When attempting to connect to Active Directory on Windows Server 2012 (possibly R2) over LDAPS, ldapsearch produces one of the following errors (at the end of a longer output):
$ ldapsearch -H ldaps://my.ad.com -v -b "dc=my,dc=ad,dc=com"
...
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
additional info: A TLS packet with unexpected length was received.
or
$ ldapsearch -H ldaps://my.ad.com -v -b "dc=my,dc=ad,dc=com" -D "user@my.ad.com"
...
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
or
$ ldapsearch -H ldaps://my.ad.com -d 1 -v -b "dc=my,dc=ad,dc=com" -D "user@my.ad.com" -W
...
TLS: can't connect: A TLS packet with unexpected length was received..
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
The SSL certificate has been installed and verified using s_client e.g.:
openssl s_client -connect my.ad.com:636 -CApath /etc/ssl/certs/
… which generates valid output ending in something like:
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
Session-ID: 2938000006304A580F4FA7C47F3C0C64FCF43B83B666D24B247775E24DC6B5B1
Session-ID-ctx:
Master-Key: C835DACE990D164C2F97F594B1D6989179735CE38AD822165F7C20C99C826DEE7E91816693AA72B08ADD85EDB6493578
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1490979674
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
Best Answer
This problem can occur because the TLS 1.2 implementation in Windows 2012 is incompatible with some versions of Linux libraries like gnutls. If this is your problem, disabling TLS 1.2 will restore functionality. The following options may be available to you:
In Linux CLI (may need to escape the exclamation point, found here):
In PHP on Linux (found here and here):
On Windows Server 2012, I can't find concise instructions, but these are the registry entries. Directly editing the registry can be dangerous so use with caution.
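The s_client check in the question only shows what one OpenSSL build negotiates by default. Before disabling TLS 1.2 server-side, it is worth seeing which protocol versions the LDAPS endpoint actually accepts and what cipher each one lands on, so you know whether a downgrade workaround would connect at all and what you would be giving up. The script below is an added example, not code from the question, the answer, or any linked page. It uses only Python's standard ssl module, so it reflects the OpenSSL library Python links against rather than the GnuTLS library ldapsearch may use: if every version negotiates here but ldapsearch still fails, the problem is in the LDAP client's TLS stack, not in the server certificate. The host name is a placeholder taken from the question; port 636 and the five-second timeout are assumptions.

```python
"""Probe an LDAPS endpoint one TLS protocol version at a time.

Added example (not from the original question or answer). Assumes the host
is passed on the command line; "my.ad.com" below is the placeholder used in
the question, not a real endpoint.
"""
import socket
import ssl
import sys
import warnings

# Versions to try, newest first. TLS 1.0 / 1.1 are included only so the
# report shows what a "disable TLS 1.2" workaround would actually negotiate.
VERSIONS = [
    ("TLS1.3", ssl.TLSVersion.TLSv1_3),
    ("TLS1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS1.0", ssl.TLSVersion.TLSv1),
]


def make_context(version, verify=True, cafile=None):
    """Build a client context pinned to exactly one protocol version.

    verify=True keeps hostname and chain checking on (the sane default);
    cafile can point at the CA bundle used with s_client, e.g. a file under
    /etc/ssl/certs/.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with warnings.catch_warnings():
        # Pinning to TLS 1.0/1.1 emits a DeprecationWarning on recent Pythons.
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    return ctx


def classify_error(exc):
    """Map a handshake failure to a coarse category for the report.

    Order matters: SSLCertVerificationError is an SSLError, and both are
    OSError subclasses, so the most specific check comes first.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "certificate verification failed"
    if isinstance(exc, ssl.SSLError):
        return "handshake rejected"
    if isinstance(exc, OSError):  # covers ConnectionError and socket timeouts
        return "connection failed"
    return "unexpected error"


def probe(host, port=636, verify=True, cafile=None, timeout=5.0):
    """Try each version in VERSIONS against host:port.

    Returns {label: (True, negotiated_version, cipher_name)} on success or
    {label: (False, reason)} on failure, so a caller can see at a glance which
    versions the server will speak from this client's TLS library.
    """
    results = {}
    for label, version in VERSIONS:
        try:
            ctx = make_context(version, verify, cafile)
            with socket.create_connection((host, port), timeout=timeout) as raw:
                with ctx.wrap_socket(raw, server_hostname=host) as tls:
                    results[label] = (True, tls.version(), tls.cipher()[0])
        except Exception as exc:  # any failure is a data point in this report
            results[label] = (False, f"{classify_error(exc)}: {exc}")
    return results


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "my.ad.com"  # placeholder
    for label, result in probe(target).items():
        if result[0]:
            print(f"{label}: ok, negotiated {result[1]} with {result[2]}")
        else:
            print(f"{label}: failed, {result[1]}")
```

Run it as `python3 ldaps_probe.py my.ad.com`. A row that succeeds only with verify=False points at the certificate chain (the s_client output in the question, with `Verify return code: 0 (ok)`, rules that out); a TLS1.2 row that is "handshake rejected" from this client while s_client succeeds means the two OpenSSL builds differ in cipher or extension defaults, which is the same class of interoperability problem the answer attributes to gnutls.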