MSIS3328: Unable to query the LDAP Servers. The LDAP server is unavailable

  • Question

  • I've been posting multiple threads in here regarding configuring AD FS to authenticate users stored in an LDAP directory. I want to express my gratitude to the many who have replied to my questions, which was a great learning experience for me.

    I am finally beginning to have a grasp of what I am trying to do. While executing the Add-AdfsLocalClaimsProviderTrust cmdlet, I ran into "The LDAP server is unavailable. Error code: 81".

    I talked to our network engineer to open up a port and I was able to use LDAP Admin program to access a target OUD directory just fine from AD FS server. Both AD FS and OUD sit in AWS cloud by the way.

    To access OUD from the third-party program LDAP Admin, I provide the following information.

    Host: xxx.xxx.xxx.xxx

    Port :389

    Simple Authentication is selected

    Username: cn=Directory Manager

    password: password1234

    And I executed the following cmdlets in sequential order in PowerShell as an administrator.

    # The bind DN is a plain string; Get-Credential -UserName expects a string, not a SecureString
    $ldapuser = "cn=Directory Manager"

    # Prompts only for the password, which is what ends up in the SecureString
    $DirectoryCred = Get-Credential -UserName $ldapuser -Message "Enter the credentials to bind to the LDAP instance:"

    # Connection definition handed to the claims provider trust
    $vendorDirectory = New-AdfsLdapServerConnection -HostName xxx.xxx.xxx.xxx -Port 389 -SslMode Ssl -AuthenticationMethod Basic -Credential $DirectoryCred

    # Map the LDAP displayName attribute onto the displayname claim
    $DisplayName = New-AdfsLdapAttributeToClaimMapping -LdapAttribute "displayName" -ClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/displayname"

    # Create the local claims provider trust backed by the LDAP connection above
    Add-AdfsLocalClaimsProviderTrust -Name "oud" -Identifier "urn:oud" -Type ldap -LdapServerConnection $vendorDirectory -UserObjectClass inetOrgPerson -UserContainer "c=us" -LdapAuthenticationMethod Basic -AnchorClaimLdapAttribute mail -AnchorClaimType "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn" -Enabled $True -LdapAttributeToClaimMapping $DisplayName

    All goes well until I execute the last cmdlet, "Add-AdfsLocalClaimsProviderTrust". I am wondering if I provided any invalid arguments to the cmdlet. Can you spot any mistake I may have made? Interestingly, before the port was opened, I got the same exception while the port was blocked. I am trying to identify whether it is related to network blockage or something else is causing this (hiding the actual exception but misleading me into believing something else). Here is the exact error message:

    Monday, November 26, 2018 4:13 PM

All replies

  • Can you try with a user that has no space character in its DN?

    Note: Posts are provided “AS IS” without warranty of any kind, either expressed or implied, including but not limited to the implied warranties of merchantability and/or fitness for a particular purpose.

    Monday, November 26, 2018 6:09 PM
  • Ah... you mean "cn=Directory Manager", which is the username for accessing OUD. I will try to find a way if that is possible. Thanks for your advice!
    Monday, November 26, 2018 7:19 PM
  • I gave another DN that has no space in it, which allowed me to access OUD via the LDAP Admin program, but Add-AdfsLocalClaimsProviderTrust execution still returns "LDAP server is unavailable".
    Monday, November 26, 2018 7:28 PM
  • Hello,

    Are you sure you use SSL on the LDAP 389 port (with StartTLS, for example)? (New-AdfsLDAPServerConnection [...] -SslMode Ssl [...])

    Could you try with:
    New-AdfsLDAPServerConnection [...] -SslMode None [...]

    Doc: https://docs.microsoft.com/en-us/powershell/module/adfs/new-adfsldapserverconnection

    Monday, December 3, 2018 12:12 AM
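An added diagnostic, not code from the thread or from the AD FS module: the reply above points at the mismatch between -SslMode Ssl and port 389, and error 81 is exactly what the Windows LDAP client reports when a TLS handshake is attempted against a port that speaks plaintext LDAP. The probe below, run from the AD FS server with the same .NET LDAP client, binds against 389 in the clear, 389 with StartTLS and 636 with SSL, so you can see which transport the OUD instance actually accepts before choosing the SslMode value; the host name and bind DN are placeholders.

```powershell
# Added example (not from the thread). Placeholders: oud.example.internal and the bind DN.
# Error 81 = LDAP_SERVER_DOWN (handshake/transport failure); error 49 = invalid credentials,
# which means the transport is fine and only the bind DN/password need attention.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [string]$HostName,
        [int]$Port,
        [ValidateSet('None', 'StartTls', 'Ssl')][string]$Mode,
        [pscredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [TimeSpan]::FromSeconds(10)
    # Simple bind sends the DN and password as-is, so only the TLS variants protect them on the wire
    $conn.Credential = $Credential.GetNetworkCredential()
    try {
        switch ($Mode) {
            'Ssl'      { $conn.SessionOptions.SecureSocketLayer = $true }         # LDAPS, normally port 636
            'StartTls' { $conn.SessionOptions.StartTransportLayerSecurity($null) } # upgrade in place on 389
        }
        $conn.Bind()
        [pscustomobject]@{ Port = $Port; Mode = $Mode; Result = 'bind OK' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        [pscustomobject]@{ Port = $Port; Mode = $Mode; Result = "LdapException $($_.Exception.ErrorCode): $($_.Exception.Message)" }
    } catch {
        # StartTLS refusals surface as TlsOperationException rather than LdapException
        [pscustomobject]@{ Port = $Port; Mode = $Mode; Result = "$($_.Exception.GetType().Name): $($_.Exception.Message)" }
    } finally {
        $conn.Dispose()
    }
}

# Placeholder bind DN without a space, as the first reply suggested trying
$cred   = Get-Credential -UserName 'cn=svc-adfs,ou=apps,c=us' -Message 'Bind DN and password'
$target = 'oud.example.internal'

@(
    Test-LdapBind -HostName $target -Port 389 -Mode None     -Credential $cred   # what -SslMode None exercises
    Test-LdapBind -HostName $target -Port 389 -Mode StartTls -Credential $cred
    Test-LdapBind -HostName $target -Port 636 -Mode Ssl      -Credential $cred   # what -SslMode Ssl expects
) | Format-Table -AutoSize
```

Whichever row reports "bind OK" (or error 49) is the transport to configure in New-AdfsLdapServerConnection; if only the plaintext row succeeds, the directory side needs LDAPS or StartTLS enabled before a Basic bind is safe to use from AD FS.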