11-16-2005, 05:33 AM
#1
Member
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155
ldap_bind: Can't contact LDAP server
I installed openldap-stable-20051018.tar.gz and openssl-0.9.8a.tar.gz.
I run the command:
"ldapsearch -H ldap://mydomain.org/ -b dc=mydomain,dc=org -x" and it works,
but when I try to run it via SSL:
"ldapsearch -H ldaps://mydomain.org/ -b dc=mydomain,dc=org -x"
I get the following message:
"ldap_bind: Can't contact LDAP server (-1)"
The SSL certificate contains CN=mydomain.org.
Can anyone help?
Thanks
Last edited by mesh2005; 11-16-2005 at 07:11 AM.
11-16-2005, 07:43 AM
#2
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
Try running the ldapsearch with a little more debugging info by adding "-d8" to the command line.
It could be that your LDAP client will not accept a self-signed certificate in case you're using that.
If you see this error:
Code:
TLS certificate verification: Error, self signed certificate
TLS: can't connect.
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
then try adding this to /etc/openldap/ldap.conf : and then run the ldapsearch again.
Eric
11-17-2005, 01:50 AM
#3
Member
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155
Original Poster
I added the -d8 at the end of the command line, but no debugging info was displayed!
Still the same error: "ldap_bind: Can't contact LDAP server (-1)"
11-17-2005, 03:03 AM
#4
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
Did you configure LDAP over SSL at all? You should have at least defined something like these lines in slapd.conf :
Code:
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
for ldap to use SSL at all.
Does anything listen at port 636 (ldaps)?
Code:
netstat -plane |grep ":636"
should show the slapd process.
Also, you could try TLS instead of SSL, by running the query as
Code:
ldapsearch -x -ZZ -H ldap://mydomain.org/ -b dc=mydomain,dc=org .....
Eric
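The two slapd.conf directives above are the minimum for slapd to serve ldaps://, and the key file they point at is a private key that only the slapd user should be able to read. The following script is an added example written for this thread, not code from the thread or from the OpenLDAP project: it parses slapd.conf-style text, reports a missing or dangling TLSCertificateFile / TLSCertificateKeyFile, and flags a key file readable by group or others. The demo() function builds a throw-away slapd.pem in a temporary directory (a constructed, hypothetical path) so it runs without a real server.

```python
import os
import stat
import tempfile

# Directives post #4 names as the minimum for slapd to serve ldaps://.
REQUIRED_TLS_DIRECTIVES = ("TLSCertificateFile", "TLSCertificateKeyFile")


def parse_slapd_conf(text):
    """Map directive -> value for slapd.conf-style text: the first token is the
    directive, the rest of the line is the value. Comments and blank lines are
    skipped; a repeated directive keeps the last value seen."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directives[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return directives


def check_tls_config(text):
    """Return a list of findings for the TLS directives in slapd.conf text.
    An empty list means both directives are present, point at existing files,
    and the private key is not readable by group or others."""
    findings = []
    conf = parse_slapd_conf(text)
    for name in REQUIRED_TLS_DIRECTIVES:
        if name not in conf:
            findings.append("missing %s: slapd cannot serve ldaps:// without it" % name)
        elif not os.path.isfile(conf[name]):
            findings.append("%s points at %s, which does not exist" % (name, conf[name]))
    key = conf.get("TLSCertificateKeyFile")
    if key and os.path.isfile(key):
        mode = stat.S_IMODE(os.stat(key).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("private key %s is mode %o; group and others should have no access"
                            % (key, mode))
    return findings


def demo():
    """Build a throw-away slapd.conf and key file (constructed, hypothetical paths)
    and return the findings before and after tightening the key file to mode 0600.
    As in post #4, one slapd.pem holds both certificate and key."""
    with tempfile.TemporaryDirectory() as tmp:
        pem = os.path.join(tmp, "slapd.pem")
        with open(pem, "w") as fh:
            fh.write("-----BEGIN PRIVATE KEY-----\n(placeholder, not a real key)\n"
                     "-----END PRIVATE KEY-----\n")
        os.chmod(pem, 0o644)
        conf = "TLSCertificateFile %s\nTLSCertificateKeyFile %s\n" % (pem, pem)
        before = check_tls_config(conf)
        os.chmod(pem, 0o600)
        after = check_tls_config(conf)
    return before, after


if __name__ == "__main__":
    for finding in check_tls_config("TLSCertificateFile /usr/share/ssl/certs/slapd.pem\n"):
        print(finding)
    print(demo())
```

Run it against the real file with `check_tls_config(open("/etc/openldap/slapd.conf").read())` after stopping slapd; a world-readable key is the finding worth acting on before turning ldaps:// on.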
11-17-2005, 03:28 AM
#5
Member
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155
Original Poster
Thanks for your reply. The slapd.conf contains two entries for TLS (TLSCertificateFile, TLSCertificateKeyFile).
The ldapssl process is listening on port 636.
Now there is a strange problem: if I run slapd, ldap works (non-secured), but when I run slapd -h "ldap:/// ldaps:///"
nothing works!!
I hope you can help me.
11-17-2005, 05:42 AM
#6
Member
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155
Original Poster
When I run:
"ldapsearch -H ldap://demo.archive.bibalex.org/ -b dc=demo,dc=archive,dc=bibalex,dc=org -x -d-1"
the output is:
***********************************************
wait4msg continue ld 0x9f97ef0 msgid 1 all 1
** ld 0x9f97ef0 Connections:
* host:mydomain.org port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Nov 17 12:37:47 2005
** ld 0x9f97ef0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x9f97ef0 Response Queue:
Empty
ldap_chkResponseList ld 0x9f97ef0 msgid 1 all 1
ldap_chkResponseList returns ld 0x9f97ef0 NULL
ldap_int_select
************************************************
and then it hangs! No response until I close it!
When I run:
"ldapsearch -H ldaps://demo.archive.bibalex.org/ -b dc=demo,dc=archive,dc=bibalex,dc=org -x -d-1"
the output is:
************************************************
ldap_create
ldap_url_parse_ext(ldaps://mydomain.org/)
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP mydomain.org:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 170.15.2.22:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
*************************************************
I hope you can help!
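The two debug dumps above stop at different layers: the ldap:// run reaches "status: Connected" and then waits in ldap_int_select, while the ldaps:// run never gets past the TCP connect to port 636 and fails before any TLS line appears. The script below is an added example for this thread (not code from the thread or from OpenLDAP) that reads "ldapsearch -d -1" output and reports which stage it stopped at; the three sample outputs are constructed from the text quoted in this thread and in post #2, with hostnames and addresses as posted. The function name diagnose and the stage labels are mine.

```python
import re

# Markers in "ldapsearch -d -1" client debug output.
TCP_ATTEMPT = re.compile(r"ldap_connect_to_host: Trying (\S+):(\d+)")
OPEN_CONNECTION = re.compile(r"\* host:(\S+) port: (\d+)")
TLS_VERIFY_FAIL = re.compile(r"TLS certificate verification: Error, (.+)")

# Constructed from the ldaps:// run quoted above: TCP connect fails, no TLS line ever appears.
LDAPS_REFUSED = """\
ldap_create
ldap_url_parse_ext(ldaps://mydomain.org/)
ldap_bind
ldap_connect_to_host: TCP mydomain.org:636
ldap_new_socket: 3
ldap_connect_to_host: Trying 170.15.2.22:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
"""

# Constructed from the ldap:// run quoted above: connected, request sent, no answer.
LDAP_HANG = """\
wait4msg continue ld 0x9f97ef0 msgid 1 all 1
** ld 0x9f97ef0 Connections:
* host:mydomain.org port: 389 (default)
refcnt: 2 status: Connected
** ld 0x9f97ef0 Outstanding Requests:
* msgid 1, origid 1, status InProgress
ldap_chkResponseList returns ld 0x9f97ef0 NULL
ldap_int_select
"""

# Constructed from the error quoted in post #2: the client refused the server certificate.
TLS_REJECTED = """\
TLS certificate verification: Error, self signed certificate
TLS: can't connect.
ldap_start_tls: Connect error (91)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
"""


def diagnose(debug_output):
    """Classify how far an ldapsearch connection got from its -d -1 debug output.

    Returns a dict with 'stage', the 'endpoint' (host, port) tried when the output
    shows it, the 'reason' text for certificate verification failures, and a 'hint'
    naming the layer to look at next."""
    lines = [line.strip() for line in debug_output.splitlines() if line.strip()]
    text = "\n".join(lines)
    match = TCP_ATTEMPT.search(text) or OPEN_CONNECTION.search(text)
    endpoint = (match.group(1), int(match.group(2))) if match else None
    result = {"stage": "undetermined", "endpoint": endpoint, "reason": None,
              "hint": "compare the -d -1 client output with slapd -d 256 on the server"}

    verify = TLS_VERIFY_FAIL.search(text)
    if verify:
        # The handshake got far enough to receive the server certificate and the client
        # refused it. The fix is trust, not disabling verification: TLS_CACERT in ldap.conf.
        result.update(stage="tls_verify_failed", reason=verify.group(1),
                      hint="client rejected the server certificate; point TLS_CACERT in "
                           "ldap.conf at the CA that issued it")
    elif "TLS: can't connect" in text:
        result.update(stage="tls_handshake_failed",
                      hint="TCP connected but the TLS handshake failed; check the TLS* "
                           "directives in slapd.conf and the slapd -d 256 output")
    elif "Can't contact LDAP server (-1)" in text:
        # No TLS line at all: the TCP connect itself failed.
        result.update(stage="tcp_connect_failed",
                      hint="nothing accepted the TCP connection; confirm slapd listens there "
                           "(netstat -plane | grep :636) and was started with -h \"ldap:/// ldaps:///\"")
    elif "status: Connected" in text and lines and lines[-1] == "ldap_int_select":
        result.update(stage="no_response",
                      hint="TCP connected and the request was sent, but the server never "
                           "answered; watch the slapd console output (slapd -d 256)")
    return result


if __name__ == "__main__":
    for name, sample in (("ldaps", LDAPS_REFUSED), ("ldap", LDAP_HANG), ("starttls", TLS_REJECTED)):
        print(name, diagnose(sample))
```

Feed it a captured run with `diagnose(open("ldapsearch.log").read())`; the useful split is between tcp_connect_failed (a listener problem, nothing to do with certificates) and tls_verify_failed (a trust problem, fixed with TLS_CACERT rather than by turning verification off).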
11-17-2005, 08:47 AM
#7
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
If you cannot find the cause of your problems by debugging the client connections, maybe you could look at what happens at the server level?
Stop the LDAP service (don't know what distro you're running so I don't know the exact command - you will probably know) and then run this in the console:
Code:
slapd -d 256 -f /etc/openldap/slapd.conf
or when the daemon should run as a special user (mine runs under user ldap) you type
Code:
slapd -u ldap -d 256 -f /etc/openldap/slapd.conf
And then you very carefully check the console output of the slapd process (it will not fork into the background, so that you can see all its messages in the console).
Maybe this helps you tag the root of the problem. Try other debug levels if you want. "man slapd.conf" will tell you what the various loglevels show.
Eric
Code:
/usr/sbin/slapd -d 256 -t -f /etc/openldap/slapd.conf
11-17-2005, 09:08 AM
#8
Member
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155
Original Poster
My machine name is server and I use Fedora 4.
Please see the following:
[root@server libexec]# /usr/local/libexec/slapd -u ldap -d 256
$OpenLDAP: slapd 2.3.11 (Nov 17 2005 12:25:37) $
root@server:/0/openldap-2.3.11/servers/slapd
bdb_db_open: alock package is unstable
backend_startup_one: bi_db_open failed! (-1)
slapd stopped.
connections_destroy: nothing to destroy.
I hope you can tell me what it means!
Last edited by mesh2005; 11-17-2005 at 09:28 AM.
11-17-2005, 03:18 PM
#9
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
My suspicion is that your database directory (in Fedora that would be /var/lib/ldap most probably) is not owned (anymore) by the ldap user. This is probably the effect of having run slapd manually without adding the "-u ldap" parameter.
What does
Code:
ls -la /var/lib/ldap
tell you?
On Redhat servers I manage (Redhat 8, 9 and RHEL3 and 4) the directory /var/lib/ldap is owned by user ldap and group ldap. No one else but user ldap has access to that directory. If that is not the case for you, you should run this, after stopping the ldap server:
Code:
cd /var/lib/ldap
find . -type f -exec chown ldap:ldap {} \;
find . -type f -exec chmod 600 {} \;
Then start the server again and test again with your ldapsearch.
A word of advice: your knowledge of LDAP is lacking a little bit. You really need to find and read documentation about services and how the ldap server works if you really want to use it. Your original problem by the way (SSL not working) is still not solved. There is not enough information in your posts to make a good guess at what is wrong.
Eric
11-20-2005, 05:04 AM
#10
Member
Registered: Sep 2005
Location: Ägypten
Distribution: Ubuntu 5.10
Posts: 155
Original Poster
Thanks for your advice. I read the official OpenLDAP manual and I'm trying to configure OpenLDAP using its steps, but I have a problem with LDIF files.
I run ldapadd -f ia.ldif -x
and I get the error:
ldap_add: Undefined attribute type (17)
additional info: dn: attribute type undefined
**************************************************************
Here is my LDIF file:
**************************************************************
# Organization for Test
dn:dc=mydomain,dc=org
objectClass: dcObject
objectClass: organization
o:Test
description: Test
# Organizational Role for Directory Manager
dn:cn=Head,dc=mydomain,dc=org
objectClass: organizationalRole
cn: Head
name: my_name
description: my Head
***************************************************************
Here is the include part of my slapd.conf:
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
include /usr/local/etc/openldap/schema/openldap.schema
***************************************************************
I hope you can help.
Thanks
Last edited by mesh2005; 11-20-2005 at 05:09 AM.
11-20-2005, 09:55 AM
#11
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
Add a space behind dn: and also behind o:. The space is required as a separator. Use the -v parameter to ldapadd if you want to see more verbose messages.
Eric
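The "dn: attribute type undefined" error in post #10 comes from the "dn:dc=mydomain,dc=org" and "o:Test" lines, where the separator space after the colon is missing. The linter below is an added example written for this thread, not code from the thread or from OpenLDAP: it splits an LDIF file into records, flags attribute lines with no space after the colon (allowing the "::" base64 and ":<" URL forms), a record that does not start with dn:, a second dn: with no blank line before it, and an entry without objectClass, and it can insert the missing spaces. SAMPLE_LDIF is constructed from the file quoted in post #10; its first entry keeps the two separator mistakes and its second entry shows the corrected form. The function names are mine.

```python
import re

# RFC 2849 attribute description: a name plus optional ;options, e.g. "cn" or "cn;lang-en".
ATTR_NAME = re.compile(r"^[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*$")
# "attr:" immediately followed by a value character other than ' ', ':' or '<'.
MISSING_SPACE = re.compile(r"^([A-Za-z][A-Za-z0-9;-]*):(?=[^ :<\n])", re.MULTILINE)

# Constructed from the file quoted in post #10 (first entry broken, second corrected).
SAMPLE_LDIF = """\
# Organization for Test
dn:dc=mydomain,dc=org
objectClass: dcObject
objectClass: organization
o:Test
description: Test

# Organizational Role for Directory Manager
dn: cn=Head,dc=mydomain,dc=org
objectClass: organizationalRole
cn: Head
description: my Head
"""


def split_records(text):
    """Split LDIF into records, each a list of (lineno, line). Records are separated
    by blank lines; '#' comment lines are dropped and continuation lines (leading
    space) are folded into the line above."""
    records, current = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.startswith("#"):
            continue
        if not raw.strip():
            if current:
                records.append(current)
                current = []
            continue
        if raw.startswith(" ") and current:
            prev_no, prev = current[-1]
            current[-1] = (prev_no, prev + raw[1:])
            continue
        current.append((lineno, raw))
    if current:
        records.append(current)
    return records


def lint_ldif(text):
    """Return [(lineno, message)] for layout problems ldapadd would trip over."""
    problems = []
    for record in split_records(text):
        first_no, first = record[0]
        if not first.lower().startswith("dn:"):
            problems.append((first_no, "record must begin with dn:"))
        has_objectclass = False
        for lineno, line in record:
            name, sep, value = line.partition(":")
            if not sep:
                problems.append((lineno, "no ':' separator"))
                continue
            if not ATTR_NAME.match(name):
                problems.append((lineno, "%r is not a valid attribute description" % name))
                continue
            if name.lower() == "dn" and lineno != first_no:
                problems.append((lineno, "dn: inside a record; a blank line must separate entries"))
            # "dn:dc=mydomain,dc=org" is the thread's mistake: after the colon comes a
            # space, or a second ':' for base64, or '<' for a URL.
            if value and value[0] not in " :<":
                problems.append((lineno, "missing space after '%s:'" % name))
            if name.lower() == "objectclass":
                has_objectclass = True
        if not has_objectclass:
            problems.append((first_no, "entry has no objectClass"))
    return problems


def add_missing_spaces(text):
    """Insert the missing separator space so the file passes lint_ldif."""
    return MISSING_SPACE.sub(r"\1: ", text)


if __name__ == "__main__":
    for lineno, msg in lint_ldif(SAMPLE_LDIF):
        print("line %d: %s" % (lineno, msg))
    print(lint_ldif(add_missing_spaces(SAMPLE_LDIF)))
```

Running it on the sample reports line 2 (dn:) and line 5 (o:), and lint_ldif(add_missing_spaces(SAMPLE_LDIF)) comes back empty; schema problems such as an attribute the included schema files do not define are still left to ldapadd -v.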
11-05-2009, 01:18 AM
#12
LQ Newbie
Registered: Nov 2009
Posts: 1
I am up to here.
I have the same problem..
but I am stuck in generating certificates..
Can you post the process here..
Quote:
Originally Posted by Alien Bob
Did you configure LDAP over SSL at all? You should have at least defined something like these lines in slapd.conf :
Code:
TLSCertificateFile /usr/share/ssl/certs/slapd.pem
TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
for ldap to use SSL at all.
Does anything listen at port 636 (ldaps)?
Code:
netstat -plane |grep ":636"
should show the slapd process.
Also, you could try TLS instead of SSL, by running the query as
Code:
ldapsearch -x -ZZ -H ldap://mydomain.org/ -b dc=mydomain,dc=org .....
Eric
08-04-2010, 09:22 AM
#13
LQ Newbie
Registered: Feb 2005
Location: Hyderabad
Posts: 1
Quote:
Originally Posted by void_void
I have the same problem..
but I am stuck in generating certificates..
Can you post the process here..
If the following is the error: ldap_bind: Can't contact LDAP server (-1)
then probably your ldap is not running; check with the following command: # service ldap status
If the status is not running, then run the following command:
# service ldap start
This should start ldap.
Regards
Prem
08-04-2010, 09:42 AM
#14
Slackware Contributor
Registered: Sep 2005
Location: Eindhoven, The Netherlands
Distribution: Slackware
Posts: 8,559
Prem,
Your reply has nothing to do with the original topic, which is about configuring secure LDAP connections. Also, your suggestions are very Redhat-specific; they will not work on many other distros.
Eric
01-14-2012, 04:14 PM
#15
LQ Newbie
Registered: Jan 2012
Posts: 3
Guys, I am also new to LDAP and am stuck at this step:
Quote:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
I get the following error:
Quote:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And querying the status shows inactive:
Quote:
slapd.service - LSB: starts and stopd OpenLDAP server daemon
Loaded: loaded (/etc/rc.d/init.d/slapd)
Active: inactive (dead) since Sat, 14 Jan 2012 13:58:13 -0700; 12min ago
Process: 2690 ExecStop=/etc/rc.d/init.d/slapd stop (code=exited, status=0/SUCCESS)
Process: 2665 ExecStart=/etc/rc.d/init.d/slapd start (code=exited, status=6/NOTCONFIGURED)
CGroup: name=systemd:/system/slapd.service
Any help would be appreciated. Thanks.