Connection-Related Issues (SSL)
By far the most troublesome connection issues people have are with LDAP over SSL (ldaps), because the client must fully validate the server certificate before any LDAP traffic is sent: the hostname, the port, and the CA chain all have to line up, and a mismatch in any one of them causes the connection to fail.
Hostname Required
When connecting to LDAP with SSL, the hostname entered for the server is also used to verify the server certificate. That hostname must match the certificate's common name (CN) or one of its Subject Alternative Names (SAN), and it must resolve to the LDAP server's IP address. For example: the certificate has CN=ldap.example.com, and ldap.example.com resolves to 192.168.1.5.
If an IP address has been entered as the hostname of the LDAP server, verification will fail unless that IP address also happens to appear in the certificate as the CN or as a SAN entry. A certificate whose SAN lists only DNS names will never match an IP address.
If this must be worked around, it is possible to create a DNS host override in the DNS forwarder for <common name of the cert>.<firewall domain name>, pointing at the LDAP server's IP address, and then enter that name as the LDAP server hostname. This assumes that the CN is in a format that could actually be a hostname.
Use the Correct Port
When using LDAP over SSL, AZTCO-FW software uses an ldaps:// URL, which defaults to port 636. It will NOT use STARTTLS on port 389. Ensure the LDAP server is listening for SSL connections on port 636 and that the port is reachable from the firewall.
Ensure CA Matches
The most important factor in making sure that it is possible to communicate with the LDAP server over SSL is that the correct CA certificate has been imported into AZTCO-FW and chosen in the LDAP server settings. The server's private key is not required, only the CA certificate.
If the LDAP server certificate was issued by an intermediate CA, or the CA is otherwise part of a chain, every CA certificate in that chain (each intermediate and the root) must be pasted together into the form when importing the CA into AZTCO-FW. For example:
-----BEGIN CERTIFICATE-----
Subordinate/Intermediate CA certificate text
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root CA certificate text
-----END CERTIFICATE-----
Other Cert/CA Issues
Confirm that the certificates are otherwise valid: for example, that neither the server certificate nor any CA certificate in the chain has expired or has a "not valid before" date in the future. Validity is judged against the firewall's own clock, so also check that the firewall's date and time are correct.
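The following script is an added example, not code from AZTCO-FW or its documentation. It builds a throwaway root -> intermediate -> server PKI with the openssl command line (OpenSSL 1.1.1 or newer is assumed) and then runs the same checks an ldaps client performs, reproducing each failure mode described in this section: an IP address entered instead of the hostname, a missing intermediate CA, and an expired certificate. The hostname ldap.example.com, the address 192.168.1.5, the CA names and the file locations are all assumptions for the demo.

```sh
#!/bin/sh
# Added example, not part of AZTCO-FW: build a throwaway root -> intermediate -> server
# PKI with the openssl CLI (1.1.1 or newer assumed) and reproduce each failure mode
# described above: IP instead of hostname, missing intermediate CA, expired certificate.
# All names, IP addresses and file locations below are assumptions for the demo only.
set -e

DEMO_DIR="${DEMO_DIR:-$(mktemp -d)}"
LDAP_HOST="ldap.example.com"   # what would be entered as the LDAP server hostname
LDAP_IP="192.168.1.5"          # the address that hostname resolves to (demo value)

# make_csr CN BASENAME: fresh RSA key and CSR, written to $DEMO_DIR/BASENAME.{key,csr}
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -keyout "$DEMO_DIR/$2.key" -out "$DEMO_DIR/$2.csr" -subj "/CN=$1" >/dev/null 2>&1
}

# Build a root CA, an intermediate CA signed by it, and a server certificate signed
# by the intermediate. The server cert's SAN carries only the DNS name, not the IP.
build_demo_pki() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    >"$DEMO_DIR/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' \
    "$LDAP_HOST" >"$DEMO_DIR/leaf.ext"

  make_csr "Demo Root CA" root
  openssl x509 -req -in "$DEMO_DIR/root.csr" -signkey "$DEMO_DIR/root.key" -days 365 \
    -extfile "$DEMO_DIR/ca.ext" -out "$DEMO_DIR/root.pem" 2>/dev/null

  make_csr "Demo Intermediate CA" int
  openssl x509 -req -in "$DEMO_DIR/int.csr" -CA "$DEMO_DIR/root.pem" -CAkey "$DEMO_DIR/root.key" \
    -set_serial 2 -days 365 -extfile "$DEMO_DIR/ca.ext" -out "$DEMO_DIR/int.pem" 2>/dev/null

  make_csr "$LDAP_HOST" server
  openssl x509 -req -in "$DEMO_DIR/server.csr" -CA "$DEMO_DIR/int.pem" -CAkey "$DEMO_DIR/int.key" \
    -set_serial 3 -days 365 -extfile "$DEMO_DIR/leaf.ext" -out "$DEMO_DIR/server.pem" 2>/dev/null

  # What belongs in the AZTCO-FW CA entry: every CA in the chain, intermediate then root.
  cat "$DEMO_DIR/int.pem" "$DEMO_DIR/root.pem" >"$DEMO_DIR/ca-chain.pem"
}

# check_ldaps_cert CAFILE LEAF NAME [extra openssl verify options]
# Verifies LEAF the way an ldaps client would: chain it to CAFILE and match NAME
# against the certificate. A dotted-quad NAME is checked as an IP SAN, anything
# else as a DNS name. Exit status is openssl's: 0 only if everything checks out.
check_ldaps_cert() {
  _cafile="$1"; _leaf="$2"; _name="$3"; shift 3
  case "$_name" in
    *[!0-9.]*) _flag="-verify_hostname" ;;
    *)         _flag="-verify_ip" ;;
  esac
  openssl verify -CAfile "$_cafile" "$_flag" "$_name" "$@" "$_leaf" 2>&1
}

demo() {
  build_demo_pki
  chain="$DEMO_DIR/ca-chain.pem"; leaf="$DEMO_DIR/server.pem"
  echo "1) full CA chain, DNS hostname (succeeds):"
  check_ldaps_cert "$chain" "$leaf" "$LDAP_HOST" || true
  echo "2) same chain, but the IP address entered as hostname (fails: no IP SAN):"
  check_ldaps_cert "$chain" "$leaf" "$LDAP_IP" || true
  echo "3) only the root CA imported, intermediate missing (fails: issuer not found):"
  check_ldaps_cert "$DEMO_DIR/root.pem" "$leaf" "$LDAP_HOST" || true
  echo "4) clock 400 days ahead, every certificate expired (fails):"
  check_ldaps_cert "$chain" "$leaf" "$LDAP_HOST" -attime "$(( $(date +%s) + 400 * 86400 ))" || true
}

demo
```

Case 1 prints "server.pem: OK"; the other three print openssl's reason for rejecting the certificate, which is the same reason the LDAP connection from the firewall fails. Against a real server the equivalent live check is openssl s_client -connect ldap.example.com:636 -servername ldap.example.com -CAfile ca-chain.pem </dev/null, where a "Verify return code: 0 (ok)" line means the hostname, port and CA chain all agree.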