Having trouble connecting to LDAP server with SSL (LDAPS)

Path Finder

Hi everyone,

I'm trying to set up LDAPS authentication with a Windows LDAP server. However, I have been getting the below error message:
Error binding to LDAP. reason="Can't contact LDAP server"

To narrow down to the cause, I have replaced all Splunk servers with certificates signed by the trusted CA. I have also configured the following in ldap.conf:
TLS_REQCERT demand
TLS_CACERT $SPLUNK/path/to/CAcert
TLS_CACERTDIR $SPLUNK/path/to/CAcertdir

There is no connection issue between Splunk and the LDAP server, and I can contact the LDAP server without SSL on port 389. SSL has been enabled on the Windows LDAP server (other applications have been authenticating through LDAPS).

I am running Splunk Enterprise 7.0.1 on Red Hat 7. Is there anything else I can check to find out the cause?

Any help would be much appreciated!
Thanks!


Communicator

I was able to get my LDAPS connection to Active Directory working by doing the following:

  1. Combine all required certificates in chain to a single pem file.
  2. Comment out TLS_CACERTDIR. The output of ldapsearch should tell you that it loaded the file from #1, so no need to have additional certs.
  3. I have TLS_REQCERT set to "never" which I think is default.

ldap.conf

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem
#TLS_CACERTDIR /opt/splunk/etc/openldap/certs
TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

I am running Splunk 7.0.1 on CentOS 7.

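Added example, not from the thread and not Splunk or OpenLDAP tooling: a small Python check that builds the single chain file the accepted answer calls for and audits an ldap.conf for the two settings the thread wrestles with, TLS_CACERTDIR set alongside TLS_CACERT, and TLS_REQCERT never, which makes the bind succeed by skipping verification of the AD server certificate. Certificate bodies and file paths are constructed placeholders.

```python
import re

# Matches one PEM certificate block, including the BEGIN/END armour lines.
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)


def split_pem_certs(text):
    """Return every PEM certificate block found in text, in file order."""
    return PEM_RE.findall(text)


def build_chain(*pem_texts):
    """Join certificates into one chain-file body (issuing CA first, root last).
    A certificate that appears in several inputs is emitted only once."""
    seen, chain = set(), []
    for text in pem_texts:
        for cert in split_pem_certs(text):
            if cert not in seen:
                seen.add(cert)
                chain.append(cert)
    return "\n".join(chain) + "\n"


def parse_ldap_conf(text):
    """Parse ldap.conf into {KEY: value}; blank lines and '#' comments are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def audit_ldap_conf(text):
    """Flag settings that conflict or that weaken verification of the LDAPS server."""
    conf = parse_ldap_conf(text)
    # OpenLDAP's documented default for TLS_REQCERT is 'demand'.
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    findings = []
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: the server certificate is not verified")
    if "TLS_CACERT" in conf and "TLS_CACERTDIR" in conf:
        findings.append("TLS_CACERT and TLS_CACERTDIR both set; comment out TLS_CACERTDIR")
    proto = conf.get("TLS_PROTOCOL_MIN")
    if proto:  # OpenLDAP encodes TLS 1.2 as 3.3, TLS 1.0 as 3.1
        major, _, minor = proto.partition(".")
        if (int(major), int(minor or 0)) < (3, 3):
            findings.append(f"TLS_PROTOCOL_MIN {proto}: allows TLS versions below 1.2")
    return findings
```

Run audit_ldap_conf() on the thread's ldap.conf and it reports the TLS_REQCERT never finding; the end state to aim for is TLS_REQCERT demand with TLS_CACERT pointing at the complete chain file produced by build_chain().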
Motivator

I had to comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE, but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html


Path Finder

I concatenated all the cert files into a single PEM file and reverted TLS_REQCERT back to never, and it worked! Previously my TLS_CACERT attribute pointed to the CA file alone; I guess that was the issue. Thanks so much!!


Champion

Hi,

This link might help you. Please try to troubleshoot with the steps specified.

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html


Path Finder

Hi Gurav,

Thanks for the response. I received "Connection reset by peer" by using the command

On a side note, I found out I was able to connect using the -H flag, but not with -h hostname -p 636 -Z.

Can connect with below command:
ldapsearch -d -1 -x -H ldaps://ad-server.com -D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

I would log a case with Splunk for further support.
Thanks
