Can't contact LDAP server".

I copied the config from a existing/working instance.

Any Ideas?

Regards Chris

Re: Error binding to LDAP. reason="Can't contact LDAP server".

chris — Tue, 29 Sep 2020 14:17:47 GMT

Running:

ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

Adding -d -1 to get debug output:

ldapsearch -d -1 -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

yields:

TLS: error: connect - force handshake failure: errno 13 - moznss error -12286
TLS: can't connect: TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I am not the ldap-admin so I commented the TLS_PROTOCOL and TLS_CIPHER lines in:
$SPLUNK_HOME/etc/openldap/ldap.conf

#TLS_PROTOCOL_MIN 3.3
#TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

It works now ...

Re: Error binding to LDAP. reason="Can't contact LDAP server".

burwell — Sat, 02 Dec 2017 02:50:38 GMT

I installed a fresh version of Splunk and ran into this very issue today! Thanks for documenting this.

Re: Error binding to LDAP. reason="Can't contact LDAP server".

wanquan224 — Tue, 29 Sep 2020 20:06:51 GMT

Disable the TLS_PROTOCOL_MIN & TLS_CIPHER_SUITE worked at 7.1.1 too.

Re: Error binding to LDAP. reason="Can't contact LDAP server".

nick405060 — Wed, 30 Sep 2020 00:46:27 GMT

I had to both comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE, but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html

Re: Error binding to LDAP. reason="Can't contact LDAP server".

hettervik — Fri, 18 Sep 2020 11:10:12 GMT

Worked for me as well! Only had to comment out the `TLS_CIPHER_SUITE` setting in ldap.conf. However, I can't figure out exactly why this fixes the problem. I've looked through some documentation, and can se that `TLS_CIPHER_SUITE` defaults to a standard setting, so what happens when it's commented? Would it compromise security in any way to comment it?

Documentation on `TLS_CIPHER_SUITE` and ldap.conf: https://www.openldap.org/software//man.cgi?query=ldap.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-Release