Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Having trouble connecting to LDAP server with SSL (LDAPS)

JohannLiebert92
Path Finder
‎01-02-2018 06:23 PM

Hi everyone,

I'm trying to setup LDAPS authentication with Windows LDAP server. However, I have been getting the below error message:
Error binding to LDAP. reason="Can't contact LDAP server"

To narrow down to the cause, I have replaced all Splunk servers with certificates signed by the trusted CA. I have also configured the following in ldap.conf:
TLS_REQCERT demand
TLS_CACERT $SPLUNK/path/to/CAcert
TLS_CACERTDIR $SPLUNK/path/to/CAcertdir

There is no connection issue between Splunk and LDAP server, and I can contact the LDAP server without SSL on port 389. SSL has been enabled on the WIndows LDAP server (other applications have been authenticating through LDAPS)

I am running Splunk Enterprise 7.0.1 on Red Hat 7. Is there anything else I can check to find out the cause?

Any helps would be much appreciated!
Thanks!

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

rmsit
Communicator
‎01-20-2018 10:30 AM

I was able to get my LDAPS connection to Active Directory working by doing the following:

  1. Combine all required certificates in chain to a single pem file.
  2. Comment out TLS_CACERTDIR. The output of ldapsearch should tell you that it loaded the file from #1 so no need to have addition certs.
  3. I have TLS_REQCERT set to "never" which I think is default.

ldap.conf

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem

TLS_CACERTDIR /opt/splunk/etc/openldap/certs

TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

I am running Splunk 7.0.1 on CentOS 7.

View solution in original post

Reply
Solved! Jump to solution
Solution

rmsit
Communicator
‎01-20-2018 10:30 AM

I was able to get my LDAPS connection to Active Directory working by doing the following:

  1. Combine all required certificates in chain to a single pem file.
  2. Comment out TLS_CACERTDIR. The output of ldapsearch should tell you that it loaded the file from #1 so no need to have addition certs.
  3. I have TLS_REQCERT set to "never" which I think is default.

ldap.conf

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem

TLS_CACERTDIR /opt/splunk/etc/openldap/certs

TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

I am running Splunk 7.0.1 on CentOS 7.

Reply
Solved! Jump to solution

nick405060
Motivator
‎05-31-2019 01:29 PM

I had to both comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE, but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html

0 Karma
Reply
Solved! Jump to solution

JohannLiebert92
Path Finder
‎01-22-2018 10:44 PM

I concat all the cert files into a single PEM file and reverted TLS_REQCERT back to never and it worked! Previously my attribute for TLS_CACERT was directed to the CA file alone, I guess that was the issue. Thanks so much!!

0 Karma
Reply
Solved! Jump to solution

p_gurav
Champion
‎01-02-2018 08:31 PM

Hi ,

This link might help you. Please try to troubleshoot with steps specified.

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html

0 Karma
Reply
Solved! Jump to solution

JohannLiebert92
Path Finder
‎01-07-2018 07:11 PM

Hi Gurav,

Thanks for the the response. I received Connection reset by peer by using the command

On a side note, I found out I was able to connect using the -H flag, but not with the -h hostname -p 636 -Z

Can connect with below command:
ldapsearch -d -1 -x –H ldaps://ad-server.com –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

I would log a case with Splunk for further support
Thanks

0 Karma
Reply
Get Updates on the Splunk Community!

Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...

The Transformative Power of AI and ML in Enhancing Observability   In the realm of IT operations, the ...

.conf24 | Registration Open!

Hello, hello! I come bearing good news: Registration for .conf24 is now open!   conf is Splunk’s rad annual ...

ICYMI - Check out the latest releases of Splunk Edge Processor

Splunk is pleased to announce the latest enhancements to Splunk Edge Processor.  HEC Receiver authorization ...