IBM Support

z/OS 3.2 LDAP client defaults to 2-CHAR ciphers and receives RC=116 "ldap_sasl_bind: SSL handshake with the server failed"

Troubleshooting


Problem

As of z/OS 3.2, an LDAP client attempting to connect using a secure connection (SSL/TLS) can fail with RC=116 "ldap_sasl_bind: SSL handshake with the server failed".

Symptom

The connection between the client and server is terminated with RC=116 "ldap_sasl_bind: SSL handshake with the server failed".

Cause

z/OS System SSL now defaults the SSL cipher suite format to 4-character ciphers, but the LDAP client still defaults to 2-character ciphers.

Environment

A z/OS 3.2 system running the z/OS LDAP client utilities that does not set the LDAP_SSL_CIPHER_FORMAT environment variable to CHAR4.

Diagnosing The Problem

Collect a z/OS LDAP debug trace using the -d parameter of the ldapsearch utility. If the trace shows the LDAP client defaulting to 2-byte ciphers, the LDAP_SSL_CIPHER_FORMAT environment variable is not set to CHAR4.

TRACE ldap_ssl_get_cipher_format()1946: LDAP_SSL_CIPHER_FORMAT envvar is not set. The default 2-byte ciphers format will be assumed.
TRACE ldap_ssl_get_cipher_format()1951: <= ciphers format retrieved = 2
TRACE ldap_ssl_socket_init()1729: <= rc=116 ldap_sasl_bind: SSL handshake with the server failed

Resolving The Problem

To resolve this issue, set the LDAP_SSL_CIPHER_FORMAT environment variable to CHAR4 so that the LDAP client uses the 4-character cipher format.
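
The diagnosis and fix above as a shell sketch. This is an added example, not IBM code: the function names are hypothetical, the sample trace reuses the three trace lines quoted in this document, and treating an rc=116 without the 2-byte fallback as a different cause is an assumption.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of z/OS.

# Writes the three trace lines quoted in the technote to the file named in $1.
write_sample_trace() {
    cat > "$1" <<'EOF'
TRACE ldap_ssl_get_cipher_format()1946: LDAP_SSL_CIPHER_FORMAT envvar is not set. The default 2-byte ciphers format will be assumed.
TRACE ldap_ssl_get_cipher_format()1951: <= ciphers format retrieved = 2
TRACE ldap_ssl_socket_init()1729: <= rc=116 ldap_sasl_bind: SSL handshake with the server failed
EOF
}

# Prints a verdict for the debug trace file named in $1:
#   cipher_format_default  rc=116 and the client fell back to the 2-byte format
#   other_rc116            rc=116 without that fallback (assumed: different cause)
#   no_rc116               no rc=116 handshake failure recorded
classify_trace() {
    if ! grep -q 'rc=116' "$1"; then
        echo no_rc116
    elif grep -q 'LDAP_SSL_CIPHER_FORMAT envvar is not set' "$1" ||
         grep -q 'ciphers format retrieved = 2 *$' "$1"; then
        echo cipher_format_default
    else
        echo other_rc116
    fi
}

# Succeeds only when the current environment already selects CHAR4.
cipher_format_ok() {
    [ "${LDAP_SSL_CIPHER_FORMAT:-}" = "CHAR4" ]
}

sample="${TMPDIR:-/tmp}/ldap_trace_sample.$$"
write_sample_trace "$sample"
echo "trace verdict: $(classify_trace "$sample")"
rm -f "$sample"

cipher_format_ok || echo "LDAP_SSL_CIPHER_FORMAT is not CHAR4 in this shell"
# Fix from the technote: set the variable before running the client utilities.
export LDAP_SSL_CIPHER_FORMAT=CHAR4
```

The export applies only to the current shell and its child processes, so it must be in effect in whatever environment launches the LDAP client utilities.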

Document Location

Worldwide

Document Information

Modified date:
24 February 2026

UID

ibm17260683