Troubleshooting LDAP Connections

This document (7010961) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server
LDAP
NetIQ

Situation

  • A server or application that communicates with an LDAP server is not functioning correctly, for example:
    • Slow
    • Dropped communications
    • Exceptions and errors
  • What tools or commands can be used to troubleshoot the connection?
  • ldapsearch gives errors using an SSL connection over port 636
    • ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    • TLS certificate verification: Error, self signed certificate in certificate chain
    • TLS trace: SSL3 alert write:fatal:unknown CA
    • TLS trace: SSL_connect:error in SSLv3 read server certificate B
    • TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
    • TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

Resolution

  • Use an LDAP browser, for example Apache Directory Studio (http://directory.apache.org/studio)
  • Use the Linux ldapsearch command
    • See examples in the Additional Information section, below
    • For full details refer to the man pages

Additional Information

To test an SSL connection, the client running the search needs to be told how to treat the LDAP server's CA certificate. On most Linux distributions, edit /etc/openldap/ldap.conf to include the following line:

TLS_REQCERT     allow

With "allow", the client requests the server certificate but proceeds even when it cannot be verified, which is what lets a test search get past the "unknown CA" and "self signed certificate in certificate chain" alerts listed above.

Examples
  • Unencrypted eDirectory 
    • ldapsearch -H ldap://red.lab.services.microfocus.com:389 -x -D "cn=admin,o=Lab" -w password -b "ou=Users,o=Lab" -s sub -a always "(objectClass=User)" cn
  • Encrypted eDirectory
    • ldapsearch -H ldaps://red.lab.services.microfocus.com:636 -x -D "cn=admin,o=Lab" -w password -b "ou=Users,o=Lab" -s sub -a always "(objectClass=User)" cn
  • Unencrypted Active Directory
    • ldapsearch -H ldap://blue.windom.lab.services.microfocus.com:389 -x -D "cn=Administrator,cn=users,DC=windom,DC=lab,DC=services,DC=microfocus,DC=com" -w password -b "CN=Users,DC=windom,DC=lab,DC=services,DC=microfocus,DC=com" -s sub -a always "(objectClass=User)" cn
  • Encrypted Active Directory
    • ldapsearch -H ldaps://blue.windom.lab.services.microfocus.com:636 -x -D "cn=Administrator,cn=users,DC=windom,DC=lab,DC=services,DC=microfocus,DC=com" -w password -b "CN=Users,DC=windom,DC=lab,DC=services,DC=microfocus,DC=com" -s sub -a always "(objectClass=User)" cn
Where
-H LDAP URI (ldap:// or ldaps://, followed by host and port)
-D bind DN
-w bind password (use -W to be prompted for it instead)
-b base DN for search
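
The following script is an added example, not part of this document, that separates the three layers a failing LDAPS connection can sit in: TCP reachability (the "Can't contact LDAP server (-1)" case), certificate trust (the "unknown CA" and "self signed certificate in certificate chain" alerts), and the LDAP bind itself. It checks the server's chain against a CA file with openssl s_client and then points ldapsearch at the same file through the OpenLDAP LDAPTLS_CACERT and LDAPTLS_REQCERT environment variables, so verification can stay at "demand" instead of being relaxed to "allow". It assumes nc, openssl and ldapsearch are installed; the URI, CA file path and DNs are arguments you supply.

```shell
#!/bin/sh
# Added diagnostic helper, not from the SUSE document. Assumptions: nc,
# openssl and ldapsearch are installed; CA_FILE is a PEM file holding the
# LDAP server's CA certificate; IPv6 address literals are not handled.
# Host part of an ldap:// or ldaps:// URI, without port or path.
ldap_uri_host() {
    printf '%s\n' "$1" | sed -e 's#^ldaps*://##' -e 's#[:/].*$##'
}

# Port part of the URI; ldap:// defaults to 389, ldaps:// to 636.
ldap_uri_port() {
    hostport=$(printf '%s\n' "$1" | sed -e 's#^ldaps*://##' -e 's#/.*$##')
    case "$hostport" in
        *:*) printf '%s\n' "${hostport##*:}" ;;
        *)   case "$1" in ldaps://*) echo 636 ;; *) echo 389 ;; esac ;;
    esac
}

# Step 1: "Can't contact LDAP server (-1)" with no TLS trace at all usually
# means the port is closed or filtered, not a certificate problem.
check_tcp() {  # usage: check_tcp URI
    host=$(ldap_uri_host "$1"); port=$(ldap_uri_port "$1")
    if command -v nc >/dev/null 2>&1; then
        nc -z -w 5 "$host" "$port" && echo "tcp: $host:$port reachable"
    else
        echo "tcp: nc not installed, skipping port check" >&2
    fi
}

# Step 2: verify the server's chain against CA_FILE. A non-zero verify
# return code here is what ldapsearch reports as "unknown CA".
check_tls() {  # usage: check_tls URI CA_FILE
    host=$(ldap_uri_host "$1"); port=$(ldap_uri_port "$1")
    out=$(openssl s_client -connect "$host:$port" -servername "$host" \
              -CAfile "$2" -verify_return_error </dev/null 2>&1)
    status=$?
    printf '%s\n' "$out" | grep -E 'Verify return code|verify error'
    return "$status"
}

# Step 3: bind over LDAPS with the CA trusted and verification kept at
# "demand", rather than relaxing ldap.conf to TLS_REQCERT allow.
ldap_bind_test() {  # usage: ldap_bind_test URI CA_FILE BIND_DN BASE_DN
    LDAPTLS_CACERT="$2" LDAPTLS_REQCERT=demand \
        ldapsearch -H "$1" -x -D "$3" -W -b "$4" -s base '(objectClass=*)' dn
}
if [ "$#" -ge 4 ]; then
    check_tcp "$1" && check_tls "$1" "$2" && ldap_bind_test "$@"
fi
```

Saved as, say, ldaps-check.sh (a name chosen here), it is run as: sh ldaps-check.sh ldaps://red.lab.services.microfocus.com:636 /path/to/ca.pem "cn=admin,o=Lab" "o=Lab", and stops at the first layer that fails.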

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7010961
  • Creation Date: 18-Oct-2012
  • Modified Date:30-Dec-2021
    • SUSE End of Life
