IDPA Search: Failure reported while testing connection to the external identity provider

Summary: This KB article outlines an issue where the Test Connection button reports an error message due to failure to bind using secure socket layer.


Symptoms

Within the PowerProtect DPSearch administration console, under the LDAP Options section, a failure is reported when the Test connection button is used. The error does not appear if the Secure Socket Layer (SSL) field is set to false, because a plain-text LDAP bind performs no certificate validation; disabling SSL only hides the problem and sends the bind credentials in clear text, so it is not a fix.

Error messages similar to the following can be found within the cis.log file, located under the /usr/local/search/log/cis folder:

P7FF0|2021/03/09 13:34:46:765|DEBUG|cislockbox.rb(62)|Parsed body A-OK 
P7FF0|2021/03/09 13:34:46:765|DEBUG|cislockbox.rb(79)|Binding to ldap using: [Server=ldaphost, Port:636, User=ldapuser, Pwd: ********************] 
P7FF0|2021/03/09 13:34:46:768|DEBUG|cisconfigldap.rb(128)|Binding to [ldaphost:636 as ldapuser] 
P7FF0|2021/03/09 13:34:46:780|DEBUG|ldap_internal.rb(645)|Ldap Internal; bind_as: "Connection to ldap server ldaphost failed, ex: SSL_connect returned=1 errno=0 state=error: certificate verify failed." 
P7FF0|2021/03/09 13:34:46:780|DEBUG|ldap_internal.rb(645)|Ldap Internal; bind_as: "bind as result: " 
P7FF0|2021/03/09 13:34:46:780|DEBUG|ldap_provider.rb(317)|Ldap Provider; validate_user: "bind_as user ldapuser failed on LDAP Host ldaphost with #\u003cOpenStruct code=0, message=\"Success\"\u003e" 
P7FF0|2021/03/09 13:34:46:780|DEBUG|ldap_provider.rb(317)|Ldap Provider; validate_user: "validate_user failed. User entry: null" 
P7FF0|2021/03/09 13:34:46:781|ERROR|cisconfigldap.rb(141)|LDAP binding failed. 
P7FF0|2021/03/09 13:34:46:781|ERROR|cislockbox.rb(99)|PUT /cis/lockbox/ldap/_test : LDAP binding failed.  Invalid LDAP parameters.  

On the DPSearch host, running ldapsearch against the same server with the -v and -d1 switches (for example: ldapsearch -v -d1 -H ldaps://ldaphost:636 -D ldapuser -W -b "" -s base) prints a TLS trace similar to the following:

TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:unknown state
TLS certificate verification: depth: 1, err: 20, subject <subject of certificate>, issuer: <issuer details>
TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in error
TLS trace: SSL_connect:error in error
TLS: can't connect: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server(-1)

Cause

The certificate chain presented by the LDAP server does not lead to a certificate authority that the DPSearch host trusts: the Root Certification Authority (rootCA) certificate, and the intermediate CA certificate if one is used, are not in the host's trusted certificate store. OpenSSL therefore stops at the last certificate it can find (depth 1 in the ldapsearch trace above; verify error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY), the client sends an "unknown CA" alert, and the LDAPS bind is never attempted.

Resolution

Steps to resolve the issue:

  1. Get a copy of the rootCA certificate, and of the intermediate CA certificate if one issued the LDAP server certificate, in Privacy-Enhanced Mail (PEM) format (Base64 text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines). See Additional Information for exporting and converting a certificate from a Windows CA.
  2. Copy the PEM files from step 1 to the /etc/pki/trust/anchors/ folder on the DPSearch host, keeping the .pem extension.
  3. While logged in as the root account, run the following command to rebuild the system trust store:
update-ca-certificates
  4. Re-run ldapsearch with the -v and -d1 switches: the TLS trace should no longer report error 20, and Test connection in the administration console should succeed. Anchoring the intermediate as well as the root also covers LDAP servers that send only their own certificate in the handshake.
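The following shell script is an added example (not Dell's code) that reproduces the failure in the Cause section offline and shows which anchors make the same chain verify. It builds a throwaway PKI with openssl (Example Root CA, Example Issuing CA and a server certificate for ldaphost; all names are made up), runs openssl verify with different trust stores, and round-trips the root certificate through DER the way the conversion step in Additional Information does. It assumes only the openssl CLI and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not Dell's code. Reproduces "unable to get local issuer
# certificate" with a throwaway root CA, intermediate CA and LDAP server
# certificate (every name is made up), then shows which trust anchors
# make the same chain verify. Needs only the openssl CLI.
set -u

WORK="${WORK:-$(mktemp -d)}"
SERVER_CERT="$WORK/ldaphost.pem"

# Build the test PKI: Example Root CA -> Example Issuing CA -> ldaphost.
# anchors.pem stands in for what update-ca-certificates assembles from
# /etc/pki/trust/anchors/ when both root and intermediate are dropped there.
make_test_pki() (
  cd "$WORK" || return 1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:ldaphost\n' > srv.ext
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
      -keyout root.key -out root.csr &&
  openssl x509 -req -in root.csr -signkey root.key -days 30 -extfile ca.ext -out root.pem &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Issuing CA" \
      -keyout int.key -out int.csr &&
  openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -extfile ca.ext -out int.pem &&
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldaphost" \
      -keyout ldaphost.key -out ldaphost.csr &&
  openssl x509 -req -in ldaphost.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 30 -extfile srv.ext -out ldaphost.pem &&
  cat root.pem int.pem > anchors.pem
) >/dev/null 2>&1

# Verify the server certificate as a TLS client would. $1 is the trust
# anchor file ("" = nothing trusted), $2 the extra certificates the server
# sends along with its own ("" = the server sends only its own certificate).
# Prints openssl's verdict and returns its exit status.
verify_server_cert() {
  ca_opt=""; untrusted_opt=""
  [ -n "$1" ] && ca_opt="-CAfile $1"
  [ -n "$2" ] && untrusted_opt="-untrusted $2"
  # shellcheck disable=SC2086  (paths come from mktemp and contain no spaces)
  openssl verify -no-CAfile -no-CApath $ca_opt $untrusted_opt "$SERVER_CERT" 2>&1
}

# 1. The symptom from the KB: the server sends its intermediate, but the
#    host trusts neither CA, so lookup stops at depth 1 with error 20.
symptom_root_missing()    { verify_server_cert "" "$WORK/int.pem"; }
# 2. Root anchored, intermediate sent by the server: verifies.
fixed_root_anchored()     { verify_server_cert "$WORK/root.pem" "$WORK/int.pem"; }
# 3. Root anchored but the server sends only its own certificate: error 20
#    at depth 0. This is why the KB anchors the intermediate as well.
symptom_no_intermediate() { verify_server_cert "$WORK/root.pem" ""; }
# 4. Root and intermediate both anchored: verifies without help from the server.
fixed_both_anchored()     { verify_server_cert "$WORK/anchors.pem" ""; }

# certutil -ca.cert writes DER; update-ca-certificates wants PEM. Convert as
# in the KB's Additional Information step and check the round trip is lossless.
der_roundtrip_ok() {
  openssl x509 -in "$WORK/root.pem" -outform der -out "$WORK/ca_name.cer" 2>/dev/null &&
  openssl x509 -in "$WORK/ca_name.cer" -inform der -out "$WORK/ca_name.pem" -outform pem 2>/dev/null &&
  cmp -s "$WORK/root.pem" "$WORK/ca_name.pem"
}

make_test_pki || { echo "could not build the test PKI (is openssl installed?)" >&2; exit 1; }
for scenario in symptom_root_missing fixed_root_anchored symptom_no_intermediate fixed_both_anchored; do
  echo "== $scenario"
  "$scenario" || true
done
der_roundtrip_ok && echo "== DER/PEM round trip: identical"
```

On the real DPSearch host the same check is openssl s_client -connect ldaphost:636 -showcerts </dev/null, which uses the system trust store that update-ca-certificates maintains: before the fix the output ends with "Verify return code: 20 (unable to get local issuer certificate)", afterwards with "Verify return code: 0 (ok)". The -showcerts output also tells you whether the server sends its intermediate at all, which decides whether scenario 2 or scenario 4 above is the one you are in.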


Additional Information

Steps to follow to export the rootCA certificate from a Microsoft Windows-based certificate authority:

  1. Log in to the Root Certification Authority server with an administrator account.
  2. Go to Start, select Run, type cmd, and select OK.
  3. Export the Root Certification Authority certificate into a new file by running the following command (certutil writes the certificate in binary DER form, hence the conversion in step 5):
certutil -ca.cert ca_name.cer
  4. Copy the certificate to the DPSearch server.
  5. Go to the folder where the certificate file was copied in step 4 and run the openssl command to convert the certificate into PEM format:
    # openssl x509 -in ca_name.cer -inform der -out ca_name.pem -outform pem
  6. The ca_name.pem file is ready to be used for the steps in the Resolution section above.

In the steps above, replace ca_name with a name that identifies the CA, for example its hostname. If an intermediate (subordinate) CA issues the LDAP server certificate, repeat the same steps on that CA server so that its certificate is installed alongside the root.

Affected Products

Data Protection Search, PowerProtect Data Protection Software, Integrated Data Protection Appliance Software
Article Properties
Article Number: 000184001
Article Type: Solution
Last Modified: 22 Aug 2025
Version:  3