I need help with getting my XtremIO to authenticate against Active Directory either using LDAPS or LDAPTLS.
I have gotten regular, old LDAP to work, so I know my configuration is correct. When I make the switch to encrypted connections, the process fails. I either get "LDAP server could not be found" or "User authentication failed".
My URL looks like this: ldaps://xxxx.domain.local
I've tried swapping in/out combinations of "ldaps" and "ldaptls". I've also tried various port numbers such as 389, 636, 3268 and 3269.
I'm confirmed DNS is working and resolving correctly. I tried the IP address for the domain controller, as well.
I even did a packet sniff to see what is going on. At first, we got certificate errors and so I messed with the CA cert chain. We have intermediate CAs involved, so I'm not sure if that could be the issue. I ordered the chain intermediate and then root. I even used the CLI to add the cert. I wasn't sure if the GUI was importing the chain correctly.
Coworkers suggested messing around with the order of the certs in the chain. Tried just the root, and then only the intermediate. Another suggested, the server cert, intermediate, then root. None of those combinations worked.
I noticed other blog entries about this didn't put in an SSL certificate at all. We removed the cert and still nothing. This time on the packet sniff, there was no certificate error. Whatever handshake was going on was terminated. I have no idea why.
If anyone can provide any advice, I would greatly appreciate it. I've gone through basically every blog entry and forum posting on this topic and nothing has really helped me so far.
We are running XtremIO 4.0.1-41. Our domain controller is Windows 2012R2.
Solved! Go to Solution.
For future reference, this problem was caused by a bug in 4.0.1-41 which causes certain ciphers not to work correctly with Windows Active Directory. This has been fixed in 4.0.10.