Security

Having trouble connecting to LDAP server with SSL (LDAPS)

JohannLiebert92
Path Finder

Hi everyone,

I'm trying to setup LDAPS authentication with Windows LDAP server. However, I have been getting the below error message:
Error binding to LDAP. reason="Can't contact LDAP server"

To narrow down to the cause, I have replaced all Splunk servers with certificates signed by the trusted CA. I have also configured the following in ldap.conf:
TLS_REQCERT demand
TLS_CACERT $SPLUNK/path/to/CAcert
TLS_CACERTDIR $SPLUNK/path/to/CAcertdir

There is no connection issue between Splunk and LDAP server, and I can contact the LDAP server without SSL on port 389. SSL has been enabled on the WIndows LDAP server (other applications have been authenticating through LDAPS)

I am running Splunk Enterprise 7.0.1 on Red Hat 7. Is there anything else I can check to find out the cause?

Any helps would be much appreciated!
Thanks!

0 Karma
1 Solution

rmsit
Communicator

I was able to get my LDAPS connection to Active Directory working by doing the following:

  1. Combine all required certificates in chain to a single pem file.
  2. Comment out TLS_CACERTDIR. The output of ldapsearch should tell you that it loaded the file from #1 so no need to have addition certs.
  3. I have TLS_REQCERT set to "never" which I think is default.

ldap.conf

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem

TLS_CACERTDIR /opt/splunk/etc/openldap/certs

TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

I am running Splunk 7.0.1 on CentOS 7.

View solution in original post

rmsit
Communicator

I was able to get my LDAPS connection to Active Directory working by doing the following:

  1. Combine all required certificates in chain to a single pem file.
  2. Comment out TLS_CACERTDIR. The output of ldapsearch should tell you that it loaded the file from #1 so no need to have addition certs.
  3. I have TLS_REQCERT set to "never" which I think is default.

ldap.conf

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem

TLS_CACERTDIR /opt/splunk/etc/openldap/certs

TLS_PROTOCOL_MIN 3.3
TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

I am running Splunk 7.0.1 on CentOS 7.

View solution in original post

nick405060
Motivator

I had to both comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE, but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html

0 Karma

JohannLiebert92
Path Finder

I concat all the cert files into a single PEM file and reverted TLS_REQCERT back to never and it worked! Previously my attribute for TLS_CACERT was directed to the CA file alone, I guess that was the issue. Thanks so much!!

0 Karma

p_gurav
Champion

Hi ,

This link might help you. Please try to troubleshoot with steps specified.

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html

0 Karma

JohannLiebert92
Path Finder

Hi Gurav,

Thanks for the the response. I received Connection reset by peer by using the command

On a side note, I found out I was able to connect using the -H flag, but not with the -h hostname -p 636 -Z

Can connect with below command:
ldapsearch -d -1 -x –H ldaps://ad-server.com –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

I would log a case with Splunk for further support
Thanks

0 Karma
.conf21 Now Fully Virtual!
Register for FREE Today!

We've made .conf21 totally virtual and totally FREE! Our completely online experience will run from 10/19 through 10/20 with some additional events, too!