External LDAP authentication fails with error '([Net::LDAP::Error]: hostname "ad.example.com" does not match the server certificate)'.
Environment
- Red Hat Satellite 6
Issue
External LDAP authentication fails with the following error:

Oops, we're sorry but something went wrong ERF77-7089 [Foreman::LdapException]: Error while connecting to 'LDAP source' LDAP server at 'ad.example.com' during authentication ([Net::LDAP::Error]: hostname "ad.example.com" does not match the server certificate)
Resolution
Change the LDAP Server value of the LDAP Authentication source on the Satellite so that it matches the CN on the SSL certificate that the LDAP server presents to the Satellite. The CN can be read from the presented certificate with:

# openssl s_client -connect ad.example.com:636 -showcerts -state </dev/null | grep CN -
For more KB articles/solutions related to Red Hat Satellite 6.x Authentication Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Authentication Issues
Diagnostic Steps
- Test the connection to the LDAP server from the Satellite:

Satellite web UI -> Administer -> LDAP Authentication -> [Authentication Source Name] -> LDAP server -> Test Connection

ERF50-1006 [Foreman::WrappedException]: Unable to connect to LDAP server ([Net::LDAP::Error]: hostname "ldap.satellite.com" does not match the server certificate)

- Get the CN on the LDAP SSL certificate presented by the LDAP server:

# openssl s_client -connect <FQDN_AD>:636 -showcerts -state </dev/null | grep CN -

- Check the LDAP server configured on the Satellite LDAP Authentication source:

# hammer auth-source ldap info --name "Authentication Source Name" | grep Server:
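The Resolution and the diagnostic steps above both come down to one check: the server name configured on the auth source must be one of the DNS identities in the certificate the LDAP server presents. The following is an added example, not code from the article or from Foreman/Net::LDAP; it is a simplified re-implementation of that TLS hostname-identity check (subjectAltName dNSName entries first, subject CN only as a fallback, one wildcard allowed in the leftmost label) so the mismatch can be reproduced offline and the names the certificate actually carries can be listed. The certificate dictionaries are constructed sample data in the shape returned by Python's ssl.SSLSocket.getpeercert(); all hostnames in them are placeholders.

```python
# Added example (not part of the Red Hat article): simplified TLS hostname-identity
# check, used here to explain the "hostname ... does not match the server
# certificate" error. Certificates below are constructed sample data in the
# shape of ssl.SSLSocket.getpeercert(); hostnames are placeholders.

def cert_identities(cert):
    """DNS names a certificate asserts: subjectAltName dNSName entries if any,
    otherwise the subject commonName (the fallback rule of RFC 6125)."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ())
            for key, value in rdn if key == "commonName"]


def _name_match(pattern, hostname):
    """Case-insensitive match of one certificate name against a hostname.
    A single '*' is allowed only as the entire leftmost label and only when
    the name has at least two further labels (so '*.com' never matches)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(cert, hostname):
    """True if the configured LDAP server name is covered by the certificate."""
    return any(_name_match(name, hostname) for name in cert_identities(cert))


def explain_mismatch(cert, hostname):
    """None when the name is valid; otherwise a message listing the names the
    certificate does carry, i.e. the values an administrator may configure."""
    if hostname_matches(cert, hostname):
        return None
    names = ", ".join(cert_identities(cert)) or "<no DNS identity>"
    return (f'hostname "{hostname}" does not match the server certificate '
            f'(certificate is valid for: {names})')


# Constructed sample: the domain controller certificate names the host
# dc01.example.com, while the auth source was configured with the alias
# ad.example.com, which is the situation described in the article.
DC_CERT = {
    "subject": ((("commonName", "dc01.example.com"),),),
    "subjectAltName": (("DNS", "dc01.example.com"),),
}

# Constructed sample without a SAN extension, so only the CN counts.
CN_ONLY_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "ldap.example.com"),)),
}

# Constructed sample with a wildcard SAN entry.
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.com"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}

if __name__ == "__main__":
    for host in ("ad.example.com", "dc01.example.com"):
        print(host, "->", explain_mismatch(DC_CERT, host) or "OK")
```

Two practical consequences follow from the rule the code implements: any subjectAltName dNSName entry satisfies the check, so the configured server name does not have to be the CN specifically, and if a SAN extension is present the CN is not consulted at all. When the name that must be configured (for example a load-balanced alias) is not in the certificate, the durable fix is to have the LDAP server reissued with that name as a SAN entry rather than to weaken certificate verification on the Satellite.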
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.