Error when configuring LDAP authentication over SS...

daniel_splunk · ‎01-24-2018

I tried to enable LDAP over SSL to Windows 2012R2 Active Directory via port 636, got the following error message.

01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Initializing with LDAPURL="ldaps://10.10.10.30:636"
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Attempting bind as DN="cn=svc_splunk_to_ad,ou=my_company,ou=users,ou=systems,dc=com"
01-11-2018 15:44:18.528 +0800 ERROR ScopedLDAPConnection - strategy="LDAP Lab" Error binding to LDAP. reason="Can't contact LDAP server"
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Successfully performed unbind

Run the following command and confirmed that LDAP are able to connect using TLS1.1 and TLS1.2

splunk cmd openssl s_client -tls1_1 -connect 10.10.10.30:636
splunk cmd openssl s_client -tls1_2 -connect 10.10.10.30:636

Below is the $SPLUNK_HOME/etc/openldap/ldap.conf

TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-
AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256

TLS_CACERT /opt/splunk/etc/openldap/certs/certnew.cer
TLS_CACERTDIR /opt/splunk/etc/openldap/certs

Any idea about this?

daniel_splunk · ‎01-24-2018

Can you try to concat the cert into a single pem file, and then add the following.

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Concat_Cert.pem
#TLS_CACERTDIR /opt/splunk/etc/openldap/certs

Error when configuring LDAP authentication over SSL to Windows 2012R2 Active Directory

Enterprise Security Content Update (ESCU) | New Releases

Why am I not seeing the finding in Splunk Enterprise Security Analyst Queue?

Index This | What are the 12 Days of Splunk-mas?