LinuxQuestions.org

Linux - Networking: ldap_bind Can't contact LDAP server (http://www.linuxquestions.org/questions/linux-networking-3/ldap_bind-can%27t-contact-ldap-server-383602/)

mesh2005 11-16-2005 04:33 AM

ldap_bind Can't contact LDAP server
 
I installed openldap-stable-20051018.tar.gz and openssl-0.9.8a.tar.gz.
I run the command:
"ldapsearch -H ldap://mydomain.org/ -b dc=mydomain,dc=org -x" and it works,
but when I try to run it via SSL:
"ldapsearch -H ldaps://mydomain.org/ -b dc=mydomain,dc=org -x"
I get the following message:
"ldap_bind: Can't contact LDAP server (-1)"
The SSL certificate contains CN=mydomain.org.
Can anyone help?
Thanks

Alien Bob 11-16-2005 06:43 AM

Try running the ldapsearch with a little more debugging info by adding "-d8" to the command line.

It could be that your LDAP client will not accept a self-signed certificate in case you're using that.

If you see this error:
Code:

TLS certificate verification: Error, self signed certificate
TLS: can't connect.
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed

then try adding this to /etc/openldap/ldap.conf :
Code:

TLS_REQCERT allow
and then run the ldapsearch again.

Eric

mesh2005 11-17-2005 12:50 AM

I added the -d8 at the end of the command line, but no debugging info was displayed!
Still the same error: "ldap_bind: Can't contact LDAP server (-1)"

Alien Bob 11-17-2005 02:03 AM

Did you configure LDAP over SSL at all? You should have at least defined something like these lines in slapd.conf :
Code:

TLSCertificateFile    /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

for ldap to use SSL at all.
Does anything listen at port 636 (ldaps)?
Code:

netstat -plane |grep ":636"
should show the slapd process.
Also, you could try TLS instead of SSL, by running the query as
Code:

ldapsearch -x -ZZ -H ldap://mydomain.org/ -b dc=mydomain,dc=org .....
Eric
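
The two replies above (TLS_REQCERT in ldap.conf, the TLSCertificateFile/TLSCertificateKeyFile directives in slapd.conf, and the port 636 check) can be scripted. The script below is an added example for this thread, not code from the posts or from the OpenLDAP project. It reads ldap.conf and slapd.conf style files, reports the effective TLS_REQCERT level (OpenLDAP defaults to demand when the directive is absent), and flags a key file that other users can read; the sample configs it writes into a temporary directory are constructed, and the file paths, the `ldaps_listener` helper and the function names are assumptions of this example. One caveat a practitioner should keep in mind: `TLS_REQCERT allow` makes ldapsearch accept any server certificate, so an ldaps:// connection no longer proves who is at the other end. For a self-signed server certificate the stricter fix is to copy that certificate to the client, point TLS_CACERT at it and leave TLS_REQCERT at demand, which the "good" sample config shows.

```shell
#!/bin/sh
# ldap_tls_lint.sh - sanity-check OpenLDAP TLS settings on client and server.
# Added example for this thread; not code from the original posts or from the
# OpenLDAP project. All file paths used in the demo are constructed samples.

# Print the last value of directive $2 in config file $1 (OpenLDAP keeps the
# last definition), ignoring comment lines; prints nothing if it is absent.
conf_get() {
    awk -v d="$2" '
        /^[ \t]*#/ { next }
        tolower($1) == tolower(d) { v = $2 }
        END { if (v != "") print v }
    ' "$1"
}

# Client side (ldap.conf): effective TLS_REQCERT level, lower-cased.
# OpenLDAP defaults to "demand" when the directive is not set.
client_reqcert_level() {
    level=$(conf_get "$1" TLS_REQCERT)
    [ -n "$level" ] || level=demand
    printf '%s\n' "$level" | tr 'A-Z' 'a-z'
}

# Exit 0 when the client still verifies the server certificate. With "allow"
# or "never", ldapsearch accepts any certificate, so ldaps:// no longer
# protects the bind credentials against an active attacker on the path.
client_verifies() {
    case "$(client_reqcert_level "$1")" in
        demand|hard|try) return 0 ;;
        *)               return 1 ;;
    esac
}

# Server side (slapd.conf): the two directives from the thread must be set
# and readable, and the key file must not be group- or world-readable. When
# one PEM holds certificate and key, as in the post, that PEM is the secret.
# Prints each problem found; exit 0 only when there are none.
server_tls_check() {
    conf=$1; rc=0
    cert=$(conf_get "$conf" TLSCertificateFile)
    key=$(conf_get "$conf" TLSCertificateKeyFile)
    [ -n "$cert" ] || { echo "TLSCertificateFile not set in $conf"; rc=1; }
    [ -n "$key" ]  || { echo "TLSCertificateKeyFile not set in $conf"; rc=1; }
    [ -z "$cert" ] || [ -r "$cert" ] || { echo "cannot read $cert"; rc=1; }
    if [ -n "$key" ] && [ ! -r "$key" ]; then
        echo "cannot read $key"; rc=1
    elif [ -n "$key" ]; then
        # columns 5-10 of "ls -l" are the group and other permission bits
        perms=$(ls -ld "$key" | cut -c5-10)
        [ "$perms" = "------" ] ||
            { echo "$key is readable by others (group/other bits: $perms)"; rc=1; }
    fi
    return $rc
}

# The listener check from the thread, informational only (needs ss or netstat).
ldaps_listener() {
    if command -v ss >/dev/null 2>&1; then ss -ltn 2>/dev/null | grep ':636 '
    else netstat -ltn 2>/dev/null | grep ':636 '; fi
}

# Write constructed sample configs into directory $1 (not real site files).
write_tls_samples() {
    d=$1
    # what the thread suggests: certificate verification switched off
    printf 'TLS_REQCERT allow\n' > "$d/ldap-weak.conf"
    # safer fix for a self-signed server cert: trust exactly that certificate
    printf 'TLS_CACERT  %s/slapd.pem\nTLS_REQCERT demand\n' "$d" > "$d/ldap-good.conf"
    printf 'TLSCertificateFile    %s/slapd.pem\nTLSCertificateKeyFile %s/slapd.pem\n' \
        "$d" "$d" > "$d/slapd.conf"
    : > "$d/slapd.pem"          # stand-in for the PEM; its content is irrelevant here
    chmod 644 "$d/slapd.pem"    # deliberately too open, caught by server_tls_check
}

SAMPLES=$(mktemp -d)
write_tls_samples "$SAMPLES"
echo "client weak config : TLS_REQCERT $(client_reqcert_level "$SAMPLES/ldap-weak.conf")"
echo "client good config : TLS_REQCERT $(client_reqcert_level "$SAMPLES/ldap-good.conf")"
server_tls_check "$SAMPLES/slapd.conf" || echo "server: FAIL before chmod 600"
chmod 600 "$SAMPLES/slapd.pem"
server_tls_check "$SAMPLES/slapd.conf" && echo "server: OK after chmod 600"
```

Run it against the real files with `client_reqcert_level /etc/openldap/ldap.conf` and `server_tls_check /etc/openldap/slapd.conf` after sourcing the script; the permission check matters most when slapd runs as its own user with `-u ldap`, because the PEM then has to be readable by that user and nobody else.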

mesh2005 11-17-2005 02:28 AM

Thanks for your reply. The slapd.conf contains two entries for TLS (TLSCertificateFile, TLSCertificateKeyFile).
The ldapssl process is listening on port 636.
Now there is a strange problem: if I run slapd, LDAP works (non-secured), but when I run slapd -h "ldap:/// ldaps:///"
nothing works!!
I hope you can help me.

mesh2005 11-17-2005 04:42 AM

When I run:
"ldapsearch -H ldap://demo.archive.bibalex.org/ -b dc=demo,dc=archive,dc=bibalex,dc=org -x -d-1"
the output is:
***********************************************
wait4msg continue ld 0x9f97ef0 msgid 1 all 1
** ld 0x9f97ef0 Connections:
* host:mydomain.org port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Nov 17 12:37:47 2005

** ld 0x9f97ef0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x9f97ef0 Response Queue:
Empty
ldap_chkResponseList ld 0x9f97ef0 msgid 1 all 1
ldap_chkResponseList returns ld 0x9f97ef0 NULL
ldap_int_select
************************************************
and then it hangs! No response until I close it!
When I run:
"ldapsearch -H ldaps://demo.archive.bibalex.org/ -b dc=demo,dc=archive,dc=bibalex,dc=org -x -d-1"
the output is:
************************************************
ldap_create
ldap_url_parse_ext(ldaps://mydomain.org/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mydomain.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 170.15.2.22:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
*************************************************
I hope you can help!

Alien Bob 11-17-2005 07:47 AM

If you cannot find the cause of your problems by debugging the client connections, maybe you could look at what happens at the server level?

Stop the LDAP service (don't know what distro you're running so I don't know the exact command - you will probably know) and then run this in the console:
Code:

slapd -d 256 -f /etc/openldap/slapd.conf
or when the daemon should run as a special user (mine runs under user ldap) you type
Code:

slapd -u ldap -d 256 -f /etc/openldap/slapd.conf
And then you very carefully check the console output of the slapd process (it will not fork into the background, so you can see all its messages in the console).
Maybe this helps you pin down the root of the problem. Try other debug levels if you want. "man slapd.conf" will tell you what the various loglevels show.

Eric
Code:

/usr/sbin/slapd -d 256 -t -f /etc/openldap/slapd.conf

mesh2005 11-17-2005 08:08 AM

My machine name is server and I use Fedora 4.
Please see the following:
[root@server libexec]# /usr/local/libexec/slapd -u ldap -d 256
$OpenLDAP: slapd 2.3.11 (Nov 17 2005 12:25:37) $
root@server:/0/openldap-2.3.11/servers/slapd
bdb_db_open: alock package is unstable
backend_startup_one: bi_db_open failed! (-1)
slapd stopped.
connections_destroy: nothing to destroy.

I hope you can tell me what it means!

Alien Bob 11-17-2005 02:18 PM

My suspicion is that your database directory (in Fedora that would be /var/lib/ldap most probably) is not owned (anymore) by the ldap user. This is probably the effect of having run slapd manually without adding the "-u ldap" parameter.
What does
Code:

ls -la /var/lib/ldap
tell you?

On Redhat servers I manage (Redhat 8, 9 and RHEL3 and 4) the directory /var/lib/ldap is owned by user ldap and group ldap. No one else but user ldap has access to that directory. If that is not the case for you, you should run this, after stopping the ldap server:
Code:

cd /var/lib/ldap
find . -type f -exec chown ldap:ldap {} \;
find . -type f -exec chmod 600 {} \;

Then, start the server again using
Code:

service ldap start
and test again with your ldapsearch.

A word of advice: your knowledge of LDAP is lacking a little bit. You really need to find and read documentation about services and how the ldap server works if you really want to use it. Your original problem by the way (SSL not working) is still not solved. There is not enough information in your posts to make a good guess at what is wrong.

Eric
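
The ownership repair in the reply above can be checked before and after it is applied. The script below is an added example for this thread, not code from the posts or from OpenLDAP: `audit_dbdir` lists every file under the database directory that is not owned by the slapd user or is not mode 600 (the BDB files hold the whole directory, password hashes included, so nobody else should be able to read them), and `fix_dbdir` applies the post's chown/chmod and additionally chowns the directory itself, which the post's `find . -type f` does not touch. The owner and group default to ldap as in the post; the file names in `seed_samples` are constructed stand-ins (empty files named like the BDB backend's files), and the demo at the bottom uses the current user so it runs unprivileged.

```shell
#!/bin/sh
# ldap_dbdir_audit.sh - check and repair ownership and modes of an OpenLDAP
# database directory (Fedora: /var/lib/ldap), the cause suspected in the
# thread behind "bdb_db_open ... bi_db_open failed". Added example for this
# thread, not code from the posts or from OpenLDAP. Owner/group default to
# ldap as in the post.

# List every file under $1 not owned by $2 or not mode 600, and any directory
# under (or at) $1 not owned by $2. Exit 0 when nothing is listed, 1 when
# something is, 2 when the user does not exist (find would otherwise error
# out and an empty report would look like a clean tree).
audit_dbdir() {
    dir=$1; owner=${2:-ldap}
    id "$owner" >/dev/null 2>&1 || { echo "no such user: $owner"; return 2; }
    report=$(
        find "$dir" -type d ! -user "$owner" | sed 's/^/directory not owned by expected user: /'
        find "$dir" -type f ! -user "$owner" | sed 's/^/file not owned by expected user: /'
        find "$dir" -type f ! -perm 600      | sed 's/^/file not mode 600: /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Apply the repair from the thread: chown and chmod 600 every file, and also
# chown the directory itself, which "find . -type f" leaves untouched.
# Run this with slapd stopped.
fix_dbdir() {
    dir=$1; owner=${2:-ldap}; group=${3:-ldap}
    chown "$owner:$group" "$dir"
    find "$dir" -type f -exec chown "$owner:$group" {} \;
    find "$dir" -type f -exec chmod 600 {} \;
}

# Constructed stand-ins for a BDB backend directory (empty files with the
# names slapd-bdb uses), left with the too-open modes the audit should catch.
seed_samples() {
    d=$1
    for f in id2entry.bdb dn2id.bdb alock; do : > "$d/$f"; done
    chmod 644 "$d/id2entry.bdb" "$d/dn2id.bdb"
    chmod 600 "$d/alock"
}

# Demo on a temporary directory, using the current user so it needs no root.
SAMPLE=$(mktemp -d)
seed_samples "$SAMPLE"
ME=$(id -un); MYGROUP=$(id -gn)
audit_dbdir "$SAMPLE" "$ME" || echo "-> repairing $SAMPLE"
fix_dbdir "$SAMPLE" "$ME" "$MYGROUP"
audit_dbdir "$SAMPLE" "$ME" && echo "$SAMPLE is clean"
```

On the real system the calls are `audit_dbdir /var/lib/ldap ldap` and, with the service stopped, `fix_dbdir /var/lib/ldap ldap ldap`; if the audit reports mode problems only on the directory, the `-u ldap` mix-up described in the reply is the likely cause.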

mesh2005 11-20-2005 04:04 AM

Thanks for your advice. I read the official OpenLDAP manual and I'm trying to configure OpenLDAP using its steps, but I have a problem with LDIF files.
I run ldapadd -f ia.ldif -x
and I get the error:
ldap_add: Undefined attribute type (17)
additional info: dn: attribute type undefined
**************************************************************
Here is my LDIF file:
**************************************************************

# Organization for Test
dn:dc=mydomain,dc=org
objectClass: dcObject
objectClass: organization
o:Test
description: Test
# Organizational Role for Directory Manager
dn:cn=Head,dc=mydomain,dc=org
objectClass: organizationalRole
cn: Head
name: my_name
description: my Head
***************************************************************
Here is the include part of my slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
***************************************************************
I hope you can help.
Thanks

Alien Bob 11-20-2005 08:55 AM

Add a space behind dn: and also behind o:. The space is required as a separator. Use the -v parameter to ldapadd if you want to see more verbose messages.

Eric
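
The slip pointed out above (no space after `dn:` and `o:`) is easy to catch before running ldapadd. The function below is an added example for this thread, not code from the posts or from OpenLDAP: an awk-based LDIF lint that flags attribute lines without the `: ` separator, entries that do not begin with a `dn:` line, and a second `dn:` that is not preceded by a blank line. That last check goes beyond what the reply mentions: LDIF separates entries with a blank line, and the comment line between the two entries in the posted file does not count, so as posted the second `dn:` would be read as part of the first entry. The sample files it writes are constructed from the LDIF in the post, one as posted and one corrected; the corrected copy also adds the `dc` attribute that dcObject requires, which the posted file lacks as well.

```shell
#!/bin/sh
# ldif_lint.sh - check LDIF syntax before feeding it to ldapadd.
# Added example for this thread, not code from the posts or from OpenLDAP.
# Rules (RFC 2849): an attribute line is "name: value", "name:: base64" or
# "name:< url", with the space mandatory; an entry starts with "dn:" and
# entries are separated by a blank line (comments do not separate them);
# a line beginning with one space continues the previous line.
ldif_lint() {
    awk '
    function err(msg) { printf "line %d: %s\n", NR, msg; errs++ }
    BEGIN { inentry = 0; errs = 0 }
    /^#/       { next }                  # comments never end an entry
    /^[ \t]*$/ { inentry = 0; next }     # a blank line ends the entry
    /^ /       { if (!inentry) err("continuation line outside an entry"); next }
    tolower($0) ~ /^version: [0-9]+$/ { next }
    {
        if ($0 !~ /^[A-Za-z0-9][A-Za-z0-9.;-]*(:|::|:<) /) {
            if ($0 ~ /^[A-Za-z0-9][A-Za-z0-9.;-]*:/)
                err("missing space after the colon: " $0)
            else
                err("not an \"attribute: value\" line: " $0)
        }
        isdn = (tolower(substr($0, 1, 3)) == "dn:")
        if (!inentry) {
            if (!isdn) err("entry does not start with a dn: line: " $0)
            inentry = 1
        } else if (isdn) {
            err("dn: inside an entry; put a blank line before each new entry: " $0)
        }
    }
    END { exit errs > 0 }
    ' "$1"
}

# Constructed samples: the LDIF from the post as written, and a corrected copy
# (spaces after the colons, a blank line between entries, and the dc attribute
# that objectClass dcObject requires).
write_ldif_samples() {
    d=$1
    cat > "$d/broken.ldif" <<'EOF'
# Organization for Test
dn:dc=mydomain,dc=org
objectClass: dcObject
objectClass: organization
o:Test
description: Test
# Organizational Role for Directory Manager
dn:cn=Head,dc=mydomain,dc=org
objectClass: organizationalRole
cn: Head
description: my Head
EOF
    cat > "$d/fixed.ldif" <<'EOF'
# Organization for Test
dn: dc=mydomain,dc=org
objectClass: dcObject
objectClass: organization
dc: mydomain
o: Test
description: Test

# Organizational Role for Directory Manager
dn: cn=Head,dc=mydomain,dc=org
objectClass: organizationalRole
cn: Head
description: my Head
EOF
}

SAMPLES=$(mktemp -d)
write_ldif_samples "$SAMPLES"
echo "== broken.ldif"; ldif_lint "$SAMPLES/broken.ldif" || echo "(rejected)"
echo "== fixed.ldif";  ldif_lint "$SAMPLES/fixed.ldif"  && echo "(ok)"
```

The lint checks syntax only; whether an attribute such as `name` is allowed in the entry is a schema question that slapd still decides, which is why `ldapadd -v` remains the next step once the file passes.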

void_void 11-05-2009 12:18 AM

I am up to here
 
I have the same problem,
but I am stuck generating certificates.
Can you post the process here?

Quote:

Originally Posted by Alien Bob (Post 1955731)
Did you configure LDAP over SSL at all? You should have at least defined something like these lines in slapd.conf :
Code:

TLSCertificateFile    /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

for ldap to use SSL at all.
Does anything listen at port 636 (ldaps)?
Code:

netstat -plane |grep ":636"
should show the slapd process.
Also, you could try TLS instead of SSL, by running the query as
Code:

ldapsearch -x -ZZ -H ldap://mydomain.org/ -b dc=mydomain,dc=org .....
Eric


Prem Kumar.J 08-04-2010 08:22 AM

Quote:

Originally Posted by void_void (Post 3745280)
I have the same problem,
but I am stuck generating certificates.
Can you post the process here?

If the following is the error: ldap_bind: Can't contact LDAP server (-1)

Then probably your LDAP is not running; check with the following command: # service ldap status

If the status is not running, then run the following command:
# service ldap start

This should start ldap.

Regards
Prem

Alien Bob 08-04-2010 08:42 AM

Prem.

Your reply has nothing to do with the original topic which is about configuring secure LDAP connections. Also your suggestions are very Redhat specific, they will not work on many other distros.

Eric

Abstract Final 01-14-2012 03:14 PM

Guys, I am also new to LDAP and am stuck at this step:-
Quote:

ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
I get the following error:-
Quote:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And querying status shows inactive:-
Quote:

slapd.service - LSB: starts and stopd OpenLDAP server daemon
Loaded: loaded (/etc/rc.d/init.d/slapd)
Active: inactive (dead) since Sat, 14 Jan 2012 13:58:13 -0700; 12min ago
Process: 2690 ExecStop=/etc/rc.d/init.d/slapd stop (code=exited, status=0/SUCCESS)
Process: 2665 ExecStart=/etc/rc.d/init.d/slapd start (code=exited, status=6/NOTCONFIGURED)
CGroup: name=systemd:/system/slapd.service
Any help would be appreciated. Thanks.

