Security
×

Join the Conversation

Without signing in, you're just watching from the sidelines. Sign in or Register to connect, share, and be part of the Splunk Community.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error binding to LDAP. reason="Can't contact LDAP server".

chris
Motivator
‎06-01-2017 01:44 AM

Hi,

on a fresh 6.6 install I received the following error when trying to set up ldap authentication:
An error occurred completing this request: In handler 'LDAP-groups': strategy="default" Error binding to LDAP. reason="Can't contact LDAP server".

I copied the config from a existing/working instance.

Any Ideas?

Regards Chris

Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎06-01-2017 01:56 AM

Running:

ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

as suggested in: https://docs.splunk.com/Documentation/Splunk/6.6.1/Security/TestyourLDAPconfiguration helped.

Adding -d -1 to get debug output: 

ldapsearch -d -1 -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

yields:

TLS: error: connect - force handshake failure: errno 13 - moznss error -12286
TLS: can't connect: TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I am not the ldap-admin so I commented the TLS_PROTOCOL and TLS_CIPHER lines in:
$SPLUNK_HOME/etc/openldap/ldap.conf

#TLS_PROTOCOL_MIN 3.3
#TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

It works now ...

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎06-01-2017 01:56 AM

Running:

ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

as suggested in: https://docs.splunk.com/Documentation/Splunk/6.6.1/Security/TestyourLDAPconfiguration helped.

Adding -d -1 to get debug output: 

ldapsearch -d -1 -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

yields:

TLS: error: connect - force handshake failure: errno 13 - moznss error -12286
TLS: can't connect: TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I am not the ldap-admin so I commented the TLS_PROTOCOL and TLS_CIPHER lines in:
$SPLUNK_HOME/etc/openldap/ldap.conf

#TLS_PROTOCOL_MIN 3.3
#TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

It works now ...

Reply
Solved! Jump to solution

hettervik
Builder
‎09-18-2020 04:10 AM

Worked for me as well! Only had to comment out the `TLS_CIPHER_SUITE` setting in ldap.conf. However, I can't figure out exactly why this fixes the problem. I've looked through some documentation, and can se that `TLS_CIPHER_SUITE` defaults to a standard setting, so what happens when it's commented? Would it compromise security in any way to comment it?

Documentation on `TLS_CIPHER_SUITE` and ldap.conf: https://www.openldap.org/software//man.cgi?query=ldap.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-...

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎05-31-2019 01:29 PM

I had to both comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE, but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎12-01-2017 06:50 PM

I installed a fresh version of Splunk and ran into this very issue today! Thanks for documenting this.

0 Karma
Reply
Solved! Jump to solution

wanquan224
Engager
‎06-21-2018 12:56 AM

Disable the TLS_PROTOCOL_MIN & TLS_CIPHER_SUITE worked at 7.1.1 too.

Reply
Get Updates on the Splunk Community!

A Season of Skills: New Splunk Courses to Light Up Your Learning Journey

There’s something special about this time of year—maybe it’s the glow of the holidays, maybe it’s the ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to ...

Announcing the Migration of the Splunk Add-on for Microsoft Azure Inputs to Officially Supported Splunk ...

Splunk Observability for AI

Don’t miss out on an exciting Tech Talk on Splunk Observability for AI! Discover how Splunk’s agentic AI ...