| View previous topic :: View next topic |
| Author |
Message |
René1983
Tux's lil' helper
Joined: 15 Dec 2003
Posts: 108
Location: Netherlands
|
 Posted: Thu Oct 04, 2007 7:22 pm Post subject: Ldap: Can't contact |
 |
|
Today I've been busy with LDAP. Somehow it wont work. The servers starts, but when I do a:
| Code: | | ldapsearch -D "cn=Manager,dc=domainname,dc=local" -W -d 255 |
I get the following error:
| Code: |
ldap_create
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
[b]ldap_connect_timeout: fd: 3 tm: -1 async: 0[/b]
ldap_close_socket: 3
ldap_perror
[b]ldap_bind: Can't contact LDAP server (-1)[/b] |
Because I configured my server with ssl I also tried to connect at port 636:
| Code: | ldap_create
ldap_url_parse_ext(ldap://localhost:636)
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x0805f208 ptr=0x0805f208 end=0x0805f242 len=58
0000: 30 38 02 01 01 60 33 02 01 03 04 24 63 6e 3d 4d 08...`3....$cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 69 2d 6c 6c 75 6d anager,dc=i-llum
0020: 69 6e 61 74 69 6f 6e 2c 64 63 3d 6c 6f 63 61 6c ination,dc=local
0030: 80 08 26 70 75 34 24 71 2a 2a ..&pu4$q**
ber_scanf fmt ({i) ber:
ber_dump: buf=0x0805f208 ptr=0x0805f20d end=0x0805f242 len=53
0000: 60 33 02 01 03 04 24 63 6e 3d 4d 61 6e 61 67 65 `3....$cn=Manage
0010: 72 2c 64 63 3d 69 2d 6c 6c 75 6d 69 6e 61 74 69 r,dc=i-lluminati
0020: 6f 6e 2c 64 63 3d 6c 6f 63 61 6c 80 08 26 70 75 on,dc=local..&pu
0030: 34 24 71 2a 2a 4$q**
ber_flush: 58 bytes to sd 3
0000: 30 38 02 01 01 60 33 02 01 03 04 24 63 6e 3d 4d 08...`3....$cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 69 2d 6c 6c 75 6d anager,dc=i-llum
0020: 69 6e 61 74 69 6f 6e 2c 64 63 3d 6c 6f 63 61 6c ination,dc=local
0030: 80 08 26 70 75 34 24 71 2a 2a ..&pu4$q**
ldap_write: want=58, written=58
0000: 30 38 02 01 01 60 33 02 01 03 04 24 63 6e 3d 4d 08...`3....$cn=M
0010: 61 6e 61 67 65 72 2c 64 63 3d 69 2d 6c 6c 75 6d anager,dc=i-llum
0020: 69 6e 61 74 69 6f 6e 2c 64 63 3d 6c 6f 63 61 6c ination,dc=local
0030: 80 08 26 70 75 34 24 71 2a 2a ..&pu4$q**
ldap_result ld 0x8056dd8 msgid 1
ldap_chkResponseList ld 0x8056dd8 msgid 1 all 1
ldap_chkResponseList returns ld 0x8056dd8 NULL
wait4msg ld 0x8056dd8 msgid 1 (infinite timeout)
wait4msg continue ld 0x8056dd8 msgid 1 all 1
** ld 0x8056dd8 Connections:
* host: localhost port: 636 (default)
refcnt: 2 status: Connected
last used: Thu Oct 4 21:28:36 2007
** ld 0x8056dd8 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
** ld 0x8056dd8 Response Queue:
Empty
ldap_chkResponseList ld 0x8056dd8 msgid 1 all 1
ldap_chkResponseList returns ld 0x8056dd8 NULL
ldap_int_select
read1msg: ld 0x8056dd8 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed.
ldap_perror
ldap_result: Can't contact LDAP server (-1) |
I really have no idea what to do now. And the documentation on the internet is, unfortunately, pretty poor.
Anybody? |
|
| Back to top |
|
 |
reavertm
Developer
Joined: 05 Feb 2004
Posts: 265
Location: Wrocław
|
| Posted: Fri Oct 05, 2007 5:42 pm Post subject: |
|
|
run LDAP server (slapd) in verbose mode (I don't remember the switch, maybe -d like 'debug', consult manual) - there should be possibility to add this option in /etc/conf.d/ldap or sth.
and then try to connect as a client, maybe the server is rejecting or just not started (configgured) properly?
_________________
Maciek |
|
| Back to top |
|
|
ianw1974
Guru
Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland
|
| Posted: Fri Oct 05, 2007 7:02 pm Post subject: |
|
|
Do:
and see if ports 389 and 636 are listening. If they are, the output of the command I gave above, should also list slapd against both of these ports for easy identification. If not, run slaptest to check the config file and see where the problems might be. |
|
| Back to top |
|
|
dahoste
Tux's lil' helper
Joined: 01 Dec 2005
Posts: 138
Location: Maryland, USA
|
| Posted: Wed Nov 07, 2007 5:24 pm Post subject: |
|
|
Did the original poster ever find a solution to this? I'm struggling with ldap after an update and am having the same issue -- namely getting the following message when I attempt any communication with ldap: "ldap_bind: Can't contact LDAP server (-1)".
slapd refuses to start, citing the following:
| Code: | bdb_db_open: dbenv_open(/var/lib/openldap-data)
bdb_db_open: Database cannot be opened, err 22. Restore from backup!
====> bdb_cache_release_all
bdb(dc=NEGATIVESUM,dc=NET): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
bdb(dc=NEGATIVESUM,dc=NET): txn_checkpoint interface requires an environment configured for the transaction subsystem
bdb_db_close: txn_checkpoint failed: Invalid argument (22)
backend_startup_one: bi_db_open failed! (22)
slapd shutdown: initiated
====> bdb_cache_release_all
bdb_db_close: alock_close failed
slapd destroy: freeing system resources.
|
And attempts to use manual ldap commands like ldapdelete, ldapsearch, result in this:
| Code: | ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
|
And that's with '-d 5' to get some debug output, and 'debug 256' in /etc/ldap.conf. /var/log/nss_ldap/ldap.* log files get created, but they're always empty.
Additional version info:
| Code: | [ebuild R ] net-nds/openldap-2.3.38 USE="berkdb crypt gdbm kerberos perl readline samba ssl tcpd -debug -ipv6 -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd" 0 kB
[ebuild R ] sys-auth/nss_ldap-253 USE="-debug -sasl" 0 kB
[ebuild R ] sys-auth/pam_ldap-183 USE="ssl -sasl" 0 kB
|
Any suggestions?
This was otherwise a stable ldap config that's been running successfully for over a year.
thanks. |
|
| Back to top |
|
|
ianw1974
Guru
Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland
|
| Posted: Wed Nov 07, 2007 8:39 pm Post subject: |
|
|
When I've had "Can't connect to LDAP Server" it was because the SSL use flag was enabled. In the end, I disabled it just for the openldap package, and my problems went away.
Of course, this was because I didn't need to use SSL functionality for openldap, as I was happy to use on port 389 and not 636. |
|
| Back to top |
|
|
dahoste
Tux's lil' helper
Joined: 01 Dec 2005
Posts: 138
Location: Maryland, USA
|
| Posted: Wed Nov 07, 2007 8:48 pm Post subject: |
|
|
hmm... I can reconfigure for non-SSL ldap, but I'd rather not. The really frustrating thing about this is that 2 days ago I had a perfectly working system. Now, ldap simply doesn't work. At all. Period. And I can't associate it with anything specific.
I'll try non-SSL, as I'm am totally dead in the water at the moment, with nothing else to try.
Note that with 'ssl start_tls' in /etc/ldap.conf, SSL is actually used on port 389 (if I understand the different between 'ssl on' and 'ssl start_tls' correctly).
Anyway, thanks for the reply. Any further advice is also appreciated. |
|
| Back to top |
|
|
ianw1974
Guru
Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland
|
| Posted: Wed Nov 07, 2007 8:50 pm Post subject: |
|
|
I simply went non-ssl because I too had it working and then it stopped, but this was in a matter of a day. After that, I didn't bother to try SSL again. Although I know the reasoning behind preferring to use this.
Have a go with that, when you got standard working, check out SSL after this. |
|
| Back to top |
|
|
dahoste
Tux's lil' helper
Joined: 01 Dec 2005
Posts: 138
Location: Maryland, USA
|
| Posted: Wed Nov 07, 2007 11:44 pm Post subject: |
|
|
[SOLVED] well... if completely deleting the bdb folder and reconstructing the ldap db is 'solving' the problem.
I couldn't get any of the berkeley tools to behave or apparently do anything constructive, so I just wiped the /var/lib/openldap-data folder, re-emerged openldap (just for good measure), and used slapadd to do a full repopulation of the ldap db from a nightly slapcat dump (ldif file).
Had this been a higher traffic production system, I'd probably be pissed. Though I now officially hate ldap. This is like the 4th or 5th time I've wasted hours recovering from some arcane breakage of what is proving to be an annoyingly fragile tool.
Oh well. Sally forth. |
|
| Back to top |
|
|
ianw1974
Guru
Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland
|
| Posted: Thu Nov 08, 2007 7:02 am Post subject: |
|
|
| Try using ldbm instead. I use this as I also had some problems with bdb from time to time. Similar to yours in fact, I had an installation go corrupt. |
|
| Back to top |
|
|
dahoste
Tux's lil' helper
Joined: 01 Dec 2005
Posts: 138
Location: Maryland, USA
|
| Posted: Thu Nov 08, 2007 4:26 pm Post subject: |
|
|
This from the openldap FAQ:
| Quote: | | back-ldbm is obsolete and should not be used. |
http://www.openldap.org/faq/data/cache/756.html
back-hdb seems to have more traction than back-bdb. Maybe that's the way to go. |
|
| Back to top |
|
|
|
Networking & Security
