Troubleshooting LDAP Connections

This document (7010961) is provided subject to the disclaimer at the end of this document.




  • A server or application that communicates with an LDAP server is not functioning correctly; e.g.
    • Slow
    • Dropped communications
    • Exceptions and errors
  • What tools or commands can be used to troubleshoot the connection?
  • ldapsearch gives errors using an SSL connection over port 636
    • ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    • TLS certificate verification: Error, self signed certificate in certificate chain
    • TLS trace: SSL3 alert write:fatal:unknown CA
    • TLS trace: SSL_connect:error in SSLv3 read server certificate B
    • TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
    • TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)


  • Use an LDAP browser such as Apache Directory Studio (http://directory.apache.org/studio)
  • Use the Linux ldapsearch command
    • See examples in the Additional Information section, below
    • For full details refer to the man pages

Additional Information

Example 1

The following lists all the users under o=novell over an unencrypted connection to an LDAP server named blue, binding as cn=admin,o=novell with the password novell:
   time ldapsearch -H ldap://blue.nts.ukb.novell.com:389 -x -D cn=admin,o=novell -w novell -b o=Novell -s sub -a always "(objectClass=User)" objectClass
Example 2

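To test an SSL connection, the client running the search needs to know how to deal with the LDAP server's CA certificate. On most Linux distributions, edit /etc/openldap/ldap.conf to include the following line, which makes the client request the server certificate but continue the session even when that certificate cannot be verified: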
      TLS_REQCERT     allow
Then run the ldapsearch command using parameters similar to the following:
   time ldapsearch -H ldaps://blue.nts.ukb.novell.com:636 -x -D cn=admin,o=novell -w novell -b o=Novell -s sub -a always "(objectClass=User)" objectClass
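
The following shell functions are an added example, not part of the original document. They classify ldapsearch debug output so that a certificate trust failure is told apart from a plain connection failure, and rerun the Example 2 search with verification enforced. LDAPTLS_REQCERT and LDAPTLS_CACERT are the environment-variable forms of the ldap.conf options; the CA file path is an assumption supplied by the caller.

```shell
#!/bin/sh
# Added example: classify ldapsearch debug output (for instance from "-d 1").

# Reads the output on stdin and prints one keyword. Certificate failures are
# tested first because they also end in the generic "(-1)" message.
diagnose_ldap_tls() {
    out=$(cat)
    case $out in
        *"certificate verify failed"*|*"unknown CA"*|*"Unknown CA"*|\
        *"self signed certificate"*|*"self-signed certificate"*)
            echo untrusted-ca ;;    # client trust store lacks the issuing CA
        *"Can't contact LDAP server (-1)"*)
            echo unreachable ;;     # no TLS trace: check name, port, firewall
        *)
            echo no-known-error ;;
    esac
}

# The TLS failure from the symptom list above, used as sample input.
sample_tls_failure() {
    cat <<'EOF'
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
EOF
}

# Repeats the Example 2 search with verification enforced instead of relaxed.
# $1 is a PEM file holding the directory's CA certificate (hypothetical path,
# supplied by the caller); the remaining arguments go to ldapsearch unchanged.
strict_search() {
    ca=$1; shift
    LDAPTLS_REQCERT=demand LDAPTLS_CACERT=$ca \
        ldapsearch -d 1 "$@" 2>&1 | diagnose_ldap_tls
}

sample_tls_failure | diagnose_ldap_tls    # prints: untrusted-ca
```

Call strict_search with the CA file followed by the same arguments used in Example 2. A result of untrusted-ca means the file given does not contain the CA that issued the server's certificate.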


This Support Knowledgebase provides a valuable tool for NetIQ/Novell/SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID: 7010961
  • Creation Date: 18-OCT-12
  • Modified Date: 16-MAY-13