LDAPS Connection Issue - Unable to open socket

From: Mat Hanson <Mat(dot)Hanson(at)chrysos(dot)com(dot)au>
To: "pgsql-admin(at)lists(dot)postgresql(dot)org" <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: LDAPS Connection Issue - Unable to open socket
Date: 2020-06-04 07:03:46
Message-ID: ME3P282MB136328AF683BBF412901DE63A3890@ME3P282MB1363.AUSP282.PROD.OUTLOOK.COM
Lists: pgsql-admin

Hi everyone,

I am just starting out with pgAdmin and trying to configure an LDAPS connection to Active Directory; however, I am receiving the error message below.

[inline image: screenshot of the error message]

This installation is on a CentOS 8 server with firewalld and SELinux currently disabled. Here are the relevant LDAP settings from the /usr/lib/python3.6/site-packages/pgadmin4-web/config_local.py file:

AUTHENTICATION_SOURCES = ['ldap']
LDAP_AUTO_CREATE_USER = True
LDAP_CONNECTION_TIMEOUT = 10
LDAP_SERVER_URI = 'ldaps://ad:636'
LDAP_BASE_DN = '(&(objectClass=user)(memberof=CN=pgAdmin,OU=Security Groups,OU=Domain Groups,DC=[REDACTED],DC=[REDACTED]))'
LDAP_USERNAME_ATTRIBUTE = 'sAMAccountName'
LDAP_SEARCH_BASE_DN = '<Search-Base-DN>'
LDAP_SEARCH_FILTER = '(objectclass=user)'
LDAP_SEARCH_SCOPE = 'SUBTREE'
LDAP_USE_STARTTLS = True
LDAP_CA_CERT_FILE = '/etc/pki/tls/certs/chain.cer'
LDAP_CERT_FILE = '/etc/pki/tls/certs/[REDACTED].crt'
LDAP_KEY_FILE = '/etc/pki/tls/private/[REDACTED].key'

I have verified the chain CA cert against my local server cert and it is showing as ok.

I was also able to connect to the server using openssl s_client, as shown below:

openssl s_client -connect ad:636 -CAfile /etc/pki/tls/certs/chain.cer

CONNECTED(00000003)
Can't use SSL_get_servername
depth=2 CN = ROOT-CA
verify return:1
depth=1 DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA
verify return:1
depth=0
verify return:1
---
Certificate chain
0 s:
i:DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA
1 s:DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA
i:CN = ROOT-CA
---
Server certificate
-----BEGIN CERTIFICATE-----
[REDACTED]
-----END CERTIFICATE-----
subject=

issuer=DC = [REDACTED], DC = [REDACTED], CN = Intermediate-CA

---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: ECDH, P-384, 384 bits
---
SSL handshake has read 3355 bytes and written 469 bytes
Verification: OK
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-GCM-SHA384
Session-ID: [REDACTED]
Session-ID-ctx:
Master-Key: [REDACTED]
PSK identity: None
PSK identity hint: None
SRP username: None
Start Time: 1591252114
Timeout : 7200 (sec)
Verify return code: 0 (ok)
Extended master secret: yes

I am also able to connect and bind with the relevant account using ldp.exe from my Windows machine, so it looks like the server is able to connect to this port on the AD server fine. At this point I really don’t know what this issue is pointing to and cannot find any documentation on the issue. What am I missing here?!

Kind regards

Mat Hanson
Network Security Engineer

Chrysos Corporation Limited
Waite Road, Urrbrae SA 5064 Australia
Locked Bag 2, Glen Osmond SA 5064 Australia
M +61 411 22 5753 E Mat(dot)Hanson(at)chrysos(dot)com(dot)au
www.chrysos.com.au

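A probe script, added here and not part of the original post or of pgAdmin, that repeats the openssl s_client check from inside Python's own ssl module (the TLS stack a Python process such as pgAdmin uses) and then sends an anonymous LDAPv3 bind, so that the step that fails (DNS, TCP, TLS or LDAP) is reported separately. The host, port and certificate paths are assumed to be the ones from the config_local.py settings above; the BER bytes for the bind request are hand-encoded.

```python
import socket
import ssl

# Anonymous LDAPv3 BindRequest, messageID 1, hand-encoded BER (constructed):
#   SEQUENCE { INTEGER 1, [APPLICATION 0] { INTEGER 3, OCTET STRING "", [0] "" } }
ANON_BIND = bytes.fromhex("300c020101600702010304008000")


def build_tls_context(ca_file=None, cert_file=None, key_file=None):
    """Verify the server against the CA bundle pgAdmin is given (LDAP_CA_CERT_FILE)
    and present the client cert/key (LDAP_CERT_FILE / LDAP_KEY_FILE) if configured."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def probe_ldaps(host, port=636, ctx=None, timeout=10):
    """Return (stage, detail): stage names the step that failed ('resolve',
    'connect', 'tls', 'bind') or is 'ok' with the raw BindResponse as hex."""
    ctx = ctx or build_tls_context()
    try:
        ip, port = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)[0][4][:2]
    except socket.gaierror as exc:
        return "resolve", str(exc)
    try:
        raw = socket.create_connection((ip, port), timeout=timeout)
    except OSError as exc:
        return "connect", str(exc)
    try:
        tls = ctx.wrap_socket(raw, server_hostname=host)  # hostname check + CA chain
    except OSError as exc:  # ssl.SSLError and ssl.CertificateError are OSErrors
        raw.close()
        return "tls", str(exc)
    try:
        tls.sendall(ANON_BIND)
        resp = tls.recv(256)
    except OSError as exc:
        return "bind", str(exc)
    finally:
        tls.close()
    return "ok", resp.hex()


def bind_result_code(resp):
    """Pull resultCode out of a BER BindResponse (tag 0x61, then ENUMERATED);
    None if the bytes do not look like one. 0 means the bind succeeded."""
    i = resp.find(b"\x61")
    if i < 0 or len(resp) < i + 5 or resp[i + 2:i + 4] != b"\x0a\x01":
        return None
    return resp[i + 4]
```

Run it with the same files as the pgAdmin config, e.g. probe_ldaps("ad", 636, build_tls_context("/etc/pki/tls/certs/chain.cer", "<cert>", "<key>")); a failure at the "tls" stage while openssl s_client succeeds narrows the problem to what Python's ssl module is being given (CA bundle, client cert and key, hostname check) rather than to the network path.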
