Security

Error binding to LDAP. reason="Can't contact LDAP server".

chris
Motivator

Hi,

on a fresh 6.6 install I received the following error when trying to set up ldap authentication:
An error occurred completing this request: In handler 'LDAP-groups': strategy="default" Error binding to LDAP. reason="Can't contact LDAP server".

I copied the config from a existing/working instance.

Any Ideas?

Regards Chris

1 Solution

chris
Motivator

Running:

ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

as suggested in: https://docs.splunk.com/Documentation/Splunk/6.6.1/Security/TestyourLDAPconfiguration helped.

Adding -d -1 to get debug output:

ldapsearch -d -1 -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

yields:

TLS: error: connect - force handshake failure: errno 13 - moznss error -12286
TLS: can't connect: TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I am not the ldap-admin so I commented the TLS_PROTOCOL and TLS_CIPHER lines in:
$SPLUNK_HOME/etc/openldap/ldap.conf

#TLS_PROTOCOL_MIN 3.3
#TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

It works now ...

View solution in original post

chris
Motivator

Running:

ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

as suggested in: https://docs.splunk.com/Documentation/Splunk/6.6.1/Security/TestyourLDAPconfiguration helped.

Adding -d -1 to get debug output:

ldapsearch -d -1 -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

yields:

TLS: error: connect - force handshake failure: errno 13 - moznss error -12286
TLS: can't connect: TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I am not the ldap-admin so I commented the TLS_PROTOCOL and TLS_CIPHER lines in:
$SPLUNK_HOME/etc/openldap/ldap.conf

#TLS_PROTOCOL_MIN 3.3
#TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

It works now ...

hettervik
Builder

Worked for me as well! Only had to comment out the `TLS_CIPHER_SUITE` setting in ldap.conf. However, I can't figure out exactly why this fixes the problem. I've looked through some documentation, and can se that `TLS_CIPHER_SUITE` defaults to a standard setting, so what happens when it's commented? Would it compromise security in any way to comment it?

Documentation on `TLS_CIPHER_SUITE` and ldap.conf: https://www.openldap.org/software//man.cgi?query=ldap.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-...

0 Karma

nick405060
Motivator

I had to both comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE, but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html

0 Karma

burwell
SplunkTrust
SplunkTrust

I installed a fresh version of Splunk and ran into this very issue today! Thanks for documenting this.

0 Karma

wanquan224
Engager

Disable the TLS_PROTOCOL_MIN & TLS_CIPHER_SUITE worked at 7.1.1 too.

Get Updates on the Splunk Community!

Earn a $35 Gift Card for Answering our Splunk Admins & App Developer Survey

Survey for Splunk Admins and App Developers is open now! | Earn a $35 gift card!      Hello there,  Splunk ...

Continuing Innovation & New Integrations Unlock Full Stack Observability For Your ...

You’ve probably heard the latest about AppDynamics joining the Splunk Observability portfolio, deepening our ...

Monitoring Amazon Elastic Kubernetes Service (EKS)

As we’ve seen, integrating Kubernetes environments with Splunk Observability Cloud is a quick and easy way to ...