could not perform initial LDAP bind for ldapbinddn
LDAP authentication failed for user XXXX
OpenLDAP reads the Certificate Authority (CA) certificates it uses to verify the LDAP server from the directory named by the TLS_CACERTDIR parameter in /etc/openldap/ldap.conf.
If that directory is not readable and searchable by the gpadmin user (or whichever OS user the GPDB master runs as), the TLS handshake between GPDB and the LDAP server fails, the bind cannot complete, and the ldapbinddn error above is reported.
To confirm that this is the cause, use the following checks:
Check the permissions of the directory containing the CA certificates, as named by the TLS_CACERTDIR parameter in /etc/openldap/ldap.conf.
The gpadmin user (or the user running the GPDB master) needs read and execute (search) permission on that directory and read permission on the certificate files inside it. Note that OpenLDAP built against OpenSSL looks up CA certificates in this directory by subject-name hash, so the directory must contain the hash-named links created by c_rehash (or openssl rehash), not just the PEM files.
Step 1
Capture the PSQL connection attempt made by the LDAP user with tcpdump (replace bond0 with the interface that faces the LDAP server):
tcpdump -vvv -n -i bond0 -w ldapGPDB_port.cap "port 389 or port 636"
Note: 389 is the default port for LDAP (plaintext, or StartTLS upgraded on the same connection) and 636 is the default port for LDAPS (TLS from the start).
The capture shows whether GPDB reaches the LDAP server at all and how far the TLS handshake gets before the connection is torn down; a client that cannot load its CA certificates typically aborts during the handshake, right after the server's certificate arrives.
Step 2
Trace the GPDB master process with strace while the LDAP user connects with PSQL:
strace -ff -yy -ttt -p 12345 (if you have an older version of strace, remove -yy)
Note: 12345 is the PID of the GPDB master postgres process (the one started with --silent-mode=true). The -ff option is required because the backend that performs the LDAP bind is forked from the master for each new connection; -yy decodes socket addresses, and -ttt adds timestamps.
In the strace output, look for open, openat or stat calls on paths under the certificate directory (TLS_CACERTDIR in /etc/openldap/ldap.conf) that return -1 EACCES (Permission denied); this confirms that the GPDB user cannot read the CA certificates.
Once the GPDB user has the required permissions on the directory and the certificates, log in with PSQL as the LDAP user to verify that LDAP authentication now succeeds.
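The following script is an added example, not part of the original article or of Greenplum itself: it automates the offline parts of the procedure above by reading TLS_CACERTDIR from ldap.conf, checking that the directory is readable, searchable and populated with hash-named CA entries for the current user, and scanning a saved strace output file for failed accesses under that directory. Run it as the user that owns the GPDB master (for example sudo -u gpadmin bash ldap_cacert_check.sh --check) so the permission test reflects what the postgres backend sees. The file name, the --check flag and the sample strace lines are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example (not from the original article or Greenplum): offline checks for the
# TLS_CACERTDIR failure mode. Usage:
#   sudo -u gpadmin bash ldap_cacert_check.sh --check [ldap.conf] [strace-output-file]

# Print the effective TLS_CACERTDIR from an OpenLDAP ldap.conf. Keywords are
# case-insensitive, comment lines are skipped, and the last setting wins.
# Returns 2 if the file is unreadable, 1 if no TLS_CACERTDIR is set.
ldap_conf_cacertdir() {
    conf="${1:-/etc/openldap/ldap.conf}"
    [ -r "$conf" ] || return 2
    awk 'toupper($1) == "TLS_CACERTDIR" { dir = $2 }
         END { if (dir == "") exit 1; print dir }' "$conf"
}

# Verify the CA directory is usable by the current user.
# Return codes: 0 usable, 1 missing, 2 no read/search access, 3 no hashed CA entries.
# OpenSSL-based OpenLDAP looks CA certificates up by subject hash, so the directory
# must hold names like a1b2c3d4.0 (made by c_rehash / openssl rehash), not only ca.pem.
check_cacertdir() {
    dir="$1"
    [ -d "$dir" ] || { echo "missing: $dir" >&2; return 1; }
    [ -r "$dir" ] && [ -x "$dir" ] || {
        echo "no read/search access for $(id -un): $dir" >&2; return 2; }
    for f in "$dir"/*; do
        case "${f##*/}" in
            [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f].[0-9]*)
                [ -r "$f" ] && return 0 ;;
        esac
    done
    echo "no readable hashed CA entries in $dir (run: openssl rehash $dir)" >&2
    return 3
}

# Scan saved strace output (Step 2) for failed accesses to paths under the CA
# directory. Prints matching lines; exit status is 0 only if something matched.
strace_cacert_errors() {
    dir="$1"; trace="$2"
    grep -E "\"$dir[^\"]*\".*= -1 (EACCES|ENOENT)" "$trace"
}

main() {
    conf="${1:-/etc/openldap/ldap.conf}"
    dir=$(ldap_conf_cacertdir "$conf") || {
        echo "no TLS_CACERTDIR in $conf (TLS_CACERT may be in use instead)" >&2; return 1; }
    echo "TLS_CACERTDIR=$dir (checking as $(id -un))"
    check_cacertdir "$dir" || return $?
    echo "CA directory looks usable"
    if [ -n "${2:-}" ] && strace_cacert_errors "$dir" "$2"; then
        echo "strace shows failed access to $dir" >&2
        return 1
    fi
    return 0
}

# Only run the checks when invoked with --check, so the functions can be sourced.
case "${1:-}" in --check) shift; main "$@" ;; esac
```

A clean exit means the directory is at least readable and hashed by the user you ran the script as; it does not prove the CA inside it is the right one for the LDAP server, which is what the tcpdump capture and a subsequent PSQL login confirm.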
For more information on GPDB-LDAP, refer to Using LDAP Authentication with TLS/SSL in the Greenplum documentation.