LinuxQuestions.org
Old 11-16-2005, 04:33 AM   #1
mesh2005
Member
 
Registered: Sep 2005
Location: Egypt
Distribution: Ubuntu 5.10
Posts: 155

Rep: Reputation: 30
ldap_bind Can't contact LDAP server


I installed openldap-stable-20051018.tar.gz and openssl-0.9.8a.tar.gz.
I run the command:
"ldapsearch -H ldap://mydomain.org/ -b dc=mydomain,dc=org -x" and it works,
but when I try to run it via SSL:
"ldapsearch -H ldaps://mydomain.org/ -b dc=mydomain,dc=org -x"
I get the following message:
"ldap_bind: Can't contact LDAP server (-1)"
The SSL certificate contains CN=mydomain.org.
Can anyone help?
Thanks

Last edited by mesh2005; 11-16-2005 at 06:11 AM.
 
Old 11-16-2005, 06:43 AM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Try running the ldapsearch with a little more debugging info by adding "-d8" to the commandline.

It could be that your LDAP client will not accept a self-signed certificate in case you're using that.

If you see this error:
Code:
TLS certificate verification: Error, self signed certificate
TLS: can't connect.
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
then try adding this to /etc/openldap/ldap.conf :
Code:
TLS_REQCERT allow
and then run the ldapsearch again.

Eric
 
Old 11-17-2005, 12:50 AM   #3
mesh2005
Member
 
Registered: Sep 2005
Location: Egypt
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30

I added -d8 at the end of the command line but no debugging info was displayed!
Still the same error "ldap_bind: Can't contact LDAP server (-1)"
 
Old 11-17-2005, 02:03 AM   #4
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Did you configure LDAP over SSL at all? You should have at least defined something like these lines in slapd.conf :
Code:
TLSCertificateFile    /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
for ldap to use SSL at all.
Does anything listen at port 636 (ldaps)?
Code:
netstat -plane |grep ":636"
should show the slapd process.
Also, you could try TLS instead of SSL, by running the query as
Code:
ldapsearch -x -ZZ -h ldap://mydomain.org/ -b dc=mydomain,dc=org .....
Eric
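The two config fragments discussed above (the client's TLS_REQCERT workaround and the server's TLSCertificateFile/TLSCertificateKeyFile lines) can be linted before testing. This is an added example, not code from the thread or from OpenLDAP; the file paths in the constructed samples are placeholders.

```python
# Added example (not from the thread): lint the TLS settings in the client's
# ldap.conf and the server's slapd.conf. Both use "KEY value" lines; lines
# starting with '#' are comments. File paths in the samples are placeholders.

def parse_conf(text):
    """Map each setting name (upper-cased) to its last value."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        settings[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def audit_client_tls(text):
    """Findings for ldap.conf. Unset TLS_REQCERT means 'demand': verify or fail."""
    conf, findings = parse_conf(text), []
    reqcert = conf.get("TLS_REQCERT", "demand").lower()
    if reqcert == "never":
        findings.append("TLS_REQCERT never: the server certificate is not checked at all")
    elif reqcert == "allow":
        findings.append("TLS_REQCERT allow: a bad or self-signed certificate is ignored")
    elif reqcert == "try":
        findings.append("TLS_REQCERT try: the session continues if no certificate is sent")
    if "TLS_CACERT" not in conf and "TLS_CACERTDIR" not in conf:
        findings.append("no TLS_CACERT/TLS_CACERTDIR: a self-signed or private-CA "
                        "server certificate cannot be verified")
    return findings


def audit_server_tls(text):
    """Findings for slapd.conf: slapd needs both files before ldaps:// can work."""
    conf = parse_conf(text)
    return ["%s missing: slapd has no %s for ldaps://" % (key, what)
            for key, what in (("TLSCertificateFile", "certificate"),
                              ("TLSCertificateKeyFile", "private key"))
            if key.upper() not in conf]


# Constructed samples: the thread's workaround, and trusting the issuing CA instead.
WEAK_LDAP_CONF = "URI ldaps://mydomain.org/\nTLS_REQCERT allow\n"
FIXED_LDAP_CONF = ("URI ldaps://mydomain.org/\n"
                   "TLS_CACERT /etc/openldap/cacerts/ca.pem\n"
                   "TLS_REQCERT demand\n")
SLAPD_CONF = ("TLSCertificateFile    /usr/share/ssl/certs/slapd.pem\n"
              "TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem\n")
```

Running audit_client_tls on WEAK_LDAP_CONF reports both the relaxed TLS_REQCERT and the missing CA; FIXED_LDAP_CONF and SLAPD_CONF report nothing.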
 
Old 11-17-2005, 02:28 AM   #5
mesh2005
Member
 
Registered: Sep 2005
Location: Egypt
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
Thanks for your reply. The slapd.conf contains two entries for TLS (TLSCertificateFile, TLSCertificateKeyFile).
The ldapssl process is listening on port 636.
Now there is a strange problem: if I run slapd, ldap works (non-secured), but when I run slapd -h "ldap:/// ldaps:///"
nothing works!!
I hope you can help me
 
Old 11-17-2005, 04:42 AM   #6
mesh2005
Member
 
Registered: Sep 2005
Location: Egypt
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
When I run:
"ldapsearch -H ldap://demo.archive.bibalex.org/ -b dc=demo,dc=archive,dc=bibalex,dc=org -x -d-1"
the output is:
***********************************************
wait4msg continue ld 0x9f97ef0 msgid 1 all 1
** ld 0x9f97ef0 Connections:
* host:mydomain.org port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Nov 17 12:37:47 2005

** ld 0x9f97ef0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x9f97ef0 Response Queue:
Empty
ldap_chkResponseList ld 0x9f97ef0 msgid 1 all 1
ldap_chkResponseList returns ld 0x9f97ef0 NULL
ldap_int_select
************************************************
and then it hangs! No response until I close it!
When I run:
"ldapsearch -H ldaps://demo.archive.bibalex.org/ -b dc=demo,dc=archive,dc=bibalex,dc=org -x -d-1"
the output is:
************************************************
ldap_create
ldap_url_parse_ext(ldaps://mydomain.org/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mydomain.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 170.15.2.22:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
*************************************************
I hope you can help!
 
Old 11-17-2005, 07:47 AM   #7
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
If you cannot find the cause of your problems by debugging the client connections, maybe you could look at what happens at the server level?

Stop the LDAP service (don't know what distro you're running so I don't know the exact command - you will probably know) and then run this in the console:
Code:
slapd -d 256 -f /etc/openldap/slapd.conf
or when the daemon should run as a special user (mine runs under user ldap) you type
Code:
slapd -u ldap -d 256 -f /etc/openldap/slapd.conf
And then you very carefully check the console output of the slapd process (it will not fork into the background, so that you can see all its messages in the console).
Maybe this helps you tag the root of the problem. Try other debug levels if you want. "man slapd.conf" will tell you what the various loglevels are showing.

Eric
Code:
/usr/sbin/slapd -d 256 -t -f /etc/openldap/slapd.conf
 
Old 11-17-2005, 08:08 AM   #8
mesh2005
Member
 
Registered: Sep 2005
Location: Egypt
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
My machine name is server and I use Fedora 4.
Please see the following:
[root@server libexec]# /usr/local/libexec/slapd -u ldap -d 256
$OpenLDAP: slapd 2.3.11 (Nov 17 2005 12:25:37) $
root@server:/0/openldap-2.3.11/servers/slapd
bdb_db_open: alock package is unstable
backend_startup_one: bi_db_open failed! (-1)
slapd stopped.
connections_destroy: nothing to destroy.

I hope you can tell me what it means!

Last edited by mesh2005; 11-17-2005 at 08:28 AM.
 
Old 11-17-2005, 02:18 PM   #9
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
My suspicion is that your database directory (in Fedora that would be /var/lib/ldap most probably) is not owned (anymore) by the ldap user. This is probably the effect of having run slapd manually without adding the "-u ldap" parameter.
What does
Code:
ls -la /var/lib/ldap
tell you?

On Redhat servers I manage (Redhat 8, 9 and RHEL3 and 4) the directory /var/lib/ldap is owned by user ldap and group ldap. No one else but user ldap has access to that directory. If that is not the case for you, you should run this, after stopping the ldap server:
Code:
cd /var/lib/ldap
find . -type f -exec chown ldap:ldap {} \;
find . -type f -exec chmod 600 {} \;
Then, start the server again using
Code:
service ldap start
and test again with your ldapsearch.

A word of advice: your knowledge of LDAP is lacking a little bit. You really need to find and read documentation about services and how the ldap server works if you really want to use it. Your original problem by the way (SSL not working) is still not solved. There is not enough information in your posts to make a good guess at what is wrong.

Eric
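A dry-run version of the ownership and mode check above, as an added example (not code from the thread): it lists every file under the database directory that the chown/chmod commands would touch, without changing anything. The sample directory is constructed in a temp dir and the current user stands in for ldap.

```python
# Added example (not from the thread): dry-run audit of the database directory
# permissions that the chown/chmod commands above enforce. Like those commands
# it looks at files only; it changes nothing, it just lists what would change.
import os
import pwd
import stat
import tempfile


def audit_db_dir(path, owner="ldap"):
    """Return sorted [(relative file, problem)] for files not owned by `owner`
    or readable/writable by group or others (anything wider than mode 600)."""
    uid = pwd.getpwnam(owner).pw_uid
    problems = []
    for root, _dirs, files in os.walk(path):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, path)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):          # a link out of the DB dir is a red flag
                problems.append((rel, "symlink"))
                continue
            if st.st_uid != uid:
                problems.append((rel, "owner uid %d, expected %s" % (st.st_uid, owner)))
            if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                problems.append((rel, "mode %o, expected 600" % stat.S_IMODE(st.st_mode)))
    return sorted(problems)


def current_user():
    """Name of the user running this script (stands in for 'ldap' in the sample)."""
    return pwd.getpwuid(os.getuid()).pw_name


def make_sample_dir():
    """Constructed sample: one correctly locked BDB file and one world-readable one."""
    d = tempfile.mkdtemp(prefix="ldap-audit-")
    for name, mode in (("id2entry.bdb", 0o600), ("dn2id.bdb", 0o644)):
        p = os.path.join(d, name)
        open(p, "w").close()
        os.chmod(p, mode)
    return d


if __name__ == "__main__":
    for rel, problem in audit_db_dir(make_sample_dir(), current_user()):
        print("%s: %s" % (rel, problem))
```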
 
Old 11-20-2005, 04:04 AM   #10
mesh2005
Member
 
Registered: Sep 2005
Location: Egypt
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
Thanks for your advice. I read the official OpenLDAP manual and I'm trying to configure OpenLDAP using its steps, but I have a problem with LDIF files.
I run ldapadd -f ia.ldif -x
and I get the error:
ldap_add: Undefined attribute type (17)
additional info: dn: attribute type undefined
**************************************************************
here is my ldif file:
**************************************************************

# Organization for Test
dn:dc=mydomain,dc=org
objectClass: dcObject
objectClass: organization
o:Test
description: Test
# Organizational Role for Directory Manager
dn:cn=Head,dc=mydomain,dc=org
objectClass: organizationalRole
cn: Head
name: my_name
description: my Head
***************************************************************
here is the include part of my slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
***************************************************************
I hope you can help.
Thanks

Last edited by mesh2005; 11-20-2005 at 04:09 AM.
 
Old 11-20-2005, 08:55 AM   #11
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Add a space behind dn: and also behind o:. The space is required as a separator. Use the -v parameter to ldapadd if you want to see more verbose messages.

Eric
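A small LDIF checker for the file posted above, as an added example (not code from the thread or from OpenLDAP). It flags the missing separator space the reply recommends adding, and it also checks that records are separated by a blank line, since a second dn: line inside one record is sent to the server as an ordinary attribute named dn, which the server reports as an undefined attribute type.

```python
# Added example (not from the thread): validate LDIF before ldapadd.
# It flags the missing separator space the reply recommends adding and the
# missing blank line between records, either of which an OpenLDAP server
# can report as "dn: attribute type undefined".

def check_ldif(text):
    """Return [(line_no, problem)]. Records are blank-line separated and start with dn:;
    a dn: line inside a record is sent as an ordinary attribute named 'dn'."""
    problems, in_record = [], False
    for num, line in enumerate(text.splitlines(), 1):
        if not line.strip():                      # blank line ends the record
            in_record = False
            continue
        if line[0] in "# ":                       # comment or continuation line
            continue
        if ":" not in line:
            problems.append((num, "no ':' between attribute and value"))
            continue
        attr, value = line.split(":", 1)
        if attr.lower() == "version" and not in_record:
            continue
        if attr.lower() == "dn":
            if in_record:
                problems.append((num, "second dn: in one record; add a blank line before it"))
            in_record = True
        elif not in_record:
            problems.append((num, "attribute before the record's dn: line"))
        if value and value[0] not in " :<":       # '::' = base64, ':<' = URL
            problems.append((num, "no space after ':' in %s:" % attr))
    return problems


# Constructed samples: the file as posted, and the same data with a space after
# each ':' and a blank line between the two entries.
POSTED_LDIF = """# Organization for Test
dn:dc=mydomain,dc=org
objectClass: dcObject
objectClass: organization
o:Test
description: Test
# Organizational Role for Directory Manager
dn:cn=Head,dc=mydomain,dc=org
objectClass: organizationalRole
cn: Head
"""
FIXED_LDIF = POSTED_LDIF.replace("dn:dc", "dn: dc").replace("o:Test", "o: Test") \
                        .replace("dn:cn", "dn: cn").replace("# Organizational", "\n# Organizational")
```

check_ldif(POSTED_LDIF) reports lines 2, 5 and 8; check_ldif(FIXED_LDIF) reports nothing.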
 
Old 11-05-2009, 12:18 AM   #12
void_void
LQ Newbie
 
Registered: Nov 2009
Posts: 1

Rep: Reputation: 0
I am up to here

I have the same problem..
but I am stuck in generating certificates..
Can you post the process here..

Quote:
Originally Posted by Alien Bob View Post
Did you configure LDAP over SSL at all? You should have at least defined something like these lines in slapd.conf :
Code:
TLSCertificateFile    /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
for ldap to use SSL at all.
Does anything listen at port 636 (ldaps)?
Code:
netstat -plane |grep ":636"
should show the slapd process.
Also, you could try TLS instead of SSL, by running the query as
Code:
ldapsearch -x -ZZ -h ldap://mydomain.org/ -b dc=mydomain,dc=org .....
Eric
 
Old 08-04-2010, 08:22 AM   #13
Prem Kumar.J
LQ Newbie
 
Registered: Feb 2005
Location: Hyderabad
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by void_void View Post
I have the same problem..
but I am stuck in generating certificates..
Can you post the process here..
If the following is the error: ldap_bind: Can't contact LDAP server (-1)

Then probably your ldap is not running; check with the following command: # service ldap status

if status is not running, then run the following command:
# service ldap start

This should start ldap.

Regards
Prem
 
Old 08-04-2010, 08:42 AM   #14
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8106
Prem.

Your reply has nothing to do with the original topic, which is about configuring secure LDAP connections. Also, your suggestions are very Redhat-specific; they will not work on many other distros.

Eric
 
Old 01-14-2012, 03:14 PM   #15
Abstract Final
LQ Newbie
 
Registered: Jan 2012
Posts: 3

Rep: Reputation: Disabled
Guys, I am also new to LDAP and am stuck at this step:-
Quote:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
I get the following error:-
Quote:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And querying status shows inactive:-
Quote:
slapd.service - LSB: starts and stopd OpenLDAP server daemon
Loaded: loaded (/etc/rc.d/init.d/slapd)
Active: inactive (dead) since Sat, 14 Jan 2012 13:58:13 -0700; 12min ago
Process: 2690 ExecStop=/etc/rc.d/init.d/slapd stop (code=exited, status=0/SUCCESS)
Process: 2665 ExecStart=/etc/rc.d/init.d/slapd start (code=exited, status=6/NOTCONFIGURED)
CGroup: name=systemd:/system/slapd.service
Any help would be appreciated. Thanks.
 