
Troubleshooting LDAP Connections

This document (7010961) is provided subject to the disclaimer at the end of this document.

Environment

NetIQ
Novell
SUSE
Linux
LDAP
Debugging
Troubleshooting

Situation

  • A server or application that communicates with an LDAP server is not functioning correctly; e.g.
    • Slow
    • Dropped communications
    • Exceptions and errors
  • What tools or commands can be used to troubleshoot the connection?
  • ldapsearch gives errors using an SSL connection over port 636
    • ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    • TLS certificate verification: Error, self signed certificate in certificate chain
    • TLS trace: SSL3 alert write:fatal:unknown CA
    • TLS trace: SSL_connect:error in SSLv3 read server certificate B
    • TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
    • TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

Resolution

  • Use an LDAP browser, for example Apache Directory Studio (http://directory.apache.org/studio)
  • Use the Linux ldapsearch command
    • See examples in the Additional Information section, below
    • For full details refer to the man pages

Additional Information

Example 1

The following lists all the users under o=novell over an unencrypted connection to an LDAP server named blue, binding as cn=admin,o=novell with the password novell:
   time ldapsearch -H ldap://blue.nts.ukb.novell.com:389 -x -D cn=admin,o=novell -w novell -b o=Novell -s sub -a always "(objectClass=User)" objectClass
Example 2

To test an SSL connection, the client running the search needs to know how to deal with the LDAP server's CA certificate. On most Linux distributions, edit /etc/openldap/ldap.conf to include the following line:
      TLS_REQCERT     allow
Then run the ldapsearch command using parameters similar to the following:
   time ldapsearch -H ldaps://blue.nts.ukb.novell.com:636 -x -D cn=admin,o=novell -w novell -b o=Novell -s sub -a always "(objectClass=User)" objectClass
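As an added example (not part of this article), a small POSIX shell helper that reads the TLS_REQCERT setting from an ldap.conf, flags the "allow" value above as one that lets the SSL test succeed without verifying the server's certificate chain (handy for isolating a fault, not a setting to leave on a client), and maps the error strings listed under Situation to a likely cause. The function names, the TLS_CACERT suggestion and the base-scope query are my own assumptions.

```shell
#!/bin/sh
# Added helper for the two ldapsearch tests above; not from the Novell article.

# Effective TLS_REQCERT from an ldap.conf ($1). OpenLDAP's documented default
# when the directive is absent is "demand"; the last occurrence wins here.
ldap_reqcert() {
    val=$(sed -n 's/^[[:space:]]*TLS_REQCERT[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | tail -n 1)
    printf '%s\n' "${val:-demand}" | tr 'A-Z' 'a-z'
}

# 0 if the client rejects an untrusted server certificate, 1 if it accepts one
# ("allow" and "never" make the SSL test pass without proving the chain).
ldap_verifies_cert() {
    case $(ldap_reqcert "$1") in
        demand|hard|try) return 0 ;;
        *)               return 1 ;;
    esac
}

# Map ldapsearch's stderr ($1) to a likely cause, using the messages listed
# under Situation. Most-specific pattern first, since one failure prints several.
ldap_diagnose() {
    case $1 in
        *"self signed certificate in certificate chain"*|*"unknown CA"*|*"Unknown CA"*)
            echo "client does not trust the server CA: point TLS_CACERT at the CA certificate" ;;
        *"Can't contact LDAP server"*)
            echo "no LDAP session: port 636 unreachable or the TLS handshake failed" ;;
        *)
            echo "unclassified: $1" ;;
    esac
}

# Run the article's SSL test (base scope, so it is cheap) and interpret a failure.
# Usage: ldap_ssl_test HOST BINDDN PASSWORD BASEDN
ldap_ssl_test() {
    if err=$(ldapsearch -H "ldaps://$1:636" -x -D "$2" -w "$3" -b "$4" -s base \
                 "(objectClass=*)" 2>&1 >/dev/null); then
        echo "ok: TLS session established and bind succeeded"
    else
        ldap_diagnose "$err"
    fi
}

if [ "$#" -eq 4 ]; then
    conf=/etc/openldap/ldap.conf
    ldap_verifies_cert "$conf" || echo "warning: TLS_REQCERT is $(ldap_reqcert "$conf"), certificate check is off"
    ldap_ssl_test "$@"
fi
```

Run it as `sh ldaptest.sh blue.nts.ukb.novell.com cn=admin,o=novell novell o=Novell`; with no arguments it only defines the functions.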

Disclaimer

This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7010961
  • Creation Date: 18-OCT-12
  • Modified Date: 16-MAY-13
  • Categories: Novell Change Guardian, NetIQ End of Life, End of Life, SUSE End of Life
