Connection cannot be established with the AD or the LDAP server

If NetBackup could not establish a connection with the AD or the LDAP server, the nbatd logs contain the following error:

Example of error message:

(authldap.cpp) CAuthLDAP::validatePrpl - ldap_simple_bind_s() 
failed for user CN=Test User,OU=VTRSUsers,DC=VRTS,DC=com', 
error = -1, errmsg = Can't contact LDAP server,9:debugmsgs,1

LDAP server URL validation fails

The LDAP server URL (-s option) that is entered using the vssat addldapdomain command does not pass the validation test.

Validate the URL:

ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> 
-d <debug_level> -o nettimeout=<seconds>

Example of validation error message:

ldapsearch -H ldaps://example.veritas.com:389 -D 
"CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** 
-d 5 -o nettimeout=60 

TLS: can't connect: TLS error -8179:Peer's Certificate issuer 
is not recognized. ldap_sasl_bind(SIMPLE): 
Can't contact LDAP server (-1)

The server certificate issuer is not a trusted certificate authority (CA)

If you use the ldaps option you can validate the certificate issuer using the ldapsearch command.

Validate the certificate issuer:

set env var LDAPTLS_CACERT to cacert.pem

ldapsearch -H <LDAPS_URI> -D "<admin_user_DN>" -w <passwd> 
-d <debug_level> -o nettimeout=<seconds>

Example of validation message:

ldapsearch -H ldaps://example.veritas.com:389 -D 
"CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** 
-d 5 -o nettimeout=60

TLS: can't connect: TLS error -8179:
Peer's Certificate issuer is not recognized..ldap_sasl_bind(SIMPLE): 
Can't contact LDAP server (-1)

The file path for cacert.pem is:

Windows:

install_path\NetBackup\var\global\vxss\eab\data
\systemprofile\certstore\trusted\pluggins\ldap\cacert.pem

UNIX:

/usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile
/certstore/trusted/pluggins/ldap/cacert.pem

The certificate authority (CA) that signed the LDAP server's security certificate is not in the nbatd trust store

Use the -f option of the vssat addldapdomain command to add the certificate to the nbatd command's truststore.

This option is necessary if the CA that signed the certificate is other than the following:

Certification Services Division	GeoTrust	Symantec Corporation
CyberTrust	GlobalSign	VeriSign Trust Network
DigiCert	RSA Security Inc.

Connection cannot be established with the AD or the LDAP server

Feedback

Feedback