LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

ewienholt — Wed, 07 Dec 2016 20:30:45 GMT

Trying to use LDAP with SSL and running into issue 'Can't contact LDAP server'. Looked on Splunk Answers and saw similar issue at URL https://answers.splunk.com/answers/431970/ssl-ldap-breaks-from-633-to-635.html Tried the solution mentioned in this Answers post without success. Has anyone else run into this issue? Could this be a cipher suite issue between the LDAP server and Splunk?

Splunk version 6.3.3
OpenSSL version 1.0.2d
Running Windows 2012R2 Standard edition
Can connect over port 636 to the Active Directory server using Softerra
LDAP over port 389 works fine with the same AD server

Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

rdimri_splunk — Thu, 08 Dec 2016 00:46:53 GMT

Can you paste the relevant error logs you are seeing with confidential information redacted.

Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

ewienholt — Tue, 29 Sep 2020 13:57:30 GMT

We believe the problem is matching the TLS_CIPHER_SUITE line in the ldap.conf file with the cipher suite on the AD server. The pertinent output of the 'openssl s_client -showcerts -host hostname -port 636' command is.....
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384

The error log follows.....
12-02-2016 13:34:34.407 DEBUG ExecProcessor - PipelineSet 0: Created new ExecedCommandPipe for ""D:\Program Files\Splunk\bin\splunk-powershell.exe" --ps2", uniqueId=32
12-02-2016 13:34:34.537 WARN ScopedLDAPConnection - strategy="NAME" Bind took longer than seems reasonable (20005 milliseconds). Might indicate slow ldap server.
12-02-2016 13:34:34.537 ERROR ScopedLDAPConnection - strategy="NAME" Error binding to LDAP. reason="Can't contact LDAP server"
12-02-2016 13:34:34.537 DEBUG ScopedLDAPConnection - strategy="NAME" Successfully performed unbind
12-02-2016 13:34:34.537 ERROR AdminHandler:AuthenticationHandler - strategy="EPA" Error binding to LDAP. reason="Can't contact LDAP server"
12-02-2016 13:34:34.537 DEBUG HTTPServer - GET PARAMS: { }, POST PARAMS: { groupNameAttribute:cn, timelimit:15, bindDNpassword:********, sizelimit:30000, groupBaseDN:OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted;OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, network_timeout:20, userBaseFilter:, nestedGroups:0, realNameAttribute:cn, userNameAttribute:samaccountname, groupMappingAttribute:dn, emailAttribute:mail, port:636, groupBaseFilter:, bindDN:CN=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, order:1, userBaseDN:OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, dynamicGroupFilter:, dynamicMemberAttribute:, SSLEnabled:1, host:HOSTNAME, groupMemberAttribute:member, anonymous_referrals:1}
12-02-2016 13:34:34.537 INFO UserManager - Unwound user context: edward.wienholt -> NULL
12-02-2016 13:34:34.537 DEBUG InThreadActor - this=0000009117559BC0 waitForActorToComplete start actor=0000009123AAF720
12-02-2016 13:34:34.537 DEBUG InThreadActor - this=0000009117559BC0 waitForActorToComplete end actor=0000009123AAF720
12-02-2016 13:34:34.577 DEBUG ExecProcessor - PipelineSet 0: Got EOF from ""D:\Program Files\Splunk\bin\splunk-admon.exe"", uniqueId=29
12-02-2016 13:34:34.577 DEBUG Queue - insertAndClear: [success] loop count 0
12-02-2016 13:34:34.591 DEBUG Queue - insertAndClear: [success] loop count 1
12-02-2016 13:34:34.592 DEBUG EventLoop - Inside EventLoop::run() for thread=TcpChannelThread
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=00000091193D1018 waitForActorToComplete start actor=0000009125F0F730
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=00000091193D1018 waitForActorToComplete end actor=0000009125F0F730
12-02-2016 13:34:34.593 DEBUG UiPythonFallback - Decremented in-flight request count to 0 for appserver process at http://127.0.0.1:8065
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=000000911DC43AF8 waitForActorToComplete start actor=0000009125F0FB30
12-02-2016 13:34:34.593 INFO WebUiAccess - 134.67.234.22 - edward.wienholt [02/Dec/2016:13:34:14.035 -0500] "POST /en-US/manager/hp_cde_monitoring/authentication/providers/LDAP/EPA HTTP/1.1" 200 174 "https://v18h1n-splunk.aa.ad.epa.gov:8000/en-US/manager/hp_cde_monitoring/authentication/providers/LDAP/EPA?action=edit&ns=system&uri=%2FservicesNS%2Fnobody%2Fsystem%2Fauthentication%2Fproviders%2FLDAP%2FNAME" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" - 8b17eb96e566643402e6edd741fa86ea 20558ms
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=000000911DC43AF8 waitForActorToComplete end actor=0000009125F0FB30

Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

tsfraley — Thu, 04 May 2017 19:09:58 GMT

Same issue here, any solution?,

Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

ewienholt — Thu, 04 May 2017 19:43:21 GMT

No. I actually surrendered and closed the support case with Splunk. We had the customer domain admins helping and we still could not solve the problem. Very frustrating.

topic Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server in Getting Data In

LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server

Re: LDAP by SSL using WIndows 2012R2 cannot connect to Active Directory server