Security
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Error binding to LDAP. reason="Can't contact LDAP server".

chris
Motivator
‎06-01-2017 01:44 AM

Hi,

on a fresh 6.6 install I received the following error when trying to set up ldap authentication:
An error occurred completing this request: In handler 'LDAP-groups': strategy="default" Error binding to LDAP. reason="Can't contact LDAP server".

I copied the config from a existing/working instance.

Any Ideas?

Regards Chris

Reply
1 Solution
Solved! Jump to solution
Solution

chris
Motivator
‎06-01-2017 01:56 AM

Running:

ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

as suggested in: https://docs.splunk.com/Documentation/Splunk/6.6.1/Security/TestyourLDAPconfiguration helped.

Adding -d -1 to get debug output: 

ldapsearch -d -1 -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

yields:

TLS: error: connect - force handshake failure: errno 13 - moznss error -12286
TLS: can't connect: TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I am not the ldap-admin so I commented the TLS_PROTOCOL and TLS_CIPHER lines in:
$SPLUNK_HOME/etc/openldap/ldap.conf

#TLS_PROTOCOL_MIN 3.3
#TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

It works now ...

View solution in original post

Reply
Solved! Jump to solution
Solution

chris
Motivator
‎06-01-2017 01:56 AM

Running:

ldapsearch -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

as suggested in: https://docs.splunk.com/Documentation/Splunk/6.6.1/Security/TestyourLDAPconfiguration helped.

Adding -d -1 to get debug output: 

ldapsearch -d -1 -x –h <ldap_host> –p <ldap_port> –D "bind_dn" -w "bind_passwd" -b "user_basedn" "userNameAttribute=*"

yields:

TLS: error: connect - force handshake failure: errno 13 - moznss error -12286
TLS: can't connect: TLS error -12286:Cannot communicate securely with peer: no common encryption algorithm(s)..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I am not the ldap-admin so I commented the TLS_PROTOCOL and TLS_CIPHER lines in:
$SPLUNK_HOME/etc/openldap/ldap.conf

#TLS_PROTOCOL_MIN 3.3
#TLS_CIPHER_SUITE ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

It works now ...

Reply
Solved! Jump to solution

hettervik
Builder
‎09-18-2020 04:10 AM

Worked for me as well! Only had to comment out the `TLS_CIPHER_SUITE` setting in ldap.conf. However, I can't figure out exactly why this fixes the problem. I've looked through some documentation, and can se that `TLS_CIPHER_SUITE` defaults to a standard setting, so what happens when it's commented? Would it compromise security in any way to comment it?

Documentation on `TLS_CIPHER_SUITE` and ldap.conf: https://www.openldap.org/software//man.cgi?query=ldap.conf&sektion=5&apropos=0&manpath=OpenLDAP+2.4-...

0 Karma
Reply
Solved! Jump to solution

nick405060
Motivator
‎05-31-2019 01:29 PM

I had to both comment out not only #TLS_PROTOCOL_MIN and #TLS_CIPHER_SUITE, but #TLS_CACERTDIR as well. Kind of a combination of both of these answers:

https://answers.splunk.com/answers/543501/error-binding-to-ldap-reasoncant-contact-ldap-serv.html
https://answers.splunk.com/answers/607006/having-trouble-connecting-to-ldap-server-with-ssl.html

0 Karma
Reply
Solved! Jump to solution

burwell
SplunkTrust
SplunkTrust
‎12-01-2017 06:50 PM

I installed a fresh version of Splunk and ran into this very issue today! Thanks for documenting this.

0 Karma
Reply
Solved! Jump to solution

wanquan224
Engager
‎06-21-2018 12:56 AM

Disable the TLS_PROTOCOL_MIN & TLS_CIPHER_SUITE worked at 7.1.1 too.

Reply
Get Updates on the Splunk Community!

Stay Connected: Your Guide to May Tech Talks, Office Hours, and Webinars!

Take a look below to explore our upcoming Community Office Hours, Tech Talks, and Webinars this month. This ...

They're back! Join the SplunkTrust and MVP at .conf24

With our highly anticipated annual conference, .conf, comes the fez-wearers you can trust! The SplunkTrust, as ...

Enterprise Security Content Update (ESCU) | New Releases

Last month, the Splunk Threat Research Team had two releases of new security content via the Enterprise ...