User import fails with can't contact AD/LDAP server error
Updated over 9 months ago

This article applies to:

  • Product edition: inSync Cloud

Problem description

User import fails with the "Can't contact AD/LDAP server" error when Secure LDAP is selected under the AD/LDAP account.

[Image: LDAPErrorMsg.png]

A telnet connection from the AD connector to TCP port 636 (Secure LDAP) on the AD/LDAP server succeeds, so plain TCP reachability is not the problem.

Cause

This error usually occurs when Secure LDAP (LDAPS) is not configured on the domain controller: the port accepts the TCP connection, but the domain controller has no certificate with which to complete the TLS handshake, so the bind fails.

Traceback

Errors found in the AD connector logs:

+snip+ 
[2019-06-18 12:12:38,790] [DEBUG] Error <class 'ldap.SERVER_DOWN'>:{'desc': "Can't contact LDAP server"}. Traceback -Traceback (most recent call last): 
File "Srv\inSyncADConnectorRPC.pyc", line 117, in connect_ad 
File "ldap\ldapobject.pyc", line 214, in simple_bind_s 
File "ldap\ldapobject.pyc", line 208, in simple_bind 
File "ldap\ldapobject.pyc", line 106, in _ldap_call 
SERVER_DOWN: {'desc': "Can't contact LDAP server"} 
[2019-06-18 12:12:38,790] [ERROR] Error <class 'inSyncLib.inSyncError.SyncError'>:Can't contact AD/LDAP server. Please check AD/LDAP services are running properly (#10000008d). Traceback -Traceback (most recent call last): 
File "inSyncLib\inSyncRPCServer.pyc", line 100, in call_method 
File "inSyncLib\inSyncRPCBase.pyc", line 1152, in call_method 
File "Srv\inSyncADConnectorRPC.pyc", line 126, in connect_ad 
SyncError: Can't contact AD/LDAP server. Please check AD/LDAP services are running properly (#10000008d) 
+snip+ 

Resolution

  1. Verify LDAPS connectivity using the ldp.exe tool:

    1. If ldp.exe is not available on your system, download the Windows Support Tools from the Microsoft website before proceeding with the verification.

    2. Start the ldp.exe application: go to Run, enter ldp.exe and click OK.

      [Image: RunWindow.png]
    3. Connect to the Domain Controller using its FQDN: go to Connection > Connect, enter the Domain Controller FQDN, select SSL, specify port 636 as shown below and click OK.

      [Image: ConctDomainController.png]
    4. You see the error below if Secure LDAP is not configured on the Domain Controller registered with inSync.

      [Image: DomainControlRegErrror.png]
  2. Enable LDAPS on a DC with one of the following methods:

    • LDAPS is automatically enabled when you install an Enterprise Root CA on a Domain Controller. If you install the AD CS role and specify the setup type as "Enterprise" on a DC, all DCs in the forest are automatically configured to accept LDAPS.

    • Add a digital certificate to each DC. Irrespective of the CA you use to obtain this certificate, it must be trusted both by the DCs and by the computers running the LDAP client application (here, the inSync AD connector).
      If you prepare a Windows Server 2008/R2/2012 DC to accept LDAPS connections, import the certificate into the AD DS personal store.

Verification

Once LDAPS has been enabled on the Domain controller, try to connect using ldp.exe as discussed above.

If the configuration is good, you will receive an output which is similar to the one given below:

[Image: EnableLDAPonDC.png]
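As an added illustration (not part of this article or of Druva's tooling), the following Python script reproduces the distinction the article relies on: a plain TCP connect to port 636 succeeds while the TLS handshake fails because the DC serves no LDAPS, and separately flags a DC certificate the client does not trust. The stand-in listener, the outcome labels and the loopback addresses are constructed for the example.

```python
import socket
import ssl
import threading

def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Classify an LDAPS connection attempt one layer at a time:
    "tcp_unreachable"      nothing answers on the port (firewall / wrong host)
    "tls_handshake_failed" port open but no TLS served (LDAPS not configured)
    "tls_cert_untrusted"   TLS works but the DC certificate is not trusted here
    "ldaps_ok"             handshake and certificate validation succeeded"""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "tcp_unreachable"  # the telnet-style check would fail here too
    ctx = ssl.create_default_context(cafile=cafile)  # chain + hostname checks on
    try:
        ctx.wrap_socket(raw, server_hostname=host).close()  # handshake here
        return "ldaps_ok"
    except ssl.SSLCertVerificationError:
        return "tls_cert_untrusted"  # LDAPS served, but cert not trusted by client
    except (ssl.SSLError, OSError):
        return "tls_handshake_failed"  # the article's case: telnet OK, bind fails

def plain_tcp_listener():
    """Constructed stand-in for a DC that accepts TCP 636 but has no LDAPS.
    Returns the ephemeral loopback port it listens on; serves one connection."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    def serve():
        conn, _ = srv.accept()
        conn.settimeout(2)
        try:
            conn.recv(4096)  # read the ClientHello, then simply hang up
        except OSError:
            pass
        conn.close()
        srv.close()
    threading.Thread(target=serve, daemon=True).start()
    return port

def simulate():  # run the check against the stand-in and against a closed port
    open_port = plain_tcp_listener()
    probe = socket.socket(); probe.bind(("127.0.0.1", 0))
    closed = probe.getsockname()[1]; probe.close()
    return check_ldaps("127.0.0.1", open_port), check_ldaps("127.0.0.1", closed)

if __name__ == "__main__":
    print(simulate())  # ('tls_handshake_failed', 'tcp_unreachable')
```

Against a real DC, call check_ldaps with the DC FQDN and the CA bundle the AD connector host trusts; "tls_cert_untrusted" points at the certificate-trust requirement in the resolution rather than at a missing LDAPS listener.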
