Hub with LDAP SSL enabled is no longer connecting to the LDAP Server

Document ID : KB000009891
Last Modified Date : 14/02/2018
Show Technical Document Details
Introduction:

Customer’s primary hub to LDAP connection stopped working a few months ago. After turning off SSL it worked. They needed to get SSL and LDAP working. How can they enable LDAP with SSL in UIM?

Background:

The SSL settings in the hub (normal / compatibility mode / SSL only) is related to UIM network communication between components inside a UIM (Nimsoft) domain (probe to probe, hub to hub, etc.) and has nothing to do with the LDAP SSL.

Environment:
UIM 8.x or higherhub probe
Instructions:

Under General ->Settings->LDAP Tab, checking the "Use SSL" checkbox means that the hub will switch to using the LDAP SSL port and SSL communication when talking to the LDAP server.

There is no need to add a client certificate. The communication between the hub and the LDAP server will be encrypted, provided that the LDAP server has a valid certificate and is configured to talk SSL.

It creates an LDAP session handle that is SSL enabled.

Of course, you will have a certificate on the LDAP server to implement SSL in the first place, but as far as the hub is concerned, it simply makes an ldaps:// connection instead of an ldap:// connection.

It uses port 636 (secure ldap port) instead of port 389 (normal ldap) so make sure you can connect FROM the hub TO the LDAP server using that port.

So, the requests will be SSL-encrypted but we don't support client-side authentication (where you would put a certificate on the hub itself to 'match' the certificate on the ldap server).

To test the connection FROM the primary hub you can do a telnet query for port 389 (LDAP) or port 636 (LDAP SSL)

For example,

telnet <hostname_or_ipaddress> 389

You should see something like this:

telnet <ldapsrvip> 389
Trying 10.2.x.xxx...
Connected to mainldapsrv.example.com.
Escape character is '^]'.

You could also use nmap,

nmap hostip 389

There is also a Microsoft tool called PortQry that will give you a lot of info about a port(s):

PortQry.exe -n hostip -p tcp -e 389

just replace 389 with 636 for LDAP SSL

In any case, if you don’t find any problems when testing the connection, you can enable the LDAP SSL and then test the connection while you have the hub.log open, after setting the loglevel to 5 and logsize to 40000, to observe what the hub complains about regarding the connection. Please then attach the log showing the connection failure or success. General LDAP Failure codes can be found here: https://www.ldap.com/ldap-result-code-reference

Please note that anonymous simple bind must be enabled if you’re not running hub v7.80 HF7 or higher.

Additional Information: