Troubleshoot LDAP issues
Troubleshooting LDAP
Laboratory machines sometimes lack the intermediate certificate needed to trust the LDAP server certificate. To test connectivity without certificate verification, prefix the ldapsearch command with the environment variable LDAPTLS_REQCERT=never:

LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://ldapserver.example.org -b dc=example,dc=org 'uid=adam' -D "cn=admin,dc=example,dc=org" -w adminpassword

LDAPTLS_REQCERT=never disables verification of the server certificate entirely, so a successful search only proves that the server is reachable and the bind credentials work. Use it for diagnosis only; do not set TLS_REQCERT never in the yugabyte user's ldaprc as a fix, because that leaves LDAP authentication open to a man-in-the-middle on the LDAPS connection. Note also that passing the bind password with -w exposes it in the process list; -W prompts for it instead.
There are two cases where explicit intermediate CA configuration is needed:
- ldapsearch works correctly with LDAPTLS_REQCERT=never but fails otherwise.
- ldapsearch works correctly, but database authentication still fails with a PostgreSQL error message such as "LDAP diagnostics: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed". This typically means the database process, which runs as the yugabyte user, is reading a different OpenLDAP client configuration than the shell session in which ldapsearch succeeded.
In either case, define the intermediate CA in $HOME/ldaprc or $HOME/.ldaprc for the yugabyte user. The following example file, /home/yugabyte/ldaprc, shows the TLS_CACERT option pointing to the CA certificate (or a bundle containing the intermediate and root certificates) that signed the LDAP server certificate. Obtain this CA file from the LDAP administrator through a trusted channel and place it locally on each client machine; it must be readable by the yugabyte user.

TLS_CACERT /etc/ssl/certs/ca-bundle.trust.crt

Setting TLS_CACERT only in the system-wide OpenLDAP configuration file /etc/openldap/ldap.conf is not sufficient: if the option is not set in $HOME/ldaprc for the yugabyte user, it will not take effect. After editing the file, verify the fix by running the ldapsearch command above as the yugabyte user without LDAPTLS_REQCERT=never.
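The procedure above, as an added example script (not part of the YugabyteDB documentation or product): it runs ldapsearch once with verification disabled and once with the default strict setting, maps the two results onto the cases described above, and when the CA is the problem installs a TLS_CACERT line in the yugabyte user's ldaprc. The URI, base DN, bind DN, filter, CA bundle path, ldaprc path and the password file read with -y are assumed defaults that you override through environment variables; the only real tools used are ldapsearch, grep and sed.

```bash
#!/usr/bin/env bash
# Added example, not from the YugabyteDB docs: diagnose an LDAPS trust failure
# and point the yugabyte user's ldaprc at the right CA bundle.
# All defaults below are assumptions; override them in the environment.
set -u

LDAP_URI="${LDAP_URI:-ldaps://ldapserver.example.org}"
BASE_DN="${BASE_DN:-dc=example,dc=org}"
BIND_DN="${BIND_DN:-cn=admin,dc=example,dc=org}"
FILTER="${FILTER:-(uid=adam)}"
CA_FILE="${CA_FILE:-/etc/ssl/certs/ca-bundle.trust.crt}"
LDAPRC="${LDAPRC_PATH:-/home/yugabyte/ldaprc}"
# Bind password is read from a file with -y so it never shows up in `ps`.
# Create it with printf '%s' (no trailing newline; -y uses the file verbatim).
PW_FILE="${LDAP_PW_FILE:-/home/yugabyte/.ldap_bind_pw}"

# One ldapsearch probe. $1 is the LDAPTLS_REQCERT value: "never" disables
# server certificate verification, "demand" is the OpenLDAP default.
# Returns ldapsearch's exit status (127 if the tool is not installed).
ldap_probe() {
  LDAPTLS_REQCERT="$1" ldapsearch -x -H "$LDAP_URI" -b "$BASE_DN" \
    -D "$BIND_DN" -y "$PW_FILE" "$FILTER" >/dev/null 2>&1
}

# Map the two probe results onto the cases from the text.
# $1 = exit status with LDAPTLS_REQCERT=never, $2 = exit status with "demand".
classify() {
  if [ "$1" -ne 0 ]; then
    echo "unreachable"   # fails even without verification: URI, bind DN, password or network
  elif [ "$2" -ne 0 ]; then
    echo "needs-ca"      # works only with verification off: missing intermediate/root CA
  else
    echo "ok"            # verification already succeeds from this shell
  fi
}

# Sanity-check a CA bundle before pointing TLS_CACERT at it:
# readable and containing at least one PEM certificate.
ca_file_usable() {
  [ -r "$1" ] && grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Install or replace the TLS_CACERT line in ldaprc file $1, pointing at CA file $2.
# Other settings in the file are preserved. Returns 1 (and writes nothing)
# if the CA file is unusable.
write_ldaprc() {
  local rc="$1" ca="$2"
  ca_file_usable "$ca" || return 1
  if [ -f "$rc" ]; then
    grep -v '^TLS_CACERT[[:space:]]' "$rc" > "$rc.tmp" || true
  else
    : > "$rc.tmp"
  fi
  printf 'TLS_CACERT %s\n' "$ca" >> "$rc.tmp"
  mv "$rc.tmp" "$rc"
}

# Read back the CA path configured in ldaprc file $1 (empty if none).
ldaprc_cacert() {
  sed -n 's/^TLS_CACERT[[:space:]]\{1,\}//p' "$1" 2>/dev/null | tail -n 1
}

main() {
  ldap_probe never;  never_rc=$?
  ldap_probe demand; strict_rc=$?
  case "$(classify "$never_rc" "$strict_rc")" in
    unreachable)
      echo "ldapsearch fails even with verification off; fix URI, bind DN, password or network first" >&2
      exit 2 ;;
    ok)
      echo "TLS verification succeeds from this shell; if the database still fails, run this as the yugabyte user" ;;
    needs-ca)
      write_ldaprc "$LDAPRC" "$CA_FILE" || { echo "CA file $CA_FILE is missing or not PEM" >&2; exit 1; }
      echo "wrote 'TLS_CACERT $CA_FILE' to $LDAPRC (must be readable by yugabyte); retry without LDAPTLS_REQCERT" ;;
  esac
}

# Probe only when invoked as: ./ldap-trust-check.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as the yugabyte user with --run so the probes see the same ldaprc the database process will. The classification deliberately treats "works with never, fails with demand" as the only case that touches ldaprc; a failure with verification off is never a certificate problem and is reported rather than papered over.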