Troubleshooting LDAP Connections

  • 7010961
  • 18-Oct-2012
  • 29-Oct-2018

Environment

NetIQ
Novell
SUSE
Linux
LDAP
Debugging
Troubleshooting

Situation

  • A server or application that communicates with an LDAP server is not functioning correctly; e.g.
    • Slow
    • Dropped communications
    • Exceptions and errors
  • What tools or commands can be used to troubleshoot the connection?
  • ldapsearch gives errors using an SSL connection over port 636
    • ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    • TLS certificate verification: Error, self signed certificate in certificate chain
    • TLS trace: SSL3 alert write:fatal:unknown CA
    • TLS trace: SSL_connect:error in SSLv3 read server certificate B
    • TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
    • TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

Resolution

  • Use an LDAP browser, for example Apache Directory Studio (http://directory.apache.org/studio), to confirm that a bind and a simple search work interactively
  • Use the Linux ldapsearch command
    • See examples in the Additional Information section, below
    • For full details refer to the man pages

Additional Information

To test an SSL connection, the client running the search must be able to verify the LDAP server's certificate, which means it needs the CA certificate that issued it. The TLS errors listed above ("self signed certificate in certificate chain", "unknown CA", "certificate verify failed") all mean that verification failed because the client does not trust the issuing CA; the "Can't contact LDAP server (-1)" line that follows is only the consequence of the failed handshake. The correct fix is to give the client the CA certificate: on most Linux distributions, set TLS_CACERT in /etc/openldap/ldap.conf to the path of the CA certificate file (PEM format) and leave TLS_REQCERT at its default of demand.

To confirm quickly that trust is the only problem, the client can be told to proceed even when the server certificate cannot be verified by adding the following line to /etc/openldap/ldap.conf:

TLS_REQCERT     allow

With allow, a missing or bad server certificate is ignored and the session continues, so the search works but the connection no longer proves which server it is talking to. Use it only to isolate the fault, and remove it once TLS_CACERT is in place.

Examples
  • Unencrypted eDirectory 
    • ldapsearch -H ldap://red.lab.services.microfocus.com:389 -x -D "cn=admin,o=Lab" -w password -b "ou=Users,o=Lab" -s sub -a always "(objectClass=User)" cn
  • Encrypted eDirectory
    • ldapsearch -H ldaps://red.lab.services.microfocus.com:636 -x -D "cn=admin,o=Lab" -w password -b "ou=Users,o=Lab" -s sub -a always "(objectClass=User)" cn
  • Unencrypted Active Directory
    • ldapsearch -H ldap://blue.windom.lab.services.microfocus.com:389 -x -D "cn=Administrator,cn=users,DC=windom,DC=lab,DC=services,DC=microfocus,DC=com" -w password -b "CN=Users,DC=windom,DC=lab,DC=services,DC=microfocus,DC=com" -s sub -a always "(objectClass=User)" cn
  • Encrypted Active Directory
    • ldapsearch -H ldaps://blue.windom.lab.services.microfocus.com:636 -x -D "cn=Administrator,cn=users,DC=windom,DC=lab,DC=services,DC=microfocus,DC=com" -w password -b "CN=Users,DC=windom,DC=lab,DC=services,DC=microfocus,DC=com" -s sub -a always "(objectClass=User)" cn
Where
-H LDAP URI, not just a host name: ldap://host:389 for an unencrypted session, ldaps://host:636 for SSL
-x simple (DN and password) bind instead of SASL
-D bind DN
-w bind password on the command line; it is visible in the process list and saved in shell history, so prefer -W, which prompts for it
-b base DN for search
-s search scope (base, one or sub)
-a when to dereference aliases (never, always, search or find)
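The staged check described in Additional Information and exercised by the ldapsearch lines under Examples, as an added example that is not part of the original article and not a NetIQ or Micro Focus tool: it first runs the TLS handshake alone with openssl against the CA you expect, then runs the search with the CA file and verification level set for that one process through the LDAPTLS_CACERT and LDAPTLS_REQCERT environment variables (libldap reads them as overrides of ldap.conf), so TLS_REQCERT in /etc/openldap/ldap.conf can stay at demand instead of being relaxed to allow, and finally classifies the error text. The host, port, CA file path, bind DN and base DN are placeholders passed in through LDAP_* environment variables; the sample output is constructed from the messages quoted under Situation.

```shell
#!/bin/sh
# Added example (not from the KB article): staged LDAPS diagnosis.
# Assumes openssl and OpenLDAP's ldapsearch are on PATH. Host, port, CA
# file, bind DN and base DN are placeholders read from LDAP_* variables.

# Map the text ldapsearch -d 1 (or openssl s_client) prints to a cause.
# Pure string matching, so it also works on output saved from another box.
# TLS verification failures are tested before the generic "Can't contact"
# message because a failed handshake produces both, and the TLS line is
# the one that says why.
classify_ldap_failure() {
    case "$1" in
        *"does not match"*)
            echo "tls-hostname-mismatch" ;;   # CA trusted, cert issued for another name
        *"certificate verify failed"*|*"unknown CA"*|*"self signed certificate"*)
            echo "tls-untrusted-ca" ;;        # client lacks the issuing CA: set TLS_CACERT
        *"Invalid credentials (49)"*)
            echo "bind-invalid-credentials" ;; # TLS is fine; bind DN or password is wrong
        *"Connection refused"*)
            echo "tcp-refused" ;;             # nothing listening on that port
        *"Can't contact LDAP server (-1)"*)
            echo "no-connection" ;;           # no TLS detail: DNS, firewall, or ldap:// vs ldaps:// mix-up
        *"result: 0 Success"*)
            echo "ok" ;;
        *)
            echo "unknown" ;;
    esac
}

# Step 1: the TLS handshake alone, with the CA you believe signed the server
# certificate. Prints the presented chain and openssl's own verify verdict,
# independently of LDAP, so a trust problem is isolated before any bind.
tls_probe() {
    host=$1 port=$2 cacert=$3
    openssl s_client -connect "$host:$port" -servername "$host" \
        -CAfile "$cacert" -showcerts </dev/null 2>&1 |
        grep -E '^( *[0-9]+ s:|depth=|verify error|Verify return code)'
}

# Step 2: the search from the article, with the CA and the verification level
# set for this process only. -W prompts for the password instead of exposing
# it in the process list and shell history as -w does.
ldaps_search() {
    host=$1 port=$2 cacert=$3 binddn=$4 base=$5
    LDAPTLS_CACERT=$cacert LDAPTLS_REQCERT=demand \
        ldapsearch -H "ldaps://$host:$port" -x -D "$binddn" -W \
            -b "$base" -s sub -a always "(objectClass=User)" cn 2>&1
}

# Constructed sample: the messages quoted under Situation, as one blob of
# ldapsearch -d 1 output from a client that does not trust the server's CA.
SAMPLE_UNTRUSTED_CA="TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

# Run the staged check only when a target is given, e.g.
#   LDAP_HOST=red.lab.services.microfocus.com LDAP_CACERT=./ca.pem \
#   LDAP_BINDDN="cn=admin,o=Lab" LDAP_BASE="ou=Users,o=Lab" sh ldaps-check.sh
if [ -n "${LDAP_HOST:-}" ]; then
    echo "== TLS handshake =="
    tls_probe "$LDAP_HOST" "${LDAP_PORT:-636}" "$LDAP_CACERT"
    echo "== ldapsearch =="
    out=$(ldaps_search "$LDAP_HOST" "${LDAP_PORT:-636}" "$LDAP_CACERT" \
                       "$LDAP_BINDDN" "$LDAP_BASE")
    echo "$out"
    echo "diagnosis: $(classify_ldap_failure "$out")"
fi
```

If tls_probe already reports "Verify return code: 0 (ok)" but ldaps_search still fails, the CA is not the problem and the next things to look at are the bind DN, the password and the base DN; if openssl fails too, fix trust first, since no amount of LDAP-side debugging will get past a handshake the client refuses.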