DELL EMC Unity: How to Check LDAP and LDAPS Connection State

• Ldapsearch to test LDAP/LDAPs connection

 LDAP has no Transport Layer Security(TLS) connection, you don't need to upload LDAPS certificates.
 For LDAPS, A ldaps certificate has to be uploaded to Unity while setup LDAPS.
In order to run the command, you must have root access.

 The example for LDAP test command:
   ldapsearch  -x  -d 1  -v  -H  ldap://ldapserver_name_or_IP:389  -b "CN=Users,dc=peeps,dc=lab" -D "CN=Administrator,CN=Users,DC=peeps,DC=lab"  -w Password

The example for  LDAPS test command:
 env LDAPTLS_CACERT=/EMC/backend/CEM/LDAPCer/serverCertificate.cer ldapsearch  -x  -d 1  -v  -H  ldaps://ldapserver_name_or_IP:636   -b "CN=Users,dc=peeps,dc=lab" -D "CN=Administrator,CN=Users,DC=peeps,DC=lab"  -w Password

 Note: "LDAPTLS_CACERT" indicates where Unity to find server certificate. LDAP can use port 389,3268; LDAPS can use 636,3269; if you need customer to input password, please use -W instead of "-w Password".
 

• Connection process

STEP 1# Resolve ldapserver name to IP address by querying DNS sever or local file /etc/hosts; You could specify IP address to bypass this step.
STEP 2# Establish TCP connection between Unity and LDAP servers.
STEP 3# TLS Check Unity side for uploaded certificate in /EMC/backend/CEM/LDAPCer/serverCertificate.cer
STEP 4# TLS handshake,the client sends a Client hello message to the server
STEP 5# TLS handshake,the server responds by sending a server hello message to the client
STEP 6# TLS The server sends its certificate to the client for authentication,the client checks it with /EMC/backend/CEM/LDAPCer/serverCertificate.cer
STEP 7# LDAP server checks Bind user and password provided by client

Note: LDAP connection has no TLS connection.
 

• Successful connection sample

 ldap_url_parse_ext(ldaps://123.abc.cde.com:3269)
ldap_create
ldap_url_parse_ext(ldaps://123.abc.cde.com::3269/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 123.abc.cde.com::3269
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 123.123.123.123:3269                           <<<<<< hostname is resovled to IP address
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success                                                                                  <<<<<<<<TCP session is established. 
TLS trace: SSL_connect:before/connect initialization                         <<<<< uploaded certificate is checked here,no error if a certificate exists.
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 2, err: 0, subject: /xxxxxxxxxxxxxxxxxxxxxx
TLS certificate verification: depth: 1, err: 0, subject: /C=xx/O=xxx /CN=xxxxx, issuer: /C=xx/O=xxx./CN=xxxx
TLS certificate verification: depth: 0, err: 0, subject: /CN=xxxxxx issuer: /C=US/O=xxx./CN=xxxxxx
TLS trace: SSL_connect:SSLv3 read server certificate A                     <<<<<<verify server certificates
TLS trace: SSL_connect:SSLv3 read server key exchange A
TLS trace: SSL_connect:SSLv3 read server certificate request A
TLS trace: SSL_connect:SSLv3 read server done A
TLS trace: SSL_connect:SSLv3 write client certificate A
TLS trace: SSL_connect:SSLv3 write client key exchange A
TLS trace: SSL_connect:SSLv3 write change cipher spec A
TLS trace: SSL_connect:SSLv3 write finished A
TLS trace: SSL_connect:SSLv3 flush data
TLS trace: SSL_connect:SSLv3 read finished A
ldap_open_defconn: successful                 <<<<< a connection is established to LDAPS server.
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 90 bytes to sd 3
ldap_result ld 0x7fd64f5a5750 msgid 1
.....................

# filter: (objectclass=*)
# requesting: ALL
#
res_errno: 0, res_error: <>, res_matched: <>                   <<<<< a Bind search or user search is successful. 
ldap_free_request (origid 2, msgid 2)

• Error message and solution

1 connection error "name is not found":
"dap_connect_to_host: getaddrinfo failed: Name or service not known"
Please check DNS server, firewall, DNS load balancer

2 connection error  "TCP session error":
"connect errno"
Please check LDAP server port and IP connectivity; firewall

3 connection TLS error "cannot find certificate":
"TLS: could not load verify locations...."
Please check LDAPS server certificate is uploaded or not

4 connection TLS error " client hello error":
"TLS trace: SSL_connect:error in SSLv2/v3 write client hello" 
Please check server support TLS or not; check firewall

5 connection TLS error "server hello error"
"TLS trace: SSL_connect:error in SSLv2/v3 read server hello"
Please check if server supports TLS or not; check firewall

6 connection TLS error "certificate verify error":
"TLS certificate verification: Error"
Please check LDAPS server certificate and upload to Unityagain. 

7 connection error "Bind user/password error":
"ldap_bind: Invalid credentials"
Please check username and password, try the same account to login  a customer desktop client.
 

• Troubleshooting by capturing tcpdump

  For  step 1~6 failure, if you cannot find obvious problem,  please capture a tcpdump while running ldapsearch command, involve GNS team to investigate the connection issue.