cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
9453
Views
1
Helpful
4
Replies

Unable to read rootDSE Error (LDAPs to Microsoft AD)

latenaite2011
Level 4
Level 4

Does anyone know how to fix this error below:


[-2147483518] Session Start
[-2147483518] New request Session, context 0x00007f8c52c4f7e8, reqType = Authentication
[-2147483518] Fiber started
[-2147483518] Creating LDAP context with uri=ldap://x.x.x.x:636
[-2147483518] Connect to LDAP server: ldap://x.x.x.x:636, status = Successful
[-2147483518] Unable to read rootDSE. Can't contact LDAP server.

 

I tried following this URL, https://paulgporter.net/2013/01/03/cisco-asa-ldap-ssl/, but it is not working and the URL is for OpenLDAP and not Microsoft LDAPs.

 

I followed this step when configuring LDAPs on the Microsoft Server:

 

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

 

Thanks!

4 Replies 4

lisa1800
Level 1
Level 1

I know this post is old, but I had a similar problem -- shows the 'Connect to LDAP Server... ' as successful, but fails with the 'Unable to read rootDSE.' error.

 

In my case I was missing the 'ldap-over-ssl enable' on my LDAPS aaa-server profile.

lisa1800
Level 1
Level 1

I know this post is old, but I had a similar problem -- shows the 'Connect to LDAP Server... ' as successful, but fails with the 'Unable to read rootDSE.' error.

 

In my case I was missing the 'ldap-over-ssl enable' on my LDAPS aaa-server profile.

j.a.m.e.s
Level 4
Level 4

I know this is an old post, but I've hit it a few times and every time "Unable to read rootDSE" combined with the use of LDAPs turned out to be the ASA unable to reach the CRL service associated with the certificate coming back from the LDAPs server.

These debugs helped me:

debug ldap 255 - not that useful. Just showed "Unable to read rootDSE"
debug crypto ca 14 - showed the SSL negotiation, including the CRL checks
capture CAP1 interface inside match tcp any any eq 636 THEN copy /pcap capture CAP1 ... - showed the Domain Controller issuing a ServerHello so presumably it was happy with the ASA ciphers

 I'm sure there are other reasons for "Unable to read rootDSE", but the above debugs will narrow it down.

tfs128
Level 1
Level 1

Error can be caused by cert verification failing due to weak algorithms: "crypto ca permit-weak-crypto" would override that check

Review Cisco Networking for a $25 gift card