Tuesday, 23 October 2018

LDAP - ldapsearch and SSL - what fun

Having set up a new Microsoft Active Directory 2012 domain controller, I was testing the LDAP connectivity using the ldapsearch command before adding WebSphere Application Server (WAS) into the mix.

I ran this command: -

ldapsearch -h windows2012.uk.ibm.com -p 636 -b dc=uk,dc=ibm,dc=com -D cn=wasbind,dc=uk,dc=ibm,dc=com -w Ch1mn3y5! cn=wasbind

which resulted in this "helpful" response (the bind DN above was also missing the CN=Users container, but the connection failed before any bind was attempted, so that was not the cause): -

ldap_result: Can't contact LDAP server (-1)

In order to double-check the connectivity, I ran a few basic tests, starting with a plain TCP connection (telnet) to the domain controller, which connected without complaint: -

Trying 192.168.153.130...
Connected to windows2012.uk.ibm.com.
Escape character is '^]'.

and then a TLS handshake with openssl s_client, which also completed: -

openssl s_client -connect windows2012.uk.ibm.com:636 </dev/null

...
Protocol  : TLSv1.2
Cipher    : ECDHE-RSA-AES256-SHA384

...

Note that openssl s_client completes the handshake even when it does not trust the server's certificate; it only reports the problem in the "Verify return code" line further down its output, so a successful handshake here rules out the network and the TLS listener but not a certificate trust problem. Given that I'm using SSL/TLS, I tested ldapsearch over a non-SSL connection just to check: -

ldapsearch -h windows2012.uk.ibm.com -p 389 -b dc=uk,dc=ibm,dc=com -D CN=wasbind,CN=Users,DC=uk,DC=ibm,DC=com -w Ch1mn3y5! cn=wasbind

# wasbind, Users, uk.ibm.com
dn: CN=wasbind,CN=Users,DC=uk,DC=ibm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: wasbind
givenName: wasbind


so the problem is specific to the SSL/TLS path.

I'd also noted that I was using the old syntax for ldapsearch in the way that I was specifying the hostname and port.

Both the -h and -p switches have been deprecated in favour of the -H switch: -

man ldapsearch

       -H ldapuri
              Specify URI(s) referring to the ldap server(s); a list of URI, separated by whitespace or commas is expected; only the protocol/host/port fields are allowed.  As an  exception,
              if  no  host/port  is  specified, but a DN is, the DN is used to look up the corresponding host(s) using the DNS SRV records, according to RFC 2782.  The DN must be a non-empty
              sequence of AVAs whose attribute type is "dc" (domain component), and must be escaped according to RFC 2396.

       -h ldaphost
              Specify an alternate host on which the ldap server is running.  Deprecated in favor of -H.

       -p ldapport
              Specify an alternate TCP port where the ldap server is listening.  Deprecated in favor of -H.

...

So I tried the new syntax: -

ldapsearch -H ldaps://windows2012.uk.ibm.com:636 -b dc=uk,dc=ibm,dc=com -D cn=wasbind,cn=users,dc=uk,dc=ibm,dc=com -w Ch1mn3y5! cn=wasbind

which returned essentially the same thing: -

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

so I added the -Z switch. That is actually the StartTLS switch rather than a debug flag (debug output comes from -d), and asking for StartTLS on top of an ldaps:// URI is redundant, but it had the useful side effect of surfacing the underlying TLS error: -

ldapsearch -Z -H ldaps://windows2012.uk.ibm.com:636 -b dc=uk,dc=ibm,dc=com -D cn=wasbind,cn=users,dc=uk,dc=ibm,dc=com -w Ch1mn3y5! cn=wasbind

which was more insightful: -

ldap_start_tls: Can't contact LDAP server (-1)
additional info: SSLHandshake() failed: misc. bad certificate (-9825)
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


The -9825 code is not an OpenLDAP error but a macOS Secure Transport one: Apple's build of ldapsearch links against Secure Transport rather than OpenSSL, and SSLHandshake() returning "bad certificate" means the client would not accept the certificate the domain controller presented, most often because the CA that issued it is not trusted on the client.

This led me here: -

I tried this: -

export LDAPTLS_REQCERT=never

and then: -

ldapsearch -Z -H ldaps://windows2012.uk.ibm.com:636 -b dc=uk,dc=ibm,dc=com -D cn=wasbind,cn=users,dc=uk,dc=ibm,dc=com -w Ch1mn3y5! cn=wasbind

# wasbind, Users, uk.ibm.com
dn: CN=wasbind,CN=Users,DC=uk,DC=ibm,DC=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: wasbind
givenName: wasbind
distinguishedName: CN=wasbind,CN=Users,DC=uk,DC=ibm,DC=com


Hurrah!

One caveat before that goes into a script: LDAPTLS_REQCERT=never switches off verification of the server certificate entirely, so the client will complete the handshake with anything listening on 636, including an interception proxy. It is acceptable for proving that the rest of the chain (DNS, firewall, bind DN, password) is sound, but the proper fix is to make the client trust the CA that issued the domain controller's certificate: on a Linux OpenLDAP build, point LDAPTLS_CACERT (or TLS_CACERT in ldap.conf) at a PEM copy of that CA; on macOS, whose ldapsearch uses Secure Transport, add the CA to the keychain as trusted. WAS will need that same signer certificate in its truststore in any case. Separately, -w puts the bind password into the process list and shell history; -W prompts for it instead.
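The following shell script is added here as an example and is not from the original post. It recreates the failure mode on the loopback interface so the two fixes can be compared without a domain controller: it builds a throw-away CA and a leaf certificate (both constructed, standing in for the AD certificate services CA and the DC's certificate), serves the leaf from openssl s_server, then connects three ways: strictly with only the system trust store (refused, the analogue of the -9825 error), strictly with the test CA trusted (the LDAPTLS_CACERT analogue), and with verification switched off (the LDAPTLS_REQCERT=never analogue). It assumes openssl 1.1.0 or later on the PATH and a free loopback port.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): recreate the "bad certificate"
# handshake failure on the loopback interface and compare the two ways out.
# The CA, the server certificate and the listener are all constructed here;
# they stand in for the AD certificate services CA, the domain controller's
# certificate and port 636. Assumes openssl 1.1.0+ on PATH and a free port.

WORK=$(mktemp -d)
PORT=$((10000 + $$ % 20000))   # high port derived from the PID; assumed free
SERVER_PID=""

cleanup() { [ -n "$SERVER_PID" ] && kill "$SERVER_PID" 2>/dev/null; rm -rf "$WORK"; }
trap cleanup EXIT

# Throw-away issuing CA plus a leaf for "localhost" carrying a matching SAN.
# Idempotent, so the walkthrough below and a test harness can both call it.
make_test_pki() {
  [ -s "$WORK/srv.crt" ] && return 0
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test AD CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
  openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
    -keyout "$WORK/srv.key" -out "$WORK/srv.csr" 2>/dev/null &&
  printf 'subjectAltName=DNS:localhost\n' >"$WORK/san.cnf" &&
  openssl x509 -req -days 1 -in "$WORK/srv.csr" -CA "$WORK/ca.crt" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/srv.crt" 2>/dev/null
}

# TLS listener that, like a typical DC, presents only its leaf certificate.
start_test_server() {
  [ -n "$SERVER_PID" ] && return 0
  openssl s_server -accept "$PORT" -cert "$WORK/srv.crt" -key "$WORK/srv.key" \
    -www >/dev/null 2>&1 &
  SERVER_PID=$!
  i=0   # poll until the port answers; s_client exits non-zero while refused
  while [ "$i" -lt 50 ]; do
    openssl s_client -connect 127.0.0.1:"$PORT" </dev/null >/dev/null 2>&1 && return 0
    sleep 0.1; i=$((i + 1))
  done
  return 1
}

# Strict client: refuse the handshake unless the chain verifies against $1
# (a CA bundle, or "none" for the system store alone) and the name matches.
# This mirrors ldapsearch's default behaviour (LDAPTLS_REQCERT=demand).
strict_connect() {
  ca_opt=""
  [ "$1" != none ] && ca_opt="-CAfile $1"   # deliberately word-split below
  openssl s_client -connect 127.0.0.1:"$PORT" -verify_hostname localhost \
    -verify 5 -verify_return_error $ca_opt </dev/null >/dev/null 2>&1
}

# Lax client: the analogue of LDAPTLS_REQCERT=never. Completes against any
# certificate, so it proves reachability and nothing about server identity.
lax_connect() {
  openssl s_client -connect 127.0.0.1:"$PORT" </dev/null >/dev/null 2>&1
}

# Walk through the three outcomes when the script is run directly.
make_test_pki && start_test_server || { echo "setup failed" >&2; exit 1; }
strict_connect none           && echo "system store only: accepted" || echo "system store only: refused (the post's -9825)"
strict_connect "$WORK/ca.crt" && echo "issuing CA trusted: accepted" || echo "issuing CA trusted: refused"
lax_connect                   && echo "verification off: accepted, but unverified"
```

The real-world counterpart of the second connection on an OpenLDAP build is LDAPTLS_CACERT=/path/to/ad-ca.pem ldapsearch -H ldaps://windows2012.uk.ibm.com:636 -D cn=wasbind,cn=users,dc=uk,dc=ibm,dc=com -W cn=wasbind, with the CA PEM exported from the issuing CA rather than scraped from the very connection that cannot yet be verified.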

2 comments:

  1. Great post! I've been struggling with the same issue, and after reading & setting the environmental value, it's working fine! Just wanted to see - I believe the default of ldapsearch requires mTLS, correct?

  2. Hi Unknown

    If, by "mTLS", you mean mutual TLS ( aka client authentication or mutual authentication ), then no, there's no automatic requirement.

    I'm not familiar with a scenario where this'd be required - perhaps one where the end-user presents a client certificate, instead of user/password, to access the LDAP server but #shrug

    For reference, when one installs ldapsearch on, say, Ubuntu, there are a bunch of SSL/TLS packages that are also installed: -

    apt-get update && apt-get install -y ldap-utils

    Hit:1 http://ppa.launchpad.net/ansible/ansible/ubuntu bionic InRelease
    Hit:2 http://security.ubuntu.com/ubuntu bionic-security InRelease
    Hit:3 http://ppa.launchpad.net/git-core/ppa/ubuntu bionic InRelease
    Hit:4 https://storage.googleapis.com/bazel-apt stable InRelease
    Hit:5 https://download.docker.com/linux/ubuntu bionic InRelease
    Hit:6 http://us.archive.ubuntu.com/ubuntu bionic InRelease
    Get:7 http://us.archive.ubuntu.com/ubuntu bionic-updates InRelease [88.7 kB]
    Get:8 http://us.archive.ubuntu.com/ubuntu bionic-backports InRelease [74.6 kB]
    Fetched 163 kB in 2s (85.3 kB/s)
    Reading package lists... Done
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following additional packages will be installed:
    libldap-2.4-2 libldap-common
    Suggested packages:
    libsasl2-modules-gssapi-mit | libsasl2-modules-gssapi-heimdal
    The following NEW packages will be installed:
    ldap-utils
    The following packages will be upgraded:
    libldap-2.4-2 libldap-common
    2 upgraded, 1 newly installed, 0 to remove and 20 not upgraded.
    Need to get 294 kB of archives.
    After this operation, 703 kB of additional disk space will be used.
    Get:1 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-common all 2.4.45+dfsg-1ubuntu1.10 [15.8 kB]
    Get:2 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 libldap-2.4-2 amd64 2.4.45+dfsg-1ubuntu1.10 [154 kB]
    Get:3 http://us.archive.ubuntu.com/ubuntu bionic-updates/main amd64 ldap-utils amd64 2.4.45+dfsg-1ubuntu1.10 [124 kB]
    Fetched 294 kB in 1s (426 kB/s)
    (Reading database ... 175160 files and directories currently installed.)
    Preparing to unpack .../libldap-common_2.4.45+dfsg-1ubuntu1.10_all.deb ...
    Unpacking libldap-common (2.4.45+dfsg-1ubuntu1.10) over (2.4.45+dfsg-1ubuntu1.9) ...
    Preparing to unpack .../libldap-2.4-2_2.4.45+dfsg-1ubuntu1.10_amd64.deb ...
    Unpacking libldap-2.4-2:amd64 (2.4.45+dfsg-1ubuntu1.10) over (2.4.45+dfsg-1ubuntu1.9) ...
    Selecting previously unselected package ldap-utils.
    Preparing to unpack .../ldap-utils_2.4.45+dfsg-1ubuntu1.10_amd64.deb ...
    Unpacking ldap-utils (2.4.45+dfsg-1ubuntu1.10) ...
    Setting up libldap-common (2.4.45+dfsg-1ubuntu1.10) ...
    Setting up libldap-2.4-2:amd64 (2.4.45+dfsg-1ubuntu1.10) ...
    Setting up ldap-utils (2.4.45+dfsg-1ubuntu1.10) ...
    Processing triggers for man-db (2.8.3-2ubuntu0.1) ...
    Processing triggers for libc-bin (2.27-3ubuntu1.4) ...
