LDAP Connector is Offline

travis.evers · September 19, 2024, 2:51pm

Overview

This article explains a potential cause of the following error after executing the LDAP "node troubleshoot.js" script.

“Local and server certificates don’t match”

Here is an example of the output from the command.

C:\Program Files (x86)\Auth0\AD LDAP Connector>node troubleshoot.js

 Troubleshooting AD LDAP connector

Reading CA certificates from Windows Store
Adding 40 certificates
16:36:29 - info: No proxy server configured.
16:36:29 - info: * Testing connectivity to Auth0...
16:36:29 - info:   > Test endpoint: https://example.eu.auth0.com/
test
16:36:29 - info: √ Connection to test endpoint succeeded.
16:36:29 - info: * Testing hub connectivity (WS).
16:36:29 - info: √ Connection to hub succeeded.
16:36:29 - info: * Testing clock skew...
16:36:30 - info: √ Everything OK. No clock skew detected.
16:36:30 - info: * Testing certificates...
16:36:30 - info:   > Local thumbprint: 17b601ccf1b262a3e7a11455ab313fe312c2d850
16:36:30 - info:   > Server thumbprint: fbe58997763540eaeb98eb7129acecda42f00f1f

16:36:30 - error: x Local and server certificates don't match.
1
16:36:30 - info:   > The command completed successfully
16:36:30 - info: * Testing SSL connectivity to LDAP.
16:36:30 - info: * Testing LDAP connectivity.
16:36:30 - info:   > LDAP BASE: DC=contoso,DC=com
16:36:30 - error: x Connection to LDAP failed.
16:36:30 - error:   > Error: error:06065064:digital envelope routines:EVP_Decryp
tFinal_ex:bad decrypt
16:36:30 - info: Done!

Press any key to continue . . .

Applies To

AD LDAP Connector
node troubleshoot.js script
Certificates

Cause

There is a mismatch between the local and the server certificates.

Solution

If the certificates from the previous installation are still available, replacing the certificates from the current installation with those from the old one will solve the issue.

Otherwise it’s necessary to regenerate them per the steps below:

Back up config.json located in the AD/LDAP connector directory.
Make a note of the provisioning ticket URL (PROVISIONING_TICKET ) from the config.json file.
Reset config.json by clearing the following configuration keys:

PROVISIONING_TICKET
LDAP_BIND_CREDENTIALS
SERVER_URL
LAST_SENT_THUMBPRINT
TENANT_SIGNING_KEY

Remove the certificates and thumbprint from the connection:
Retrieve the connection object using the management API.
Remove the certs and thumbprint attributes and patch the connection using the object as the payload:
Delete the certificates folder in the AD/LDAP connector directory.
Open the AD/LDAP Admin Console.
Enter provisioning ticket URL noted in step 2.
Enter the admin password and click Save.
Start the AD/LDAP connector.

Related References

Troubleshoot AD/LDAP Connector

Topic		Replies	Views
AD/LDAP COnnector: error: × Local and server certificates don't match. Help ad-ldap-connector	1	4600	March 2, 2018
AD LDAP Connector - error testing LDAP connectivity Help error , ldap , ad-ldap-connector	1	4011	April 28, 2020
LDAP linux connector: Error: unable to get local issuer certificate Help certificate , ldap , linux	2	5955	March 2, 2018
LDAP connection closed unexpectedly Help ad-connector	3	5772	March 2, 2018
LDAP connector is reporting "certificate has expired" Help organizations-directory-authorization , directory-authorization	1	1034	July 25, 2023