LDAPS not working

[JBird]

I have a Windows 2000 SP4 domain. I am trying to get LDAPS working for
Windows services for UNIX. I have already extended the schema for UNIX
and I have installed Certificate Services on my domain controller.

However, when I attempt to use ldp.exe to connect to my domain
controller on port 636, I receive message:

ld = ldap_open("dc01.domiain.com", 636);
Error <0x0>: Fail to connect to dc01.domain.com.'

I am able to connect successfully using port 389 however.

I have LDAPS working successfully in a test domain but I can't find
what is causing the difference between test and production.

Any words of wisdom would be greatly appreciated.

 

[JBird]

More info: Also checked...listening on port 636 and port is open.
Nothing in event logs connecting to this.

 

[Paul Bergson]

Have you provided a certificate to your unix app, from the certificate
server and placed it in the store that is attempting to do the ldap
operation?

This would be done with something like keytool. I haven't had to do this in
a couple of years but you have to make sure the foreign server has a cert.
keytool -import -file certnew.cer -keystore certnew

http://www.pramati.com/docstore/1230006/help/ops/importcertificate_jdk.htm


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[JBird]

Yes, I have provided a cert to the Linux clients. But that shouldn't
affect connecting with the ldp tool to my understanding.

But I do have an update to my issue,

I CAN use LDP to connect to all of my other domain controllers except
the one I am testing on.

I have 4 DCs in 2 sites.

The DC I cannot connect on port 636 to, (only on 389) is also my schema
master, and is the operations master for all 5 FISMO roles. I can
connect to all other DCs using LDP on port 636 both locally and
remotely. The DC I cannot connect to I cannot connect to locally or
remotely on 636.

 

[Paul Bergson]

Now I'm all confused, are you having a problem attaching to port 636 from
any client on port 636?

Do a netstat -a on the offending server and see if it is listening on port
636.


Run diagnostics against your Active Directory domain.

If you don't have the tools installed, install them from your server install
disk.
d:\support\tools\setup.exe

Run dcdiag and netdiag in verbose mode.

If you download a gui script I wrote it should be simple to set and run. It
also has the option to run individual tests without having to learn all the
switch options.

The script is at http://pbbergs.dynu.com/windows/windows.htm, download it
and save it to c:\program files\support tools\

Just select both dcdiag and netdiag make sure verbose is set. (Leave the
default settings for dcdiag as set when selected)

When complete search for fail, error and warning messages.


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[JBird]

Sorry for the confusion. Let me clarify...

I am not able to use LDAPS on port 636 to reach one particular domain
controller, neither from the network nor locally using the ldp.exe tool
on the domain controller to connect to itself on port 636. I can
however receive LDAP communication on port 389 on the server in
question without problem. I have run netstat and the DC is listening
on port 636, and I can telnet to port 636. I just cannot connect using
LDAPS.

Each of my other 3 DCs are all able to receive LDAPS communication.

I am unable to use the link you listed, but I will run dcdiag and
netdiag as you suggested in verbose mode.

Thanks for your help, I do appreciate it.

 

[Ace Fekay [MVP]]

In

The script is at http://pbbergs.dynu.com/windows/windows.htm,
download it and save it to c:\program files\support tools\

I have to say Paul, that is a nice GUI you created.

Ace

 

[Paul Bergson]

I'm out of thoughts on this.

It can't be a firewall issue since it can't connect locally. Since it is a
dc it should be in the same ou as the others so all gpo settings should be
similar for such settings as:
"Domain Controller: LDAP server signing requirements"

I'm stumped and don't have any other ideas at this time.


--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Paul Bergson]

Thanks. If Paul W likes it I'm going to see if he will link it up on his
web site. He has a lot of hits mine are few and gfar between.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

Thanks. If Paul W likes it I'm going to see if he will link it up
on his web site. He has a lot of hits mine are few and gfar between.

I don't see why not. Drop him a line!

 

[Paul Bergson]

He said he would, but I want him to look at it before he agrees.

--


Paul Bergson MCT, MCSE, MCSA, CNE, CNA, CCA

This posting is provided "AS IS" with no warranties, and confers no rights.


"Ace Fekay [MVP]"

 

[Ace Fekay [MVP]]

In

He said he would, but I want him to look at it before he agrees.

Sounds good. Let me know when it's posted.