Describe the bug
We have a ForgeRock DS server hosted on a non-standard port (5636, for example), which is also published via a load balancer on the standard port 636. Trying to run Find-LdapObject against the non-standard port throws the error "The LDAP server is unavailable". The command completes successfully on the non-standard unencrypted port 4389 and on the standard ports via the load balancer (389 & 636).
This is all that is in the error message:
PSMessageDetails :
Exception : System.Management.Automation.MethodInvocationException: Exception calling "SendRequest" with "1" argument(s): "The LDAP server is unavailable." ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at CallSite.Target(Closure , CallSite , LdapConnection , SearchRequest )
--- End of inner exception stack trace ---
at System.Management.Automation.ExceptionHandlingOps.CheckActionPreference(FunctionContext funcContext, Exception exception)
at System.Management.Automation.Interpreter.ActionCallInstruction`2.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
at System.Management.Automation.Interpreter.EnterTryCatchFinallyInstruction.Run(InterpretedFrame frame)
TargetObject :
CategoryInfo : NotSpecified: (:) [], MethodInvocationException
FullyQualifiedErrorId : LdapException
ErrorDetails :
InvocationInfo : System.Management.Automation.InvocationInfo
ScriptStackTrace : at GetResultsDirectlyInternal, C:\Program Files\WindowsPowerShell\Modules\S.DS.P\2.1.6\S.DS.P.psm1: line 2000
at Find-LdapObject, C:\Program Files\WindowsPowerShell\Modules\S.DS.P\2.1.6\S.DS.P.psm1: line 416
at , : line 1
PipelineIterationInfo : {}
When I look at the LDAP server logs, I can see a connection being initiated, but that's about it:
[29/Nov/2023:04:18:03 +0400] CONNECT conn=2414127 from=10.1.10.111:52746 to=10.225.0.120:5636 protocol=LDAPS
There is nothing else in the logs. Usually there are lines indicating BIND, SEARCH/MODIFY/COMPARE, UNBIND and DISCONNECT operations. Eventually, at about the 90-second mark, I see a DISCONNECT due to timeout.
I thought it could be something to do with certificates, so I added -CertificateValidationFlags AllFlag
and this time the command takes a while thinking about it, yet returns nothing. However, in the logs I see CONNECT, BIND, SEARCH, UNBIND & DISCONNECT operations, with SEARCH returning 2 results. I don't see these two entries returned as a response on the console.
To clarify, the certificates are trusted on the local machine (in fact, SSL offloading is not enabled on the load balancer, so connecting via the load balancer presents the same certificate as the server) and all DNS names are present as SANs. I'm not quite sure what the issue is here.
Environment (please complete the following information):
- OS: WIN11/Server 2019
- PowerShell version [$psVersionTable]: 5.1.17763.4974 & 7.2.1 on server side & 7.2.16 on client side
- S.DS.P Module version [e.g. 1.9.1]: 2.1.6
Not posting the real ports/IP addresses/server names/logs because this is a production server, but if required, I can share this information via direct message.
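A stand-alone diagnostic, added here as an example (it is not S.DS.P code and not the reporter's script), that talks to an LDAPS endpoint through System.DirectoryServices.Protocols, the same .NET API the module's Find-LdapObject wraps (see the stack trace above). It performs the TLS handshake plus bind, and then the search, as separately observable steps, and records the server certificate's chain status and hostname match rather than disabling validation wholesale, so the failure on the non-standard port can be compared with the load-balanced one. The server name, port, base DN and credential are placeholders, and the SAN parsing assumes the Windows formatting of the extension.

```powershell
# Added diagnostic example, not part of S.DS.P or the original issue.
# Placeholders: ds.example.com / ds-lb.example.com, ports, base DN, credential.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [Parameter(Mandatory)] [string] $BaseDN,
        [string] $Filter = '(objectClass=*)',
        [System.Management.Automation.PSCredential] $Credential,   # user name must be a bind DN for DS
        [int] $TimeoutSeconds = 30
    )

    # Collected by the certificate callback; a List is captured by reference in the closure below.
    $chainStatus = New-Object 'System.Collections.Generic.List[string]'
    $result = [ordered]@{
        Endpoint = "$Server`:$Port"; Bind = 'not attempted'; SearchEntries = $null
        ChainStatus = @(); Error = $null
    }

    # Third argument $true: treat $Server as a literal host name, not a domain to be located.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.Timeout = [TimeSpan]::FromSeconds($TimeoutSeconds)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS (TLS from the first byte), not StartTLS

    # Validate the presented certificate explicitly and record *why* it fails. Returning $false
    # rejects the connection instead of silently trusting an untrusted or mis-named certificate.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert  = [System.Security.Cryptography.X509Certificates.X509Certificate2] $certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'            # keep the test about trust, not CRL reachability
        $chainOk = $chain.Build($cert)
        foreach ($s in $chain.ChainStatus) { $chainStatus.Add("$($s.Status): $($s.StatusInformation.Trim())") }

        # X509Chain.Build does not check the host name; compare the dialled name against the SAN (OID 2.5.29.17).
        # Simplification for the example: exact substring match, so wildcard names are not handled.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $hostOk = $san -match ('(?i)DNS Name=' + [regex]::Escape($Server) + '(,|$)')
        if (-not $hostOk) { $chainStatus.Add("HostnameMismatch: dialled '$Server', SAN='$san'") }
        $chainStatus.Add("Subject=$($cert.Subject) Thumbprint=$($cert.Thumbprint) Valid=$chainOk HostMatch=$hostOk")
        return ($chainOk -and $hostOk)
    }.GetNewClosure()

    try {
        if ($Credential) {
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
            $conn.Credential = $Credential.GetNetworkCredential()
        } else {
            $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Anonymous
        }
        # Bind() performs the TCP connect, the TLS handshake (invoking the callback) and the LDAP bind.
        $conn.Bind()
        $result.Bind = 'ok'

        $req  = [System.DirectoryServices.Protocols.SearchRequest]::new(
                    $BaseDN, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree, [string[]]@('objectClass'))
        $resp = $conn.SendRequest($req)
        $result.SearchEntries = $resp.Entries.Count
    } catch {
        # PowerShell wraps .NET exceptions in MethodInvocationException; report the inner LdapException.
        $ex = $_.Exception
        if ($ex -is [System.Management.Automation.MethodInvocationException] -and $ex.InnerException) { $ex = $ex.InnerException }
        $code = if ($ex -is [System.DirectoryServices.Protocols.LdapException]) { " ErrorCode=$($ex.ErrorCode)" } else { '' }
        $result.Error = "$($ex.GetType().Name)$code`: $($ex.Message)"
        if ($result.Bind -ne 'ok') { $result.Bind = 'failed' }
    } finally {
        $result.ChainStatus = $chainStatus.ToArray()
        $conn.Dispose()
    }
    [pscustomobject] $result
}

# Usage (placeholders): run the direct non-standard port and the load-balanced standard port side by side.
Test-LdapsEndpoint -Server 'ds.example.com'    -Port 5636 -BaseDN 'dc=example,dc=com' | Format-List
Test-LdapsEndpoint -Server 'ds-lb.example.com' -Port 636  -BaseDN 'dc=example,dc=com' | Format-List
```

If ChainStatus lists a problem and Error reports the same "The LDAP server is unavailable" (LdapException ErrorCode 81, ServerDown), the certificate is being rejected during the handshake rather than the server being unreachable; the Windows LDAP client typically surfaces a rejected server certificate as that generic error, which is consistent with the DS log showing only CONNECT and then a timeout DISCONNECT. If ChainStatus is clean on both endpoints and only the non-standard port fails, the certificate can be ruled out and the difference lies elsewhere (the request, the path, or the module's handling of the port). Either way this narrows the problem without the blanket -CertificateValidationFlags AllFlag, which should stay out of production scripts because it accepts any certificate.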