Troubleshoot LDAP issues
This page documents the preview version (v2.21). Preview includes features under active development and is for development and testing only. For production, use the stable version (v2024.1). To learn more, see Versioning.
Troubleshooting LDAP
Laboratory machines sometimes lack the intermediate certificate needed to trust the LDAP server certificate. You can prepend the environment variable LDAPTLS_REQCERT=never, which disables server certificate verification, to test connectivity with ldapsearch:

```sh
LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://ldapserver.example.org -b dc=example,dc=org 'uid=adam' -D "cn=admin,dc=example,dc=org" -w adminpassword
```
There are two cases where explicit intermediate CA configuration is needed:

- ldapsearch works correctly with LDAPTLS_REQCERT=never but fails otherwise.
- ldapsearch works correctly, but database authentication still fails with a PostgreSQL error message such as "LDAP diagnostics: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed".
In either case, you need to define the intermediate CA in $HOME/ldaprc or $HOME/.ldaprc for the yugabyte user. The following example file /home/yugabyte/ldaprc shows the TLS_CACERT option pointing to the CA certificate used by the LDAP server. You need to obtain this CA file and place it locally on each client machine.

```
TLS_CACERT /etc/ssl/certs/ca-bundle.trust.crt
```
Setting the TLS_CACERT option only in the system-wide OpenLDAP configuration file /etc/openldap/ldap.conf does not work; it must be set in $HOME/ldaprc.
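As an added example (not part of the YugabyteDB documentation), the following POSIX shell script checks the per-user ldaprc described above before you retry ldapsearch or database authentication: it locates $HOME/ldaprc or $HOME/.ldaprc, extracts TLS_CACERT, and verifies that the referenced file exists and holds a PEM certificate. The home directory, file paths and certificate contents in the demo are constructed for the example.

```sh
#!/bin/sh
# Added example, not from the YugabyteDB docs: preflight check for the per-user
# OpenLDAP client config described above. Sample paths and file contents are
# constructed; nothing here contacts an LDAP server.

# Locate the per-user file the page names: $HOME/ldaprc or $HOME/.ldaprc.
# Prints the first one found and returns 1 if neither exists.
find_ldaprc() {
    for f in "$1/ldaprc" "$1/.ldaprc"; do
        [ -f "$f" ] && { echo "$f"; return 0; }
    done
    return 1
}

# Print the TLS_CACERT value from an ldaprc file, ignoring comment lines and
# leading whitespace. Returns 1 if the option is absent.
ldaprc_cacert() {
    awk '$1 == "TLS_CACERT" { print $2; found = 1 } END { exit !found }' "$1"
}

# Validate an ldaprc file: TLS_CACERT must be set and point to a readable file
# holding at least one PEM certificate. Prints the reason and returns 1 on
# failure. The symptoms above (ldapsearch works only with LDAPTLS_REQCERT=never,
# or PostgreSQL reports "certificate verify failed") point at the CA file, and
# these checks catch the common misconfigurations of it.
check_ldaprc() {
    rc="$1"
    [ -r "$rc" ] || { echo "missing or unreadable ldaprc: $rc"; return 1; }
    cacert=$(ldaprc_cacert "$rc") || { echo "TLS_CACERT not set in $rc"; return 1; }
    [ -r "$cacert" ] || { echo "TLS_CACERT file not readable: $cacert"; return 1; }
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cacert" \
        || { echo "no PEM certificate in $cacert"; return 1; }
    echo "ok: $rc -> $cacert"
}

# Demo with a constructed home directory: one good config and one where
# TLS_CACERT is only present as a comment.
demo_home=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB(constructed placeholder)\n-----END CERTIFICATE-----\n' > "$demo_home/ca.crt"
printf 'TLS_CACERT %s\n' "$demo_home/ca.crt" > "$demo_home/.ldaprc"
printf '# TLS_CACERT /etc/ssl/certs/ca-bundle.trust.crt\nTLS_REQCERT demand\n' > "$demo_home/ldaprc.broken"
check_ldaprc "$(find_ldaprc "$demo_home")"
check_ldaprc "$demo_home/ldaprc.broken" || :
rm -rf "$demo_home"
```

Run it as the yugabyte user with `check_ldaprc "$(find_ldaprc "$HOME")"` on each client machine; a passing check confirms the file OpenLDAP will read, not that the CA in it actually issued the server certificate.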