ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Hi guys, I have installed openldap on debian lenny as described here "http://www.debuntu.org/ldap-server-and-linux-ldap-clients" for both the ldap server and the ldap client on 192.168.1.192. Now I can do normal ldap successfully, but I would like to do secure ldap and replication ldap too. "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)" is the error I got stuck with when I followed this link for the replication and ssl/tls part: "http://wiki.ucc.asn.au/LDAP/LazySysadmin#Replication"

Then I googled to find a solution and tried these commands:

debian:/etc/ldap# ldapsearch -H ldap://192.168.1.192 -b dc=webon -x -d-1
ldap_url_parse_ext(ldap://192.168.1.192)
ldap_create
ldap_url_parse_ext(ldap://192.168.1.192:389/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.192:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.192:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -H ldaps://192.168.1.192 -b dc=webon -x -d-1

Here is the result of the command:

tls_read: want=5, got=5
0000: 16 03 02 00 d0 .....
tls_read: want=208, got=208
0000: 82 f5 6d 48 ca 22 c1 d5 e3 1d 01 bb 7c 8d 8d 26 .HSH.K]..@......
00c0: 57 4e e6 73 d8 ed 44 28 0b 89 68 8d cd 2e fb b5 WN.s..D(..h.....
TLS: hostname (192.168.1.192) does not match common name in certificate (192.168.1.192).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Regarding this error "TLS: hostname (192.168.1.192) does not match common name in certificate (192.168.1.192)." I think maybe I can't sign a certificate using the IP address of the ldap server as common name. By the way, I really have no idea how to solve "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)". Does anyone know how to solve this? Thanks, NeverLand.
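The "hostname ... does not match common name in certificate" line comes from the client's certificate name check, and the poster's guess (that an IP address in the CN is the problem) is worth testing against the rules modern TLS clients apply. The following Python is an added example written for this page, not code from the thread or from OpenLDAP: it implements RFC 6125 / RFC 2818 style name matching, where an IP literal such as 192.168.1.192 matches only an iPAddress entry in subjectAltName, a DNS name matches dNSName entries (with a single leftmost wildcard label), and the CN is consulted only when the certificate has no dNSName SAN. That the poster's OpenLDAP/GnuTLS build applies exactly these rules is an assumption; the three certificates below are constructed for the example, the first mirroring the thread's Easy-RSA cert (CN=192.168.1.192, no SAN), the others showing the two ways to make the name check pass.

```python
import ipaddress
from typing import Optional, Tuple

# Certificates are represented the way ssl.SSLSocket.getpeercert() returns them:
# 'subject' is a tuple of RDNs (each a tuple of (attribute, value) pairs) and
# 'subjectAltName' a tuple of (kind, value) pairs with kind 'DNS' or 'IP Address'.
# All three certificates are constructed for this example.
CERT_IP_IN_CN_ONLY = {  # shape of the cert in the thread: IP in the CN, no SAN
    "subject": ((("countryName", "th"),), (("organizationName", "webon"),),
                (("commonName", "192.168.1.192"),)),
    "subjectAltName": (),
}
CERT_WITH_IP_SAN = {  # fix 1: keep connecting by IP, add an iPAddress SAN
    "subject": ((("commonName", "192.168.1.192"),),),
    "subjectAltName": (("IP Address", "192.168.1.192"),),
}
CERT_WITH_DNS_SAN = {  # fix 2: connect by hostname and name it in the cert
    "subject": ((("commonName", "ldapserver.webon.net"),),),
    "subjectAltName": (("DNS", "ldapserver.webon.net"), ("DNS", "*.webon.net")),
}


def common_name(cert: dict) -> Optional[str]:
    """First commonName attribute of the subject, or None."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS-name match; one leftmost '*' label may stand in for
    exactly one label and never for the whole registrable domain."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if len(plabels) != len(hlabels) or plabels[0] != "*" or len(plabels) < 3:
        return False
    return plabels[1:] == hlabels[1:]


def match_peer_name(cert: dict, target: str) -> Tuple[bool, str]:
    """Decide whether `target` (the host part of the LDAP URI the client used) is a
    valid name for `cert`. Returns (matched, reason) so the caller can log why."""
    san = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress SAN entries; a CN that happens
        # to contain the same dotted quad does not count, which is the thread's case.
        for kind, value in san:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True, f"{ip} matches subjectAltName iPAddress"
        return False, f"{ip} has no iPAddress SAN (CN={common_name(cert)!r} is ignored for IP literals)"
    dns_names = [v for k, v in san if k == "DNS"]
    for name in dns_names:
        if dns_match(name, target):
            return True, f"{target} matches subjectAltName dNSName {name}"
    if dns_names:
        return False, f"{target} matches none of the dNSName SANs {dns_names}"
    cn = common_name(cert)
    if cn and dns_match(cn, target):
        return True, f"{target} matches CN {cn} (no dNSName SAN present)"
    return False, f"{target} matches neither a dNSName SAN nor CN {cn!r}"


if __name__ == "__main__":
    for label, cert, target in (("thread cert, by IP", CERT_IP_IN_CN_ONLY, "192.168.1.192"),
                                ("IP SAN, by IP", CERT_WITH_IP_SAN, "192.168.1.192"),
                                ("DNS SAN, by name", CERT_WITH_DNS_SAN, "ldapserver.webon.net"),
                                ("DNS SAN, by IP", CERT_WITH_DNS_SAN, "192.168.1.192")):
        print(f"{label}: {match_peer_name(cert, target)}")
```

The reason string matters in practice: the thread's second error, "peer cert untrusted or revoked", is a different failure (the client does not trust the CA that signed the server certificate, configured on the client side with TLS_CACERT in ldap.conf), so a diagnostic that reports which check failed saves a round of guessing.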
Hi,
The error means that either slapd is not running, or it's behind a firewall that's blocking access to port 389.

Regards
I am not sure about the red letter, maybe it should be 0.0.0.0, right? What should I do to fix this?

debian:/etc/ldap# netstat -plane |grep ":636"
tcp        0      0 0.0.0.0:636     0.0.0.0:*    LISTEN   0   8880   2945/slapd
tcp6       0      0 :::636          :::*         LISTEN   0   8879   2945/slapd
debian:/etc/ldap# netstat -plane |grep ":389"
tcp        0      0 127.0.0.1:389   0.0.0.0:*    LISTEN   0   8876   2945/slapd

The lines below are the firewall, so I don't think this is the problem.

debian:/etc/ldap# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

The line below is slapd, which is running.

debian:/etc/ldap# ps -ef | grep slap
openldap  2945     1  0 03:40 ?        00:00:00 /usr/sbin/slapd -h ldap://127.0.0.1:389/ ldaps:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf
Hi, here is the log after I tried to redo the cert using the hostname instead of the IP address.

BTW: I got this error instead, "TLS: peer cert untrusted or revoked (0x42)" ldap_err2string, but this error "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)" is still the same.

debian:/etc/ssl/CA# ldapsearch -d 255 -x
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.192:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.192:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.192:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.192:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
tls_write: want=93, written=93
0000: 16 03 02 00 58 01 00 00 54 03 02 4b 90 47 0f 06 ....X...T..K.G..
0010: a6 2f 8e cf 6a ae 2f 88 43 4d 79 de 4a 87 22 78 ./..j./.CMy.J."x
0020: 5e 84 52 8b 2b e3 35 83 42 77 6a 00 00 24 00 33 ^.R.+.5.Bwj..$.3
0030: 00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87 .E.9.....2.D.8..
0040: 00 13 00 66 00 2f 00 41 00 35 00 84 00 0a 00 05 ...f./.A.5......
0050: 00 04 01 00 00 07 00 09 00 03 02 00 01 .............
tls_read: want=5, got=5
0000: 16 03 02 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 02 4b 90 47 0f b5 e8 7d 77 10 8e ...F..K.G...}w..
0010: e2 56 ed bc 5e f5 a3 00 2b 3a 2c 49 77 76 23 bb .V..^...+:,Iwv#.
0020: 39 5c 7e 8d c0 81 20 5e 3a 28 4f e7 4e 8a e3 35 9\~... ^:(O.N..5
0030: ab 28 65 1b 3f 62 85 9f db 39 91 3b 51 b6 45 aa .(e.?b...9.;Q.E.
0040: 97 83 b8 3b f4 77 18 00 2f 00 ...;.w../.
tls_read: want=5, got=5
0000: 16 03 02 03 d9 .....
tls_read: want=985, got=985
0000: 0b 00 03 d5 00 03 d2 00 03 cf 30 82 03 cb 30 82 ..........0...0.
0010: 03 34 a0 03 02 01 02 02 01 01 30 0d 06 09 2a 86 .4........0...*.
0020: 48 86 f7 0d 01 01 05 05 00 30 81 80 31 0b 30 09 H........0..1.0.
0030: 06 03 55 04 06 13 02 74 68 31 0c 30 0a 06 03 55 ..U....th1.0...U
0040: 04 08 13 03 62 6b 6b 31 0c 30 0a 06 03 55 04 07 ....bkk1.0...U..
0050: 13 03 62 6b 6b 31 0e 30 0c 06 03 55 04 0a 13 05 ..bkk1.0...U....
0060: 77 65 62 6f 6e 31 0e 30 0c 06 03 55 04 0b 13 05 webon1.0...U....
0070: 77 65 62 6f 6e 31 16 30 14 06 03 55 04 03 13 0d webon1.0...U....
0080: 31 39 32 2e 31 36 38 2e 31 2e 31 39 32 31 1d 30 192.168.1.1921.0
0090: 1b 06 09 2a 86 48 86 f7 0d 01 09 01 16 0e 73 6f ...*.H........so
00a0: 6d 6f 40 77 65 62 6f 6e 2e 6e 65 74 30 1e 17 0d mo@webon.net0...
00b0: 31 30 30 33 30 34 31 39 34 36 33 35 5a 17 0d 32 100304194635Z..2
00c0: 30 30 33 30 31 31 39 34 36 33 35 5a 30 81 80 31 00301194635Z0..1
00d0: 0b 30 09 06 03 55 04 06 13 02 74 68 31 0c 30 0a .0...U....th1.0.
00e0: 06 03 55 04 08 13 03 62 6b 6b 31 0c 30 0a 06 03 ..U....bkk1.0...
00f0: 55 04 07 13 03 62 6b 6b 31 0e 30 0c 06 03 55 04 U....bkk1.0...U.
0100: 0a 13 05 77 65 62 6f 6e 31 0e 30 0c 06 03 55 04 ...webon1.0...U.
0110: 0b 13 05 77 65 62 6f 6e 31 16 30 14 06 03 55 04 ...webon1.0...U.
0120: 03 13 0d 31 39 32 2e 31 36 38 2e 31 2e 31 39 32 ...192.168.1.192
0130: 31 1d 30 1b 06 09 2a 86 48 86 f7 0d 01 09 01 16 1.0...*.H.......
0140: 0e 73 6f 6d 6f 40 77 65 62 6f 6e 2e 6e 65 74 30 .somo@webon.net0
0150: 81 9f 30 0d 06 09 2a 86 48 86 f7 0d 01 01 01 05 ..0...*.H.......
0160: 00 03 81 8d 00 30 81 89 02 81 81 00 b8 71 a9 7e .....0.......q.~
0170: 2c f0 f9 d0 18 08 e5 87 6f 30 42 b9 d5 08 e6 4b ,.......o0B....K
0180: c3 58 c4 90 db b5 6b 4d a4 38 10 ec a5 02 da 6c .X....kM.8.....l
0190: 45 81 82 63 3f c2 1e 98 bb 45 40 ea 31 ca 6a 81 E..c?....E@.1.j.
01a0: e6 87 49 6c a3 e9 83 b8 1e 83 d2 3f 7f 2d 16 f3 ..Il.......?.-..
01b0: 86 eb 34 1b bd 58 6b b7 d2 d1 31 ec 9e 22 70 ee ..4..Xk...1.."p.
01c0: 56 db 1e 2a 73 55 c5 36 f8 dd 03 f9 c2 80 a9 af V..*sU.6........
01d0: 90 a5 1b 1c 9c 9b af 9c a3 3b 0d ae f6 7c 3a 7b .........;...|:{
01e0: f1 41 50 73 cc f0 7e f7 17 fe 78 67 02 03 01 00 .APs..~...xg....
01f0: 01 a3 82 01 51 30 82 01 4d 30 09 06 03 55 1d 13 ....Q0..M0...U..
0200: 04 02 30 00 30 11 06 09 60 86 48 01 86 f8 42 01 ..0.0...`.H...B.
0210: 01 04 04 03 02 06 40 30 34 06 09 60 86 48 01 86 ......@04..`.H..
0220: f8 42 01 0d 04 27 16 25 45 61 73 79 2d 52 53 41 .B...'.%Easy-RSA
0230: 20 47 65 6e 65 72 61 74 65 64 20 53 65 72 76 65 Generated Serve
0240: 72 20 43 65 72 74 69 66 69 63 61 74 65 30 1d 06 r Certificate0..
0250: 03 55 1d 0e 04 16 04 14 7b ab be 77 56 77 22 eb .U......{..wVw".
0260: 81 a2 95 db 9b e5 77 35 e2 ed 66 37 30 81 b5 06 ......w5..f70...
0270: 03 55 1d 23 04 81 ad 30 81 aa 80 14 5a 62 06 72 .U.#...0....Zb.r
0280: 81 b1 a3 74 69 c2 24 05 5f cb ec a2 c0 48 50 9a ...ti.$._....HP.
0290: a1 81 86 a4 81 83 30 81 80 31 0b 30 09 06 03 55 ......0..1.0...U
02a0: 04 06 13 02 74 68 31 0c 30 0a 06 03 55 04 08 13 ....th1.0...U...
02b0: 03 62 6b 6b 31 0c 30 0a 06 03 55 04 07 13 03 62 .bkk1.0...U....b
02c0: 6b 6b 31 0e 30 0c 06 03 55 04 0a 13 05 77 65 62 kk1.0...U....web
02d0: 6f 6e 31 0e 30 0c 06 03 55 04 0b 13 05 77 65 62 on1.0...U....web
02e0: 6f 6e 31 16 30 14 06 03 55 04 03 13 0d 31 39 32 on1.0...U....192
02f0: 2e 31 36 38 2e 31 2e 31 39 32 31 1d 30 1b 06 09 .168.1.1921.0...
0300: 2a 86 48 86 f7 0d 01 09 01 16 0e 73 6f 6d 6f 40 *.H........somo@
0310: 77 65 62 6f 6e 2e 6e 65 74 82 09 00 c1 d8 3b 34 webon.net.....;4
0320: cd e9 5d 6d 30 13 06 03 55 1d 25 04 0c 30 0a 06 ..]m0...U.%..0..
0330: 08 2b 06 01 05 05 07 03 01 30 0b 06 03 55 1d 0f .+.......0...U..
0340: 04 04 03 02 05 a0 30 0d 06 09 2a 86 48 86 f7 0d ......0...*.H...
0350: 01 01 05 05 00 03 81 81 00 c7 52 f7 54 6b 19 f4 ..........R.Tk..
0360: f0 48 66 b4 19 96 59 63 3f 65 82 81 26 98 94 43 .Hf...Yc?e..&..C
0370: 3b 62 22 cb 59 cc 4b 2d 01 fb 35 6b e2 08 bf b8 ;b".Y.K-..5k....
0380: 16 84 dc f5 fe 59 39 4d 98 87 8b 6c bf 91 2e 58 .....Y9M...l...X
0390: 49 b8 02 37 69 0f a3 34 e0 a5 16 aa fd 65 6f ca I..7i..4.....eo.
03a0: 28 ff 6e 6c 8a a4 27 82 4e e1 66 4d 6a 77 26 d5 (.nl..'.N.fMjw&.
03b0: 5a 6d 8f 18 03 8d be 31 ad fb 77 1a 68 34 86 ab Zm.....1..w.h4..
03c0: 4b 13 39 0f 1a 63 69 f9 06 e5 18 a7 1c c1 02 d7 K.9..ci.........
03d0: 13 90 92 6a 64 12 ad 27 dd ...jd..'.
tls_read: want=5, got=5
0000: 16 03 02 00 04 .....
tls_read: want=4, got=4
0000: 0e 00 00 00 ....
tls_write: want=139, written=139
0000: 16 03 02 00 86 10 00 00 82 00 80 33 a1 2c 78 f7 ...........3.,x.
0010: 3c 32 3f ab 10 2c 0a 1a cc f9 8b 4b dd 70 c3 e8 <2?..,.....K.p..
0020: 97 c6 97 fb 5c 3e f2 1e f8 ac 98 56 c4 09 fe 07 ....\>.....V....
0030: 67 45 b8 b5 61 fa 24 35 16 a1 a9 db 0e bb 93 e8 gE..a.$5........
0040: ef 6e 60 26 ad 50 94 c6 a9 4f 18 ce 7f 2e de 57 .n`&.P...O.....W
0050: 98 02 cb dd 1a 4b d8 f0 73 f8 0b f2 ba 53 4f 9b .....K..s....SO.
0060: 0c e7 a7 40 cf 85 a4 02 ed 79 68 85 35 77 62 ad ...@.....yh.5wb.
0070: 6a 16 f5 96 65 be 1a 02 67 ef c2 5d 35 f4 d7 5c j...e...g..]5..\
0080: a7 fb d0 a9 71 52 c8 a6 31 f3 b2 ....qR..1..
tls_write: want=6, written=6
0000: 14 03 02 00 01 01 ......
tls_write: want=133, written=133
0000: 16 03 02 00 80 e8 f8 73 0c 85 22 9e 5f 09 50 c7 .......s.."._.P.
0010: 96 a3 65 52 eb 06 66 d6 16 30 f7 b2 de ea 67 4a ..eR..f..0....gJ
0020: ef 57 cb bf c8 48 9e 38 1f 5c 37 e1 d9 15 15 38 .W...H.8.\7....8
0030: 10 af b4 18 74 02 f6 c7 bf 3f 66 f4 e1 78 2d af ....t....?f..x-.
0040: 53 6c 30 db 99 2e 3f 42 64 f4 e4 ff aa cf 9a 48 Sl0...?Bd......H
0050: ac 39 dd 56 95 fe e5 df b7 8c 0b da de 45 18 70 .9.V.........E.p
0060: cf 79 38 a8 11 89 df 43 09 fb 11 82 08 46 e5 74 .y8....C.....F.t
0070: b9 0c 36 dd 20 a9 26 1f 52 7c c8 16 fd 6b 12 6e ..6. .&.R|...k.n
0080: 02 a5 b0 66 f5 ...f.
tls_read: want=5, got=5
0000: 14 03 02 00 01 .....
tls_read: want=1, got=1
0000: 01 .
tls_read: want=5, got=5
0000: 16 03 02 00 f0 .....
tls_read: want=240, got=240
0000: ff 3d 0d 51 ed e3 bc df 0b 54 26 7f b1 90 8a 6d .=.Q.....T&....m
0010: 00 90 b3 66 65 98 4d 6b 5b 10 e6 fb e3 72 14 0d ...fe.Mk[....r..
0020: a3 ff 20 a3 dc a3 90 b2 a6 2e c1 21 c5 62 60 e5 .. ........!.b`.
0030: 29 18 72 b7 e4 3c ce 68 26 c5 6a 39 75 b8 e0 55 ).r..<.h&.j9u..U
0040: 37 8f c4 55 04 24 e0 3a 5f 3f 0b cd 98 44 ef 2f 7..U.$.:_?...D./
0050: b1 25 ad 2d 6a 82 97 5a b5 1e 89 b9 ef 45 7a ae .%.-j..Z.....Ez.
0060: 69 77 43 7a 88 af e2 7c 1c dd ec 32 cc 84 04 10 iwCz...|...2....
0070: 1a 7a ce bd e2 7d f0 cb 2e e4 71 0d ca 59 68 00 .z...}....q..Yh.
0080: 81 9d c4 a6 d4 5f 20 91 99 f5 e2 a9 fe 89 d1 d2 ....._ .........
0090: d0 66 88 cb 71 38 81 45 e9 b5 5f f9 14 8e a2 cb .f..q8.E.._.....
00a0: 5e 4d 68 4a 40 69 54 36 e4 5b 18 65 5e 8e bd 03 ^MhJ@iT6.[.e^...
00b0: 31 e6 db 59 7d 33 f3 a1 41 14 5b 91 77 63 61 f3 1..Y}3..A.[.wca.
00c0: 22 f6 91 1d 98 03 02 ff 5e e2 9f a2 09 7d da 19 ".......^....}..
00d0: e2 e1 70 54 a5 1f 07 3b da 89 c4 f4 e7 88 6c 33 ..pT...;......l3
00e0: 3e 51 fe a8 9c 07 95 97 86 9e 8a c7 53 d9 0f d9 >Q..........S...
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
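The `-d 255` dump above is hard to read by eye, so here is a small decoder, added as an editor's example and not part of the thread or of OpenLDAP: it reassembles the `tls_read`/`tls_write` hex lines into one byte stream per direction and labels each TLS record with its content type, protocol version, handshake message and, for the ServerHello, the cipher suite the server picked. The embedded TRACE is an excerpt of the dump posted above (ClientHello, ServerHello, ServerHelloDone and both ChangeCipherSpec records; the Certificate, ClientKeyExchange and Finished records are left out for brevity), and the cipher-suite name table is deliberately short.

```python
import re
from typing import Dict, List

# Constructed excerpt of the "ldapsearch -d 255" dump posted above. Records after
# ChangeCipherSpec are encrypted, so the decoder stops naming handshake messages there.
TRACE = r"""
tls_write: want=93, written=93
0000: 16 03 02 00 58 01 00 00 54 03 02 4b 90 47 0f 06 ....X...T..K.G..
0010: a6 2f 8e cf 6a ae 2f 88 43 4d 79 de 4a 87 22 78 ./..j./.CMy.J."x
0020: 5e 84 52 8b 2b e3 35 83 42 77 6a 00 00 24 00 33 ^.R.+.5.Bwj..$.3
0030: 00 45 00 39 00 88 00 16 00 32 00 44 00 38 00 87 .E.9.....2.D.8..
0040: 00 13 00 66 00 2f 00 41 00 35 00 84 00 0a 00 05 ...f./.A.5......
0050: 00 04 01 00 00 07 00 09 00 03 02 00 01 .............
tls_read: want=5, got=5
0000: 16 03 02 00 4a ....J
tls_read: want=74, got=74
0000: 02 00 00 46 03 02 4b 90 47 0f b5 e8 7d 77 10 8e ...F..K.G...}w..
0010: e2 56 ed bc 5e f5 a3 00 2b 3a 2c 49 77 76 23 bb .V..^...+:,Iwv#.
0020: 39 5c 7e 8d c0 81 20 5e 3a 28 4f e7 4e 8a e3 35 9\~... ^:(O.N..5
0030: ab 28 65 1b 3f 62 85 9f db 39 91 3b 51 b6 45 aa .(e.?b...9.;Q.E.
0040: 97 83 b8 3b f4 77 18 00 2f 00 ...;.w../.
tls_read: want=5, got=5
0000: 16 03 02 00 04 .....
tls_read: want=4, got=4
0000: 0e 00 00 00 ....
tls_write: want=6, written=6
0000: 14 03 02 00 01 01 ......
tls_read: want=5, got=5
0000: 14 03 02 00 01 .....
tls_read: want=1, got=1
0000: 01 .
"""

CHUNK_RE = re.compile(r"^tls_(read|write): want=(\d+), (?:got|written)=(\d+)$")
HEX_RE = re.compile(r"^[0-9a-f]{4}:\s+(.*)$")

CONTENT = {20: "ChangeCipherSpec", 21: "Alert", 22: "Handshake", 23: "ApplicationData"}
VERSION = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
HANDSHAKE = {1: "ClientHello", 2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange",
             14: "ServerHelloDone", 16: "ClientKeyExchange", 20: "Finished"}
SUITES = {0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA", 0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
          0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA"}


def parse_trace(text: str) -> Dict[str, bytes]:
    """Reassemble the dump into one byte stream per direction ('write' = client to server)."""
    streams = {"read": bytearray(), "write": bytearray()}
    direction, remaining = "", 0
    for line in text.splitlines():
        line = line.strip()
        chunk = CHUNK_RE.match(line)
        if chunk:
            direction, remaining = chunk.group(1), int(chunk.group(3))
            continue
        hexline = HEX_RE.match(line)
        if hexline and direction and remaining > 0:
            take = min(16, remaining)                  # at most 16 bytes per dump line,
            tokens = hexline.group(1).split()[:take]   # then the ASCII column follows
            streams[direction].extend(int(t, 16) for t in tokens)
            remaining -= take
    return {k: bytes(v) for k, v in streams.items()}


def server_hello_suite(body: bytes) -> str:
    """Cipher suite chosen by the server: after the 4-byte handshake header come
    version (2), random (32), session-id length (1), session id, then the suite (2)."""
    if len(body) < 41:
        return "truncated"
    sid_len = body[38]
    suite = int.from_bytes(body[39 + sid_len:41 + sid_len], "big")
    return SUITES.get(suite, f"0x{suite:04x}")


def parse_records(stream: bytes) -> List[dict]:
    """Split one direction's stream into TLS records (5-byte header, then body)."""
    records, pos, encrypted = [], 0, False
    while pos + 5 <= len(stream):
        ctype, ver = stream[pos], (stream[pos + 1], stream[pos + 2])
        length = int.from_bytes(stream[pos + 3:pos + 5], "big")
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            break                                      # dump ended mid-record
        rec = {"type": CONTENT.get(ctype, f"type{ctype}"), "length": length,
               "version": VERSION.get(ver, f"{ver[0]}.{ver[1]}"),
               "encrypted": encrypted, "handshake": None, "suite": None}
        if ctype == 22 and not encrypted and body:
            rec["handshake"] = HANDSHAKE.get(body[0], f"handshake{body[0]}")
            if body[0] == 2:
                rec["suite"] = server_hello_suite(body)
        if ctype == 20:
            encrypted = True                           # everything after CCS is encrypted
        records.append(rec)
        pos += 5 + length
    return records


def summarize(text: str) -> Dict[str, List[str]]:
    """One readable line per record, keyed by direction."""
    streams, out = parse_trace(text), {}
    for direction, label in (("write", "client->server"), ("read", "server->client")):
        lines = []
        for r in parse_records(streams[direction]):
            s = f"{r['version']} {r['type']} len={r['length']}"
            s += f" {r['handshake']}" if r["handshake"] else ""
            s += f" suite={r['suite']}" if r["suite"] else ""
            s += " (encrypted)" if r["encrypted"] else ""
            lines.append(s)
        out[label] = lines
    return out


if __name__ == "__main__":
    for label, lines in summarize(TRACE).items():
        print(label)
        for line in lines:
            print("  ", line)
```

Run against the excerpt, it shows a TLS 1.1 handshake that negotiates TLS_RSA_WITH_AES_128_CBC_SHA and reaches ChangeCipherSpec on both sides. In the full dump above the "peer cert untrusted or revoked" line is printed only after those records, which tells you the transport and handshake worked and the failure is the client's trust decision about the server certificate, not a connectivity problem.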
Hi,
The way you start slapd Quote:
Now after a little searching, it looks like the Debian/Ubuntu gnutls package has some bugs that can be responsible for the "Can't contact LDAP server (-1)" problem (here is just one of them). So you cannot connect to slapd with plain ldap because it listens only on the loopback interface, and you cannot connect using ldaps probably because of a bug in TLS. Until you can patch the affected packages, change the slapd service startup options so it listens also on 0.0.0.0:389.

Regards
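The reply's first point can be checked mechanically: `-h ldap://127.0.0.1:389/` binds the plain listener to loopback only, so `ldapsearch -H ldap://192.168.1.192` from anywhere else can never connect. The Python below is an added example for this page, not code from the thread or from the slapd package: it extracts the `-h` URLs from a slapd command line (or takes a SLAPD_SERVICES string) and reports where each listener is bound. The sample command line is the one from the ps output earlier in the thread; the `cleartext_exposed` flag is this example's own label for a plain ldap:// listener reachable from the network.

```python
import ipaddress
import shlex
from typing import List
from urllib.parse import urlsplit

# The slapd command line from the thread's ps output and the corrected setting.
PS_LINE = ("/usr/sbin/slapd -h ldap://127.0.0.1:389/ ldaps:/// ldapi:/// "
           "-g openldap -u openldap -f /etc/ldap/slapd.conf")
FIXED_SERVICES = "ldap://0.0.0.0:389/ ldaps:/// ldapi:///"

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def listener_urls_from_cmdline(cmdline: str) -> List[str]:
    """Return the URLs passed to slapd's -h option (everything up to the next option)."""
    urls: List[str] = []
    collecting = False
    for arg in shlex.split(cmdline):
        if arg == "-h":
            collecting = True
        elif collecting and arg.startswith("-"):
            collecting = False
        elif collecting:
            urls.extend(arg.split())   # a quoted "-h 'a b c'" arrives as one argument
    return urls


def classify_listener(url: str) -> dict:
    """Describe one listener URL: scheme, bind address, port and reachability scope."""
    parts = urlsplit(url)
    finding = {"url": url, "scheme": parts.scheme, "bind": None, "port": None, "scope": None}
    if parts.scheme == "ldapi":
        finding["scope"] = "unix socket"            # local processes only
        return finding
    host = parts.hostname                           # None for 'ldaps:///'
    finding["port"] = parts.port or DEFAULT_PORTS.get(parts.scheme)
    if host is None or host in ("0.0.0.0", "::"):
        finding["bind"], finding["scope"] = host or "*", "all interfaces"
        return finding
    finding["bind"] = host
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:                              # a hostname rather than an address
        loopback = host == "localhost"
    finding["scope"] = "loopback only" if loopback else "single address"
    return finding


def audit_listeners(urls: List[str]) -> List[dict]:
    """Classify every listener and flag what a remote client can and cannot reach."""
    findings = [classify_listener(u) for u in urls]
    for f in findings:
        f["remote_reachable"] = f["scope"] in ("all interfaces", "single address")
        f["cleartext_exposed"] = f["scheme"] == "ldap" and f["remote_reachable"]
    return findings


if __name__ == "__main__":
    for title, urls in (("as started (ps output)", listener_urls_from_cmdline(PS_LINE)),
                        ("after the change", FIXED_SERVICES.split())):
        print(title)
        for f in audit_listeners(urls):
            print(f"  {f['url']:<24} {f['scope']:<15} remote={f['remote_reachable']}"
                  f" cleartext_exposed={f['cleartext_exposed']}")
```

The audit confirms the reply's diagnosis (ldap on loopback only, ldaps on all interfaces) and, for the corrected string, that plain ldap is now a cleartext listener reachable from the network. That is fine as a temporary workaround while the ldaps problem is being fixed, and the flag is there so the plain listener can be moved back to loopback (or StartTLS required) once ldaps works.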
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"

to be

SLAPD_SERVICES="ldap://0.0.0.0:389/ ldaps:/// ldapi:///"

and then I restarted the service; here is the netstat result:

debian:~# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:33926           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:111             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:636             0.0.0.0:*               LISTEN
tcp        0     52 192.168.1.192:22        192.168.1.118:50397     ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 :::636                  :::*                    LISTEN

but there is no 0.0.0.0:389 as local address for tcp6, will it be any problem? About the bug issue, I think all the packages I have are the newest ones, since I got every package from apt-get. What should I do to fix this? Thanks.
Have you checked if you can connect using the plain ldap protocol?

Regards
It is fine with the plain ldap protocol.
Guys, I am also new to LDAP and am stuck at this step:-
If you observe this error while configuring OpenLDAP, do the following: check by telnet with localhost; if it is not connecting, try to add the following in /etc/hosts:

# vi /etc/hosts
127.0.0.1 localhost

It can be solved with this format.
You saved me. Although I already had "127.0.0.1 localhost", adding "192.168.1.1 ldapserver" fixed the "Can't contact LDAP server" issue. Thank you one more time. Aas.