ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

  • Document ID: 7022403
  • Creation Date: 30-Nov-2017
  • Modified Date: 23-Jan-2020

Situation

LDAP search over LDAPS fails before the bind completes:
# ldapsearch -H ldaps://testsrv.lab.services.microfocus.com:636 -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
openssl fails: the server aborts the handshake with TLS alert 20 (bad record mac). The verify error on the Organizational CA in the output below only means that CA is not in the client's trust store; by itself it does not stop the connection and is not the fault here.
# openssl s_client -connect testsrv.lab.services.microfocus.com:636
depth=1 OU = Organizational CA, O = LABTREE
verify error:num=19:self signed certificate in certificate chain
140188827497728:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac:s3_pkt.c:1494:SSL alert number 20
140188827497728:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
ndstrace with the LDAP trace flag enabled shows the server side of the failure (error -5875):
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : TLS accept failure 1 on connection 0x1507c260, setting err = -5875. Error stack:
    error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : TLS handshake failed on connection 0x1507c260, err = -5875
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : BIO ctrl called with unknown cmd 7
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : Server closing connection 0x1507c260, socket error = -5875
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : Connection 0x1507c260 closed
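The helper below is an added example written for this note; it is not a Micro Focus or NetIQ tool and is not part of the original TID. It classifies a captured openssl s_client transcript so that the expected verify error on the Organizational CA is not mistaken for the real fault (the server aborting the handshake with TLS alert 20), and it extracts the failed-handshake connections and error codes from an ndstrace LDAP trace. It assumes a client with POSIX sh, grep, sed and openssl; the sample transcripts are constructed from the output shown above, the host name is the TID's test server, and OrgCA.pem is a hypothetical path to the exported Organizational CA certificate.

```shell
#!/bin/sh
# Added triage helper for the symptoms in this TID (example code written for
# this note, not a NetIQ/Micro Focus tool). It does two things:
#  1. classifies a captured `openssl s_client -connect host:636` transcript,
#     separating the expected verify error on the Organizational CA (the CA is
#     simply not in the client's trust store) from the real fault, the server
#     aborting the handshake with TLS alert 20 (bad record mac);
#  2. pulls the failed-handshake connections and eDirectory error codes out of
#     an ndstrace LDAP trace.
# The sample transcripts below are constructed from the output in the TID.

# Classify an s_client transcript read on stdin. Prints one line and returns:
#   0 handshake completed, 1 handshake aborted by the server,
#   2 no TCP connection at all, 3 unrecognised output.
ldaps_triage() {
    transcript=$(cat)
    if printf '%s\n' "$transcript" | grep -Eq 'connect:errno|Connection refused|Connection timed out'; then
        echo "NOCONNECT: TCP connect to the LDAPS port failed (firewall, or NLDAP not listening)"
        return 2
    fi
    if printf '%s\n' "$transcript" | grep -Eq 'alert bad record mac|ssl handshake failure'; then
        echo "HANDSHAKE_FAILED: server sent TLS alert 20 (bad record mac); check ndstrace for err = -5875 and recreate the LDAP server certificate"
        return 1
    fi
    if printf '%s\n' "$transcript" | grep -Eq 'SSL-Session:|Verify return code'; then
        if printf '%s\n' "$transcript" | grep -q 'verify error:num=19'; then
            echo "OK_UNTRUSTED_CA: handshake completed; CA not in the client trust store (rerun with -CAfile OrgCA.pem)"
        else
            echo "OK: handshake completed and certificate chain verified"
        fi
        return 0
    fi
    echo "UNKNOWN: transcript did not match any known pattern"
    return 3
}

# Print "<connection> <err>" for every TLS handshake failure in an ndstrace
# LDAP trace read on stdin, e.g. "0x1507c260 -5875".
ndstrace_tls_failures() {
    sed -n 's/.*TLS handshake failed on connection \(0x[0-9a-fA-F]*\), err = \(-[0-9]*\).*/\1 \2/p'
}

# Live check against a real server (needs network; not used by the samples).
# Usage: ldaps_check_live testsrv.lab.services.microfocus.com[:636] [OrgCA.pem]
# Passing the exported Organizational CA removes the verify error, so only a
# genuine handshake fault remains in the transcript.
ldaps_check_live() {
    host=$1; cafile=$2
    case "$host" in *:*) ;; *) host="$host:636" ;; esac
    if [ -n "$cafile" ]; then
        openssl s_client -connect "$host" -CAfile "$cafile" </dev/null 2>&1 | ldaps_triage
    else
        openssl s_client -connect "$host" </dev/null 2>&1 | ldaps_triage
    fi
}

# --- Constructed samples (mirroring the TID output, not live captures) ---
sample_bad_record_mac() {
    cat <<'EOF'
depth=1 OU = Organizational CA, O = LABTREE
verify error:num=19:self signed certificate in certificate chain
140188827497728:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac:s3_pkt.c:1494:SSL alert number 20
140188827497728:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
EOF
}

# Healthy server behind the same untrusted CA: the verify error is still
# printed, but the session is established and s_client reaches its summary.
sample_healthy_untrusted_ca() {
    cat <<'EOF'
depth=1 OU = Organizational CA, O = LABTREE
verify error:num=19:self signed certificate in certificate chain
---
SSL-Session:
    Protocol  : TLSv1.2
    Verify return code: 19 (self signed certificate in certificate chain)
EOF
}

sample_ndstrace() {
    cat <<'EOF'
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : TLS accept failure 1 on connection 0x1507c260, setting err = -5875. Error stack:
    error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : TLS handshake failed on connection 0x1507c260, err = -5875
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : Connection 0x1507c260 closed
EOF
}

# Run the constructed samples through both helpers.
demo() {
    sample_bad_record_mac | ldaps_triage || :
    sample_healthy_untrusted_ca | ldaps_triage
    sample_ndstrace | ndstrace_tls_failures
}
demo
```

Against the failing server in the TID the first sample is what you get; after the certificate has been recreated, rerunning ldaps_check_live with the exported Organizational CA should report OK (or OK_UNTRUSTED_CA without the CA file), and ndstrace_tls_failures on a fresh trace should print nothing.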

Resolution

Recreate the certificate used by the LDAP server.
  1. Identify the certificate currently used by the LDAP server
    iManager -> Roles & Tasks -> LDAP -> LDAP Options -> View LDAP Servers -> [Failing Server] -> General/Connections -> Server Certificate
    Make a note of the Server Certificate name
  2. Create a new certificate
    iManager -> Roles & Tasks -> NetIQ Certificate Access -> Server Certificates -> [Navigate to Failing Server] ->
    Either create a new Server Certificate, or delete and recreate the one identified in Step 1
  3. Repeat Step 1 and set Server Certificate to the newly created certificate
  4. Restart NLDAP (unload and reload the LDAP module) or restart eDirectory so that the new certificate is loaded

Cause

The server certificate was corrupt.

A -5875 error has also been seen when a firewall is blocking or interfering with the SSL connection, so rule out the network path to port 636 before recreating the certificate.

Additional Information

If you recreate the certificate, be aware that other services may be using the same certificate and may need to be reconfigured manually to use the recreated one.

It may be preferable to create a new, separate certificate specifically for LDAP, so that replacing it does not affect other services.