
Error "External identity store was unreachable" When Importing LDAP identityStore With Simple Bind


Published: 15 Mar 2018
Last Modified Date: 21 Apr 2020

Issue

When importing an LDAP identityStore JSON configuration with simple bind, the following error might occur:

"Identity store Configuration Error: External identity store was unreachable. The external store is either down or Tableau Server is unable to establish a connection."

Additionally, the following error may be found in the logs:
...: DEBUG com.tableausoftware.certificates.LinuxCertManager - Loading CA certificates from /etc/pki/ca-trust/extracted/java/cacerts
...: ERROR com.tableausoftware.tabadmin.webapp.impl.IdentityStoreService - IdentityStoreService failure:com.tableausoftware.domain.ldap.LdapConnectException: javax.naming.CommunicationException: simple bind failed: ldaps.host.local:636 [Root exception is javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: None of the TrustManagers trust this certificate chain] (errorCode=100081)

Environment

Tableau Server

Resolution

Ensure that all SSL Certificates for accessing the LDAP server over SSL have been added to the Java Keystore file.

For more specific information, follow the instructions described in the following article: Identity Store - LDAP bind (Linux) or Identity Store - LDAP over SSL (Windows) in Tableau Help. 

 

Additional Information

To further diagnose issues with the SSL certificate, OpenSSL can be used to export the SSL certificate from the LDAP server to verify that it matches and is authentic. Instructions can be found below:
OpenSSL Cookbook: Chapter 2. Testing with OpenSSL

Additionally, instructions for working with the keytool.exe tool included with Tableau can be found at the link below. The Keytool utility can list or export the SSL certificates stored in the keystore to verify that the correct / matching certificate has been added.
Keytool documentation
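
The OpenSSL and Keytool checks described above can be combined into one fingerprint comparison. The script below is an added example, not code from Tableau or from the linked documentation; it assumes openssl and keytool are on PATH and that the keystore password is exported in a variable named STOREPASS (a name chosen for this example).

```shell
#!/bin/sh
# Added example: compare the certificates an LDAPS server presents with the
# entries in a Java keystore, by SHA-256 fingerprint.

# Reduce "sha256 Fingerprint=AB:CD.." (openssl) or "SHA256: AB:CD.." (keytool -v)
# to bare uppercase hex so the two tools' output can be compared.
normalize_fp() {
    sed -e 's/[[:space:]]*$//' -e 's/.*[= ]//' | tr -d ':' | tr 'a-f' 'A-F'
}

# stdin: `keytool -list -v` output; stdout: one fingerprint per keystore entry.
keystore_fps() {
    grep 'SHA256:' | normalize_fp
}

# $1=host $2=port; stdout: fingerprint of every certificate the server sends.
server_chain_fps() {
    fp_cmd='openssl x509 -noout -fingerprint -sha256'
    openssl s_client -connect "$1:$2" -servername "$1" -showcerts </dev/null 2>/dev/null |
    awk -v cmd="$fp_cmd" '
        /-----BEGIN CERTIFICATE-----/ { keep = 1; pem = "" }
        keep { pem = pem $0 "\n" }
        /-----END CERTIFICATE-----/ { keep = 0; printf "%s", pem | cmd; close(cmd) }
    ' | normalize_fp
}

# $1=file of server fingerprints, $2=file of keystore fingerprints.
# Prints PRESENT/ABSENT per certificate; returns 0 if at least one is present.
match_fps() {
    found=1
    while IFS= read -r fp; do
        [ -n "$fp" ] || continue
        if grep -qxF "$fp" "$2"; then
            echo "PRESENT $fp"; found=0
        else
            echo "ABSENT  $fp"
        fi
    done < "$1"
    return "$found"
}

# Usage: STOREPASS=... sh check.sh ldaps.host.local 636 /etc/pki/ca-trust/extracted/java/cacerts
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp -d) || exit 1
    trap 'rm -rf "$tmp"' EXIT
    server_chain_fps "$1" "$2" > "$tmp/server"
    keytool -list -v -keystore "$3" -storepass:env STOREPASS | keystore_fps > "$tmp/store"
    match_fps "$tmp/server" "$tmp/store"
fi
```

A server usually does not send its root CA certificate, so an all-ABSENT result means that neither the server certificate nor any intermediate it sent is in the keystore; the issuing root may still need to be checked separately.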