LDAP by SSL using Windows 2012R2 cannot connect to Active Directory server

ewienholt
Explorer

Trying to use LDAP with SSL and running into the issue 'Can't contact LDAP server'. Looked on Splunk Answers and saw a similar issue at https://answers.splunk.com/answers/431970/ssl-ldap-breaks-from-633-to-635.html. Tried the solution mentioned in this Answers post without success. Has anyone else run into this issue? Could this be a cipher suite issue between the LDAP server and Splunk?

Splunk version 6.3.3
OpenSSL version 1.0.2d
Running Windows 2012R2 Standard edition
Can connect over port 636 to the Active Directory server using Softerra
LDAP over port 389 works fine with the same AD server

ewienholt
Explorer

No. I actually surrendered and closed the support case with Splunk. We had the customer domain admins helping and we still could not solve the problem. Very frustrating.

0 Karma

tsfraley
New Member

Same issue here, any solution?

0 Karma

ewienholt
Explorer

We believe the problem is matching the TLS_CIPHER_SUITE line in the ldap.conf file with the cipher suite on the AD server. The pertinent output of the 'openssl s_client -showcerts -host hostname -port 636' command is:
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384

The error log follows:
12-02-2016 13:34:34.407 DEBUG ExecProcessor - PipelineSet 0: Created new ExecedCommandPipe for ""D:\Program Files\Splunk\bin\splunk-powershell.exe" --ps2", uniqueId=32
12-02-2016 13:34:34.537 WARN ScopedLDAPConnection - strategy="NAME" Bind took longer than seems reasonable (20005 milliseconds). Might indicate slow ldap server.
12-02-2016 13:34:34.537 ERROR ScopedLDAPConnection - strategy="NAME" Error binding to LDAP. reason="Can't contact LDAP server"
12-02-2016 13:34:34.537 DEBUG ScopedLDAPConnection - strategy="NAME" Successfully performed unbind
12-02-2016 13:34:34.537 ERROR AdminHandler:AuthenticationHandler - strategy="EPA" Error binding to LDAP. reason="Can't contact LDAP server"
12-02-2016 13:34:34.537 DEBUG HTTPServer - GET PARAMS: { }, POST PARAMS: { groupNameAttribute:cn, timelimit:15, bindDNpassword:********, sizelimit:30000, groupBaseDN:OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted;OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, network_timeout:20, userBaseFilter:, nestedGroups:0, realNameAttribute:cn, userNameAttribute:samaccountname, groupMappingAttribute:dn, emailAttribute:mail, port:636, groupBaseFilter:, bindDN:CN=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, order:1, userBaseDN:OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, dynamicGroupFilter:, dynamicMemberAttribute:, SSLEnabled:1, host:HOSTNAME, groupMemberAttribute:member, anonymous_referrals:1}
12-02-2016 13:34:34.537 INFO UserManager - Unwound user context: edward.wienholt -> NULL
12-02-2016 13:34:34.537 DEBUG InThreadActor - this=0000009117559BC0 waitForActorToComplete start actor=0000009123AAF720
12-02-2016 13:34:34.537 DEBUG InThreadActor - this=0000009117559BC0 waitForActorToComplete end actor=0000009123AAF720
12-02-2016 13:34:34.577 DEBUG ExecProcessor - PipelineSet 0: Got EOF from ""D:\Program Files\Splunk\bin\splunk-admon.exe"", uniqueId=29
12-02-2016 13:34:34.577 DEBUG Queue - insertAndClear: [success] loop count 0
12-02-2016 13:34:34.591 DEBUG Queue - insertAndClear: [success] loop count 1
12-02-2016 13:34:34.592 DEBUG EventLoop - Inside EventLoop::run() for thread=TcpChannelThread
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=00000091193D1018 waitForActorToComplete start actor=0000009125F0F730
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=00000091193D1018 waitForActorToComplete end actor=0000009125F0F730
12-02-2016 13:34:34.593 DEBUG UiPythonFallback - Decremented in-flight request count to 0 for appserver process at http://127.0.0.1:8065
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=000000911DC43AF8 waitForActorToComplete start actor=0000009125F0FB30
12-02-2016 13:34:34.593 INFO WebUiAccess - 134.67.234.22 - edward.wienholt [02/Dec/2016:13:34:14.035 -0500] "POST /en-US/manager/hp_cde_monitoring/authentication/providers/LDAP/EPA HTTP/1.1" 200 174 "https://v18h1n-splunk.aa.ad.epa.gov:8000/en-US/manager/hp_cde_monitoring/authentication/providers/LD..." "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" - 8b17eb96e566643402e6edd741fa86ea 20558ms
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=000000911DC43AF8 waitForActorToComplete end actor=0000009125F0FB30

0 Karma
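
One way to test the cipher-mismatch theory from the post above, as an added example that is not part of the thread and not Splunk's own code: expand the TLS_CIPHER_SUITE string from ldap.conf and check whether it admits the cipher that s_client negotiated with the AD server. The ldap.conf content, its cipher list and all function names are constructed assumptions; the expansion uses the OpenSSL linked into Python, which may differ from the OpenSSL bundled with Splunk.

```python
import re
import ssl

# Constructed sample inputs (not from the thread): an ldap.conf fragment with
# an assumed cipher list, and an s_client excerpt shaped like the one quoted.
LDAP_CONF = """\
# constructed example
TLS_CIPHER_SUITE ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
"""
S_CLIENT = """\
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
"""

def configured_cipher_string(conf_text):
    """Return the first TLS_CIPHER_SUITE value in ldap.conf text, or None."""
    for line in conf_text.splitlines():
        m = re.match(r"\s*TLS_CIPHER_SUITE\s+(\S+)", line, re.IGNORECASE)
        if m:
            return m.group(1)
    return None

def negotiated_cipher(s_client_text):
    """Return the cipher from the SSL-Session block; None if no handshake."""
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", s_client_text, re.MULTILINE)
    # s_client reports 0000 when no cipher was negotiated.
    return m.group(1) if m and m.group(1) != "0000" else None

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the OpenSSL linked into Python."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:      # the string selects no usable cipher
        return set()
    return {c["name"] for c in ctx.get_ciphers()}

def check(conf_text, s_client_text):
    """Classify whether the client cipher list admits the server's cipher."""
    server = negotiated_cipher(s_client_text)
    if server is None:
        return "no-handshake"
    configured = configured_cipher_string(conf_text)
    if configured is None:
        return "no-restriction"
    return "allowed" if server in expand(configured) else "blocked"

if __name__ == "__main__":
    print(check(LDAP_CONF, S_CLIENT))
```

A "blocked" result means the client-side list would have to include the server's cipher before a handshake can succeed; "allowed" points the investigation elsewhere, such as certificate trust or protocol version.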

rdimri_splunk
Splunk Employee

Can you paste the relevant error logs you are seeing, with confidential information redacted?

0 Karma