SSL/TLS is always tricky. What I would recommend is to break down the problem into smaller chunks. Specifically, I would try to use some known client tool (e.g. curl, ldapsearch, openssl s_client, etc.) to point to the WebSEAL keystore where you have the lua-ldap-ca-cert-label entry stored and try to connect to your external LDAP server. Using one of these client tools, hopefully you can get some more useful error messages to help you resolve the problem. If my suggestion isn't clear, please let me know and I'll provide some more detail.
------------------------------
Frank Tate
Gulfsoft Consulting
https://www.gulfsoft.com
AIOps Experts. Contact us for implementation help.
------------------------------
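The diagnostic Frank suggests, written out as an added shell example (it is not code from either post or from IBM): reproduce the LDAPS handshake with openssl and ldapsearch using the same CA certificate that the lua-ldap-ca-cert-label entry points to, so the real verification error is visible instead of "Can't contact LDAP server". The host isvd.example.com, port 636 and the exported CA file ./isvd-ca.pem are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Placeholders: isvd.example.com:636 is the
# external ISVD LDAPS endpoint, ./isvd-ca.pem is the CA (or self-signed server)
# certificate exported from the Reverse Proxy keystore.

# 1. Offline check: does the certificate in the keystore actually verify the
#    server certificate? For a self-signed ISVD certificate, the CA file must be
#    that very certificate, not just something with the same CN.
#    Exit status 0 = chain verifies, 1 = would produce "Unknown CA".
verify_server_cert() {
    server_cert=$1 ca_file=$2
    openssl verify -CAfile "$ca_file" "$server_cert" >/dev/null 2>&1
}

# 2. Live check: a TLS 1.3 handshake with openssl s_client. The output contains
#    the "Verify return code" line that WebSEAL hides behind its generic error.
ldaps_handshake() {
    host=$1 port=$2 ca_file=$3
    openssl s_client -connect "$host:$port" -CAfile "$ca_file" -tls1_3 \
        -servername "$host" -showcerts </dev/null 2>/dev/null
}

# 3. Extract the leaf certificate the server really presented (the packet trace
#    could not show it because the handshake payload is encrypted in TLS 1.3).
#    openssl x509 reads only the first PEM block, which is the leaf.
server_leaf_cert() {
    ldaps_handshake "$@" | openssl x509 -outform PEM
}

# 4. LDAP-level check with the same CA file via LDAPTLS_CACERT, which keeps
#    server authentication on, unlike LDAPTLS_REQCERT=never.
ldapsearch_with_ca() {
    host=$1 port=$2 ca_file=$3
    LDAPTLS_CACERT=$ca_file ldapsearch -H "ldaps://$host:$port" -x \
        -s base -b '' namingContexts
}

# Manual usage against the placeholder endpoint:
#   ldaps_handshake isvd.example.com 636 ./isvd-ca.pem | grep 'Verify return code'
#   server_leaf_cert isvd.example.com 636 ./isvd-ca.pem > presented.pem
#   verify_server_cert presented.pem ./isvd-ca.pem && echo "keystore CA matches"
#   ldapsearch_with_ca isvd.example.com 636 ./isvd-ca.pem
```

If verify_server_cert fails on the presented certificate, the keystore holds a different certificate than the one ISVD serves (for example a renewed or different self-signed copy), which is exactly what the "Unknown CA" alert reports.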
Original Message:
Sent: Thu June 05, 2025 11:20 AM
From: Rudy Santos
Subject: IVIA - LUALDAP
Hello,
I'm trying to configure LUALDAP to use LDAPS instead of LDAP.
However, the error message "Can't contact LDAP server" is returned.
If I use LDAP, LUALDAP works as expected.
I have configured the lua-ldap-ca-cert-label entry and I'm basically following the steps described here for this configuration.
The key difference is that I'm using an external LDAP (ISVD) with TLS 1.3 enabled, instead of the internal LDAP.
I also tried using the lualdap.open function instead of initialize.
Using Packet Tracing I could identify that the problem may be related to the CA, as during the handshake, RP sends a TCP response Alert with the message "Unknown CA".
The ISVD certificate is self-signed and the certificate is stored in the RP keystore.
As all the TCP payloads are encrypted, it's not possible to identify the certificate sent by ISVD.
The certificate is the same used by RP to authenticate the users when using username/password.
By the way, if I use the entry LDAPTLS_REQCERT = never, the LUA script can connect to the LDAP server.
Any suggestion?
------------------------------
Rudy Santos
------------------------------