On the LDAP Authentication page, when the Test Connection option is used for Active Directory over an LDAPS connection, an error message regarding the SSL handshake is observed:
Diagnosing The Problem
Resolving The Problem
NOTE: These steps are applicable to LDAPS based authentication for other directory servers as well.
- Ask the Active Directory administrator for all the certificates that belong to the chain of trust for the server certificate (the server certificate, any intermediate CA certificates, and the root CA certificate). Place all these certificates in /opt/qradar/conf/trusted_certificates/.
- If the Active Directory administrator has not provided the chain or is not aware of the correct certificate chain, you can run the following command to extract the certificates that the Active Directory server presents during the handshake:
openssl s_client -connect <AD server FQDN>:636 -showcerts </dev/null 2>/dev/null | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' > ad_ldap_server.pem
Note: The sed filter keeps every certificate in the -showcerts output, the server certificate first and its issuers after it. Piping the output through openssl x509 instead keeps only the first certificate, the server's own, and drops the rest of the chain. If the server sends only its own certificate, the issuing CA certificates must still be obtained from the Active Directory administrator.
Note: Replace port 636 with 3269 (the Global Catalog SSL port) if you are connecting to the Global Catalog of the forest root domain rather than to a single domain's LDAPS port. Run the following command from the QRadar Console to verify that port 3269 is reachable:
#telnet <AD server FQDN> 3269
- Run the following command to verify the certificate (it displays the first certificate in the file, which is the server's own):
openssl x509 -in ad_ldap_server.pem -text -noout
Note: Typically, the fields Subject and Subject Alternative Name contain the Fully Qualified Domain Name (FQDN) of the Active Directory server. Check that the server name entered on the LDAP Authentication page appears in one of these fields, and that the Not After date has not passed.
For the user(s) who got the error message, have them clear their browser caches and attempt to log in again.
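The steps above, collected into one script as an added example; this is not part of the original technote and not IBM's own tooling. It fetches the certificates the Active Directory server presents on its LDAPS port, splits them into one PEM file each (a single openssl x509 would keep only the first), reports subject, issuer and expiry for each, checks that the server certificate names the host QRadar will connect to, warns if the chain does not end in a self-signed root, and copies the files into /opt/qradar/conf/trusted_certificates/ only when INSTALL=1 is set. The ad_ldap file prefix, the INSTALL switch and the example host names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original technote): pull the full certificate
# chain an Active Directory server presents on its LDAPS port, split it into
# one PEM file per certificate, and sanity-check each file before it is
# copied into /opt/qradar/conf/trusted_certificates/.  The ad_ldap file
# prefix and the INSTALL=1 switch are assumptions made for this example.

# Split a PEM bundle read from stdin into <prefix>-1.pem, <prefix>-2.pem, ...
# and print how many certificates were found.  (Piping a -showcerts dump
# through a single 'openssl x509' would keep only the first certificate.)
split_pem_chain() {
    awk -v p="$1" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = p "-" n ".pem" }
        n                             { print > f }
        /-----END CERTIFICATE-----/   { close(f) }
        END                           { print n + 0 }'
}

# Fetch the chain from host:port (636 for a domain controller, 3269 for the
# Global Catalog) and print the number of certificates written.
fetch_ldaps_chain() {
    openssl s_client -connect "$1:$2" -showcerts </dev/null 2>/dev/null \
        | split_pem_chain "$3"
}

# 0 if the certificate in $1 names host $2 in its CN or Subject Alternative Name.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# 0 if the certificate in $1 has not expired.
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# 0 if the certificate in $1 is self-signed, i.e. the root of the chain.
cert_is_self_signed() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253)
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253)
    [ "${subj#*=}" = "${iss#*=}" ]
}

main() {
    host="${1:?usage: $0 <AD server FQDN> [port]}"; port="${2:-636}"
    out=$(mktemp -d)
    count=$(fetch_ldaps_chain "$host" "$port" "$out/ad_ldap")
    [ "$count" -gt 0 ] || { echo "no certificates received from $host:$port"; return 1; }
    echo "$count certificate(s) received from $host:$port"

    i=1
    while [ "$i" -le "$count" ]; do
        f="$out/ad_ldap-$i.pem"
        openssl x509 -in "$f" -noout -subject -issuer -enddate
        cert_not_expired "$f" || echo "  WARNING: certificate has expired"
        if [ "$i" -eq 1 ]; then   # the first certificate is the server's own
            cert_matches_host "$f" "$host" || echo "  WARNING: $host not in CN/SAN"
        fi
        cert_is_self_signed "$f" && echo "  (self-signed root)"
        i=$((i + 1))
    done
    cert_is_self_signed "$out/ad_ldap-$count.pem" \
        || echo "chain does not end in a root CA; obtain the issuing CA certificate(s) from the AD administrator"

    if [ "${INSTALL:-0}" = "1" ]; then
        cp "$out"/ad_ldap-*.pem /opt/qradar/conf/trusted_certificates/
        echo "installed into /opt/qradar/conf/trusted_certificates/"
    else
        echo "files are in $out; rerun with INSTALL=1 to copy them into /opt/qradar/conf/trusted_certificates/"
    fi
}

if [ "$#" -ge 1 ]; then main "$@"; fi
```

Run it from the QRadar Console as `sh ad_ldaps_chain.sh <AD server FQDN> 636` (or 3269 for the Global Catalog), review the warnings, then rerun with `INSTALL=1` to copy the files. A chain that ends in a certificate that is not self-signed means the server did not send its root CA, so that certificate still has to come from the Active Directory administrator.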
22 February 2021