LDAP not working after deploying new DC

We just deployed new Server 2019 domain controllers to replace our old Server 2012 DCs, and LDAP authentication quit working. We are seeing this error in the logs:

validuser: do_ldap_check: Couldn't start tls: 52, Server is unavailable


We are using StartTLS as the LDAP protocol, and if I point the LDAP config back to the old DC, everything works. It also works if I set the protocol to unencrypted.

Any thought/ideas/suggestions would be appreciated.


3 comments


Andrew Spagnuolo

Hi Gerald,

It could be worth running a TCP dump on the LoadMaster and seeing what occurs in the communication between the LoadMaster and your new DCs.

You can find instructions on how to perform a TCP dump/capture in our article below:

https://support.kemptechnologies.com/hc/en-us/articles/360030802632-Performing-a-TCPDump

Please note that on later versions of firmware, you will find the TCP dump tool under System Configuration > Troubleshooting.

Best Regards,


Gerald Young

The results are attached.

Firewall is open for port 389.


Andrew Spagnuolo

Hi Gerald,

Judging by the capture, the initial three-way handshake is successful, but then there looks to be an issue with the SSL/TLS handshake: "Error initializing SSL/TLS" after the initial LDAP_START_TLS_OID request from the LoadMaster.

Best Regards,

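The exchange Andrew reads out of the capture (TCP handshake succeeds, the StartTLS extended request goes out, the DC answers with an LDAP result instead of a TLS ServerHello) can be reproduced without a LoadMaster in the path, which separates "the new DC refuses to start TLS" from "the DC starts TLS but the certificate or cipher negotiation fails". The following Python probe is an added example; it is not code from this thread or from Kemp. It hand-encodes the StartTLS ExtendedRequest (OID 1.3.6.1.4.1.1466.20037), decodes the ExtendedResponse's resultCode and diagnosticMessage (52 is the LDAP "unavailable" code quoted in the original log line), and only if the server answers 0 proceeds to the TLS handshake with certificate verification on, so a verification error is reported as its own distinct failure. The host name and the sample response bytes are constructed for illustration.

```python
"""LDAP StartTLS probe: send the StartTLS ExtendedRequest, decode the DC's
ExtendedResponse, and, if the DC agrees, complete the TLS handshake.
Added diagnostic example; the sample response below is constructed, not captured."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"
# Subset of LDAP resultCode values that matter for this diagnosis.
RESULT_NAMES = {0: "success", 2: "protocolError", 52: "unavailable", 53: "unwillingToPerform"}


def ber_tlv(tag: int, content: bytes) -> bytes:
    """Encode one BER TLV using a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        nbytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(nbytes)]) + nbytes
    return bytes([tag]) + length + content


def parse_tlv(buf: bytes, pos: int = 0):
    """Decode the TLV starting at pos; return (tag, content, position after it)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: next (first & 0x7F) bytes hold the length
        nlen = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nlen], "big"), pos + nlen
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def build_starttls_request(message_id: int = 1) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 23] ExtendedRequest { [0] requestName } }."""
    ext_req = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_req)


def build_sample_extended_response(result_code: int, diag: str, message_id: int = 1) -> bytes:
    """Constructed ExtendedResponse shaped like a DC's reply (test data, not a real capture)."""
    ldap_result = (ber_tlv(0x0A, bytes([result_code]))   # resultCode ENUMERATED
                   + ber_tlv(0x04, b"")                    # matchedDN (empty)
                   + ber_tlv(0x04, diag.encode()))         # diagnosticMessage
    ext_resp = ber_tlv(0x78, ldap_result + ber_tlv(0x8A, STARTTLS_OID))  # [10] responseName
    return ber_tlv(0x30, ber_tlv(0x02, bytes([message_id])) + ext_resp)


def parse_extended_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, [APPLICATION 24] ExtendedResponse } into a dict."""
    _, msg, _ = parse_tlv(data)
    _, mid, pos = parse_tlv(msg)                 # messageID INTEGER
    tag, body, _ = parse_tlv(msg, pos)
    if tag != 0x78:
        raise ValueError(f"expected ExtendedResponse (tag 0x78), got 0x{tag:02x}")
    _, code, pos = parse_tlv(body)               # resultCode
    _, _matched, pos = parse_tlv(body, pos)      # matchedDN
    _, diag, _ = parse_tlv(body, pos)            # diagnosticMessage
    result = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(mid, "big"), "result_code": result,
            "result_name": RESULT_NAMES.get(result, "other"),
            "diagnostic": diag.decode("utf-8", "replace")}


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def recv_message(sock: socket.socket) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] & 0x80:
        head += _recv_exact(sock, head[1] & 0x7F)
        length = int.from_bytes(head[2:], "big")
    else:
        length = head[1]
    return head + _recv_exact(sock, length)


def probe_starttls(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send StartTLS to a live DC; on resultCode 0 also attempt the verified TLS handshake."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_starttls_request())
        resp = parse_extended_response(recv_message(sock))
        if resp["result_code"] != 0:
            return resp                          # DC refused before any TLS bytes were sent
        try:
            tls = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
            resp["tls_version"] = tls.version()
            resp["peer_cert_subject"] = tls.getpeercert().get("subject")
        except ssl.SSLError as exc:              # cert/cipher problem, distinct from a refusal
            resp["tls_error"] = str(exc)
    return resp


if __name__ == "__main__":
    # Usage: python probe.py dc01.example.internal   (hypothetical host name)
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.internal"
    print(probe_starttls(target))
```

A reply of resultCode 52 from the new DC with no TLS bytes following it points at the DC's own Schannel/certificate state (the DC has no usable server-authentication certificate, so it cannot initialize SSL/TLS), whereas a resultCode 0 followed by a `tls_error` points at trust or cipher negotiation between the client and the DC.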
