ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) for ldapi:/// on CentOS


Per @84104's comment, /etc/openldap/ldap.conf is the client configuration.

Server configuration on CentOS 6 is in /etc/sysconfig/ldap (not slapd). I made sure it included the following line:

# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: yes
SLAPD_LDAPI=yes

And restarted the LDAP server:

service slapd restart

After this, ldapi:/// is available and ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' succeeds.
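As an added example (not code from the original answer), the following POSIX sh script checks the two things this thread's diagnosis turned on: whether /etc/sysconfig/ldap enables the listener, and whether the running slapd's -h argument (as recorded in /var/run/openldap/slapd.args, or shown by ps) includes an ldapi: URL. The function names and default paths are assumptions that match the CentOS 6 layout shown above.

```sh
#!/bin/sh
# Added example, not code from the original thread. Checks the SLAPD_LDAPI
# setting in /etc/sysconfig/ldap and the -h listener list slapd was actually
# started with. Paths are assumptions matching the CentOS 6 layout in the thread.

# Returns 0 when the sysconfig file enables ldapi. Commented lines are ignored (a
# plain grep would match the "default: yes" comment); an absent setting means yes.
sysconfig_ldapi_enabled() {
    val=$(sed -n 's/^[[:space:]]*SLAPD_LDAPI=//p' "$1" | tail -n 1 | tr -d '" \t')
    case "${val:-yes}" in
        [Yy][Ee][Ss]) return 0 ;;
        *)            return 1 ;;
    esac
}

# Returns 0 when a slapd command line lists an ldapi: URL after -h. Tokens after
# -h are listener URLs until the next option; quotes around the list are tolerated.
slapd_args_have_ldapi() {
    in_h=0
    for tok in $1; do
        tok=${tok#\"}; tok=${tok%\"}
        if [ "$in_h" -eq 1 ]; then
            case "$tok" in
                -*)      in_h=0 ;;
                ldapi:*) return 0 ;;
            esac
        fi
        [ "$tok" = "-h" ] && in_h=1
    done
    return 1
}

# Live report for the local host; reads the same files the thread inspected.
ldapi_report() {
    sysconfig=${1:-/etc/sysconfig/ldap}
    argsfile=${2:-/var/run/openldap/slapd.args}
    sock=${3:-/var/run/ldapi}
    if sysconfig_ldapi_enabled "$sysconfig"; then
        echo "config:  SLAPD_LDAPI enabled in $sysconfig"
    else
        echo "config:  SLAPD_LDAPI disabled; set SLAPD_LDAPI=yes, then: service slapd restart"
    fi
    if [ -r "$argsfile" ] && slapd_args_have_ldapi "$(cat "$argsfile")"; then
        echo "running: slapd started with an ldapi listener"
    else
        echo "running: slapd not started with ldapi (see $argsfile or ps auxf | grep slapd)"
    fi
    [ -S "$sock" ] && echo "socket:  $sock present" || echo "socket:  $sock missing"
}
```

Run `ldapi_report` as root on the server; a "config: enabled" line paired with "running: not started with ldapi" means slapd has not been restarted since the setting was changed.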

Author: Leo

I’m a Senior Site Reliability Engineer at Autonomic. I do Golang, Ruby, JS, Python, Elixir, as well as web scale devops with Terraform, Ansible, Kubernetes and Docker.

Updated on September 18, 2022

Comments

  • Leo
    Leo over 1 year

    (This is a follow-up to ldap_modify: Insufficient access (50) when changing password as we identified a separate issue during diagnostics.)

    Before modifying the cn=config LDAP database, I'm trying to access it. However, I'm getting a ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) error.

    # ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' -d1
    ldap_url_parse_ext(ldapi:///)
    ldap_create
    ldap_url_parse_ext(ldapi:///??base)
    ldap_sasl_interactive_bind: user selected: EXTERNAL
    ldap_int_sasl_bind: EXTERNAL
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_path
    ldap_new_socket: 3
    ldap_connect_to_path: Trying /var/run/ldapi
    ldap_connect_timeout: fd: 3 tm: -1 async: 0
    ldap_ndelay_on: 3
    ldap_close_socket: 3
    ldap_msgfree
    ldap_err2string
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
    

    ldapi:// (but not ldapi:/// ?) looks defined in /etc/openldap/ldap.conf:

    #
    # LDAP Defaults
    #
    
    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.
    
    BASE    dc=my_domain,dc=com
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
    URI     ldap:// ldapi:// ldaps://
    
    #SIZELIMIT  12
    #TIMELIMIT  15
    #DEREF          never
    
    TLS_CACERTDIR /etc/openldap/certs
    

    I get the same ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) error after stopping the firewall (service iptables stop), so the firewall is not the issue.

    The socket file for ldapi does not look defined:

    ls -la /var/run/ldapi

    ls: cannot access /var/run/ldapi: No such file or directory

    Here are the other files in /var/run:

    [root@my_hostname ~]# ls -la /var/run/
    total 128
    drwxr-xr-x. 19 root      root      4096 Oct 30 13:13 .
    drwxr-xr-x. 20 root      root      4096 Oct 20 09:23 ..
    drwxr-xr-x.  2 root      root      4096 Oct 23 23:11 abrt
    -rw-r--r--   1 root      root         5 Oct 23 23:11 abrtd.pid
    -rw-r--r--   1 root      root         5 Oct 23 23:11 atd.pid
    -rw-r--r--   1 root      root         4 Oct 23 23:11 auditd.pid
    drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 console
    drwxr-xr-x.  2 root      root      4096 Nov 10  2010 ConsoleKit
    -rw-r--r--   1 root      root         5 Oct 23 23:11 crond.pid
    ----------   1 root      root         0 Oct 23 23:11 cron.reboot
    drwxr-xr-x.  2 root      root      4096 Oct 23 23:11 dbus
    drwxr-xr-x   2 root      root      4096 Oct 23 23:11 fail2ban
    drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 faillock
    drwx------.  2 haldaemon haldaemon 4096 Oct 15  2014 hald
    -rw-r--r--   1 root      root         5 Oct 23 23:11 haldaemon.pid
    -rw-r--r--   1 root      root         5 Oct 23 23:11 irqbalance.pid
    drwx------.  2 root      root      4096 Sep 22 09:15 lvm
    drwx------.  2 root      root      4096 Jul 24 03:23 mdadm
    -rw-r--r--   1 root      root         5 Oct 23 23:11 messagebus.pid
    drwxrwxr-x.  2 root      root      4096 Sep 22 11:47 netreport
    drwxr-xr-x   2 ldap      ldap      4096 Oct 30 13:13 openldap
    drwxr-xr-x.  2 root      root      4096 Aug 11  2014 plymouth
    drwxr-xr-x.  4 root      root      4096 Oct 15  2014 pm-utils
    drwxr-xr-x   2 root      root      4096 Oct 23 23:11 portreserve
    drwxr-xr-x.  2 root      root      4096 Mar 25  2015 saslauthd
    drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 sepermit
    drwxr-xr-x.  2 root      root      4096 Oct 15  2014 setrans
    -rw-r--r--   2 ldap      ldap         6 Oct 30 13:13 slapd.pid
    -rw-r--r--   1 root      root         5 Oct 23 23:11 sshd.pid
    -rw-------   1 root      root         5 Oct 23 23:11 syslogd.pid
    -rw-rw-r--   1 root      utmp      5376 Nov  3 11:16 utmp
    -rw-r--r--   1 root      root         5 Oct 23 23:11 xe-daemon.pid
    
    [root@my_hostname ~]# ls -la /var/run/openldap/
    total 16
    drwxr-xr-x   2 ldap ldap 4096 Oct 30 13:13 .
    drwxr-xr-x. 19 root root 4096 Oct 30 13:13 ..
    -rw-r--r--   1 ldap ldap   39 Oct 30 13:13 slapd.args
    -rw-r--r--   2 ldap ldap    6 Oct 30 13:13 slapd.pid
    

    slapd looks like it's started with ldaps but not ldapi:

    # ps auxf | grep slapd
    root     28776  0.0  0.0 103308   836 pts/0    S+   11:23   0:00          \_ grep slapd
    ldap     29398  0.0  1.0 370152 20348 ?        Ssl  Oct30   0:00 /usr/sbin/slapd -h  ldaps:/// -u ldap
    

    The only mention of ldaps: in /etc/openldap also mentions ldapi:

    # grep -R 'ldaps:' /etc/openldap/
    /etc/openldap/ldap.conf:URI ldap:// ldapi:// ldaps://
    

    How do I make sure ldapi:/// is available?

    • 84104
      84104 over 8 years
/etc/openldap/ldap.conf is the client configuration. You'll want to look at /etc/sysconfig/slapd and ss -lxp | grep slapd.
    • Leo
      Leo over 8 years
      @84104: Thanks, that led me to the solution. I've submitted an answer, but if you want to resubmit it under your name I'll accept it.