"Can't contact LDAP server (-1)" error for LDAPS to Server 2012


This problem can occur because the TLS 1.2 implementation in Windows 2012 is incompatible with some versions of Linux libraries like gnutls.

If this is your problem, disabling TLS 1.2 will restore functionality. The following options may be available to you:

In Linux CLI (may need to escape the exclamation point, found here):

export LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2

In PHP on Linux (found here and here):

putenv('LDAPTLS_CIPHER_SUITE=NORMAL:!VERS-TLS1.2');

On Windows Server 2012, I can't find concise instructions, but these are the registry entries. Directly editing the registry can be dangerous so use with caution.
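The answer above only says to disable TLS 1.2; before doing that it is worth confirming that the server completes a handshake for some other version, and then keeping the downgrade to the one ldapsearch invocation that needs it instead of exporting it for every GnuTLS-backed client on the host. The following POSIX shell helpers are an added example, not code from the original post; the host `my.ad.com`, port 636 and base DN are the placeholders from the question, and the `-CApath` value is the one used in the s_client check above.

```shell
#!/bin/sh
# Added example (not from the original answer). Placeholders: LDAP_HOST,
# LDAP_PORT and BASE_DN default to the values used in the question.
LDAP_HOST="${LDAP_HOST:-my.ad.com}"
LDAP_PORT="${LDAP_PORT:-636}"
BASE_DN="${BASE_DN:-dc=my,dc=ad,dc=com}"

# negotiated_protocol: read `openssl s_client` output on stdin and print the
# version from the "Protocol  : TLSv1.2" line of the SSL-Session block, or
# "none" when no session block is present (handshake failed).
negotiated_protocol() {
    awk '/^ *Protocol *:/ { print $3; found = 1 }
         END { if (!found) print "none" }'
}

# probe_tls FLAG: attempt a handshake restricted to one protocol version
# (-tls1_2, -tls1_1 or -tls1) and report what, if anything, was negotiated.
# "Q" on stdin closes the connection cleanly once the handshake is done.
probe_tls() {
    flag="$1"
    printf 'Q\n' | openssl s_client -connect "$LDAP_HOST:$LDAP_PORT" "$flag" \
        -CApath /etc/ssl/certs/ 2>/dev/null | negotiated_protocol
}

# probe_all: one line per version, e.g. "-tls1_2 none" / "-tls1_1 TLSv1.1".
# A server that answers "none" for TLS 1.2 but a version for TLS 1.1 or 1.0
# is the case the answer above describes.
probe_all() {
    for flag in -tls1_2 -tls1_1 -tls1; do
        printf '%s %s\n' "$flag" "$(probe_tls "$flag")"
    done
}

# ldapsearch_legacy_tls [extra ldapsearch args]: run a single query with
# TLS 1.2 removed from GnuTLS's priority list for this process only, so the
# rest of the host keeps its default TLS settings.
ldapsearch_legacy_tls() {
    LDAPTLS_CIPHER_SUITE='NORMAL:!VERS-TLS1.2' \
        ldapsearch -H "ldaps://$LDAP_HOST" -v -d 2 -b "$BASE_DN" "$@"
}

# Usage (interactive):
#   . ./ldaps_probe.sh            # load the functions
#   probe_all                     # which versions the server completes
#   ldapsearch_legacy_tls -D "user@my.ad.com" -W   # query with TLS 1.2 excluded
```

`probe_all` tells you whether the failure is version-specific before you touch `LDAPTLS_CIPHER_SUITE`; `ldapsearch_legacy_tls` passes `-v -d 2`, as the comment below recommends, so the TLS negotiation is visible in the output if the downgrade still does not help.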


Author: claytond
Updated on September 18, 2022

Comments

  • claytond, over 1 year ago

    When attempting to connect to Active Directory on Windows Server 2012 (possibly R2) over LDAPS, ldapsearch produces one of the following errors (at the end of a longer output):

    $ ldapsearch -H ldaps://my.ad.com -v -b "dc=my,dc=ad,dc=com"
    ...
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
        additional info: A TLS packet with unexpected length was received.

    or

    $ ldapsearch -H ldaps://my.ad.com -v -b "dc=my,dc=ad,dc=com" -D "[email protected]"
    ...
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    or

    $ ldapsearch -H ldaps://my.ad.com -d 1 -v -b "dc=my,dc=ad,dc=com" -D "[email protected]" -W
    ...
    TLS: can't connect: A TLS packet with unexpected length was received..
    ldap_err2string
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    The SSL certificate has been installed and verified using s_client e.g.:

    openssl s_client -connect my.ad.com:636 -CApath /etc/ssl/certs/

    ... which generates valid output ending in something like:

    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
    Server public key is 2048 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-SHA384
        Session-ID: 2938000006304A580F4FA7C47F3C0C64FCF43B83B666D24B247775E24DC6B5B1
        Session-ID-ctx:
        Master-Key: C835DACE990D164C2F97F594B1D6989179735CE38AD822165F7C20C99C826DEE7E91816693AA72B08ADD85EDB6493578
        Key-Arg   : None
        PSK identity: None
        PSK identity hint: None
        SRP username: None
        Start Time: 1490979674
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    • Cameron Kerr, over 6 years ago
      When using ldapsearch, you generally need -v -d 2 to get useful SSL debugging.