LDAPS Connection Issue - Unable to open socket - Mailing list pgsql-admin

Hi everyone,

I am just starting out with pgAdmin and trying to configure an LDAPS connection to Active Directory, however, I am receiving the error message below.

This installation is on a CentOS 8 server with firewalld and SELinux currently disabled. Here are the relevant LDAP settings from /usr/lib/python3.6/site-packages/pgadmin4-web/config_local.py file -

AUTHENTICATION_SOURCES = ['ldap']

LDAP_AUTO_CREATE_USER = True

LDAP_CONNECTION_TIMEOUT = 10

LDAP_SERVER_URI = 'ldaps://ad:636'

LDAP_BASE_DN = '(&(objectClass=user)(memberof=CN=pgAdmin,OU=Security Groups,OU=Domain Groups,DC=[REDACTED],DC=[REDACTED]))'

LDAP_USERNAME_ATTRIBUTE = 'sAMAccountName'

LDAP_SEARCH_BASE_DN = '<Search-Base-DN>'

LDAP_SEARCH_FILTER = '(objectclass=user)'

LDAP_SEARCH_SCOPE = 'SUBTREE'

LDAP_USE_STARTTLS = True

LDAP_CA_CERT_FILE = '/etc/pki/tls/certs/chain.cer'

LDAP_CERT_FILE = '/etc/pki/tls/certs/[REDACTED].crt'

LDAP_KEY_FILE = '/etc/pki/tls/private/[REDACTED].key'

I have verified the chain CA cert against my local server cert and it is showing as ok.

I also was able to connect to the server using openssl s_client as shown below –

openssl s_client -connect ad:636 -CAfile /etc/pki/tls/certs/chain.cer

CONNECTED(00000003)

Can't use SSL_get_servername

depth=2 CN = ROOT-CA

verify return:1

depth=1 DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

verify return:1

depth=0

verify return:1

---

Certificate chain

0 s:

   i:DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

1 s:DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

   i:CN = ROOT-CA

---

Server certificate

-----BEGIN CERTIFICATE-----

[REDACTED]

-----END CERTIFICATE-----

subject=

issuer=DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

---

No client certificate CA names sent

Client Certificate Types: RSA sign, DSA sign, ECDSA sign

Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512

Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512

Peer signing digest: SHA256

Peer signature type: RSA

Server Temp Key: ECDH, P-384, 384 bits

---

SSL handshake has read 3355 bytes and written 469 bytes

Verification: OK

---

New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384

Server public key is 2048 bit

Secure Renegotiation IS supported

Compression: NONE

Expansion: NONE

No ALPN negotiated

SSL-Session:

    Protocol  : TLSv1.2

    Cipher    : ECDHE-RSA-AES256-GCM-SHA384

    Session-ID: [REDACTED]

    Session-ID-ctx:

    Master-Key: [REDACTED]

    PSK identity: None

    PSK identity hint: None

    SRP username: None

    Start Time: 1591252114

    Timeout   : 7200 (sec)

    Verify return code: 0 (ok)

    Extended master secret: yes

I am also able to connect and bind with the relevant account using ldp.exe from my Windows machine, so it looks like the server is able to connect to this port on the AD server fine. At this point I really don’t know what this issue is pointing to and can not find any documentation on the issue. What am I missing here?!

Kind regards

Mat Hanson
Network Security Engineer

This e-mail message is intended only for the addressee(s) and contains information which may be confidential. If you are not the intended recipient please advise the sender by return email at info@chrysos.com.au. Delete this message and any attachments from your system and do not use or disclose the contents.