LinuxQuestions.org
Old 03-04-2010, 11:40 PM   #1
neverland
Member
 
Registered: Mar 2010
Posts: 31

Rep: Reputation: 15
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)


Hi guys, I have installed openldap on debian lenny as described here "http://www.debuntu.org/ldap-server-and-linux-ldap-clients" for both the ldap server and the ldap client on 192.168.1.192. Now I can use normal ldap successfully, but I would like to do secure ldap and replication ldap too. "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)" is the error I got stuck with when I followed this link for the replication and ssl/tls part: "http://wiki.ucc.asn.au/LDAP/LazySysadmin#Replication"

Then I googled to find a solution and tried these commands:
debian:/etc/ldap# ldapsearch -H ldap://192.168.1.192 -b dc=webon -x -d-1
ldap_url_parse_ext(ldap://192.168.1.192)
ldap_create
ldap_url_parse_ext(ldap://192.168.1.192:389/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.192:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.192:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

ldapsearch -H ldaps://192.168.1.192 -b dc=webon -x -d-1
Here is the result of the command :
tls_read: want=5, got=5
0000: 16 03 02 00 d0 .....
tls_read: want=208, got=208
0000: 82 f5 6d 48 ca 22 c1 d5 e3 1d 01 bb 7c 8d 8d 26 .HSH.K]..@......
00c0: 57 4e e6 73 d8 ed 44 28 0b 89 68 8d cd 2e fb b5 WN.s..D(..h.....
TLS: hostname (192.168.1.192) does not match common name in certificate (192.168.1.192).
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Regarding this error, "TLS: hostname (192.168.1.192) does not match common name in certificate (192.168.1.192).", I think maybe I can't sign the certificate using the IP address of the ldap server as the common name. By the way, I really have no idea how to solve "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)". Does anyone know how to solve this?

Thanks
NeverLand.
 
Old 03-05-2010, 12:14 AM   #2
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi,

The error means that either slapd is not running, or it's behind a firewall that's blocking access to port 389.

Regards
 
Old 03-05-2010, 12:42 AM   #3
neverland
Member
 
Registered: Mar 2010
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bathory View Post
Hi,

The error means that either slapd is not running, or it's behind a firewall that's blocking access to port 389.

Regards
Thank you for your quick reply, here is what I've checked.
I am not sure about the part in red; maybe it should be 0.0.0.0, right?
What should I do to fix this?
debian:/etc/ldap# netstat -plane |grep ":636"
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 0 8880 2945/slapd
tcp6 0 0 :::636 :::* LISTEN 0 8879 2945/slapd
debian:/etc/ldap# netstat -plane |grep ":389"
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN 0 8876 2945/slapd


The lines below are the firewall, so I don't think this is the problem.
debian:/etc/ldap# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

The line below shows slapd, which is running.
debian:/etc/ldap# ps -ef | grep slap
openldap 2945 1 0 03:40 ? 00:00:00 /usr/sbin/slapd -h ldap://127.0.0.1:389/ ldaps:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf
 
Old 03-05-2010, 01:36 AM   #4
neverland
Member
 
Registered: Mar 2010
Posts: 31

Original Poster
Rep: Reputation: 15
Hi, here is the log after I tried to redo the cert using the hostname instead of the IP address.
BTW: I got this error instead: "TLS: peer cert untrusted or revoked (0x42)"
ldap_err2string
But this error, "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)", is still the same.

debian:/etc/ssl/CA# ldapsearch -d 255 -x
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.192:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.192:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_int_open_connection
ldap_connect_to_host: TCP 192.168.1.192:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.1.192:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
TLS: peer cert untrusted or revoked (0x42)
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
 
Old 03-05-2010, 03:31 AM   #5
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Hi,

The way you start slapd
Quote:
debian:/etc/ldap# ps -ef | grep slap
openldap 2945 1 0 03:40 ? 00:00:00 /usr/sbin/slapd -h ldap://127.0.0.1:389/ ldaps:/// ldapi:/// -g openldap -u openldap -f /etc/ldap/slapd.conf
makes it listen on localhost for plain ldap and on all available interfaces for ldaps, as you already pointed out from netstat output.

Now after a little searching, it looks like the Debian/Ubuntu gnutls package has some bugs that can be responsible for the "Can't contact LDAP server (-1)" problem (here is just one of them).

So you cannot connect to slapd with plain ldap because it listens only on the loopback interface and you cannot connect using ldaps probably because of a bug in TLS.

Until you can patch the affected packages, change the slapd service startup options, so it listens also on 0.0.0.0:389

Regards
 
Old 03-07-2010, 09:12 PM   #6
neverland
Member
 
Registered: Mar 2010
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bathory View Post
Hi,

The way you start slapd
makes it listen on localhost for plain ldap and on all available interfaces for ldaps, as you already pointed out from netstat output.

Now after a little searching, it looks like the Debian/Ubuntu gnutls package has some bugs that can be responsible for the "Can't contact LDAP server (-1)" problem (here is just one of them).

So you cannot connect to slapd with plain ldap because it listens only on the loopback interface and you cannot connect using ldaps probably because of a bug in TLS.

Until you can patch the affected packages, change the slapd service startup options, so it listens also on 0.0.0.0:389

Regards
For the loopback case, I have changed the config file /etc/default/slapd from
SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
to be
SLAPD_SERVICES="ldap://0.0.0.0:389/ ldaps:/// ldapi:///"
and then I restarted the service and ran netstat;
here is the result:
debian:~# netstat -na
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:33926 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN
tcp 0 52 192.168.1.192:22 192.168.1.118:50397 ESTABLISHED
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::636 :::* LISTEN

but there is no 0.0.0.0:389 as local address for tcp6; will that be a problem?

About the bug issue, I think all the packages I have are the newest ones, since I got every package from apt-get.
What should I do to fix this?

Thanks.

Last edited by neverland; 03-07-2010 at 11:09 PM. Reason: found some solution
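
What the two SLAPD_SERVICES values in the post above mean for reachability, as an added example that is not part of the original thread: it classifies each listener URL by bind scope and by whether the listener itself uses TLS. The function names are made up for this example; a plain ldap:// listener carries `-x` simple binds without TLS unless the client negotiates StartTLS, which is why the second value is flagged.

```shell
#!/bin/sh
# Added example (not from the thread): classify slapd listener URLs.
# Function names are hypothetical; only POSIX sh and awk are used.

# Values quoted in the post above (/etc/default/slapd, before and after).
BEFORE="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
AFTER="ldap://0.0.0.0:389/ ldaps:/// ldapi:///"

# Print one line per URL: scheme host port scope transport
classify_listeners() {
    for url in $1; do
        scheme=${url%%://*}
        rest=${url#*://}
        hostport=${rest%%/*}            # empty for "ldaps:///"
        case $scheme in
            ldap)  defport=389; transport=plain ;;  # no TLS unless StartTLS
            ldaps) defport=636; transport=tls ;;
            ldapi) echo "ldapi - - unix-socket local"; continue ;;
            *)     echo "$scheme - - unknown unknown"; continue ;;
        esac
        case $hostport in
            \[*\]:*) host=${hostport%:*};  port=${hostport##*:} ;;  # [::1]:389
            \[*\])   host=$hostport;       port=$defport ;;
            *:*)     host=${hostport%%:*}; port=${hostport##*:} ;;
            *)       host=$hostport;       port=$defport ;;
        esac
        case $host in
            "")                      host='*'; scope=all-interfaces ;;
            0.0.0.0|"[::]")          scope=all-interfaces ;;
            127.*|localhost|"[::1]") scope=loopback ;;
            *)                       scope=single-address ;;
        esac
        echo "$scheme $host $port $scope $transport"
    done
}

# List listeners that accept non-TLS connections from other hosts.
network_plain() {
    classify_listeners "$1" |
        awk '$4 != "loopback" && $5 == "plain" { print $1 "://" $2 ":" $3 }'
}

for cfg in "$BEFORE" "$AFTER"; do
    echo "== $cfg"
    classify_listeners "$cfg"
    echo "reachable without TLS: $(network_plain "$cfg")"
done
```
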
 
Old 03-08-2010, 12:15 AM   #7
bathory
LQ Guru
 
Registered: Jun 2004
Location: Piraeus
Distribution: Slackware
Posts: 13,163
Blog Entries: 1

Rep: Reputation: 2032
Quote:
but there is no 0.0.0.0:389 as local address for tcp6, will it be any problem?
It's not a problem. If you want to use both ipv4 and ipv6, use "ldap:///" in your startup options.
Quote:
What should I do to fix this?
The error you get is the same as those reported in Ubuntu/Debian bug-tracking system. I cannot help you more on this, until you can verify that the packages version you're using has no bugs.

Have you checked if you can connect using plain ldap protocol?

Regards
 
Old 03-21-2010, 04:00 AM   #8
neverland
Member
 
Registered: Mar 2010
Posts: 31

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by bathory View Post
It's not a problem. If you want to use both ipv4 and ipv6, use "ldap:///" in your startup options.

The error you get is the same as those reported in Ubuntu/Debian bug-tracking system. I cannot help you more on this, until you can verify that the packages version you're using has no bugs.

Have you checked if you can connect using plain ldap protocol?

Regards
openldap-2.4.11
It is fine with plain ldap protocol.
 
Old 01-14-2012, 03:17 PM   #9
Abstract Final
LQ Newbie
 
Registered: Jan 2012
Posts: 3

Rep: Reputation: Disabled
Guys, I am also new to LDAP and am stuck at this step:-
Quote:
ldapsearch -x -b '' -s base '(objectclass=*)' namingContexts
I get the following error:-
Quote:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
And querying status shows inactive:-
Quote:
slapd.service - LSB: starts and stopd OpenLDAP server daemon
Loaded: loaded (/etc/rc.d/init.d/slapd)
Active: inactive (dead) since Sat, 14 Jan 2012 13:58:13 -0700; 12min ago
Process: 2690 ExecStop=/etc/rc.d/init.d/slapd stop (code=exited, status=0/SUCCESS)
Process: 2665 ExecStart=/etc/rc.d/init.d/slapd start (code=exited, status=6/NOTCONFIGURED)
CGroup: name=systemd:/system/slapd.service
Any help would be appreciated. Thanks.
 
Old 03-27-2012, 07:02 AM   #10
gopa
LQ Newbie
 
Registered: Aug 2011
Posts: 13

Rep: Reputation: Disabled
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) Reply to Thread

If you observe this error while configuring OpenLDAP, make the following changes in

Check with telnet to localhost; if it is not connecting, try adding the following to
/etc/hosts

#vi /etc/hosts

127.0.0.1 localhost


It can be solved with this format.
 
1 members found this post helpful.
Old 09-12-2012, 08:26 AM   #11
aasami
LQ Newbie
 
Registered: Apr 2011
Posts: 19

Rep: Reputation: 2
Quote:
Originally Posted by gopa View Post
If you observe this error while configuring OpenLDAP, make the following changes
#vi /etc/hosts
127.0.0.1 localhost
Thank you many times gopa!
You saved me.

Although I already had "127.0.0.1 localhost", adding "192.168.1.1 ldapserver" fixed the "Can't contact LDAP server" issue.

Thank you one more time.
Aas.
 