Preview Tool

Cisco Bug: CSCvs96622 - FD leak when login attempts are sent and LDAP SSL certificate fails

Last Modified

Aug 27, 2020

Products (1)

  • Cisco Application Policy Infrastructure Controller (APIC)

Known Affected Releases

4.2(3i) 4.2(3l)

Description (partial)

You might not be able to log in to a Cisco ACI leaf or spine switch.

This issue occurs if LDAP is set to strict mode, but the hostname in the provider configuration does not match the hostname in the certificate that is configured on the LDAP server.

If you are able to get access to the device, you will see logs similar to the following example in the /var/sysmgr/tmp_logs/dme_logs/nginx.log file:

16807||2020-02-07T09:32:15.051075431-05:00||aaa||INFO||||LDAP failed to bind to server <IP or hostname> at bindDn CN=binduser,CN=Users,DC=<DC-Name>,DC=local (return code -1 - Can't contact LDAP server) diagnostic message TLS: hostname does not match CN in peer certificate||../dme/svc/extXMLApi/src/gen/ifc/app/./ext/||493
Bug details contain sensitive information and therefore require a account to be viewed.

Bug Details Include

  • Full Description (including symptoms, conditions and workarounds)
  • Status
  • Severity
  • Known Fixed Releases
  • Related Community Discussions
  • Number of Related Support Cases
Bug information is viewable for customers and partners who have a service contract. Registered users can view up to 200 bugs per month without a service contract.