I tried to configure Splunk to connect to Windows 2012R2 LDAP with SSL via port 636, but it failed, as shown below.
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Initializing with LDAPURL="ldaps://10.10.10.32:636"
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Attempting bind as DN="cn=svc_splunk_to_ad,ou=tech,ou=users,ou=systems,dc=abd,dc=hk"
01-11-2018 15:44:18.528 +0800 ERROR ScopedLDAPConnection - strategy="LDAP Lab" Error binding to LDAP. reason="Can't contact LDAP server"
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Successfully performed unbind
Using openssl to test LDAP, I am able to get a response for TLS 1.1 and TLS 1.2.
./splunk cmd openssl s_client -tls1_1 -connect 10.10.10.32:636
:
skipping
:
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
./splunk cmd openssl s_client -tls1_2 -connect 10.10.10.32:636
:
skipping
:
CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
Server public key is 2048 bit
From the above, the cipher for TLS 1.2 is AES128-GCM-SHA256.
Can you try concatenating the certs into a single PEM file, have TLS_CACERT point at it, and also comment out the TLS_CACERTDIR attribute, like below:
TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem
#TLS_CACERTDIR /opt/splunk/etc/openldap/certs
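Added example (not code from the original thread or from Splunk): a small Python check that builds the single chain file the answer above describes, then opens a TLS session to the LDAPS port the way the openssl s_client test does, but with the server certificate verified against that chain. It tells apart the causes hidden behind "Can't contact LDAP server" (port unreachable, protocol/cipher handshake failure, or certificate verification failure), which TLS_REQCERT never would only mask. The chain file path in render_ldap_conf is a hypothetical placeholder.

```python
# Added example, not from the original post. Mirrors the ldap.conf setup above
# (single TLS_CACERT chain file, TLS_CACERTDIR commented out) and verifies the
# LDAPS endpoint against that chain instead of skipping verification.
import socket
import ssl

BEGIN, END = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"

def merge_chain(pem_texts):
    """Concatenate CA certificates (root plus intermediates) into one PEM body
    for TLS_CACERT. Rejects input that is not made of complete PEM blocks,
    a common reason a hand-built chain file is silently unusable."""
    merged = []
    for i, text in enumerate(pem_texts):
        begins, ends = text.count(BEGIN), text.count(END)
        if begins == 0 or begins != ends:
            raise ValueError(f"input {i}: {begins} BEGIN / {ends} END markers")
        merged.append(text.strip() + "\n")
    return "".join(merged)

def count_certs(pem_text):
    """Number of certificate blocks in a PEM body."""
    return pem_text.count(BEGIN)

def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """TLS handshake to host:port like `openssl s_client -connect host:port`.
    With cafile set, the peer certificate and hostname are verified (the
    equivalent of TLS_REQCERT demand); note that an LDAPURL using a bare IP
    needs that IP in the certificate's SAN for hostname checks to pass."""
    ctx = ssl.create_default_context(cafile=cafile)
    if cafile is None:  # report-only mode, like TLS_REQCERT never
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {"status": "ok", "protocol": tls.version(),
                        "cipher": tls.cipher()[0], "verified": cafile is not None}
    except ssl.SSLCertVerificationError as e:   # chain or hostname problem
        return {"status": "cert_verify_failed", "detail": e.verify_message}
    except ssl.SSLError as e:                   # protocol/cipher mismatch
        return {"status": "handshake_failed", "detail": str(e.reason)}
    except OSError as e:                        # refused, timeout, DNS
        return {"status": "unreachable", "detail": str(e)}

def render_ldap_conf(chain_path, reqcert="demand"):
    """ldap.conf TLS lines: one chain file, TLS_CACERTDIR left commented out."""
    return (f"TLS_REQCERT {reqcert}\nTLS_CACERT {chain_path}\n"
            "#TLS_CACERTDIR /opt/splunk/etc/openldap/certs\n")

if __name__ == "__main__":
    print(probe_ldaps("10.10.10.32", 636))  # host from the question above
```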