Troubleshooting LDAP Connections
This document (7010961) is provided subject to the disclaimer at the end of this document.
- A server or application that communicates with an LDAP server is not functioning correctly; e.g.
- Dropped communications
- Exceptions and errors
- What tools or commands can be used to troubleshoot the connection?
- ldapsearch gives errors when using an SSL connection over port 636, such as:
- ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
- TLS certificate verification: Error, self signed certificate in certificate chain
- TLS trace: SSL3 alert write:fatal:unknown CA
- TLS trace: SSL_connect:error in SSLv3 read server certificate B
- TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
- TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)
- Use an LDAP browser, for example Apache Directory Studio (http://directory.apache.org/studio)
- Use the Linux ldapsearch command
- See examples in the Additional Information section, below
- For full details refer to the man pages
Example 1
The following lists all users under o=novell over an unencrypted connection to an LDAP server named blue, binding with the user name cn=admin,o=novell and the password novell:
time ldapsearch -H ldap://blue.nts.ukb.novell.com:389 -x -D cn=admin,o=novell -w novell -b o=Novell -s sub -a always "(objectClass=User)" objectClass
Example 2
To test an SSL connection, the client running the search needs to know how to deal with the LDAP Server's CA Certificate. On most Linux distributions, edit /etc/openldap/ldap.conf to include the following line:
TLS_REQCERT allow
Then run the ldapsearch command using parameters similar to the following:
time ldapsearch -H ldaps://blue.nts.ukb.novell.com:636 -x -D cn=admin,o=novell -w novell -b o=Novell -s sub -a always "(objectClass=User)" objectClass
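An added troubleshooting helper, not part of this TID or of OpenLDAP: it classifies the ldapsearch error lines listed above and audits ldap.conf for TLS_REQCERT allow or never, which make the search succeed by skipping certificate verification rather than by trusting the right CA. The function names, file paths and sample error text are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original TID: explain the TLS errors ldapsearch
# prints and audit ldap.conf for settings that hide them instead of fixing them.

# classify_ldap_tls_error: read ldapsearch stderr on stdin, print one diagnosis
# line. Certificate messages are matched before the generic "Can't contact LDAP
# server (-1)", which is only the consequence of an aborted TLS handshake.
classify_ldap_tls_error() {
    out=$(cat)
    case "$out" in
        *"self signed certificate in certificate chain"*|*"unknown CA"*|*"Unknown CA"*)
            echo "UNTRUSTED_CA: the client rejected the server chain; import the issuing CA and point TLS_CACERT at it" ;;
        *"certificate verify failed"*)
            echo "VERIFY_FAILED: chain rejected for another reason (expired, incomplete chain); inspect it with openssl s_client" ;;
        *"Can't contact LDAP server"*)
            echo "NO_CONNECTION: nothing reached the directory (port closed, firewall, wrong host) and no TLS error was reported" ;;
        *)
            echo "UNKNOWN: no recognised ldapsearch connection error" ;;
    esac
}

# audit_ldap_conf FILE: report whether this ldap.conf verifies server
# certificates. TLS_REQCERT allow/never silence a bad chain, so the search works
# but TLS no longer authenticates the server; the durable fix is TLS_CACERT.
audit_ldap_conf() {
    conf="$1"
    # keywords are case-insensitive, '#' lines are comments, last value wins
    reqcert=$(awk '$1 !~ /^#/ && toupper($1)=="TLS_REQCERT" {v=tolower($2)} END{print v}' "$conf")
    cacert=$(awk '$1 !~ /^#/ && (toupper($1)=="TLS_CACERT" || toupper($1)=="TLS_CACERTDIR") {v=$2} END{print v}' "$conf")
    case "$reqcert" in
        allow|never)
            echo "WEAK: TLS_REQCERT $reqcert disables certificate verification" ;;
        try)
            echo "PARTIAL: TLS_REQCERT try still accepts a server that presents no certificate" ;;
        ""|demand|hard)
            if [ -n "$cacert" ]; then
                echo "OK: verification enforced against $cacert"
            else
                echo "NO_CA: verification enforced but no TLS_CACERT/TLS_CACERTDIR, so a private CA will fail"
            fi ;;
        *)
            echo "INVALID: unrecognised TLS_REQCERT value '$reqcert'" ;;
    esac
}

# Stand-alone use: audit the live ldap.conf if present, then classify the
# ldapsearch stderr saved in the file named by $1 (ldapsearch ... 2>err.txt).
if [ -r /etc/openldap/ldap.conf ]; then audit_ldap_conf /etc/openldap/ldap.conf; fi
if [ -n "${1:-}" ]; then classify_ldap_tls_error < "$1"; fi
```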
This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7010961
- Creation Date: 18-OCT-12
- Modified Date: 16-MAY-13