ldap2pg fails to connect to LDAP host
Article ID: 397608
Products

VMware Tanzu SQL VMware Tanzu for Postgres

Issue/Introduction

Attempting to run ldap2pg against your LDAP instance results in a dial error:

time=2025-04-24T15:06:14.143-04:00 level=DEBUG msg="LDAP dial." uri=ldaps://ldap.dev.test.com:636 try=1
time=2025-04-24T15:06:14.159-04:00 level=DEBUG msg=Retrying. err="LDAP Result Code 200 \"Network Error\": EOF" attempt=0
time=2025-04-24T15:06:14.269-04:00 level=DEBUG msg="LDAP dial." uri=ldaps://ldap.dev.test.com:636 try=2
time=2025-04-24T15:06:14.282-04:00 level=DEBUG msg=Retrying. err="LDAP Result Code 200 \"Network Error\": EOF" attempt=1
time=2025-04-24T15:06:14.535-04:00 level=DEBUG msg="LDAP dial." uri=ldaps://ldap.dev.test.com:636 try=3
time=2025-04-24T15:06:14.545-04:00 level=DEBUG msg=Retrying. err="LDAP Result Code 200 \"Network Error\": EOF" attempt=2
time=2025-04-24T15:06:14.996-04:00 level=DEBUG msg="LDAP dial." uri=ldaps://ldap.dev.test.com:636 try=4
time=2025-04-24T15:06:15.009-04:00 level=DEBUG msg=Retrying. err="LDAP Result Code 200 \"Network Error\": EOF" attempt=3
...
time=2025-04-24T15:07:05.895-04:00 level=DEBUG msg="Closing Postgres global connection." database=postgres
time=2025-04-24T15:07:05.895-04:00 level=ERROR msg="Fatal error." err="LDAP Result Code 200 \"Network Error\": EOF"
  • A certificate chain problem has been ruled out: openssl s_client reports no verification errors
    • openssl s_client -connect ldap.dev.test.com:636
  • ldapsearch queries from the host running ldap2pg succeed against the AD host
    • ldapsearch -x -H ldaps://ldap.dev.test.com:636 -D "cn=Manager,dc=example,dc=com" -w password -b "dc=example,dc=com" "(objectClass=*)"

Environment

VMware Tanzu for Postgres 15.12

ldap2pg 6.3

Active Directory

Cause

This may be caused by a Kyber key exchange incompatibility between Go 1.23, which was used to build ldap2pg 6.3, and the Active Directory host. Go 1.23 enables the hybrid post-quantum key exchange X25519Kyber768Draft00 by default for TLS 1.3 clients, which adds a key share of roughly 1.2 KB to the ClientHello. A TLS 1.3 server that does not recognize the group should ignore it and fall back to a classical group such as X25519; a server (or intermediate device) that does not recognize it or cannot handle the larger ClientHello may instead close the connection, which ldap2pg reports as "Network Error": EOF. This is also why openssl s_client and ldapsearch succeed from the same host: unless built against a TLS library that enables a post-quantum key share, they send a conventional ClientHello and never trigger the failure.
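As an added diagnostic that is not part of ldap2pg or this article, the following Go program shows what the GODEBUG toggle actually changes on the wire. It runs a throwaway loopback TLS server, dials it once with a default tls.Config and once with explicit classical CurvePreferences, and reports which supported_groups the client offered in its ClientHello. The codepoints 0x6399 (X25519Kyber768Draft00) and 0x11EC (X25519MLKEM768) are the hybrid groups Go 1.23 and Go 1.24 offer by default; the self-signed certificate and the loopback server are constructed for the demonstration, and InsecureSkipVerify is set only for that capture rig.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"log"
	"math/big"
	"net"
	"time"
)

// TLS supported_groups codepoints for the hybrid post-quantum key shares.
// 0x6399 is X25519Kyber768Draft00 (offered by default by Go 1.23 unless
// GODEBUG=tlskyber=0); 0x11EC is X25519MLKEM768 (Go 1.24+, GODEBUG=tlsmlkem=0).
var hybridGroups = map[tls.CurveID]string{
	0x6399: "X25519Kyber768Draft00",
	0x11EC: "X25519MLKEM768",
}

// HybridOffered returns the names of the hybrid PQ groups present in a
// ClientHello's supported_groups list, in the order they were offered
// (nil when the hello is classical-only).
func HybridOffered(groups []tls.CurveID) []string {
	var names []string
	for _, g := range groups {
		if name, ok := hybridGroups[g]; ok {
			names = append(names, name)
		}
	}
	return names
}

// selfSignedCert makes a throwaway certificate for the loopback capture server.
func selfSignedCert() (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "capture.invalid"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  []net.IP{net.IPv4(127, 0, 0, 1)},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, nil
}

// CaptureClientGroups runs a loopback TLS server, dials it once with clientCfg
// and returns the supported_groups the client advertised in its ClientHello.
// The server only needs to see the hello; the rest of the handshake is ignored.
func CaptureClientGroups(clientCfg *tls.Config) ([]tls.CurveID, error) {
	cert, err := selfSignedCert()
	if err != nil {
		return nil, err
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return nil, err
	}
	defer ln.Close()

	seen := make(chan []tls.CurveID, 1)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{cert},
		// GetConfigForClient sees the parsed ClientHello before any reply is sent.
		GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
			seen <- append([]tls.CurveID(nil), hi.SupportedCurves...)
			return nil, nil // nil means "keep srvCfg"
		},
	}
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		_ = tls.Server(conn, srvCfg).Handshake()
	}()

	cfg := clientCfg.Clone()
	cfg.InsecureSkipVerify = true // self-signed loopback cert; capture rig only
	conn, dialErr := tls.Dial("tcp", ln.Addr().String(), cfg)
	if dialErr == nil {
		conn.Close()
	}
	select {
	case groups := <-seen:
		return groups, nil
	case <-time.After(5 * time.Second):
		return nil, fmt.Errorf("no ClientHello captured (dial error: %v)", dialErr)
	}
}

func main() {
	// Toolchain default: nil CurvePreferences, so the hybrid group is offered
	// unless the GODEBUG knob from the Resolution section is set.
	def, err := CaptureClientGroups(&tls.Config{})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("default config offers %v, hybrid: %v\n", def, HybridOffered(def))

	// Explicit classical CurvePreferences: the in-code equivalent of
	// GODEBUG=tlskyber=0, since a hybrid group is only offered when listed.
	classical, err := CaptureClientGroups(&tls.Config{
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	})
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("classical config offers %v, hybrid: %v\n", classical, HybridOffered(classical))
}
```

Pointing tls.Dial at the AD host on port 636 with the same two client configurations in turn (with normal certificate verification in that case) answers the question this article is about: whether the server accepts a ClientHello that carries the hybrid group. If only the classical configuration completes the handshake, the GODEBUG workaround below will fix ldap2pg for the same reason.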

Resolution
Option 1 -- Export this setting into the environment in which ldap2pg runs (if GODEBUG already holds other settings, append this one to the existing comma-separated value):

export GODEBUG=tlskyber=0
Option 2 -- Enable X25519Kyber768Draft00 as a supported TLS 1.3 key exchange on the AD server, where its TLS stack offers it, so that the handshake completes without the client-side workaround.

Additional Information

ldap2pg 6.4 is built with Go 1.24 and is expected to offer the standardized X25519MLKEM768 key exchange by default in place of X25519Kyber768Draft00. Go 1.24 controls that key share with GODEBUG=tlsmlkem=0 rather than tlskyber=0, so use that setting if the same failure appears with ldap2pg 6.4.