IBM Support

IJ27713: UNABLE TO LOGIN TO QRADAR USING ENCRYPTED LDAP WITH MICROSOFT AD SERVICES OVER STANDARD LDAP PORTS


APAR status

  • Closed as Permanent restriction.

Error description

  • Users are unable to log in when using encrypted LDAP with
    Microsoft Active Directory Services over the standard LDAP ports
    TCP/389 and TCP/636, because LDAP referrals break communications
    over TLS encryption.
    When attempting to log in, LDAP authentication fails, even when
    using the "Test Connection" button on the LDAP configuration
    page.
    Messages similar to the following might be visible in
    /var/log/qradar.log when this issue occurs:

    [tomcat.tomcat] [admin@127.0.0.1(3540) /console/JSON-RPC/QRadar.isLDAPConnectionAvailable QRadar.isLDAPConnectionAvailable] com.q1labs.core.shared.ldap.SimpleLdapClient: [ERROR] [NOT:0000003000][ipaddress/- -] [-/- -]Exception occurred when checking if ldap connection is available

    [tomcat.tomcat] [admin@127.0.0.1(3540) /console/JSON-RPC/QRadar.isLDAPConnectionAvailable QRadar.isLDAPConnectionAvailable] javax.naming.NamingException: [LDAP: error code 1 - 00000000: LdapErr: DSID-0C09127A, comment: TLS or SSL already in effect, data 0, v3839
    

Local fix

  • Use SSL instead of TLS or configure LDAP and the LDAP settings
    (base OU etc.) to prevent referrals.
    or
    Attempt to use one of the AD Global Catalog ports at TCP/3268 &
    TCP/3269.
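
To tell this restriction apart from ordinary LDAP login failures during triage, the following added example (not IBM or QRadar code) scans qradar.log text for the exception quoted in the error description. It assumes each log record sits on a single line; the function names and the sample log, including the bad-password record used as a negative control, are constructed for illustration.

```python
import re

# Constructed sample modelled on the messages quoted above, one record per
# line. The last record (a bad-password error) is a constructed negative control.
_PFX = ("[tomcat.tomcat] [admin@127.0.0.1(3540) "
        "/console/JSON-RPC/QRadar.isLDAPConnectionAvailable "
        "QRadar.isLDAPConnectionAvailable] ")
SAMPLE_LOG = "\n".join([
    _PFX + "com.q1labs.core.shared.ldap.SimpleLdapClient: [ERROR] "
           "[NOT:0000003000][ipaddress/- -] [-/- -]Exception occurred when "
           "checking if ldap connection is available",
    _PFX + "javax.naming.NamingException: [LDAP: error code 1 - 00000000: "
           "LdapErr: DSID-0C09127A, comment: TLS or SSL already in effect, "
           "data 0, v3839",
    _PFX + "javax.naming.AuthenticationException: [LDAP: error code 49 - "
           "80090308: LdapErr: DSID-0C09044E, comment: AcceptSecurityContext "
           "error, data 52e, v3839",
])

LDAP_ERR = re.compile(
    r"\[(?P<user>[^@\]\s]+)@(?P<src>[\d.]+)\(\d+\).*?"
    r"(?P<exc>javax\.naming\.\w+):\s*\[LDAP: error code (?P<code>\d+) - "
    r"\w+: LdapErr: (?P<dsid>DSID-\w+), comment: (?P<comment>[^,]+), data")
SIGNATURE = "TLS or SSL already in effect"  # comment text from the APAR
HINT = ("use SSL instead of TLS, prevent referrals, or try the Global "
        "Catalog ports TCP/3268 and TCP/3269")  # the APAR's local fix

def find_ldap_failures(log_text):
    """Return one dict per LDAP exception record, flagging the APAR signature."""
    hits = []
    for line in log_text.splitlines():
        m = LDAP_ERR.search(line)
        if m:
            rec = m.groupdict()
            rec["code"] = int(rec["code"])
            rec["matches_apar"] = rec["code"] == 1 and SIGNATURE in rec["comment"]
            hits.append(rec)
    return hits

def triage(log_text):
    """Render a one-line verdict per failure for an analyst."""
    return [f'{h["user"]}@{h["src"]} {h["dsid"]}: '
            + (f"IJ27713 signature; {HINT}" if h["matches_apar"]
               else f'other LDAP error {h["code"]} ({h["comment"]})')
            for h in find_ldap_failures(log_text)]

if __name__ == "__main__":
    print("\n".join(triage(SAMPLE_LOG)))
```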
    

Problem summary

  • We're unlikely to have the resources to tackle this issue.
    Closing as won't fix.
    

Problem conclusion

  • We're unlikely to have the resources to tackle this issue.
    Closing as won't fix.
    

Temporary fix

Comments

APAR Information

  • APAR number

    IJ27713

  • Reported component name

    QRADAR SOFTWARE

  • Reported component ID

    5725QRDSW

  • Reported release

    732

  • Status

    CLOSED PRS

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2020-09-04

  • Closed date

    2021-02-03

  • Last modified date

    2021-02-03

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

Applicable component levels


Document Information

Modified date:
04 February 2021