LDAP using SSL Failing to BIND in Production


JeanineJ

I've got a possibly weird situation. I'm running CMOD MP 10.5.0.5 on 3 RHEL7 servers. With Lab Services' help I've managed to implement LDAP Authentication using SSL on the 2 non-prod servers. When I attempted to implement it in Production, I ran into a problem where the LDAP ID won't perform the initial BIND. I was able to use the same production ID to BIND on one of the lower environment servers.
1. I've checked and rechecked my typing for the LDAP parms in ars.cfg along with having them peer reviewed. I've redone the LDAP BIND ID and password in the stash file.
2. The .pem certificate is the same across all 3 servers just has different labels in the keyring DB.
3. Initially I used 1 ID to BIND on the 2 non-prod servers and a second ID to BIND in PROD.
4. The Linux team assures me that the traffic outbound to the AD server is not blocked on either port 636 or 3269.

I've got a ticket open with IBM but I was wondering if anyone in the user group had any issues.
I'm out of ideas.
Now I also see that there is also an issue in our company with CM failing LDAP Authentication with SSL enabled.

rjrussel

Sounds like some certs may have expired/changed.

JeanineJ

#2
The certificate I was given by the group responsible for AD expires next year and is working in the lower environments. I just did a full server reboot last night (my maintenance window) and that didn't help. I changed the port to 389 and set SSL to FALSE, I have repopulated the keyring db 3 times, and updated my LDAP ID 3 times. According to my server admin (I know enough about Linux to be dangerous), there's no outbound port blocked for 389, 636, or 3269 on the CMOD server. IBM had me add ARS_LDAP_REFFERALS=FALSE and I tested that last night with no success.

My last options will be to use the other ID to connect and/or fine-tune the BASE_DN to OU=XXXXX People,DC=xxx,DC=xxxx,DC=xxxxx,DC=com.

This is what I get:
29978:140246905972480 06/16/2024 21:08:28:097711 FLOW arsldap.c(2427)ArcLDAP_Authenticate:Enter
29978:140246905972480 06/16/2024 21:08:28:097767 FLOW arsldap.c(2350)ArcLDAPP_CheckIgnoreUsers:Enter
29978:140246905972480 06/16/2024 21:08:28:097776 FLOW arsldap.c(2398)ArcLDAPP_CheckIgnoreUsers:Return rc=0
29978:140246905972480 06/16/2024 21:08:28:097786 ERROR arsldap.c(2446)ArcLDAP_Authenticate:LDAP has not been initialized
29978:140246905972480 06/16/2024 21:08:28:097797 FLOW arsldap.c(2772)ArcLDAP_Authenticate:Return arccs return code=6,ARCCS_FAILED

I'm fresh out of ideas.

rjrussel

It looks like you didn't enable LDAP through the Windows ADMIN client for the server you are now trying to set up.

Log into your server, right-click on it and select "System Parameters". Click the Login Information tab and make sure the Enable LDAP box is checked.

You will need to recycle arssockd once this change is made.
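As an added example (not IBM code and not from either poster), here is a small parser for the arsldap.c trace format quoted in the thread, with a classifier that maps the "LDAP has not been initialized" error to the cause rjrussel identified. The trace field layout is inferred from the five quoted lines, and the verdict labels (`ldap_not_enabled`, `authenticate_failed`, `no_error_seen`, `unparsed`) are this example's own names, not CMOD return codes. The practical point it encodes: that error is raised before any connection is attempted, so keyring, certificate, port and bind-ID checks cannot clear it; only enabling LDAP in System Parameters and recycling arssockd does.

```python
"""Classify IBM CMOD arsldap.c trace lines (added example; format taken from the post above)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Layout seen in the post:
# "<pid>:<tid> <mm/dd/yyyy> <hh:mm:ss:usec> <LEVEL> <file>(<line>)<Function>:<message>"
TRACE_RE = re.compile(
    r"^(?P<pid>\d+):(?P<tid>\d+)\s+"
    r"(?P<date>\d{2}/\d{2}/\d{4})\s+(?P<time>\d{2}:\d{2}:\d{2}:\d+)\s+"
    r"(?P<level>[A-Z]+)\s+"
    r"(?P<file>[\w.]+)\((?P<line>\d+)\)"
    r"(?P<func>\w+):(?P<msg>.*)$"
)
RC_RE = re.compile(r"return code=(?P<rc>\d+),(?P<name>\w+)")

# Message text quoted in the post; the answer attributes it to LDAP being
# switched off in System Parameters > Login Information.
NOT_INITIALIZED = "LDAP has not been initialized"


@dataclass
class TraceEntry:
    pid: int
    tid: int
    timestamp: str
    level: str
    source: str   # e.g. "arsldap.c(2446)"
    func: str
    msg: str


def parse_trace_line(line: str) -> Optional[TraceEntry]:
    """Return a TraceEntry for one trace line, or None if it is not in this format."""
    m = TRACE_RE.match(line.strip())
    if not m:
        return None
    return TraceEntry(
        pid=int(m["pid"]), tid=int(m["tid"]),
        timestamp=f"{m['date']} {m['time']}",
        level=m["level"],
        source=f"{m['file']}({m['line']})",
        func=m["func"], msg=m["msg"],
    )


def diagnose(lines: List[str]) -> dict:
    """Summarise one ArcLDAP_Authenticate flow: errors seen, final rc, and a verdict."""
    entries = [e for e in (parse_trace_line(ln) for ln in lines) if e is not None]
    errors = [e for e in entries if e.level == "ERROR"]
    rc, rc_name = None, None
    for e in entries:
        m = RC_RE.search(e.msg)
        if m and e.func == "ArcLDAP_Authenticate":
            rc, rc_name = int(m["rc"]), m["name"]

    if not entries:
        verdict = "unparsed"
    elif any(NOT_INITIALIZED in e.msg for e in errors):
        # Raised before any connection attempt: server-side LDAP is off, so the
        # ports, the keyring certificate and the bind ID were never exercised.
        verdict = "ldap_not_enabled"
    elif errors or rc not in (None, 0):
        verdict = "authenticate_failed"
    else:
        verdict = "no_error_seen"

    return {
        "entries": len(entries),
        "errors": [f"{e.source} {e.func}: {e.msg}" for e in errors],
        "return_code": rc,
        "return_name": rc_name,
        "verdict": verdict,
    }


# Trace lines as quoted in the post above (sample input for this example).
SAMPLE_TRACE = [
    "29978:140246905972480 06/16/2024 21:08:28:097711 FLOW arsldap.c(2427)ArcLDAP_Authenticate:Enter",
    "29978:140246905972480 06/16/2024 21:08:28:097767 FLOW arsldap.c(2350)ArcLDAPP_CheckIgnoreUsers:Enter",
    "29978:140246905972480 06/16/2024 21:08:28:097776 FLOW arsldap.c(2398)ArcLDAPP_CheckIgnoreUsers:Return rc=0",
    "29978:140246905972480 06/16/2024 21:08:28:097786 ERROR arsldap.c(2446)ArcLDAP_Authenticate:LDAP has not been initialized",
    "29978:140246905972480 06/16/2024 21:08:28:097797 FLOW arsldap.c(2772)ArcLDAP_Authenticate:Return arccs return code=6,ARCCS_FAILED",
]

if __name__ == "__main__":
    from pprint import pprint
    pprint(diagnose(SAMPLE_TRACE))
```

Feed it the ArcLDAP_Authenticate section of an arssockd trace; a verdict of `ldap_not_enabled` means the admin-client setting is the thing to check first, while `authenticate_failed` without that message is where the certificate, port and BIND-ID checks from the thread come into play.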