How To Troubleshoot LDAP
Users Cannot Log In
The ldapsearch
is the best tool to troubleshoot LDAP issues. Sometimes, groups
or users are not found, and LDAP needs to be troubleshot.
Please follow instructions on Using ldapsearch
to Verify LDAP Configuration page to continue with troubleshooting.
LDAPS Troubleshooting
If you want to use LDAPS, these criteria need to be met:
-
The domain name/CN/SAN/hostname of the LDAP server needs to be specified as
ldaps://address
; an IP address cannot be present. -
The root/intermediate certificates by which the LDAPS certificate is signed needs to be uploaded/selected.
To verify the name/CN/SAN of the LDAP server and the root/intermediate certificates by which is the LDAPS certificate signed, use the following command:
openssl s_client -connect <ldaps server>:<ldaps port>
Issues With LDAPS After Upgrade to 5.0
OpenSSL in Debian 11 has significantly improved security, not trusting certificates signed with a 2048-bit (or lower) RSA key.
If you are getting an Unexpected Failure
error for LDAP login attempts after
upgrading to 5.0
, there is most likely an issue with the certificate’s public
key length.
Check the public key length with:
openssl s_client -connect <ldaps server>:<ldaps port>
If it was signed with a low RSA key size:
-
Change the OpenSSL settings in
/etc/ssl/openssl.cnf
to:[system_default_sect] MinProtocol = TLSv1.2 CipherString = DEFAULT@SECLEVEL=1
(located at the end of the configuration file)
-
Restart the machine.