Connecting to Greenplum Database over LDAPS fails with the following error:
could not perform initial LDAP bind for ldapbinddn "...": Can't contact LDAP server
The above is a generic error message, suggesting that additional log review and/or troubleshooting is required to identify the root cause of the failure.
Example pg_log entry:
| log_time | 2026-01-01 11:00:00.123456 EST |
|---|---|
| username | test_user |
| databasename | test_db |
| pid | p1234567 |
| thid | th987654321 |
| session_start_time | 2026-01-01 11:00:00 EST |
| subtrans_id | ... |
| severity | LOG |
| sql_state | 00000 |
| message | could not perform initial LDAP bind for ldapbinddn "..." on server "...": Can't contact LDAP server |
| detail | LDAP diagnostics: error:1416F086:SSL routines:tls_process_server_certificate:certificate verify failed (unable to get local issuer certificate) |
| filename | auth.c |
| fileline | 3049 |
| file | log/gpdb-2026-01-01_123456.csv |
| datadir | /data/master/gpseg-1/ |
| hostname | mdw |
The "detail" field above sheds additional light on the original (generic) error message:
Diagnostic error 1416F086 indicates a TLS/SSL handshake failure: the LDAP server's SSL certificate could not be verified because the client either does not have the issuing CA certificate or does not trust it ("unable to get local issuer certificate").
Upload the LDAP root CA certificate to the Greenplum coordinator and standby hosts.
The following document outlines the recommended steps to set up LDAPS for Greenplum connections:
The "ldapsearch" command can be used to test and troubleshoot the LDAP connection in isolation from the Greenplum Database configuration.
Example (ldapsearch):
```
LDAPCONF=/etc/openldap/ldap.conf ldapsearch -x -H ldaps://<THE_HOSTNAME_IN_PG_HBA> -d 1
```
Ensure the hostname that is specified in pg_hba.conf, and that is used in the above command, matches the host / DNS name found in the uploaded CA certificate.
The CA certificate can be interrogated using the "openssl" command.
Example (openssl):
```
openssl x509 -in /etc/pki/tls/certs/your_cert.crt -text -noout | grep -E "Subject:|DNS:"
```
Ensure the CN (Common Name) on the Subject line of the output matches the hostname used in the "ldapsearch" command.
Ensure /etc/hosts or DNS (resolv.conf) is configured so that the server's CN resolves to the target IP address.
After confirming that no errors are logged in the "ldapsearch" command output, proceed to update pg_hba.conf as described in the above document.
Ensure the hostname specified in pg_hba.conf matches the CN from the CA certificate.
After modifying pg_hba.conf (updating ldapurl to the certificate server CN, prefixed with ldaps://), reload Greenplum using:
```
gpstop -u
```
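The hostname check described in the steps above (the host named in the pg_hba.conf ldapurl must be covered by the certificate's Subject CN or subjectAltName DNS entries) can be scripted. This is an added example, not code from this article or from Greenplum; the certificate text and the pg_hba.conf line are constructed samples in the format printed by the openssl command above, and the wildcard rule (one leading label) is the usual TLS hostname-matching behaviour.

```python
import re
from typing import Optional
from urllib.parse import urlparse

# Constructed sample of what `openssl x509 -in server.crt -text -noout` prints
# (trimmed to the Subject and subjectAltName lines that matter here).
CERT_TEXT = """\
Certificate:
    Data:
        Issuer: CN = Example Root CA, O = Example
        Subject: C = US, O = Example, CN = ldap.example.com
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:ldap.example.com, DNS:*.ldap-pool.example.com
"""

# Constructed sample pg_hba.conf entry with an ldaps:// ldapurl.
PG_HBA_LINE = ('host all all 0.0.0.0/0 ldap '
               'ldapurl="ldaps://ldap.example.com:636/dc=example,dc=com?uid?sub"')


def cert_names(cert_text: str) -> tuple:
    """Return (Subject CN, [SAN DNS names]) parsed from openssl's text output."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", cert_text, re.M)
    cn = m.group(1).strip() if m else None
    sans = re.findall(r"DNS:([^,\s]+)", cert_text)
    return cn, sans


def ldapurl_host(pg_hba_line: str) -> Optional[str]:
    """Extract the host from the ldapurl="..." option of a pg_hba.conf line."""
    m = re.search(r'ldapurl="([^"]+)"', pg_hba_line)
    return urlparse(m.group(1)).hostname if m else None


def name_matches(pattern: str, host: str) -> bool:
    """Exact match, or a single leading wildcard label (*.example.com)."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        parts = host.split(".", 1)
        return len(parts) == 2 and parts[1] == pattern[2:]
    return pattern == host


def hostname_covered(cert_text: str, host: str) -> bool:
    """True if host matches a SAN DNS entry; CN is used only when no SAN exists."""
    cn, sans = cert_names(cert_text)
    candidates = sans if sans else ([cn] if cn else [])
    return any(name_matches(c, host) for c in candidates)
```

Run it with the real `openssl x509 -text -noout` output and your own pg_hba.conf line; a host that is not covered is exactly the case where ldapsearch and Greenplum will report a verification failure even though the CA certificate is installed.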