Troubleshooting LDAP Connections

  • 7010961
  • 18-Oct-2012
  • 16-May-2013
  • A server or application that communicates with an LDAP server is not functioning correctly, for example:
    • Slow
    • Dropped communications
    • Exceptions and errors
  • What tools or commands can be used to troubleshoot the connection?
  • ldapsearch reports errors when using an SSL connection over port 636, such as:
    • ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    • TLS certificate verification: Error, self signed certificate in certificate chain
    • TLS trace: SSL3 alert write:fatal:unknown CA
    • TLS trace: SSL_connect:error in SSLv3 read server certificate B
    • TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate in certificate chain)
    • TLSv1 Record Layer: Alert (Level: Fatal, Description: Unknown CA)

  • Use an LDAP browser, for example Apache Directory Studio
  • Use the Linux ldapsearch command
    • See examples in the Additional Information section, below
    • For full details refer to the man pages

Additional Information

Example 1

The following lists all users under o=novell over an unencrypted connection (port 389) to an LDAP server named blue, binding as cn=admin,o=novell with the password novell. The leading time reports how long the search took, which is useful when the complaint is slowness:
   time ldapsearch -H ldap://blue -x -D cn=admin,o=novell -w novell -b o=novell -s sub -a always "(objectClass=User)" objectClass
Example 2

To test an SSL connection, the client running the search needs to know how to handle the LDAP server's CA certificate. On most Linux distributions, edit /etc/openldap/ldap.conf to include the following line:
      TLS_REQCERT     allow
Note that allow makes ldapsearch continue even when the server certificate cannot be verified, so it is appropriate for troubleshooting only; for normal operation, point TLS_CACERT in the same file at the CA certificate so that verification succeeds. Then run the ldapsearch command (ldaps:// uses port 636) with parameters similar to the following:
   time ldapsearch -H ldaps://blue -x -D cn=admin,o=novell -w novell -b o=novell -s sub -a always "(objectClass=User)" objectClass
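The following helper script is an added example and not part of the original document: it runs the plain and SSL probes from Examples 1 and 2 with a time limit and maps the error text ldapsearch prints to the likely cause. The host name blue, the bind DN and the password are the sample values used above; the server must of course be reachable for the probes to do anything.

```shell
#!/bin/sh
# Added example, not from the original TID. Runs the two ldapsearch probes
# (ldap:// on 389, ldaps:// on 636) and classifies their stderr using the
# error messages quoted in this document. Sample values from the TID:
BIND_DN="cn=admin,o=novell"
BIND_PW="novell"
BASE_DN="o=novell"

# classify_ldap_error: reads ldapsearch stderr on stdin, prints "CODE: hint".
# TLS messages are tested first because a failed handshake is followed by a
# generic "Can't contact LDAP server" line that would otherwise hide the cause.
classify_ldap_error() {
    out=$(cat)
    case "$out" in
        "")
            echo "OK: no errors reported" ;;
        *"self signed certificate in certificate chain"*|*"unknown CA"*|*"Unknown CA"*)
            echo "CA_NOT_TRUSTED: client does not trust the server's CA; point TLS_CACERT in ldap.conf at that CA (TLS_REQCERT allow only skips the check)" ;;
        *"certificate verify failed"*)
            echo "CERT_VERIFY_FAILED: server certificate rejected (name, expiry or chain); inspect it with openssl s_client -connect host:636" ;;
        *"Can't contact LDAP server"*)
            echo "NO_CONNECTION: no TCP/TLS session; check host name, port 389/636, firewall and that the server is listening" ;;
        *)
            echo "UNKNOWN: $out" ;;
    esac
}

# probe: one ldapsearch against the given URI (ldap://host or ldaps://host);
# stdout is discarded, stderr is classified. Add -d 1 to ldapsearch to see
# the "TLS trace:" lines listed above.
probe() {
    err=$(timeout 15 ldapsearch -H "$1" -x -D "$BIND_DN" -w "$BIND_PW" \
              -b "$BASE_DN" -s sub -a always "(objectClass=User)" objectClass \
              2>&1 >/dev/null)
    printf '%s -> %s\n' "$1" "$(printf '%s' "$err" | classify_ldap_error)"
}

# Usage: sh ldapcheck.sh blue   (probes ldap://blue, then ldaps://blue)
if [ -n "${1:-}" ]; then
    probe "ldap://$1"
    probe "ldaps://$1"
fi
```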