Security

Having trouble connecting to LDAP server with SSL (LDAPS)

JohannLiebert92
Path Finder

Hi everyone,

I'm trying to set up LDAPS authentication with a Windows LDAP server. However, I have been getting the error message below:
Error binding to LDAP. reason="Can't contact LDAP server"

To narrow down to the cause, I have replaced all Splunk servers with certificates signed by the trusted CA. I have also configured the following in ldap.conf:
TLS_REQCERT demand
TLS_CACERT $SPLUNK/path/to/CAcert
TLS_CACERTDIR $SPLUNK/path/to/CAcertdir

There is no connection issue between Splunk and the LDAP server, and I can contact the LDAP server without SSL on port 389. SSL has been enabled on the Windows LDAP server (other applications have been authenticating through LDAPS).

I am running Splunk Enterprise 7.0.1 on Red Hat 7. Is there anything else I can check to find out the cause?

Any help would be much appreciated!
Thanks!

0 Karma
1 Solution

rmsit
Communicator

I was able to get my LDAPS connection to Active Directory working by doing the following:

  1. Combine all required certificates in chain to a single pem file.
  2. Comment out TLS_CACERTDIR. The output of ldapsearch should tell you that it loaded the file from #1, so there is no need to have additional certs.
  3. I have TLS_REQCERT set to "never" which I think is default.

ldap.conf

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem
#TLS_CACERTDIR /opt/splunk/etc/openldap/certs
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

I am running Splunk 7.0.1 on CentOS 7.
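A small checker for the client-side ldap.conf TLS settings this thread works through, added here as an example and not code from any poster. It flags TLS_REQCERT never (the accepted answer's setting, which skips validation of the server certificate), a TLS_CACERTDIR left active alongside TLS_CACERT, and a missing or low TLS_PROTOCOL_MIN; the sample config is constructed from the one above with the TLS_CACERTDIR line still active.

```python
# Added example (not from any poster in this thread): a linter for the
# ldap.conf TLS settings discussed above. SAMPLE_LDAP_CONF is constructed
# from the accepted answer, with the TLS_CACERTDIR line still active.
SAMPLE_LDAP_CONF = """\
TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem
TLS_CACERTDIR /opt/splunk/etc/openldap/certs
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384
"""

def parse_ldap_conf(text):
    """Return {OPTION: value} for active lines; comments and blanks are
    skipped, and a later occurrence of an option overrides an earlier one."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        opts[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def check_ldap_conf(text):
    """Return [(option, finding), ...] for settings that weaken or confuse
    server certificate validation on the LDAPS connection."""
    opts = parse_ldap_conf(text)
    findings = []
    # ldap.conf(5) documents 'demand' as the default when TLS_REQCERT is absent.
    reqcert = opts.get("TLS_REQCERT", "demand").lower()
    if reqcert in ("never", "allow"):
        findings.append(("TLS_REQCERT", f"'{reqcert}' skips validation of the "
                         "server certificate; use 'demand' once the chain PEM is correct"))
    if "TLS_CACERT" in opts and "TLS_CACERTDIR" in opts:
        findings.append(("TLS_CACERTDIR", "set together with TLS_CACERT; comment "
                         "it out so only the single chain file is loaded"))
    proto = opts.get("TLS_PROTOCOL_MIN")
    try:
        # OpenLDAP writes TLS 1.2 as 3.3 (major.minor of the record-layer version).
        if proto is None or float(proto) < 3.3:
            findings.append(("TLS_PROTOCOL_MIN", "missing or below 3.3 (TLS 1.2)"))
    except ValueError:
        findings.append(("TLS_PROTOCOL_MIN", f"unparseable value {proto!r}"))
    return findings

if __name__ == "__main__":
    for option, finding in check_ldap_conf(SAMPLE_LDAP_CONF):
        print(f"{option}: {finding}")
```

Run it against the real file (for example /opt/splunk/etc/openldap/ldap.conf) once the chain PEM works, and aim for an empty finding list rather than leaving TLS_REQCERT at never.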


nick405060
Motivator

I had to comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE, but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html

0 Karma

JohannLiebert92
Path Finder

I concatenated all the cert files into a single PEM file and reverted TLS_REQCERT back to never, and it worked! Previously my TLS_CACERT attribute pointed to the CA file alone; I guess that was the issue. Thanks so much!!

0 Karma

p_gurav
Champion

Hi,

This link might help you. Please try to troubleshoot with the steps specified.

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html

0 Karma

JohannLiebert92
Path Finder

Hi Gurav,

Thanks for the response. I received "Connection reset by peer" by using the command

On a side note, I found out I was able to connect using the -H flag, but not with -h hostname -p 636 -Z.

Can connect with below command:
ldapsearch -d -1 -x -H ldaps://ad-server.com -D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

I would log a case with Splunk for further support
Thanks

0 Karma