"Can't contact LDAP server (-1)" error for LDAPS to Server 2012
This problem can occur because the TLS 1.2 implementation in Windows 2012 is incompatible with some versions of Linux libraries like gnutls.
If this is your problem, disabling TLS 1.2 will restore functionality. The following options may be available to you:
In Linux CLI (may need to escape the exclamation point, found here):
# single quotes stop an interactive bash from treating '!' as history expansion
export LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.2'
In PHP on Linux (found here and here):
putenv('LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2');
On Windows Server 2012, I can't find concise instructions, but these are the registry entries. Directly editing the registry can be dangerous so use with caution.
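As an added example (my own script, not code from the answer above or from OpenLDAP), here is a small POSIX sh script that ties the workaround to a check: it asks openssl s_client which TLS versions the server will negotiate, then runs an anonymous rootDSE query with ldapsearch -d 1 twice, once with the library default and once with LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2, and reports whether the "TLS packet with unexpected length" symptom goes away. It assumes ldapsearch was built against GnuTLS (that is what makes the priority string meaningful; an OpenSSL build expects an OpenSSL cipher list instead) and that openssl is on PATH; my.ad.com is the placeholder host from the question, and classify_ldap_output, ldaps_probe and tls_versions are my own function names. Keep the trade-off in mind: removing TLS 1.2 leaves only TLS 1.1 or lower, so this is a compatibility stopgap rather than a fix.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes an OpenLDAP
# ldapsearch built against GnuTLS (so LDAPTLS_CIPHER_SUITE is a GnuTLS
# priority string) and openssl on PATH. The host is a placeholder.

# Classify one ldapsearch run's combined stdout/stderr. Prints one of:
#   tls-length    the "TLS packet with unexpected length" symptom
#   tls-other     some other TLS connect failure
#   cant-contact  "Can't contact LDAP server" with no TLS detail
#   ok            no connect error seen
classify_ldap_output() {
    case "$1" in
        *"TLS packet with unexpected length"*) echo tls-length ;;
        *"TLS: can't connect"*)                echo tls-other ;;
        *"Can't contact LDAP server"*)         echo cant-contact ;;
        *)                                     echo ok ;;
    esac
}

# Anonymous rootDSE read over LDAPS with -d 1 so TLS errors are printed.
# $1 = LDAP URI, $2 = GnuTLS priority string (empty keeps the library default).
ldaps_probe() {
    if [ -n "$2" ]; then
        out=$(LDAPTLS_CIPHER_SUITE="$2" ldapsearch -H "$1" -x -d 1 -b "" -s base 2>&1)
    else
        out=$(ldapsearch -H "$1" -x -d 1 -b "" -s base 2>&1)
    fi
    classify_ldap_output "$out"
}

# Which TLS versions the server will negotiate, via openssl s_client.
# Check this before disabling TLS 1.2: the workaround only helps if the
# server still accepts TLS 1.0 or 1.1 (both deprecated). A version the
# local OpenSSL was built without also shows up as "failed".
tls_versions() {
    for v in tls1 tls1_1 tls1_2; do
        if openssl s_client -connect "$1" -"$v" </dev/null >/dev/null 2>&1; then
            echo "$v: negotiated"
        else
            echo "$v: failed"
        fi
    done
}

# Usage: sh ldaps-check.sh my.ad.com   (placeholder host from the question)
if [ $# -ge 1 ]; then
    echo "TLS versions accepted by $1:636"
    tls_versions "$1:636"
    echo "ldapsearch, library default:    $(ldaps_probe "ldaps://$1" '')"
    echo "ldapsearch, TLS 1.2 disabled:   $(ldaps_probe "ldaps://$1" 'NORMAL:!VERS-TLS1.2')"
fi
```

If the first probe prints tls-length and the second prints ok, you have reproduced the answer's diagnosis; if tls_versions shows only tls1_2 negotiating, disabling TLS 1.2 on the client will leave nothing to fall back to and the fix has to be on the server or library side.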
claytond
Updated on September 18, 2022
Comments
-
claytond over 1 year
When attempting to connect to Active Directory on Windows Server 2012 (possibly R2) over LDAPS, ldapsearch produces one of the following errors (at the end of a longer output):
$ ldapsearch -H ldaps://my.ad.com -v -b "dc=my,dc=ad,dc=com"
...
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: A TLS packet with unexpected length was received.
or
$ ldapsearch -H ldaps://my.ad.com -v -b "dc=my,dc=ad,dc=com" -D "[email protected]"
...
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
or
$ ldapsearch -H ldaps://my.ad.com -d 1 -v -b "dc=my,dc=ad,dc=com" -D "[email protected]" -W
...
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The SSL certificate has been installed and verified using s_client e.g.:
openssl s_client -connect my.ad.com:636 -CApath /etc/ssl/certs/
... which generates valid output ending in something like:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-SHA384
    Session-ID: 2938000006304A580F4FA7C47F3C0C64FCF43B83B666D24B247775E24DC6B5B1
    Session-ID-ctx:
    Master-Key: C835DACE990D164C2F97F594B1D6989179735CE38AD822165F7C20C99C826DEE7E91816693AA72B08ADD85EDB6493578
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1490979674
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---
-
Cameron Kerr over 6 years
When using ldapsearch, you generally need -v -d 2 to get useful SSL debugging.
-