LDAP not working anymore after upgrade from 3.2 to 3.3


After upgrading from Graylog 3.2.6 to Graylog 3.3.5, the LDAP connection does not work anymore.
I tried to change some parameters (SSL, port, password and so on) without any result.
When I test the connection, I get the error message "TimeOut occurred".

2020-09-11T17:53:05.449+02:00 ERROR [LdapNetworkConnection] Bind failed : timeout occurred
2020-09-11T17:53:05.451+02:00 ERROR [LdapNetworkConnection] The response queue has been emptied, no response was found.
org.apache.directory.api.ldap.model.exception.LdapException: TimeOut occurred

Thanks for any help.

Check the Graylog changelog. From version 3.3.3, Graylog validates TLS certificates.

[BREAKING]: Enable hostname validation for SSL/TLS-backed LDAP connections. Graylog2/graylog2-server#8625 Prior to v3.3.3, the certificates of LDAP servers which are connected to using a secure connection (SSL or TLS) were not validated, even if the “Allow self-signed certificates” option was unchecked. Starting with v3.3.3, certificates are validated against the local default keystore. This might introduce a breaking change, depending on your local LDAP settings and the validity of the certificates used (if any). Please ensure that all certificates used are valid, their common name matches the host part of your configured LDAP server and your local keystore contains all CA/intermediate certs required for validation.

I am using a public wildcard certificate certified by DigiCert.
So I unchecked the Allow self-signed certificates option.
However, it does not work and I don't have any log to help me troubleshoot this issue.

Is the "local default keystore" the Java keystore or the Linux keystore?

It’s not about the cert, it’s about the SSL/TLS versions…
But if you worry about the cert, Graylog will validate your cert, so it should know your CA as a trusted CA (Java keystore).
First, I suggest starting with tcpdump to check the connection.
If you have a connection between your Graylog and the LDAP server, you can check the LDAP server's logs as well.
And you can also check the LDAP function with the Linux CLI's ldapsearch command.
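The changelog quoted above requires the certificate name to match the host part of the configured LDAP server, and the original poster uses a wildcard certificate. The following is an added example (not Graylog's code, written for this thread) that applies the RFC 6125 wildcard-matching rules to a constructed set of certificate names and a Graylog-style ldaps:// URI, so you can see which configured hosts a wildcard cert does and does not cover before blaming the keystore.

```python
"""Check whether the host part of a Graylog LDAP server URI is covered by
the names in the server's TLS certificate, using RFC 6125 wildcard rules.
Added example, not Graylog code; all certificate names below are constructed."""
import ipaddress
from urllib.parse import urlsplit


def _name_matches(pattern, host):
    """Match one certificate name (possibly a wildcard) against one host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    # A wildcard is only valid as the entire leftmost label ("*.example.com");
    # "ld*.example.com" or "*.*.example.com" are rejected.
    head, _, tail = pattern.partition(".")
    if head != "*" or not tail or "*" in tail:
        return False
    # Wildcards never match IP literals, so "ldaps://10.0.0.5" cannot be
    # covered by "*.corp.example" even if DNS would resolve that way.
    try:
        ipaddress.ip_address(host)
        return False
    except ValueError:
        pass
    # The wildcard stands for exactly one label: "*.corp.example" matches
    # "ldap.corp.example" but neither "corp.example" nor "dc1.ad.corp.example".
    h_head, _, h_tail = host.partition(".")
    return bool(h_head) and h_tail == tail


def cert_covers_host(host, san_dns, cn=None):
    """True if a SAN dNSName matches the host. The CN is consulted only when
    the certificate carries no SAN at all, as modern verifiers do."""
    names = san_dns if san_dns else ([cn] if cn else [])
    return any(_name_matches(n, host) for n in names)


def check_ldap_uri(uri, san_dns, cn=None):
    """Extract the host part of an ldap:// or ldaps:// URI as configured in
    Graylog and report whether the certificate names cover it."""
    host = urlsplit(uri).hostname or ""
    return {"host": host, "covered": cert_covers_host(host, san_dns, cn)}


if __name__ == "__main__":
    SAN = ["*.corp.example", "corp.example"]  # constructed wildcard cert
    for u in ("ldaps://ldap.corp.example:636",
              "ldaps://dc1.ad.corp.example:636", "ldaps://10.0.0.5:636"):
        print(u, check_ldap_uri(u, SAN))
```

A host that reports `covered: False` here will fail Graylog's hostname validation regardless of how complete the Java keystore is, so fix the configured host name or reissue the certificate with a matching SAN.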
