LDAPS does not work: "Can't contact LDAP server", 'errno': 115

LDAPS does not work, but LDAP works, i.e., the same connection but unencrypted and with port 389 instead of 636.

LAST TESTED ON CHECKMK 2.0.0P1

Before moving ahead: Verify that your LDAP server's certificate's common name (CN) or subject alternative names (SAN) match the hostnames you provided in the LDAP server list!

Be especially careful if you use IP addresses to address your LDAP servers; those are seldom contained in certificates.

Problem

The connection test gives something like this:

    {'result': -1, 'desc': "Can't contact LDAP server", 'errno': 115, 'ctrls': [], 'info': '(unknown error code)'}

When using a self-signed certificate, please verify that you added it to the Linux certificate store and to checkmk's certificate store!


To verify whether this scenario applies to you, you can do the following:

  1. Run one of the following commands:

    gnutls-cli <adhostname>:636 -VV
    openssl s_client -crl_check_all -connect <adhostname>:636

  2. At the end of the (very long) output, you might find this:

    - Status: The certificate is NOT trusted. The received OCSP status response is invalid.
    
    *** PKI verification of server certificate failed...
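The two checks above (does the certificate's CN/SAN cover the hostname or IP you configured, and does the system trust store accept the certificate chain at all) can be scripted so they run against every entry of the LDAP server list. The following is an added example, not part of this article and not Checkmk's own code: `cert_matches_host` applies the usual name-matching rules to a certificate in the shape Python's `ssl` module returns, including the case the article warns about (an IP address that is not in the SAN), and `check_ldaps` performs the live TLS handshake on port 636. The sample certificate dictionary and the hostnames in it are constructed for illustration.

```python
import ipaddress
import socket
import ssl
from typing import Optional

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
# The names are made up for this example.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.example.internal"),),),
    "subjectAltName": (
        ("DNS", "dc1.example.internal"),
        ("DNS", "*.ad.example.internal"),
    ),
}


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS match; a wildcard may only replace the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # "*.ad.example.internal" covers "dc2.ad.example.internal" but not
    # "a.b.ad.example.internal" or "ad.example.internal".
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_host(cert: dict, hostname: str) -> bool:
    """True if hostname (DNS name or IP literal) is covered by the certificate."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is only covered by an 'IP Address' SAN entry.
        # CN and DNS entries never match an IP, which is why configuring
        # LDAP servers by IP so often fails certificate verification.
        return any(
            kind == "IP Address" and ipaddress.ip_address(value) == ip
            for kind, value in san
        )
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, hostname) for p in dns_names)
    # Fall back to the CN only when the certificate carries no DNS SANs at all.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, hostname):
                return True
    return False


def check_ldaps(hostname: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Live check: TLS handshake against an LDAPS port, reporting trust and name match.

    cafile: optional path to the CA bundle (e.g. the file holding your self-signed
    CA); None uses the system trust store, i.e. what the OS would trust.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    # Chain verification stays on (CERT_REQUIRED); we only report the
    # name mismatch ourselves instead of letting the handshake raise on it.
    ctx.check_hostname = False
    result = {"host": hostname, "port": port, "trusted": False,
              "name_match": False, "error": None}
    try:
        with socket.create_connection((hostname, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                cert = tls.getpeercert()
                result["trusted"] = True
                result["name_match"] = cert_matches_host(cert, hostname)
    except ssl.SSLCertVerificationError as exc:
        # The chain is not trusted: missing CA in the store, expired, etc.
        result["error"] = f"untrusted: {exc.verify_message}"
    except (OSError, ssl.SSLError) as exc:
        result["error"] = str(exc)
    return result


if __name__ == "__main__":
    import sys
    # Usage: python ldaps_check.py <adhostname> [<ca-bundle.pem>]
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.internal"
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    print(check_ldaps(host, cafile=ca))
```

Run it once with the system store (no `cafile`) and once with the bundle you added your self-signed CA to: if only the second run reports `trusted: True`, the certificate is missing from the store the LDAP client actually uses; if `trusted` is true but `name_match` is false, the server list entry does not match the certificate's CN/SAN. Note that this uses OpenSSL, so like `openssl s_client` without `-crl_check_all` it does not perform the CRL/OCSP lookup that GnuTLS does.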

Reason

ldapsearch is linked to GnuTLS and not OpenSSL, and GnuTLS does a CRL/OCSP check by default, which OpenSSL does not.

Solution

It would be best to troubleshoot your CRL/OCSP setup, because something prevents a successful CRL/OCSP lookup.