8802 Views · 1 Helpful · 4 Replies

Unable to read rootDSE Error (LDAPs to Microsoft AD)

latenaite2011
Level 4

Does anyone know how to fix this error below:


[-2147483518] Session Start
[-2147483518] New request Session, context 0x00007f8c52c4f7e8, reqType = Authentication
[-2147483518] Fiber started
[-2147483518] Creating LDAP context with uri=ldap://x.x.x.x:636
[-2147483518] Connect to LDAP server: ldap://x.x.x.x:636, status = Successful
[-2147483518] Unable to read rootDSE. Can't contact LDAP server.

I tried following this URL, https://paulgporter.net/2013/01/03/cisco-asa-ldap-ssl/, but it is not working and the URL is for OpenLDAP and not Microsoft LDAPs.

I followed this step when configuring LDAPs on the Microsoft Server:

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

Thanks!

4 Replies

lisa1800
Level 1

I know this post is old, but I had a similar problem -- shows the 'Connect to LDAP Server...' as successful, but fails with the 'Unable to read rootDSE.' error.

 

In my case I was missing the 'ldap-over-ssl enable' on my LDAPS aaa-server profile.

j.a.m.e.s
Level 3

I know this is an old post, but I've hit it a few times and every time "Unable to read rootDSE" combined with the use of LDAPs turned out to be the ASA unable to reach the CRL service associated with the certificate coming back from the LDAPs server.

These debugs helped me:

debug ldap 255 - not that useful. Just showed "Unable to read rootDSE"
debug crypto ca 14 - showed the SSL negotiation, including the CRL checks
capture CAP1 interface inside match tcp any any eq 636 THEN copy /pcap capture CAP1 ... - showed the Domain Controller issuing a ServerHello so presumably it was happy with the ASA ciphers

I'm sure there are other reasons for "Unable to read rootDSE", but the above debugs will narrow it down.

tfs128
Level 1

Error can be caused by cert verification failing due to weak algorithms: "crypto ca permit-weak-crypto" would override that check.
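
Pulling the three causes named in the replies together, the following ASA configuration is an added example for this thread, not something any of the participants posted. It shows an aaa-server profile with "ldap-over-ssl enable" (lisa1800's fix), a trustpoint for the domain controller's issuing CA with revocation checking left on so that an unreachable CRL shows up as the real cause instead of being masked (j.a.m.e.s's case), the weak-crypto override (tfs128's point) shown only as a last resort, and the exec-mode checks the thread mentions. The names LDAPS-DC and AD-ROOT-CA, the address 192.0.2.10, the DNs and the test account are placeholders; the notes on what "revocation-check crl none" and "crypto ca permit-weak-crypto" relax are the editor's understanding of recent ASA releases, not statements from the thread, so confirm them against the command reference for your version.

```cisco
! Added example (not from the thread). Placeholders: LDAPS-DC, AD-ROOT-CA,
! 192.0.2.10, the DNs and the test account. Verify each command against the
! command reference for your ASA release before pasting.

! 1) Tell the ASA the server speaks LDAP over SSL. With only "server-port 636"
!    the ASA sends plaintext LDAP to a TLS listener: the TCP connect is logged as
!    Successful and the first real operation, the rootDSE read, then fails.
aaa-server LDAPS-DC protocol ldap
aaa-server LDAPS-DC (inside) host 192.0.2.10
 server-port 636
 ldap-over-ssl enable
 server-type microsoft
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=svc-asa-ldap,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <placeholder>

! 2) Trust the CA that issued the DC's certificate, and keep revocation checking
!    on. If the CRL distribution point in the DC's certificate is not reachable
!    from the ASA (DNS, routing, ACLs), "debug crypto ca 14" shows the failed
!    CRL fetch; fix that reachability rather than switching the check off.
!    "revocation-check crl none" (assumption: allowed syntax on your release)
!    would instead silently pass when the CRL cannot be fetched, which removes
!    the protection the check gives, so it is deliberately not used here.
crypto ca trustpoint AD-ROOT-CA
 enrollment terminal
 revocation-check crl
 crl configure
  policy cdp
! The CA certificate itself is imported in exec mode afterwards with
! "crypto ca authenticate AD-ROOT-CA" and pasted in PEM form.

! 3) Only if the DC's certificate chain uses an algorithm the ASA rejects
!    (assumption: SHA-1 signatures or RSA keys shorter than 2048 bits on current
!    releases) does verification fail for that reason. The override below
!    weakens certificate validation for every trustpoint on the box; re-issuing
!    the DC certificate from a modern template is the fix, the override is not.
! crypto ca permit-weak-crypto

! Exec-mode checks (not part of the running config): exercise a bind and watch
! the TLS and CRL path while it happens, then inspect what the ASA trusts.
! debug crypto ca 14
! debug ldap 255
! test aaa-server authentication LDAPS-DC host 192.0.2.10 username testuser password <placeholder>
! show crypto ca certificates AD-ROOT-CA
! show crypto ca crls
! capture CAP1 interface inside match tcp any any eq 636
```

Read the "test aaa-server" output together with "debug crypto ca 14": a failure after a successful TCP connect points at the TLS layer (missing "ldap-over-ssl enable", an untrusted chain, or a CRL the ASA cannot fetch) rather than at the bind credentials, which is exactly the split the thread's debugs are meant to expose.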
