Pivotal Greenplum (GPDB) Version 4.3.x
Lightweight Directory Access Protocol Version OpenLDAP-2.4.39
This article assumes that ldapsearch on the customer system works as expected. It helps resolve connectivity issues between OpenLDAP and a Greenplum cluster.
The following error is received in the GPDB master log while trying to connect via PSQL:
"could not perform initial LDAP bind for ldapbinddn"
When users try to access GPDB, the following error message is displayed:
"LDAP authentication failed for user XXXX"
OpenLDAP reads the CA certificates from the directory named by the TLS_CACERTDIR parameter in
/etc/openldap/ldap.conf. If the gpadmin user (or whichever user the GPDB master runs as) does not have permission on that directory, communication between GPDB and LDAP fails and results in the ldapbinddn error above.
The following options can be used to identify this issue:
Check the permissions of the directory containing the Certificate Authority certificates, as specified by the TLS_CACERTDIR parameter in /etc/openldap/ldap.conf.
gpadmin (or the user the GPDB master runs as) needs read and search access to this directory to load the certificates.
The following steps need to be performed:
Capture a TCPDUMP of the PSQL connection made with the LDAP user, using the command below:
tcpdump -vvv -n -i bond0 -w ldapGPDB_port.cap "port 389 or port 636"
(389 and 636 are the default ports for LDAP and LDAP over TLS/SSL; bond0 is the network interface of the master host)
The capture helps validate the TLS handshake between GPDB and LDAP.
Trace the GPDB master process using:
strace -ff -yy -ttt -p <PID of the GPDB master postmaster> (if you have an older version of strace, remove -yy)
(strace -p takes a process ID, not a port: the master listens on port 5432, but its PID is the first line of postmaster.pid in the master data directory)
In the strace output, check for a permission error (EACCES) when the process opens the certificate directory or the files in it.
Once the GPDB user has the required permissions, log in with PSQL again to verify the LDAP setup.
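As an added example (not part of the original article), the permission check from the steps above scripted for the master host: it reads TLS_CACERTDIR from ldap.conf and reports whether the invoking user can read the directory and every file in it. The fixture it checks when run without arguments is constructed; point it at the real ldap.conf with an argument and run it as gpadmin.

```shell
#!/bin/sh
# Added example, not from the original article. Reads TLS_CACERTDIR from an
# OpenLDAP ldap.conf and reports whether the invoking user can read the CA
# certificate directory and every file in it. Run it as gpadmin (or whichever
# user the GPDB master runs as) on the master host.

cacert_dir_from_conf() {
    # First uncommented TLS_CACERTDIR line wins; keys are case-insensitive.
    awk 'toupper($1) == "TLS_CACERTDIR" { sub(/\r$/, "", $2); print $2; exit }' "$1" 2>/dev/null
}

check_ca_dir() {
    conf="${1:-/etc/openldap/ldap.conf}"
    dir=$(cacert_dir_from_conf "$conf")
    if [ -z "$dir" ]; then
        echo "$conf: no TLS_CACERTDIR set"; return 2
    fi
    if [ ! -d "$dir" ]; then
        echo "TLS_CACERTDIR=$dir: not a directory"; return 1
    fi
    # The client needs r+x on the directory (list the hash-named CA links and
    # open them) and r on each certificate file it follows.
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "TLS_CACERTDIR=$dir: not readable/searchable by $(id -un)"; return 1
    fi
    bad=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue
        [ -r "$f" ] || { echo "cannot read $f"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ] && echo "ok: $(id -un) can read TLS_CACERTDIR=$dir"
    [ "$bad" -eq 0 ]
}

# Constructed fixture so the script runs offline: a temp ldap.conf pointing at
# a temp CA directory holding one placeholder file.
make_fixture() {
    d=$(mktemp -d); mkdir "$d/cacerts"
    printf 'placeholder, not a real certificate\n' > "$d/cacerts/ca.pem"
    printf '# constructed ldap.conf\nBASE dc=example,dc=com\nTLS_CACERTDIR %s\n' \
        "$d/cacerts" > "$d/ldap.conf"
    echo "$d/ldap.conf"
}

# With an argument, check that ldap.conf; otherwise check the fixture.
if [ -n "${1:-}" ]; then
    check_ca_dir "$1"
else
    check_ca_dir "$(make_fixture)"
fi
```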