Security
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question

Splunk failed to connect to LDAP via port 636

daniel_splunk
Splunk Employee
Splunk Employee
‎01-17-2019 11:38 PM

I tried to configure Splunk to connect to Windows 2012R2 LDAP with SSL via port 636 but failed with below command.

01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Initializing with LDAPURL="ldaps://10.10.10.32:636"
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Attempting bind as DN="cn=svc_splunk_to_ad,ou=tech,ou=users,ou=systems,dc=abd,dc=hk"
01-11-2018 15:44:18.528 +0800 ERROR ScopedLDAPConnection - strategy="LDAP Lab" Error binding to LDAP. reason="Can't contact LDAP server"
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Successfully performed unbind

Using openssl to test LDAP is able to get response for TLS 1.1 and TLS 1.2.

    ./splunk cmd openssl s_client -tls1_1 -connect 10.10.10.32:636
    :
    skipping
    :
    CONNECTED(00000003)
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit


    ./splunk cmd openssl s_client -tls1_2 -connect 10.10.10.32:636
    :
    skipping
    :
    CONNECTED(00000003)
    ---
    New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
    Server public key is 2048 bit

From above, the cipher for TLS1.2 is AES128-GCM-SHA256

Tags (2)
0 Karma
Reply

daniel_splunk
Splunk Employee
Splunk Employee
‎01-17-2019 11:40 PM

Can you try concat the certs into a single pem file, and have TLS_CACERT pointing at it an also commented out TLS_CACERTDIR attribute, like below:

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem
#TLS_CACERTDIR /opt/splunk/etc/openldap/certs
0 Karma
Reply
Get Updates on the Splunk Community!

Splunk Mobile: Your Brand-New Home Screen

Meet Your New Mobile Hub  Hello Splunk Community!  Staying connected to your data—no matter where you are—is ...

Introducing Value Insights (Beta): Understand the Business Impact your organization ...

Real progress on your strategic priorities starts with knowing the business outcomes your teams are delivering ...

Enterprise Security (ES) Essentials 8.3 is Now GA — Smarter Detections, Faster ...

As of today, Enterprise Security (ES) Essentials 8.3 is now generally available, helping SOC teams simplify ...