LinuxQuestions.org
Share your knowledge at the LQ Wiki.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices


Reply
  Search this Thread
Old 11-16-2005, 05:33 AM   #1
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Rep: Reputation: 30
ldap_bind Can't contact LDAP server


i installed openldap-stable-20051018.tar.gz and openssl-0.9.8a.tar.gz
i run the command:
"ldapsearch -H ldap://mydomain.org/ -b dc=mydomain,dc=org -x" and it works
but when i try to run it via SSL:
"ldapsearch -H ldaps://mydomain.org/ -b dc=mydomain,dc=org -x"
i got the following message:
"ldap_bind: Can't contact LDAP server (-1)"
the SSL certificate contains CN=mydomain.org
can anyone help?
thanks

Last edited by mesh2005; 11-16-2005 at 07:11 AM.
 
Old 11-16-2005, 07:43 AM   #2
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116
Try running the ldpasearch with a little more debugging info by adding "-d8" to the commandline.

It could be that your LDAP client will not accept a self-signed certificate in case you're using that.

If you see this error:
Code:
TLS certificate verification: Error, self signed certificate
TLS: can't connect.
ldap_start_tls: Connect error (91)
        additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
then try adding this to /etc/openldap/ldap.conf :
Code:
TLS_REQCERT allow
and then run the ldapsearch again.

Eric
 
Old 11-17-2005, 01:50 AM   #3
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
Unhappy

i added the -d8 at the end of the command line but no debugging info displayed!
still the same error "ldap_bind: Can't contact LDAP server (-1)"
 
Old 11-17-2005, 03:03 AM   #4
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116
Did you configure LDAP over SSL at all? You should have at least defined something like these lines in slapd.conf :
Code:
TLSCertificateFile    /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
for ldap to use SSL at all.
Does anything listen at port 636 (ldaps)?
Code:
netstat -plane |grep ":636"
should show the slapd process.
Also, you could try TLS instead of SSL, by running the query as
Code:
ldapsearch -x -ZZ -h ldap://mydomain.org/ -b dc=mydomain,dc=org .....
Eric
 
Old 11-17-2005, 03:28 AM   #5
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
thanks for ur reply, the slapd.conf contains two entries for TLS (TLSCertificateFile,TLSCertificateKeyFile)
ldapssl process is listing on port 636
now there is a strange problem, if i run slapd ldap works (non-secured) but when i run slapd -h "ldap:/// ldaps:///"
nothing works!!
i hope u can help me
 
Old 11-17-2005, 05:42 AM   #6
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
when i run :
"ldapsearch -H ldap://demo.archive.bibalex.org/ -b dc=demo,dc=archive,dc=bibalex,dc=org -x -d-1"
the output is:
***********************************************
wait4msg continue ld 0x9f97ef0 msgid 1 all 1
** ld 0x9f97ef0 Connections:
* host:mydomain.org port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Nov 17 12:37:47 2005

** ld 0x9f97ef0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x9f97ef0 Response Queue:
Empty
ldap_chkResponseList ld 0x9f97ef0 msgid 1 all 1
ldap_chkResponseList returns ld 0x9f97ef0 NULL
ldap_int_select
************************************************
and then it hang! no response until i close it!
when i run :
"ldapsearch -H ldaps://demo.archive.bibalex.org/ -b dc=demo,dc=archive,dc=bibalex,dc=org -x -d-1"
the output is:
************************************************
ldap_create
ldap_url_parse_ext(ldaps://mydomain.org/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mydomain.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 170.15.2.22:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
*************************************************
i hope u can help!
 
Old 11-17-2005, 08:47 AM   #7
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116
If you cannot find the cause of your problems by debugging the client connections, maybe you could look at what happens at the server level?

Stop the LDAP service (don't know what distro you're running so I don't know the exact command - you will probably know) and then run this in the console:
Code:
slapd -d 256 -f /etc/openldap/slapd.conf
or when the daemon should run as a special user (mine runs under user ldap) you type
Code:
slapd -u ldap -d 256 -f /etc/openldap/slapd.conf
And then you very carefully check the console output of the slapd process (it will not fork into the background so that you can see all it's messages in the console).
Maybe this helps you tagging the root of the problem. Try other debug levels if you want. "man slapd.conf" will tell you what the various loglevels are showing.

Eric
Code:
/usr/sbin/slapd -d 256 -t -f /etc/openldap/slapd.conf
 
Old 11-17-2005, 09:08 AM   #8
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
my machine name is server and i use Fedors 4
please see the following:
[root@server libexec]# /usr/local/libexec/slapd -u ldap -d 256
$OpenLDAP: slapd 2.3.11 (Nov 17 2005 12:25:37) $
root@server:/0/openldap-2.3.11/servers/slapd
bdb_db_open: alock package is unstable
backend_startup_one: bi_db_open failed! (-1)
slapd stopped.
connections_destroy: nothing to destroy.

i hope u can tell me what does it mean!

Last edited by mesh2005; 11-17-2005 at 09:28 AM.
 
Old 11-17-2005, 03:18 PM   #9
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116
My suspicion is that your database directory (in Fedora that would be /var/lib/ldap most probably) is not owned (anymore) by the ldap user. This is probably the effect of having run slapd manually without adding the "-u ldap" parameter.
What does
Code:
ls -la /var/lib/ldap
tell you?

On Redhat servers I manage (Redhat 8, 9 and RHEL3 and 4) the directory /var/lib/ldap is owned by user ldap and group ldap. No one else but user ldap has access to that directory. If that is not the case for you, you should run this, after stopping the ldap server:
Code:
cd /var/lib/ldap
find . -type f -exec chown ldap:ldap {} \;
find . -type f -exec chmod 600 {} \;
Then, start the server again using
Code:
service ldap start
and test again with your ldapsearch.

A word of advice: your knowledge of LDAP is lacking a little bit. You really need to find and read documentation about services and how the ldap server works if you really want to use it. Your original problem by the way (SSL not working) is still not solved. There is not enough information in your posts to make a good guess at what is wrong.

Eric
 
Old 11-20-2005, 05:04 AM   #10
mesh2005
Member
 
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155

Original Poster
Rep: Reputation: 30
thanks for ur advice, i read the Official OpenLdap manual, and i'm trying to configre the openldap using its steps, but i have a problem with ldif files
i run ldapadd -f ia.ldif -x
and i get the error:
ldap_add: Undefined attribute type (17)
additional info: dn: attribute type undefined
**************************************************************
here is my ldif file:
**************************************************************

# Organization for Test
dn:dc=mydomain,dc=org
objectClass: dcObject
objectClass: organization
o:Test
description: Test
# Organizational Role for Directory Manager
dn:cn=Head,dc=mydomain,dc=org
objectClass: organizationalRole
cn: Head
name: my_name
description: my Head
***************************************************************
here is the include part of my slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
***************************************************************
i hope u can help
thanks

Last edited by mesh2005; 11-20-2005 at 05:09 AM.
 
Old 11-20-2005, 09:55 AM   #11
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116
Add a space behind dn: and also behind o:. The space is required as a separator. Use the -v parameter to ldapadd if you want to see more verbose messages.

Eric
 
Old 11-05-2009, 01:18 AM   #12
void_void
LQ Newbie
 
Registered: Nov 2009
Posts: 1

Rep: Reputation: 0
I am upto here

I have the same problem..
but i am stucked in generating certificates..
can you post the process here..

Quote:
Originally Posted by Alien Bob View Post
Did you configure LDAP over SSL at all? You should have at least defined something like these lines in slapd.conf :
Code:
TLSCertificateFile    /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
for ldap to use SSL at all.
Does anything listen at port 636 (ldaps)?
Code:
netstat -plane |grep ":636"
should show the slapd process.
Also, you could try TLS instead of SSL, by running the query as
Code:
ldapsearch -x -ZZ -h ldap://mydomain.org/ -b dc=mydomain,dc=org .....
Eric
 
Old 08-04-2010, 09:22 AM   #13
Prem Kumar.J
LQ Newbie
 
Registered: Feb 2005
Location: Hyderabad
Posts: 1

Rep: Reputation: 0
Quote:
Originally Posted by void_void View Post
I have the same problem..
but i am stucked in generating certificates..
can you post the process here..
if Following is the error : ldap_bind: Can't contact LDAP server (-1)

Then probably your ldap is not running, check with the following command: # service ldap status

if status is not running, then run the following command:
# service ldap start

This should start ldap.

Regards
Prem
 
Old 08-04-2010, 09:42 AM   #14
Alien Bob
Slackware Contributor
 
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559

Rep: Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116Reputation: 8116
Prem.

Your reply has nothing to do with the original topic which is about configuring secure LDAP connections. Also your suggestions are very Redhat specific, they will not work on many other distros.

Eric
 
Old 01-14-2012, 04:14 PM   #15
Abstract Final
LQ Newbie
 
Registered: Jan 2012
Posts: 3

Rep: Reputation: Disabled
Guys, I am also new to LDAP and am stuck at this step:-
Quote:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
I get the following error:-
Quote:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And querying status shows inactive:-
Quote:
slapd.service - LSB: starts and stopd OpenLDAP server daemon
Loaded: loaded (/etc/rc.d/init.d/slapd)
Active: inactive (dead) since Sat, 14 Jan 2012 13:58:13 -0700; 12min ago
Process: 2690 ExecStop=/etc/rc.d/init.d/slapd stop (code=exited, status=0/SUCCESS)
Process: 2665 ExecStart=/etc/rc.d/init.d/slapd start (code=exited, status=6/NOTCONFIGURED)
CGroup: name=systemd:/system/slapd.service
Any help would be appreciated. Thanks.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
LDAP: Can't contact master ldap server rulirahm Linux - Networking 2 07-14-2014 03:02 AM
LDAP server not starting as user LDAP klnasveschuk Fedora 1 02-15-2007 05:49 AM
Iptables timeout and sometimes clients cannot contact server susje Linux - Security 6 01-06-2005 12:44 AM
Server loses contact with outer world Statoilroffe Linux - Networking 0 03-29-2004 12:23 PM
ldap_sasl_interactive_bind_s: Can't contact LDAP server (81) Jingle Linux - Software 4 01-08-2004 01:41 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Networking

All times are GMT -5. The time now is 05:16 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration