LinuxQuestions.org

Linux - Server: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) (https://www.linuxquestions.org/questions/linux-server-73/ldap_sasl_bind-simple-cant-contact-ldap-server-1-a-4175482184/)

techmom50 10-25-2013 02:18 PM

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
 
I have configured OpenLDAP on my Gentoo server. Following the admin guide, when I execute the command
Code:

ldapsearch -x -D "cn=Manager,dc=pacificcabinets,dc-com" -W
it returns
Code:

Enter LDAP Password:
I enter the SSHA password from slappasswd and it returns this error. I have also tried the plain-text password used to create it, with no success.
Code:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Any assistance would be appreciated. Am I missing something in the config file? Using slapd.conf for now.

bathory 10-26-2013 02:43 AM

Quote:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Since ldapsearch complains it can't contact the server, check if slapd is running
Code:

netstat -tanpl|grep slapd

techmom50 10-28-2013 07:17 PM

Code:

tux / # netstat -tanpl|grep slapd
tcp        0      0 0.0.0.0:636            0.0.0.0:*              LISTEN                                    23330/slapd
tcp        0      0 0.0.0.0:389            0.0.0.0:*              LISTEN                                    23330/slapd
tcp6      0      0 :::636                  :::*                    LISTEN                                    23330/slapd
tcp6      0      0 :::389                  :::*                    LISTEN                                    23330/slapd

Code:

tux / # top
23330 ldap      20  0  267m 5084 2128 S  0.0  0.1  0:00.02 slapd

Quote:

Here is my slapd.conf, very vanilla. I have tried with and without a slappasswd and I receive the same error. I am using the OpenLDAP that came with Gentoo portage (I updated on Friday from openldap 2.4.30 to 2.4.35). I have googled and have come across some articles that say SASL was not compiled into OpenLDAP; if that is the case, do I need to find Cyrus SASL and install that? I see this error as actually two: 1st, it cannot authenticate, and 2nd, it does not see my LDAP server.
Code:

#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include        /etc/openldap/schema/core.schema
include        /etc/openldap/schema/cosine.schema
include        /etc/openldap/schema/inetorgperson.schema
include        /etc/openldap/schema/nis.schema

# Define global ACLs to disable default read access.

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral      ldap://root.openldap.org

pidfile        /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

loglevel 480

# Load dynamic backend modules:
 modulepath    /usr/lib64/openldap/openldap
# moduleload    back_sql.so
# moduleload    back_sock.so
# moduleload    back_shell.so
# moduleload    back_relay.so
# moduleload    back_passwd.so
# moduleload    back_null.so
# moduleload    back_monitor.so
# moduleload    back_meta.so
# moduleload    back_ldap.so
# moduleload    back_dnssrv.so

# Sample security restrictions
#      Require integrity protection (prevent hijacking)
#      Require 112-bit (3DES or better) encryption for updates
#      Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

#added 10252013 4:29pm
access to attrs=userPassword
        by dn="uid=root,ou=People,dc=pacificcabinets,dc=com" write
        by dn="cn=Manager,dc=pacificcabinets,dc=com" write
        by anonymous auth
        by self write
        by * none


# Sample access control policy:
#      Root DSE: allow anyone to read it
#      Subschema (sub)entry DSE: allow anyone to read it
#      Other DSEs:
#              Allow self write access
#              Allow authenticated users read access
#              Allow anonymous users to authenticate
#      Directives needed to implement policy:
access to dn.base="" by * read
access to *
        by dn="cn=Manager,dc=pacificcabinets,dc=com"
        by * read
# access to dn.base="cn=Subschema" by * read
# access to *
#      by self write
#      by users read
#      by anonymous auth

# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn.  (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# BDB database definitions
#######################################################################

database        hdb
suffix          "dc=pacificcabinets,dc=com"
#        <kbyte> <min>
checkpoint      32      30
rootdn          "cn=Manager,dc=pacificcabinets,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoid.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          shhh secret
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory      /var/lib/openldap-data
# Indices to maintain
index  objectClass    eq


bathory 10-29-2013 07:22 AM

Quote:

I have googled and have come across some articles that say SASL was not compiled into OpenLDAP; if that is the case, do I need to find Cyrus SASL and install that
I'm not familiar with gentoo package system, but you can try to debug the output using
Code:

ldapsearch -x -D "cn=Manager,dc=pacificcabinets,dc=com" -W -d7 -H ldap://127.0.0.1

techmom50 10-29-2013 03:09 PM

Quote:

This is without the slappasswd, just using plain text (for testing). I guess I will try the same thing with the slappasswd. RESULTS below:
Code:

tux ~ # ldapsearch -x -D "cn=Manager,dc=pacificcabinets,dc=com" -W -d7 -H ldap://127.0.0.1
ldap_url_parse_ext(ldap://127.0.0.1)
ldap_create
ldap_url_parse_ext(ldap://127.0.0.1:389/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 56 bytes to sd 3
ldap_write: want=56, written=56
  0000:  30 36 02 01 01 60 31 02  01 03 04 24 63 6e 3d 4d  06...`1....$cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 70 61 63 69 66 69  anager,dc=pacifi
  0020:  63 63 61 62 69 6e 65 74  73 2c 64 63 3d 63 6f 6d  ccabinets,dc=com
  0030:  80 06 73 65 63 72 65 74                            ..secret
ldap_result ld 0x614650 msgid 1
wait4msg ld 0x614650 msgid 1 (infinite timeout)
wait4msg continue ld 0x614650 msgid 1 all 1
** ld 0x614650 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Oct 29 12:57:48 2013


** ld 0x614650 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x614650 request count 1 (abandoned 0)
** ld 0x614650 Response Queue:
  Empty
  ld 0x614650 response count 0
ldap_chkResponseList ld 0x614650 msgid 1 all 1
ldap_chkResponseList returns ld 0x614650 NULL
ldap_int_select
read1msg: ld 0x614650 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 01 61 07 0a                            0....a..
ldap_read: want=6, got=6
  0000:  01 00 04 00 04 00                                  ......
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x614650 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x614650 0 new referrals
read1msg:  mark request completed, ld 0x614650 msgid 1
request done: ld 0x614650 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=pacificcabinets,dc=com> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 3
ldap_write: want=64, written=64
  0000:  30 3e 02 01 02 63 39 04  19 64 63 3d 70 61 63 69  0>...c9..dc=paci
  0010:  66 69 63 63 61 62 69 6e  65 74 73 2c 64 63 3d 63  ficcabinets,dc=c
  0020:  6f 6d 0a 01 02 0a 01 00  02 01 0c 02 01 0f 01 01  om..............
  0030:  00 87 0b 6f 62 6a 65 63  74 63 6c 61 73 73 30 00  ...objectclass0.
ldap_result ld 0x614650 msgid -1
wait4msg ld 0x614650 msgid -1 (infinite timeout)
wait4msg continue ld 0x614650 msgid -1 all 0
** ld 0x614650 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Tue Oct 29 12:57:48 2013


** ld 0x614650 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x614650 request count 1 (abandoned 0)
** ld 0x614650 Response Queue:
  Empty
  ld 0x614650 response count 0
ldap_chkResponseList ld 0x614650 msgid -1 all 0
ldap_chkResponseList returns ld 0x614650 NULL
ldap_int_select
read1msg: ld 0x614650 msgid -1 all 0
ber_get_next
ldap_read: want=8, got=8
  0000:  30 0c 02 01 02 65 07 0a                            0....e..
ldap_read: want=6, got=6
  0000:  01 20 04 00 04 00                                  . ....
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x614650 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x614650 0 new referrals
read1msg:  mark request completed, ld 0x614650 msgid 2
request done: ld 0x614650 msgid 2
res_errno: 32, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 32 No such object
ldap_msgfree

# numResponses: 1
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_write: want=7, written=7
  0000:  30 05 02 01 03 42 00                              0....B.
ldap_free_connection: actually freed

Quote:

Now to understand what all this is as I am new to Linux OpenLDAP
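As an added example (not from the thread or from OpenLDAP), the hex dumps in the -d7 trace above are raw BER, and the short Python below decodes them into the BindRequest, BindResponse and SearchResultDone that the trace shows. It also makes the security point of that trace visible: a simple bind over plain ldap:// sends the rootdn password in cleartext (the "secret" at the end of the 56-byte write), and the debug trace itself writes it to the terminal; the commented-out `security ... simple_bind=64` line in the slapd.conf above is the setting that would make slapd refuse a simple bind on an unencrypted connection.

```python
"""Decode the BER-encoded LDAP messages captured in the ldapsearch -d7 trace."""

# Bytes copied from the ldap_write/ldap_read hex dumps in the trace on this page.
BIND_REQUEST = bytes.fromhex(
    "30 36 02 01 01 60 31 02 01 03 04 24 63 6e 3d 4d"
    "61 6e 61 67 65 72 2c 64 63 3d 70 61 63 69 66 69"
    "63 63 61 62 69 6e 65 74 73 2c 64 63 3d 63 6f 6d"
    "80 06 73 65 63 72 65 74"
)
# The server's replies arrived as two reads (8 + 6 bytes); joined here.
BIND_RESPONSE = bytes.fromhex("30 0c 02 01 01 61 07 0a 01 00 04 00 04 00")
SEARCH_RESULT_DONE = bytes.fromhex("30 0c 02 01 02 65 07 0a 01 20 04 00 04 00")

# Result codes that appear in this thread (RFC 4511 names).
RESULT_NAMES = {0: "success", 32: "noSuchObject", 49: "invalidCredentials"}


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER TLV starting at buf[pos]."""
    tag, length = buf[pos], buf[pos + 1]
    start = pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, buf[start:start + length], start + length


def decode_ldap_message(raw):
    """Decode one LDAPMessage; handles BindRequest, BindResponse, SearchResultDone."""
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected exactly one LDAPMessage SEQUENCE")
    _, mid, pos = read_tlv(body, 0)                 # messageID INTEGER
    msg = {"messageID": int.from_bytes(mid, "big")}
    op_tag, op, _ = read_tlv(body, pos)             # protocolOp CHOICE
    if op_tag == 0x60:                              # [APPLICATION 0] BindRequest
        _, ver, p = read_tlv(op, 0)
        _, name, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        msg.update(op="BindRequest", version=int.from_bytes(ver, "big"),
                   name=name.decode(), auth="simple" if auth_tag == 0x80 else "sasl")
        if auth_tag == 0x80:                        # simple bind: password is cleartext
            msg["password"] = cred.decode(errors="replace")
    elif op_tag in (0x61, 0x65):                    # BindResponse / SearchResultDone
        _, rc, p = read_tlv(op, 0)
        _, matched, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)
        code = int.from_bytes(rc, "big")
        msg.update(op="BindResponse" if op_tag == 0x61 else "SearchResultDone",
                   resultCode=code, resultName=RESULT_NAMES.get(code, "other"),
                   matchedDN=matched.decode(), diagnosticMessage=diag.decode())
    else:
        msg["op"] = f"unhandled protocolOp tag 0x{op_tag:02x}"
    return msg


if __name__ == "__main__":
    for raw in (BIND_REQUEST, BIND_RESPONSE, SEARCH_RESULT_DONE):
        print(decode_ldap_message(raw))
```

The first message decodes to the Manager DN with password "secret"; the bind reply is resultCode 0 and the search reply is resultCode 32, which is exactly the "No such object" that the thread goes on to discuss.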

bathory 10-29-2013 04:33 PM

Quote:

result: 32 No such object
You got an answer from ldap, so you can contact it. Try the following to get some results
Code:

ldapsearch -x -D "cn=Manager,dc=pacificcabinets,dc=com" -W -H ldap://127.0.0.1 -b "dc=pacificcabinets,dc=com"
Regards

techmom50 10-29-2013 05:30 PM

I still get result: 32 No such object, which would be correct; I have not created any .ldif database yet, so searching for Manager would not work. Hmm, why would the documentation have you test a search on something that you haven't even created? Is there any more accurate documentation for OpenLDAP besides the Admin Guide and the Gentoo Wiki, which seem not to be current/correct? This is very frustrating to a new person who is trying to grasp and understand Linux.

bathory 10-30-2013 01:42 AM

Quote:

I still get result: 32 No such object, which would be correct; I have not created any .ldif database yet, so searching for Manager would not work. Hmm, why would the documentation have you test a search on something that you haven't even created? Is there any more accurate documentation for OpenLDAP besides the Admin Guide and the Gentoo Wiki, which seem not to be current/correct? This is very frustrating to a new person who is trying to grasp and understand Linux.
I would suggest reading this guide.

Regards

techmom50 11-01-2013 07:05 PM

Quote:

I installed Cyrus-SASL from Gentoo portage; these are the results with and without SASL. It shows a connection.
Quote:

With SASL password in slapd.conf
Code:

tux openldap # ldapsearch -h 127.0.0.1 -p 389 -b "dc=pacificcabinets,dc=com" -d5
ldap_create
ldap_url_parse_ext(ldap://127.0.0.1:389)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success

ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x6146b0 msgid 1
wait4msg ld 0x6146b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x6146b0 msgid 1 all 1
** ld 0x6146b0 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Nov  1 16:12:11 2013


** ld 0x6146b0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x6146b0 request count 1 (abandoned 0)
** ld 0x6146b0 Response Queue:
  Empty
  ld 0x6146b0 response count 0
ldap_chkResponseList ld 0x6146b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x6146b0 NULL
ldap_int_select
read1msg: ld 0x6146b0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x6146b0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x6146b0 0 new referrals
read1msg:  mark request completed, ld 0x6146b0 msgid 1
request done: ld 0x6146b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=pacificcabinets,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 3
ldap_result ld 0x6146b0 msgid -1
wait4msg ld 0x6146b0 msgid -1 (infinite timeout)
wait4msg continue ld 0x6146b0 msgid -1 all 0
** ld 0x6146b0 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Nov  1 16:12:11 2013


** ld 0x6146b0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x6146b0 request count 1 (abandoned 0)
** ld 0x6146b0 Response Queue:
  Empty
  ld 0x6146b0 response count 0
ldap_chkResponseList ld 0x6146b0 msgid -1 all 0
ldap_chkResponseList returns ld 0x6146b0 NULL
ldap_int_select
read1msg: ld 0x6146b0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x6146b0 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x6146b0 0 new referrals
read1msg:  mark request completed, ld 0x6146b0 msgid 2
request done: ld 0x6146b0 msgid 2
res_errno: 32, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 32 No such object
ldap_msgfree

# numResponses: 1
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed


Quote:

Without SASL password (below)
Code:

tux openldap # ldapsearch -h 127.0.0.1 -p 389 -b "dc=pacificcabinets,dc=com" -d5
ldap_create
ldap_url_parse_ext(ldap://127.0.0.1:389)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x6146b0 msgid 1
wait4msg ld 0x6146b0 msgid 1 (infinite timeout)
wait4msg continue ld 0x6146b0 msgid 1 all 1
** ld 0x6146b0 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Nov  1 15:55:57 2013


** ld 0x6146b0 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x6146b0 request count 1 (abandoned 0)
** ld 0x6146b0 Response Queue:
  Empty
  ld 0x6146b0 response count 0
ldap_chkResponseList ld 0x6146b0 msgid 1 all 1
ldap_chkResponseList returns ld 0x6146b0 NULL
ldap_int_select
read1msg: ld 0x6146b0 msgid 1 all 1
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x6146b0 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x6146b0 0 new referrals
read1msg:  mark request completed, ld 0x6146b0 msgid 1
request done: ld 0x6146b0 msgid 1
res_errno: 0, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_msgfree
# extended LDIF
#
# LDAPv3
# base <dc=pacificcabinets,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

ldap_search_ext
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_build_search_req ATTRS: *
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush2: 64 bytes to sd 3
ldap_result ld 0x6146b0 msgid -1
wait4msg ld 0x6146b0 msgid -1 (infinite timeout)
wait4msg continue ld 0x6146b0 msgid -1 all 0
** ld 0x6146b0 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Fri Nov  1 15:55:57 2013


** ld 0x6146b0 Outstanding Requests:
 * msgid 2,  origid 2, status InProgress
  outstanding referrals 0, parent count 0
  ld 0x6146b0 request count 1 (abandoned 0)
** ld 0x6146b0 Response Queue:
  Empty
  ld 0x6146b0 response count 0
ldap_chkResponseList ld 0x6146b0 msgid -1 all 0
ldap_chkResponseList returns ld 0x6146b0 NULL
ldap_int_select
read1msg: ld 0x6146b0 msgid -1 all 0
ber_get_next
ber_get_next: tag 0x30 len 12 contents:
read1msg: ld 0x6146b0 msgid 2 message type search-result
ber_scanf fmt ({eAA) ber:
read1msg: ld 0x6146b0 0 new referrals
read1msg:  mark request completed, ld 0x6146b0 msgid 2
request done: ld 0x6146b0 msgid 2
res_errno: 32, res_error: <>, res_matched: <>
ldap_free_request (origid 2, msgid 2)
# search result
search: 2
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_scanf fmt (}) ber:
ldap_err2string
result: 32 No such object
ldap_msgfree

# numResponses: 1
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
ldap_free_connection: actually freed

Quote:

Per LDAP Troubleshooting:
LDAP_NO_SUCH_OBJECT 32 (x'20) The specified entry does not exist in the directory (DIT).
Quote:

I am trying to add my entry with ldapadd via ssh to my Linux server from my Windows 7 desktop. I get
Code:

ldapadd -f /tmp/createdit.ldif -h 127.0.0.1 -p 389 -w -d7
ldap_bind: Invalid credentials (49)


Code:

tux openldap # netstat -antp |grep slapd
tcp        0      0 0.0.0.0:636            0.0.0.0:*              LISTEN      23008/slapd
tcp        0      0 0.0.0.0:389            0.0.0.0:*              LISTEN      23008/slapd
tcp6      0      0 :::636                  :::*                    LISTEN      23008/slapd
tcp6      0      0 :::389                  :::*                    LISTEN      23008/slapd


bathory 11-02-2013 04:04 AM

Quote:

ldapadd -f /tmp/createdit.ldif -h 127.0.0.1 -p 389 -w -d7
You need to supply the correct credentials (full dn and password) of the admin:
Code:

ldapadd -f /tmp/createdit.ldif -h 127.0.0.1 -p 389  -D "cn=Manager,dc=pacificcabinets,dc=com" -w password
Or you can stop slapd from running and use slapadd
Code:

slapadd -l /tmp/createdit.ldif

