Connection cannot be established with the AD or the LDAP server

If NetBackup could not establish a connection with the AD or the LDAP server, the nbatd logs contain the following error:

Example of error message:

  • (authldap.cpp) CAuthLDAP::validatePrpl - ldap_simple_bind_s() 
    failed for user CN=Test User,OU=VTRSUsers,DC=VRTS,DC=com', 
    error = -1, errmsg = Can't contact LDAP server,9:debugmsgs,1

LDAP server URL validation fails

The LDAP server URL (-s option) that is entered using the vssat addldapdomain command does not pass the validation test.

Validate the URL:

  • ldapsearch -H <LDAP_URI> -D "<admin_user_DN>" -w <passwd> 
    -d <debug_level> -o nettimeout=<seconds>

Example of validation error message:

  • ldapsearch -H ldaps://example.veritas.com:389 -D 
    "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** 
    -d 5 -o nettimeout=60 
    
    TLS: can't connect: TLS error -8179:Peer's Certificate issuer 
    is not recognized. ldap_sasl_bind(SIMPLE): 
    Can't contact LDAP server (-1)

The server certificate issuer is not a trusted certificate authority (CA)

If you use the ldaps option, you can validate the certificate issuer using the ldapsearch command.

Validate the certificate issuer:

  • Set the environment variable LDAPTLS_CACERT to cacert.pem, then run:
    
    ldapsearch -H <LDAPS_URI> -D "<admin_user_DN>" -w <passwd> 
    -d <debug_level> -o nettimeout=<seconds>

Example of validation message:

  • ldapsearch -H ldaps://example.veritas.com:389 -D 
    "CN=Test User,OU=VRTSUsers,DC=VRTS,DC=com" -w ******** 
    -d 5 -o nettimeout=60
    
    TLS: can't connect: TLS error -8179:
    Peer's Certificate issuer is not recognized..ldap_sasl_bind(SIMPLE): 
    Can't contact LDAP server (-1)

The file path for cacert.pem is:

  • Windows:

    install_path\NetBackup\var\global\vxss\eab\data
    \systemprofile\certstore\trusted\pluggins\ldap\cacert.pem
  • UNIX:

    /usr/openv/var/global/vxss/eab/data/root/.VRTSat/profile
    /certstore/trusted/pluggins/ldap/cacert.pem

The certificate authority (CA) that signed the LDAP server's security certificate is not in the nbatd trust store

Use the -f option of the vssat addldapdomain command to add the certificate to the nbatd trust store.

This option is necessary if the CA that signed the certificate is not one of the following:

  • Certification Services Division
  • GeoTrust
  • Symantec Corporation
  • CyberTrust
  • GlobalSign
  • VeriSign Trust Network
  • DigiCert
  • RSA Security Inc.
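
The nbatd error and the ldapsearch output quoted on this page both end in "Can't contact LDAP server", so that message alone does not separate a connection problem from a certificate trust problem. The following added example (not NetBackup code) sorts pasted output into the cases above by checking the TLS line first; the cause labels, the triage function and the sample strings are constructed for illustration.

```python
import re
from typing import NamedTuple, Optional

class Finding(NamedTuple):
    cause: str                 # label invented for this example
    bind_dn: Optional[str]     # DN from the nbatd line, if present
    tls_code: Optional[int]    # numeric TLS error from ldapsearch -d output
    next_step: str             # follow-up, using this page's steps where it has one

BIND_RE = re.compile(r"ldap_simple_bind_s\(\) failed for user '?(?P<dn>.+?)'?, "
                     r"error = (?P<code>-?\d+), errmsg = (?P<msg>[^,]+)")
TLS_RE = re.compile(r"TLS error (?P<code>-?\d+): ?(?P<msg>[^.]+)")
CONTACT = "Can't contact LDAP server"

def triage(raw: str) -> Finding:
    text = " ".join(raw.split())   # join display-wrapped lines into one
    bind = BIND_RE.search(text)
    dn = bind.group("dn") if bind else None
    tls = TLS_RE.search(text)
    # Check the TLS line first: a trust failure also ends in "Can't contact
    # LDAP server", so that message alone does not prove a network problem.
    if tls and "issuer is not recognized" in tls.group("msg"):
        return Finding("untrusted_issuer", dn, int(tls.group("code")),
                       "Point LDAPTLS_CACERT at cacert.pem and rerun ldapsearch; "
                       "add the signing CA with vssat addldapdomain -f")
    if tls:
        return Finding("other_tls_error", dn, int(tls.group("code")),
                       "Read the ldapsearch -d output around the TLS error")
    if CONTACT in text:
        return Finding("cannot_contact", dn, None,
                       "Validate the -s URL with ldapsearch -H <LDAP_URI> -d "
                       "<debug_level> to see whether TLS is the real cause")
    return Finding("unrecognized", dn, None, "No message from this page matched")

# Constructed samples, assembled from the messages quoted on this page.
NBATD_SAMPLE = ("(authldap.cpp) CAuthLDAP::validatePrpl - ldap_simple_bind_s() "
                "failed for user CN=Test User,OU=VTRSUsers,DC=VRTS,DC=com', "
                "error = -1, errmsg = Can't contact LDAP server,9:debugmsgs,1")
LDAPSEARCH_SAMPLE = """TLS: can't connect: TLS error -8179:Peer's Certificate issuer
is not recognized. ldap_sasl_bind(SIMPLE):
Can't contact LDAP server (-1)"""

if __name__ == "__main__":
    for sample in (NBATD_SAMPLE, LDAPSEARCH_SAMPLE):
        print(triage(sample))
```

The nbatd line on its own is reported as cannot_contact, which is why the page has you rerun the check with ldapsearch and a debug level before deciding what to fix.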

 
