Gentoo Forums
Networking & Security
Ldap: Can't contact
René1983
Tux's lil' helper

Joined: 15 Dec 2003
Posts: 108
Location: Netherlands

PostPosted: Thu Oct 04, 2007 7:22 pm    Post subject: Ldap: Can't contact

Today I've been busy with LDAP. Somehow it won't work. The server starts, but when I do a:

Code:
ldapsearch -D "cn=Manager,dc=domainname,dc=local" -W -d 255


I get the following error:
Code:

ldap_create
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_perror
ldap_bind: Can't contact LDAP server (-1)


Because I configured my server with ssl I also tried to connect at port 636:

Code:
ldap_create
ldap_url_parse_ext(ldap://localhost:636)
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x0805f208 ptr=0x0805f208 end=0x0805f242 len=58
  0000:  30 38 02 01 01 60 33 02  01 03 04 24 63 6e 3d 4d   08...`3....$cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 69 2d 6c 6c 75 6d   anager,dc=i-llum
  0020:  69 6e 61 74 69 6f 6e 2c  64 63 3d 6c 6f 63 61 6c   ination,dc=local
  0030:  80 08 26 70 75 34 24 71  2a 2a                     ..&pu4$q**
ber_scanf fmt ({i) ber:
ber_dump: buf=0x0805f208 ptr=0x0805f20d end=0x0805f242 len=53
  0000:  60 33 02 01 03 04 24 63  6e 3d 4d 61 6e 61 67 65   `3....$cn=Manage
  0010:  72 2c 64 63 3d 69 2d 6c  6c 75 6d 69 6e 61 74 69   r,dc=i-lluminati
  0020:  6f 6e 2c 64 63 3d 6c 6f  63 61 6c 80 08 26 70 75   on,dc=local..&pu
  0030:  34 24 71 2a 2a                                     4$q**
ber_flush: 58 bytes to sd 3
  0000:  30 38 02 01 01 60 33 02  01 03 04 24 63 6e 3d 4d   08...`3....$cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 69 2d 6c 6c 75 6d   anager,dc=i-llum
  0020:  69 6e 61 74 69 6f 6e 2c  64 63 3d 6c 6f 63 61 6c   ination,dc=local
  0030:  80 08 26 70 75 34 24 71  2a 2a                     ..&pu4$q**
ldap_write: want=58, written=58
  0000:  30 38 02 01 01 60 33 02  01 03 04 24 63 6e 3d 4d   08...`3....$cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 69 2d 6c 6c 75 6d   anager,dc=i-llum
  0020:  69 6e 61 74 69 6f 6e 2c  64 63 3d 6c 6f 63 61 6c   ination,dc=local
  0030:  80 08 26 70 75 34 24 71  2a 2a                     ..&pu4$q**
ldap_result ld 0x8056dd8 msgid 1
ldap_chkResponseList ld 0x8056dd8 msgid 1 all 1
ldap_chkResponseList returns ld 0x8056dd8 NULL
wait4msg ld 0x8056dd8 msgid 1 (infinite timeout)
wait4msg continue ld 0x8056dd8 msgid 1 all 1
** ld 0x8056dd8 Connections:
* host: localhost  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Oct  4 21:28:36 2007

** ld 0x8056dd8 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8056dd8 Response Queue:
   Empty
ldap_chkResponseList ld 0x8056dd8 msgid 1 all 1
ldap_chkResponseList returns ld 0x8056dd8 NULL
ldap_int_select
read1msg: ld 0x8056dd8 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0

ber_get_next failed.
ldap_perror
ldap_result: Can't contact LDAP server (-1)


I really have no idea what to do now. And the documentation on the internet is, unfortunately, pretty poor.

Anybody?
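Two things a practitioner would want to check in the debug output above, shown as an added example that is not part of the original post or of OpenLDAP. First, the second trace opens with `ldap_url_parse_ext(ldap://localhost:636)`: the client spoke plain LDAP to the TLS port (an `ldaps://` URL would have started a TLS handshake first), and a listener that expects a TLS ClientHello and instead receives a BER SEQUENCE closes the socket, which the client reports as `ldap_read: want=8, got=0` and then `Can't contact LDAP server (-1)`. Second, the 58 bytes that `ber_flush` dumped are a complete simple BindRequest, and a simple bind carries the password in the clear, so the dump as posted contains the Manager credential. The decoder below is a hand-written minimal BER reader (no python-ldap or pyasn1) that covers just the elements of an LDAP BindRequest; `BIND_REQUEST` is copied from the hex dump in the post, and `classify_first_bytes` is the one-line test that separates the two protocols on port 636.

```python
"""Decode the BindRequest that ldapsearch -d 255 dumped in the post above.

Added example, not from the original post or from OpenLDAP.  BIND_REQUEST is
copied from the "ber_flush: 58 bytes to sd 3" hex dump; the BER reader is a
minimal hand-written one covering only what an LDAP BindRequest
(RFC 4511 section 4.2) contains.
"""

# Bytes copied from the ber_flush hex dump in the post.
BIND_REQUEST = bytes.fromhex(
    "30 38 02 01 01 60 33 02 01 03 04 24 63 6e 3d 4d "
    "61 6e 61 67 65 72 2c 64 63 3d 69 2d 6c 6c 75 6d "
    "69 6e 61 74 69 6f 6e 2c 64 63 3d 6c 6f 63 61 6c "
    "80 08 26 70 75 34 24 71 2a 2a"
)


def read_tlv(buf, pos):
    """Read one BER tag-length-value at buf[pos]; return (tag, value, next_pos).

    Short-form and long-form (0x81..0x84) lengths are handled; LDAP never
    uses indefinite length, so 0x80 is rejected.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER element runs past end of buffer")
    return tag, buf[pos:end], end


def read_int(value):
    return int.from_bytes(value, "big", signed=True)


def decode_bind_request(msg):
    """Decode LDAPMessage { messageID INTEGER, protocolOp BindRequest }."""
    tag, body, end = read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE LDAPMessage, got tag 0x%02x" % tag)
    if end != len(msg):
        raise ValueError("trailing bytes after LDAPMessage")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    tag, op, pos = read_tlv(body, pos)
    if tag != 0x60:  # [APPLICATION 0] BindRequest
        raise ValueError("protocolOp 0x%02x is not a BindRequest" % tag)
    tag, ver, p = read_tlv(op, 0)
    if tag != 0x02:
        raise ValueError("version must be INTEGER")
    tag, name, p = read_tlv(op, p)
    if tag != 0x04:
        raise ValueError("name must be OCTET STRING (LDAPDN)")
    tag, cred, p = read_tlv(op, p)
    if tag == 0x80:
        # [0] simple: the password travels as a plain OCTET STRING.
        auth = {"method": "simple", "password": cred.decode()}
    elif tag == 0xA3:
        # [3] sasl: SEQUENCE { mechanism OCTET STRING, credentials OPTIONAL }
        _, mech, _ = read_tlv(cred, 0)
        auth = {"method": "sasl", "mechanism": mech.decode()}
    else:
        raise ValueError("unknown authentication choice 0x%02x" % tag)
    return {
        "message_id": read_int(mid),
        "version": read_int(ver),
        "name": name.decode(),
        "auth": auth,
    }


def classify_first_bytes(data):
    """Classify the first bytes a client puts on the wire.

    A plain LDAP PDU starts with the BER SEQUENCE tag 0x30; a TLS handshake
    starts with record type 0x16 and version major 0x03.  A ldaps listener
    expects the second and gets the first from ldap://host:636.
    """
    if len(data) >= 2 and data[0] == 0x16 and data[1] == 0x03:
        return "tls"
    if data[:1] == b"\x30":
        return "ldap-ber"
    return "unknown"


if __name__ == "__main__":
    req = decode_bind_request(BIND_REQUEST)
    print("first bytes look like:", classify_first_bytes(BIND_REQUEST))
    print("bind as %s, LDAPv%d, %s auth, %d-byte password" % (
        req["name"], req["version"], req["auth"]["method"],
        len(req["auth"]["password"])))
```

The practical consequences: use `-H ldaps://localhost:636` (or `-ZZ` against 389 for StartTLS) rather than `ldap://` on 636, and scrub `-d 255` output before posting it, because a simple bind at that debug level prints the credential in the hex dump.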
reavertm
Developer

Joined: 05 Feb 2004
Posts: 265
Location: Wrocław

PostPosted: Fri Oct 05, 2007 5:42 pm

run LDAP server (slapd) in verbose mode (I don't remember the switch, maybe -d like 'debug', consult manual) - there should be a possibility to add this option in /etc/conf.d/ldap or something.

and then try to connect as a client, maybe the server is rejecting or just not started (configured) properly?
_________________
Maciek
ianw1974
Guru

Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland

PostPosted: Fri Oct 05, 2007 7:02 pm

Do:

Code:
netstat -tunlp


and see if ports 389 and 636 are listening. If they are, the output of the command I gave above should also list slapd against both of these ports for easy identification. If not, run slaptest to check the config file and see where the problems might be.
dahoste
Tux's lil' helper

Joined: 01 Dec 2005
Posts: 138
Location: Maryland, USA

PostPosted: Wed Nov 07, 2007 5:24 pm

Did the original poster ever find a solution to this? I'm struggling with ldap after an update and am having the same issue -- namely getting the following message when I attempt any communication with ldap: "ldap_bind: Can't contact LDAP server (-1)".

slapd refuses to start, citing the following:

Code:
bdb_db_open: dbenv_open(/var/lib/openldap-data)
bdb_db_open: Database cannot be opened, err 22. Restore from backup!
====> bdb_cache_release_all
bdb(dc=NEGATIVESUM,dc=NET): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
bdb(dc=NEGATIVESUM,dc=NET): txn_checkpoint interface requires an environment configured for the transaction subsystem
bdb_db_close: txn_checkpoint failed: Invalid argument (22)
backend_startup_one: bi_db_open failed! (22)
slapd shutdown: initiated
====> bdb_cache_release_all
bdb_db_close: alock_close failed
slapd destroy: freeing system resources.


And attempts to use manual ldap commands like ldapdelete, ldapsearch, result in this:

Code:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_perror
ldap_bind: Can't contact LDAP server (-1)



And that's with '-d 5' to get some debug output, and 'debug 256' in /etc/ldap.conf. /var/log/nss_ldap/ldap.* log files get created, but they're always empty.

Additional version info:

Code:
[ebuild   R   ] net-nds/openldap-2.3.38  USE="berkdb crypt gdbm kerberos perl readline samba ssl tcpd -debug -ipv6 -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd" 0 kB
[ebuild   R   ] sys-auth/nss_ldap-253  USE="-debug -sasl" 0 kB
[ebuild   R   ] sys-auth/pam_ldap-183  USE="ssl -sasl" 0 kB


Any suggestions?

This was otherwise a stable ldap config that's been running successfully for over a year.

thanks.
ianw1974
Guru

Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland

PostPosted: Wed Nov 07, 2007 8:39 pm

When I've had "Can't connect to LDAP Server" it was because the SSL use flag was enabled. In the end, I disabled it just for the openldap package, and my problems went away.

Of course, this was because I didn't need to use SSL functionality for openldap, as I was happy to use on port 389 and not 636.
dahoste
Tux's lil' helper

Joined: 01 Dec 2005
Posts: 138
Location: Maryland, USA

PostPosted: Wed Nov 07, 2007 8:48 pm

hmm... I can reconfigure for non-SSL ldap, but I'd rather not. The really frustrating thing about this is that 2 days ago I had a perfectly working system. Now, ldap simply doesn't work. At all. Period. And I can't associate it with anything specific.

I'll try non-SSL, as I am totally dead in the water at the moment, with nothing else to try.

Note that with 'ssl start_tls' in /etc/ldap.conf, SSL is actually used on port 389 (if I understand the difference between 'ssl on' and 'ssl start_tls' correctly).

Anyway, thanks for the reply. Any further advice is also appreciated.
ianw1974
Guru

Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland

PostPosted: Wed Nov 07, 2007 8:50 pm

I simply went non-ssl because I too had it working and then it stopped, but this was in a matter of a day. After that, I didn't bother to try SSL again. Although I know the reasoning behind preferring to use this.

Have a go with that; when you've got standard working, check out SSL after this.
dahoste
Tux's lil' helper

Joined: 01 Dec 2005
Posts: 138
Location: Maryland, USA

PostPosted: Wed Nov 07, 2007 11:44 pm

[SOLVED] well... if completely deleting the bdb folder and reconstructing the ldap db is 'solving' the problem.

I couldn't get any of the berkeley tools to behave or apparently do anything constructive, so I just wiped the /var/lib/openldap-data folder, re-emerged openldap (just for good measure), and used slapadd to do a full repopulation of the ldap db from a nightly slapcat dump (ldif file).

Had this been a higher traffic production system, I'd probably be pissed. Though I now officially hate ldap. This is like the 4th or 5th time I've wasted hours recovering from some arcane breakage of what is proving to be an annoyingly fragile tool.

Oh well. Sally forth.
ianw1974
Guru

Joined: 18 Oct 2006
Posts: 387
Location: UK and Poland

PostPosted: Thu Nov 08, 2007 7:02 am
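The recovery in the post above (wipe /var/lib/openldap-data, then `slapadd` the nightly `slapcat` LDIF) only works if the dump itself is sound, and it is worth knowing that before the old database is gone. The checker below is an added example, not code from the post or from OpenLDAP: it parses LDIF (comments, folded continuation lines, base64 `::` values) and flags the conditions slapadd rejects or that indicate a truncated dump: an entry with no `dn:`, duplicate DNs, a DN outside the suffix of the first entry, a child whose parent has not appeared earlier in the file, and an entry without `objectClass`. `SAMPLE_LDIF` is a small constructed dump standing in for the real file; run the script with the path to the real backup as its argument.

```python
"""Sanity-check a slapcat LDIF dump before wiping a corrupt bdb database and
rebuilding it with slapadd.

Added example, not from the original post or from OpenLDAP.  SAMPLE_LDIF is
a constructed stand-in for a nightly slapcat dump.
"""
import base64
import sys

SAMPLE_LDIF = """\
# constructed slapcat output for the example
dn: dc=example,dc=local
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: ou=People,dc=example,dc=local
objectClass: organizationalUnit
ou: People

dn: uid=rene,ou=People,dc=example,dc=local
objectClass: inetOrgPerson
uid: rene
cn: Rene
sn: Example
userPassword:: e1NTSEF9Y29uc3RydWN0ZWQ=
description: a long value that slapcat folded onto
  two lines
"""


def parse_ldif(text):
    """Return a list of (dn, {attr: [values]}) in file order.

    Continuation lines (leading space) are unfolded first; 'attr:: v' is
    base64.  Records are separated by blank lines; the last record needs no
    trailing blank line.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries = []
    current = None
    for line in lines + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if current is not None:
                entries.append(current)
                current = None
            continue
        idx = line.find(":")
        if idx < 0:
            raise ValueError("malformed LDIF line: %r" % line)
        attr = line[:idx]
        if line[idx + 1:idx + 2] == ":":
            value = base64.b64decode(line[idx + 2:].strip()).decode("utf-8", "replace")
        else:
            value = line[idx + 1:].strip()
        if current is None:
            if attr.lower() != "dn":
                raise ValueError("entry does not start with dn: (%r)" % line)
            current = (value, {})
        else:
            current[1].setdefault(attr, []).append(value)
    return entries


def norm_dn(dn):
    """Lower-case and strip spaces around commas so comparisons follow the
    case-insensitive matching of the attribute types used here."""
    return ",".join(p.strip() for p in dn.split(",")).lower()


def parent_dn(dn):
    """Drop the leading RDN.  Splitting on ',' is adequate for slapcat output
    whose RDN values contain no escaped commas."""
    parts = dn.split(",", 1)
    return parts[1] if len(parts) == 2 else ""


def check_dump(text):
    """Return a list of problems; an empty list means slapadd should accept it."""
    entries = parse_ldif(text)
    if not entries:
        return ["dump contains no entries"]
    suffix = norm_dn(entries[0][0])
    seen = set()
    problems = []
    for dn, attrs in entries:
        n = norm_dn(dn)
        if n in seen:
            problems.append("duplicate dn: %s" % dn)
        seen.add(n)
        if n != suffix and not n.endswith("," + suffix):
            problems.append("dn outside suffix %s: %s" % (suffix, dn))
        elif n != suffix and parent_dn(n) not in seen:
            problems.append("parent of %s not loaded before it" % dn)
        if not any(a.lower() == "objectclass" for a in attrs):
            problems.append("no objectClass: %s" % dn)
    return problems


if __name__ == "__main__":
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    issues = check_dump(data)
    print("\n".join(issues) if issues else "dump looks loadable")
    sys.exit(1 if issues else 0)
```

slapadd writes entries in the order it reads them and needs each parent before its children, so a dump whose order was disturbed (or that was cut off mid-entry) is caught here rather than halfway through a restore into an empty directory.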

Try using ldbm instead. I use this as I also had some problems with bdb from time to time. Similar to yours in fact, I had an installation go corrupt.
dahoste
Tux's lil' helper

Joined: 01 Dec 2005
Posts: 138
Location: Maryland, USA

PostPosted: Thu Nov 08, 2007 4:26 pm

This from the openldap FAQ:

Quote:
back-ldbm is obsolete and should not be used.


http://www.openldap.org/faq/data/cache/756.html

back-hdb seems to have more traction than back-bdb. Maybe that's the way to go.