ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

  • 7022403
  • 30-Nov-2017
  • 30-Nov-2017

Environment

eDirectory
LDAP

Situation

LDAP search fails
# ldapsearch -H ldaps://testsrv.lab.services.microfocus.com:636 -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
openssl fails
# openssl s_client -connect testsrv.lab.services.microfocus.com:636
CONNECTED(00000003)
depth=1 OU = Organizational CA, O = LABTREE
verify error:num=19:self signed certificate in certificate chain
140188827497728:error:140943FC:SSL routines:ssl3_read_bytes:sslv3 alert bad record mac:s3_pkt.c:1494:SSL alert number 20
140188827497728:error:140790E5:SSL routines:ssl23_write:ssl handshake failure:s23_lib.c:177:
[Snip]
ndstrace returns errors
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : TLS accept failure 1 on connection 0x1507c260, setting err = -5875. Error stack:
    error:1408F119:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : TLS handshake failed on connection 0x1507c260, err = -5875
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : BIO ctrl called with unknown cmd 7
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : Server closing connection 0x1507c260, socket error = -5875
[29/11/2017 14:45:32.08][t: 8b0] LDAP    : INFO    : Connection 0x1507c260 closed

Resolution

Recreate the certificate used by LDAP.
  1. Identify the certificate
    iManager -> Roles & Tasks -> LDAP -> LDAP Options -> View LDAP Servers -> [Failing Server] -> General/Connections -> Server Certificate
    Make a note of the Server Certificate
  2. Create a new certificate
    iManager -> Roles & Tasks -> NetIQ Certificate Access -> Server Certificates -> [Navigate to Failing Server] ->
    Create or delete and recreate the Server Certificate identified in Step 1
  3. Repeat Step 1 but change to the newly-created certificate
  4. Restart NLDAP/eDirectory

Cause

The server certificate was corrupt.

Additional Information

If recreating the certificate, be aware that other services could be using it and may need to be manually configured to use the recreated certificate.

It may be preferable to create a new, separate certificate specifically for LDAP.