This KB includes some clarifications and answers to common questions around how the UIM hub's LDAP SSL connection to the LDAP server works.
How can I enable LDAP with SSL in UIM?
I need to enable the UIM hub's LDAP SSL connection to the LDAP server; how and where do I load the certificates?
How do I test hub to LDAP server connection?
Is TLS 1.2 connection between Hub and LDAP server supported? If so, how to enable it? Or is it enabled by default?
When enabling SSL in the hub advanced tab for LDAP communication, can I configure the protocol or the ciphers used?
What SSL version is used between the hub and LDAP server?
When connecting from the hub to the LDAP server you receive the following error: hub: ldap_server_login - failed for <ldap_remote_server:636: auth (ldap_simple_bind_s) failed: 'Server Down' (81) (2) What is the issue?
Environment
Release: DX UIM 23.4.*
Component: Any supported hub version
Cause
Guidance
Resolution
How can I enable LDAP with SSL in UIM?
Under General -> Settings -> LDAP Tab, checking the "Use SSL" checkbox makes the hub use the default LDAP SSL port and SSL communication when talking to the LDAP server.
I need to enable the UIM hub's LDAP SSL connection to the LDAP server; how and where do I load the certificates?
There is no need to add a client certificate. The communication between the hub and the LDAP server will be encrypted, provided that the LDAP server has a valid certificate and is configured to talk SSL.
The hub creates an LDAP session handle that is SSL enabled.
Of course, you will need a certificate on the LDAP server to implement SSL in the first place, but as far as the hub is concerned, it simply makes an ldaps:// connection instead of an ldap:// connection.
It uses port 636 (the secure LDAP port) instead of port 389 (plain LDAP), so make sure you can connect FROM the hub TO the LDAP server on that port.
So the requests will be SSL-encrypted, but client-side authentication (where you would put a certificate on the hub itself to 'match' the certificate on the LDAP server) is not supported.
How do I test hub to LDAP server connection?
To test the connection FROM the primary hub, you can do a telnet query to port 389 (LDAP) or port 636 (LDAP SSL).
For example,
telnet <hostname_or_ipaddress> 389
You should see something like this:
telnet <ldap_server_ip> 389
Trying ##.##.#.##
Connected to <ldap_server/domain.example.com>
You could also use nmap (the -p flag selects the port to scan; without it nmap would treat 389 as a second host name):
nmap -p 389 <hostip>
There is also a Microsoft tool called PortQry that will give you a lot of information about a port (or ports):
PortQry.exe -n hostip -p tcp -e 389
Just replace 389 with 636 for LDAP SSL.
In any case, if you find no problems when testing the connection, enable LDAP SSL and then test the connection while you have hub.log open, after setting loglevel to 5 and logsize to 40000, to observe what the hub complains about regarding the connection.
General LDAP failure codes can be found here: LDAP Result Code Reference – LDAP.com. NOTE: anonymous simple bind must be enabled if you're not running hub v7.80 HF7 or higher.
Is TLS 1.2 connection between Hub and LDAP server supported? If so, how to enable it? Or is it enabled by default?
The SSL settings in the hub (normal / compatibility mode / SSL only) and the Secure hub relate to UIM network communication between components inside a UIM domain (probe to probe, hub to hub, etc.) and have nothing to do with LDAP SSL.
Starting from hub 7.96 (see the Hub Release Notes), support is provided for communicating with an OpenLDAP server that is configured with TLS v1.2. This means that if TLS v1.2 is enabled on an OpenLDAP server, hub 7.96 (or later) can communicate with it. While providing information in the LDAP Authentication section (available under Hub Advanced Settings, LDAP, LDAP Settings), ensure that you also select the Use SSL option.
When enabling SSL in the hub advanced tab for LDAP communication, can I configure the protocol or the ciphers used?
It is not possible to configure any ciphers, and the protocol used by default is the LDAP protocol.
What SSL version is used between the hub and LDAP server?
When "SSL" is selected, SSL v3 is used.
When SSL is not selected, the plain LDAP protocol is used and communication is therefore not encrypted.
It is not possible to configure the ciphers for LDAPS, so no TLS version can be used for this with the current version.
When connecting from the hub to the LDAP server you receive the following error: hub: ldap_server_login - failed for <ldap_remote_server:636: auth (ldap_simple_bind_s) failed: 'Server Down' (81) (2) What is the issue?
This is the error shown in the log when communication is blocked from the hub to the LDAP server. Even if telnet from the hub to port 636 on the LDAP server works, tools like ldp.exe may still fail, possibly with an error similar to the one generated by the hub. Once the communication is enabled and proven to work with an external tool such as ldp.exe or PortQry.exe, the hub will also succeed.
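Example diagnostic, added here and not part of this KB or of the hub itself, covering both the connection test section and the 'Server Down' (81) question above: it parses the hub.log failure line quoted on this page to pull out the host, port and LDAP result code, and probes the LDAP server's port 636 the way the hub's ldaps:// session would (TCP connect as telnet does, then a TLS handshake that reports the negotiated version and the server certificate subject). The sample log line, the cafile parameter and the command-line handling are assumptions.

```python
import re
import socket
import ssl
import sys

# Pattern for the hub.log failure line quoted on this page (host, port, LDAP call, message, result code).
HUB_LDAP_FAIL = re.compile(
    r"ldap_server_login - failed for <(?P<host>[^:>]+):(?P<port>\d+)>?: "
    r"auth \((?P<call>\w+)\) failed: '(?P<msg>[^']+)' \((?P<code>\d+)\)"
)


def parse_hub_ldap_failure(line):
    """Return host, port, failing LDAP call, message and LDAP result code from a hub.log line, or None."""
    m = HUB_LDAP_FAIL.search(line)
    if not m:
        return None
    return {"host": m["host"], "port": int(m["port"]), "call": m["call"],
            "msg": m["msg"], "code": int(m["code"])}


def probe_ldaps(host, port=636, timeout=5.0, cafile=None):
    """TCP-connect like telnet, then complete a TLS handshake as the hub's ldaps:// session would.
    No LDAP request is sent; the result shows whether TCP and TLS succeeded, the negotiated TLS
    version and cipher, and the server certificate subject. cafile (assumed, not a hub setting)
    is the CA bundle used to verify the LDAP server certificate."""
    result = {"tcp": False, "tls": False}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            ctx = ssl.create_default_context(cafile=cafile)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                result["tls"] = True
                result["version"] = tls.version()      # e.g. 'TLSv1.2'
                result["cipher"] = tls.cipher()[0]
                result["subject"] = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
    except OSError as exc:                             # ssl.SSLError is an OSError subclass
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    # Constructed sample line in the format quoted on this page; ldap_remote_server is a placeholder.
    sample = ("hub: ldap_server_login - failed for <ldap_remote_server:636: "
              "auth (ldap_simple_bind_s) failed: 'Server Down' (81) (2)")
    print("parsed hub.log line:", parse_hub_ldap_failure(sample))
    if len(sys.argv) > 1:                              # usage: script.py <ldap_host> [port]
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
        print("probe result:", probe_ldaps(sys.argv[1], port))
```

A result with "tcp": True but "tls": False points at the handshake or the server certificate rather than at a blocked port, which is the case where telnet succeeds while the hub and ldp.exe still fail.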