LDAP interface troubleshooting

Before you contact Support, use this troubleshooting information to identify the cause of the error you experienced.


Time limit exceeded

If an LDAP request takes more than two minutes to evaluate, the LDAP Interface stops evaluating and returns error code 3 (time limit exceeded).


SSL connection errors for Java-based clients

If you receive an error similar to the following, the message itself only tells you that the TLS handshake failed, not why:

Connection failed, reason: An error occurred while attempting to send the LDAP message to server example.com:636: SSLHandshakeException(message='Received fatal alert: handshake_failure', trace='getSSLException(Alerts.java:192) /

If you rerun your code with the -Djavax.net.debug=ssl JVM option, you'll see a trace similar to this:

** ClientHello, TLSv1.1
RandomCookie: GMT: 1533235844 bytes = { 170, 242, 15, 98, 234, 169, 49, 26, 115, 187, 61, 59, 207, 79, 238, 178, 101, 91, 146, 111, 234, 35, 3, 227, 163, 195, 75, 47 }
Session ID: {}
Cipher Suites: [TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_DSS_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA, SSL_DHE_DSS_WITH_3DES_EDE_CBC_SHA, TLS_EMPTY_RENEGOTIATION_INFO_SCSV]
Compression Methods: { 0 }
Extension elliptic_curves, curve names: {secp256r1, secp384r1, secp521r1, sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, secp256k1}
Extension ec_point_formats, formats: [uncompressed]
Extension server_name, server_name: [type=host_name (0), value=<org>.ldap.okta.com]
Connection reader for connection 0 to <org>.ldap.okta.com:636, WRITE: TLSv1.1 Handshake, length = 145
Connection reader for connection 0 to <org>.ldap.okta.com:636, READ: TLSv1.2 Alert, length = 2
Connection reader for connection 0 to <org>.ldap.okta.com:636, RECV TLSv1.2 ALERT: fatal, handshake_failure
Connection reader for connection 0 to <org>.example.okta.com:636, called closeSocket()
Connection reader for connection 0 to <org>.example.okta.com:636, handling exception: javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure

The trace shows that the client sent a TLSv1.1 ClientHello; the server answered with a TLSv1.2 fatal alert (handshake_failure) and closed the connection, rejecting the request.


SSL troubleshooting for C-based clients

For C-based clients, you can use SSLTap or openssl s_client. For example, the following output shows a handshake failure because the client forced SSLv3 (-ssl3), which the server rejects with "wrong version number".

[ldap-tools]$ openssl s_client -connect <org>.ldap.okta.com:636 -ssl3
CONNECTED(00000003)
140736084694024:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:365:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 5 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
SSL-Session:
    Protocol : SSLv3
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Source-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1533239615
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)

Handshake failure due to unsupported cipher

The following example shows the handshake being rejected because the client offered only a cipher suite the server does not support (DES-CBC3-SHA, forced with -cipher); the server answers with alert number 40 (handshake failure) at the TLSv1.2 level, so the protocol version itself is not the problem here.

[ldap-tools]$ openssl s_client -connect <org>.ldap.okta.com:636 -tls1_2 -cipher DES-CBC3-SHA
CONNECTED(00000003)
140736084694024:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:s3_pkt.c:1498:SSL alert number 40
140736084694024:error:1409E0E5:SSL routines:ssl3_write_bytes:ssl handshake failure:s3_pkt.c:659:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
No ALPN negotiated
SSL-Session:
    Protocol : TLSv1.2
    Cipher : 0000
    Session-ID:
    Session-ID-ctx:
    Source-Key:
    Key-Arg : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1533239822
    Timeout : 7200 (sec)
    Verify return code: 0 (ok)
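As an added example (not from Okta or this page), the following Python helper pulls the client-offered protocol version, the server's alert and a likely cause out of both trace formats shown above, the Java -Djavax.net.debug=ssl output and the openssl s_client transcripts. The embedded sample traces are constructed abbreviations of the ones on this page, and the cause labels are this helper's own names; the version-mismatch rule is the heuristic the page states.

```python
import re

# Regexes for the two trace formats shown above: Java -Djavax.net.debug=ssl
# output and openssl s_client transcripts (field names taken from those traces).
JAVA_HELLO = re.compile(r"ClientHello, (SSLv3|TLSv1(?:\.\d)?)")
JAVA_ALERT = re.compile(r"RECV (SSLv3|TLSv1(?:\.\d)?) ALERT:\s*(\w+), (\w+)")
JAVA_SUITES = re.compile(r"Cipher Suites: \[([^\]]*)\]")
OSSL_REASON = re.compile(r"error:[0-9A-Fa-f]+:SSL routines:[^:]+:([^:]+):")
OSSL_ALERT = re.compile(r"SSL alert number (\d+)")   # 40 = handshake_failure (RFC 5246)
OSSL_PROTO = re.compile(r"Protocol\s*:\s*(\S+)")
VERSIONS = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]   # oldest to newest

# Constructed samples, abbreviated from the traces on this page.
JAVA_TRACE = ("*** ClientHello, TLSv1.1 RandomCookie: GMT: 1533235844 Session ID: {} "
              "Cipher Suites: [TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA] "
              "READ: TLSv1.2 Alert, length = 2 RECV TLSv1.2 ALERT: fatal, handshake_failure")
OSSL_SSL3 = ("140736084694024:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:"
             "s3_pkt.c:365:\nSSL-Session:\n    Protocol : SSLv3\n    Cipher : 0000")
OSSL_CIPHER = ("140736084694024:error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake "
               "failure:s3_pkt.c:1498:SSL alert number 40\n    Protocol : TLSv1.2\n    Cipher : 0000")

def diagnose(trace: str) -> dict:
    """Return what the client offered, what the server answered, and a likely cause."""
    info = {"cause": "unknown"}
    hello = JAVA_HELLO.search(trace)
    if hello:                                        # Java debug trace
        info["client_version"] = hello.group(1)
        suites = JAVA_SUITES.search(trace)
        info["cipher_suites"] = [s.strip() for s in suites.group(1).split(",")] if suites else []
        alert = JAVA_ALERT.search(trace)
        if alert and alert.group(3) == "handshake_failure":
            info["alert_version"], info["alert"] = alert.group(1), alert.group(3)
            # Heuristic from the page: an alert carrying a newer record version than the
            # ClientHello points at a protocol mismatch; same version points at cipher suites.
            newer = VERSIONS.index(alert.group(1)) > VERSIONS.index(hello.group(1))
            info["cause"] = "protocol_version_mismatch" if newer else "cipher_suite_rejected"
        return info
    proto = OSSL_PROTO.search(trace)                 # openssl s_client transcript
    if proto:
        info["client_version"] = proto.group(1)
    info["reasons"] = OSSL_REASON.findall(trace)
    alert = OSSL_ALERT.search(trace)
    if "wrong version number" in info["reasons"]:   # server refused the record version (-ssl3)
        info["cause"] = "protocol_version_rejected"
    elif alert and alert.group(1) == "40":           # handshake_failure alert at the offered version
        info["alert"] = "handshake_failure"
        info["cause"] = "cipher_suite_rejected"
    return info
```

Feed it the full text of a captured trace; a "protocol_version_mismatch" or "protocol_version_rejected" result means the client must be moved to TLSv1.2, while "cipher_suite_rejected" means the offered cipher list needs to change.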