Splunk failed to connect to LDAP via port 636

daniel_splunk · ‎01-17-2019

I tried to configure Splunk to connect to Windows 2012R2 LDAP with SSL via port 636 but failed with below command.

01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Initializing with LDAPURL="ldaps://10.10.10.32:636"
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Attempting bind as DN="cn=svc_splunk_to_ad,ou=tech,ou=users,ou=systems,dc=abd,dc=hk"
01-11-2018 15:44:18.528 +0800 ERROR ScopedLDAPConnection - strategy="LDAP Lab" Error binding to LDAP. reason="Can't contact LDAP server"
01-11-2018 15:44:18.528 +0800 DEBUG ScopedLDAPConnection - strategy="LDAP Lab" Successfully performed unbind

Using openssl to test LDAP is able to get response for TLS 1.1 and TLS 1.2.

    ./splunk cmd openssl s_client -tls1_1 -connect 10.10.10.32:636
    :
    skipping
    :
    CONNECTED(00000003)
    ---
    New, TLSv1/SSLv3, Cipher is AES128-SHA
    Server public key is 2048 bit


    ./splunk cmd openssl s_client -tls1_2 -connect 10.10.10.32:636
    :
    skipping
    :
    CONNECTED(00000003)
    ---
    New, TLSv1/SSLv3, Cipher is AES128-GCM-SHA256
    Server public key is 2048 bit

From above, the cipher for TLS1.2 is AES128-GCM-SHA256

daniel_splunk · ‎01-17-2019

Can you try concat the certs into a single pem file, and have TLS_CACERT pointing at it an also commented out TLS_CACERTDIR attribute, like below:

TLS_REQCERT never
TLS_CACERT /opt/splunk/etc/openldap/certs/Your_Cert_Chain.pem
#TLS_CACERTDIR /opt/splunk/etc/openldap/certs

Splunk failed to connect to LDAP via port 636

Extending Observability Content to Splunk Cloud

More Control Over Your Monitoring Costs with Archived Metrics!

New in Observability Cloud - Explicit Bucket Histograms