Hi everyone,
I'm trying to set up LDAPS authentication with a Windows LDAP server. However, I have been getting the below error message:
Error binding to LDAP. reason="Can't contact LDAP server"
To narrow down to the cause, I have replaced all Splunk servers with certificates signed by the trusted CA. I have also configured the following in ldap.conf:
TLS_REQCERT demand
TLS_CACERT $SPLUNK/path/to/CAcert
TLS_CACERTDIR $SPLUNK/path/to/CAcertdir
There is no connection issue between Splunk and the LDAP server, and I can contact the LDAP server without SSL on port 389. SSL has been enabled on the Windows LDAP server (other applications have been authenticating through LDAPS).
I am running Splunk Enterprise 7.0.1 on Red Hat 7. Is there anything else I can check to find out the cause?
Any help would be much appreciated!
Thanks!
I was able to get my LDAPS connection to Active Directory working by doing the following:
ldap.conf
TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
I am running Splunk 7.0.1 on CentOS 7.
I had to comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:
https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html
I concatenated all the cert files into a single PEM file, reverted TLS_REQCERT back to never, and it worked! Previously my attribute for TLS_CACERT was pointed at the CA file alone; I guess that was the issue. Thanks so much!!
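The working configurations in this thread all end up with `TLS_REQCERT never`, which makes the bind succeed because the OpenLDAP client stops verifying the server certificate at all, so the error disappears even when the real problem is an incomplete CA bundle or a `TLS_CACERTDIR` without `c_rehash`-style hashed filenames. The small linter below, an added example that is not from the thread or from Splunk, parses an `ldap.conf` fragment and a PEM bundle offline and reports those conditions; the sample config and the placeholder certificate blocks are constructed, and the file paths are the ones quoted in the answers above.

```python
"""Offline linter for OpenLDAP client TLS settings (ldap.conf) and the
CA bundle they point to.  Added example, not code from the thread; the
sample config and PEM bundle below are constructed for illustration."""
import re
from typing import Dict, List

# Constructed sample: the directives from the working answer, plus the
# TLS_CACERTDIR line the original poster had alongside TLS_CACERT.
SAMPLE_LDAP_CONF = """\
# OpenLDAP client settings read by Splunk's LDAP authentication
TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem
TLS_CACERTDIR /opt/splunk/etc/openldap/certs
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256
"""

# Constructed PEM bundle: two placeholder blocks standing in for the
# issuing CA and the root CA (real files carry base64 DER bodies).
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ISSUING-CA
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
PLACEHOLDER-ROOT-CA
-----END CERTIFICATE-----
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return ldap.conf directives as an upper-cased KEY -> value map.
    The file is one 'KEYWORD value' per line; '#' starts a comment."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def count_pem_certs(bundle: str) -> int:
    """Count complete BEGIN/END CERTIFICATE blocks in a PEM bundle."""
    pattern = r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----"
    return len(re.findall(pattern, bundle, re.S))


def lint_ldap_tls(settings: Dict[str, str], bundle: str = "") -> List[str]:
    """Return human-readable findings; an empty list means nothing flagged."""
    findings: List[str] = []

    # OpenLDAP default is 'demand'; 'never' and 'allow' both let the bind
    # proceed with an unverified (or absent) server certificate.
    reqcert = settings.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(
            f"TLS_REQCERT {reqcert}: server certificate is not verified, so an "
            "on-path host can present any certificate and receive the bind "
            "credentials; use 'demand' with a complete CA chain instead")

    # TLS_CACERTDIR needs hashed filenames (c_rehash); a plain directory of
    # .pem files silently provides no trust anchors.  A single chain file
    # in TLS_CACERT is the simpler, less error-prone choice.
    if "TLS_CACERT" in settings and "TLS_CACERTDIR" in settings:
        findings.append(
            "both TLS_CACERT and TLS_CACERTDIR are set: TLS_CACERTDIR needs "
            "c_rehash-style hashed filenames; prefer a single chain file in "
            "TLS_CACERT and drop TLS_CACERTDIR")
    if reqcert in ("demand", "hard", "try") and not (
            "TLS_CACERT" in settings or "TLS_CACERTDIR" in settings):
        findings.append(
            f"TLS_REQCERT {reqcert} requires verification but no CA source "
            "(TLS_CACERT or TLS_CACERTDIR) is configured")

    # TLS_PROTOCOL_MIN uses SSL record versions: 3.1 = TLS 1.0, 3.3 = TLS 1.2.
    proto = settings.get("TLS_PROTOCOL_MIN")
    if proto:
        try:
            major, minor = (int(p) for p in proto.split("."))
            if (major, minor) < (3, 3):
                findings.append(
                    f"TLS_PROTOCOL_MIN {proto} permits TLS older than 1.2")
        except ValueError:
            findings.append(f"TLS_PROTOCOL_MIN {proto!r} is not a major.minor value")

    # The fix reported in the thread was a bundle holding the whole chain;
    # a file with one certificate usually means intermediates are missing.
    if bundle and count_pem_certs(bundle) < 2:
        findings.append(
            "CA bundle holds a single certificate; concatenate the issuing "
            "and root CA certificates so the chain can be built")
    return findings


if __name__ == "__main__":
    for finding in lint_ldap_tls(parse_ldap_conf(SAMPLE_LDAP_CONF), SAMPLE_BUNDLE):
        print("-", finding)
```

Running it against the sample reports the two conditions that matter here: certificate verification disabled and a redundant `TLS_CACERTDIR`. Once the chain file is complete, the same linter passes a config of `TLS_REQCERT demand` plus `TLS_CACERT` with no findings, which is the state to aim for before turning LDAPS on for Splunk logins.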
Hi,
This link might help you. Please try to troubleshoot with the steps specified.
https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
Hi Gurav,
Thanks for the response. I received Connection reset by peer by using the command
On a side note, I found out I was able to connect using the -H flag, but not with -h hostname -p 636 -Z.
Can connect with below command:
ldapsearch -d -1 -x -H ldaps://ad-server.com -D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"
I would log a case with Splunk for further support.
Thanks