Pivotal Knowledge Base

Secure LDAP error: "could not perform initial LDAP bind for ldapbinddn"

Environment

  • Pivotal Greenplum (GPDB) 4.3.x
  • Lightweight Directory Access Protocol OpenLDAP-2.4.39

Purpose

This article assumes that ldapsearch against the same LDAP server already works on the customer system (usually it has been tried as root), so the LDAP server itself is reachable and correctly configured. It covers a connectivity problem that is then left between OpenLDAP's client library and the Greenplum cluster.

The following error is written to the GPDB master log when a user tries to connect with psql:

"could not perform initial LDAP bind for ldapbinddn"

The user attempting to log in to GPDB sees:

"LDAP authentication failed for user XXXX"

Cause

The GPDB master authenticates against LDAP through OpenLDAP's client library, which reads its TLS settings, including the CA certificate directory named by TLS_CACERTDIR, from /etc/openldap/ldap.conf. Those files are opened in the master's own process context, i.e. as gpadmin (or whichever user the GPDB master runs as). If that user cannot read the TLS_CACERTDIR directory, the secure connection to the LDAP server cannot be established, and the master reports the failure as the ldapbinddn bind error above. Because ldapsearch is typically run as root, it does not hit this permission problem, which is why it appears to work while GPDB fails.

Procedure

Either of the following options can be used to confirm the cause.

Option 1:

Check the permissions of the directory that holds the Certificate Authority certificates, i.e. the value of TLS_CACERTDIR in /etc/openldap/ldap.conf.

gpadmin (or the user the GPDB master runs as) must be able to search that directory and read the certificate files in it. Perform the check as that user, not as root, since root bypasses file permissions and would not reproduce the failure.
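The check from Option 1 as a small shell script, added here as an example; it is not part of the original article or of Greenplum. It reads TLS_CACERTDIR from the ldap.conf path given as its first argument (the script name and the su invocation in the comments are assumptions for illustration) and reports the first thing that would stop the master's user from using the directory.

```sh
#!/bin/sh
# Added example (not from the article or Greenplum): verify that the account
# running the GPDB master can use the CA directory named by TLS_CACERTDIR.
# Run it on the master host AS THAT USER, for example (assumed file name):
#   su - gpadmin -c "sh check_cacertdir.sh /etc/openldap/ldap.conf"
# libldap opens these files in the master's process context, so the same
# check run as root (which is usually how ldapsearch gets tried) proves
# nothing about gpadmin.

# Print the TLS_CACERTDIR value from an ldap.conf-style file (first match).
cacertdir_from_conf() {
    awk '$1 == "TLS_CACERTDIR" { print $2; exit }' "$1"
}

# Return 0 when the current user can search the directory and read every
# file in it; print the first problem found and return 1 otherwise.
check_cacertdir_access() {
    dir="$1"
    if [ -z "$dir" ]; then
        echo "no TLS_CACERTDIR setting found"; return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "TLS_CACERTDIR does not exist: $dir"; return 1
    fi
    # Listing the directory needs r, opening a file inside it needs x.
    if [ ! -r "$dir" ] || [ ! -x "$dir" ]; then
        echo "no read/search permission on $dir for $(id -un)"; return 1
    fi
    found=0
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # unmatched glob: directory is empty
        found=1
        if [ ! -r "$f" ]; then
            echo "cannot read $f as $(id -un)"; return 1
        fi
    done
    if [ "$found" -eq 0 ]; then
        echo "$dir is empty: no CA certificate to verify the LDAP server with"
        return 1
    fi
    # Note: an OpenSSL-linked libldap also expects hashed file names here
    # (c_rehash); the NSS-linked build shipped with RHEL accepts an NSS
    # database or PEM files. Both builds fail when the user cannot read it.
    echo "ok: $dir is usable by $(id -un)"
    return 0
}

# Check the directory named in the ldap.conf given as first argument, if any.
if [ $# -gt 0 ]; then
    check_cacertdir_access "$(cacertdir_from_conf "$1")"
fi
```

A non-zero exit with a "no read/search permission" or "cannot read" message, printed while running as gpadmin, is the condition the Cause section describes; fix the ownership or mode of the directory (and its files) rather than running the master as root.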

Option 2:

Perform the following steps on the GPDB master host:

Step 1

Capture the traffic of a psql connection made with an LDAP user:

tcpdump -vvv -n -i bond0 -w ldapGPDB_port.cap "port 389 or port 636"

(replace bond0 with the interface that carries traffic to the LDAP server; 389 is the default port for plain LDAP, including StartTLS, and 636 the default for LDAP over SSL/TLS (ldaps), so capture whichever the pg_hba.conf entry uses)

The capture shows whether the TLS handshake between GPDB and the LDAP server completes. When the CA directory cannot be read, the client side typically breaks off the handshake right after the server has sent its certificate, which distinguishes this case from a server that is unreachable or rejecting the bind.

Step 2

Trace the GPDB master process. strace -p takes a process ID, not a port, so first look up the PID of the master postmaster (it is the first line of postmaster.pid in the master data directory):

MASTER_PID=$(head -1 "$MASTER_DATA_DIRECTORY/postmaster.pid")

strace -ff -yy -ttt -p "$MASTER_PID" -o /tmp/gpdb_ldap.strace

(remove -yy if you have an older strace that does not support it; -ff follows the child processes, which matters because the LDAP bind runs in the backend forked for the new connection, not in the postmaster itself, and with -o each process is written to its own file /tmp/gpdb_ldap.strace.PID)

With the trace running, log in with psql as an LDAP user, then search the trace output for the certificate directory (TLS_CACERTDIR in /etc/openldap/ldap.conf) and look for open or stat calls on it that fail with EACCES, e.g.:

grep -n EACCES /tmp/gpdb_ldap.strace.*

Once the GPDB user has the required permissions on that directory, log in again with psql to verify the LDAP setup.

Additional Information

More Information on GPDB-LDAP
