ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) for ldapi:/// on CentOS
Per @84104's comment, /etc/openldap/ldap.conf
is the client configuration.
Server configuration on CentOS6 is in /etc/sysconfig/ldap
(not slapd
). I made sure it included the following line:
# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
SLAPD_LDAPI=yes
And restarted the LDAP server:
service slapd restart
After this, ldapi:///
is available and ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'
succeeds.
Related videos on Youtube
Leo
I’m a Senior Site Reliability Engineer at Autonomic. I do Golang, Ruby, JS, Python, Elixir, as well as web scale devops with Terraform, Ansible, Kubernetes and Docker.
Updated on September 18, 2022Comments
-
Leo over 1 year
(This is a follow-up to ldap_modify: Insufficient access (50) when changing password as we identified a separate issue during diagnostics.)
Before modifying the cn=config LDAP database, I'm trying to access it. However, I'm getting a
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
error.# ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' -d1 ldap_url_parse_ext(ldapi:///) ldap_create ldap_url_parse_ext(ldapi:///??base) ldap_sasl_interactive_bind: user selected: EXTERNAL ldap_int_sasl_bind: EXTERNAL ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_path ldap_new_socket: 3 ldap_connect_to_path: Trying /var/run/ldapi ldap_connect_timeout: fd: 3 tm: -1 async: 0 ldap_ndelay_on: 3 ldap_close_socket: 3 ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
ldapi://
(but notldapi:///
?) looks defined in/etc/openldap/ldap.conf
:# # LDAP Defaults # # See ldap.conf(5) for details # This file should be world readable but not world writable. BASE dc=my_domain,dc=com #URI ldap://ldap.example.com ldap://ldap-master.example.com:666 URI ldap:// ldapi:// ldaps:// #SIZELIMIT 12 #TIMELIMIT 15 #DEREF never TLS_CACERTDIR /etc/openldap/certs
I get the same ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) error after stopping the firewall (
service iptables stop
), so the firewall is not the issue.The socket file for ldapi does not look defined:
ls -la /var/run/ldapi
ls: cannot access /var/run/ldapi: No such file or directory
Here are the other files in /var/run:
[root@my_hostname ~]# ls -la /var/run/ total 128 drwxr-xr-x. 19 root root 4096 Oct 30 13:13 . drwxr-xr-x. 20 root root 4096 Oct 20 09:23 .. drwxr-xr-x. 2 root root 4096 Oct 23 23:11 abrt -rw-r--r-- 1 root root 5 Oct 23 23:11 abrtd.pid -rw-r--r-- 1 root root 5 Oct 23 23:11 atd.pid -rw-r--r-- 1 root root 4 Oct 23 23:11 auditd.pid drwxr-xr-x. 2 root root 4096 Aug 18 09:26 console drwxr-xr-x. 2 root root 4096 Nov 10 2010 ConsoleKit -rw-r--r-- 1 root root 5 Oct 23 23:11 crond.pid ---------- 1 root root 0 Oct 23 23:11 cron.reboot drwxr-xr-x. 2 root root 4096 Oct 23 23:11 dbus drwxr-xr-x 2 root root 4096 Oct 23 23:11 fail2ban drwxr-xr-x. 2 root root 4096 Aug 18 09:26 faillock drwx------. 2 haldaemon haldaemon 4096 Oct 15 2014 hald -rw-r--r-- 1 root root 5 Oct 23 23:11 haldaemon.pid -rw-r--r-- 1 root root 5 Oct 23 23:11 irqbalance.pid drwx------. 2 root root 4096 Sep 22 09:15 lvm drwx------. 2 root root 4096 Jul 24 03:23 mdadm -rw-r--r-- 1 root root 5 Oct 23 23:11 messagebus.pid drwxrwxr-x. 2 root root 4096 Sep 22 11:47 netreport drwxr-xr-x 2 ldap ldap 4096 Oct 30 13:13 openldap drwxr-xr-x. 2 root root 4096 Aug 11 2014 plymouth drwxr-xr-x. 4 root root 4096 Oct 15 2014 pm-utils drwxr-xr-x 2 root root 4096 Oct 23 23:11 portreserve drwxr-xr-x. 2 root root 4096 Mar 25 2015 saslauthd drwxr-xr-x. 2 root root 4096 Aug 18 09:26 sepermit drwxr-xr-x. 2 root root 4096 Oct 15 2014 setrans -rw-r--r-- 2 ldap ldap 6 Oct 30 13:13 slapd.pid -rw-r--r-- 1 root root 5 Oct 23 23:11 sshd.pid -rw------- 1 root root 5 Oct 23 23:11 syslogd.pid -rw-rw-r-- 1 root utmp 5376 Nov 3 11:16 utmp -rw-r--r-- 1 root root 5 Oct 23 23:11 xe-daemon.pid [root@my_hostname ~]# ls -la /var/run/openldap/ total 16 drwxr-xr-x 2 ldap ldap 4096 Oct 30 13:13 . drwxr-xr-x. 19 root root 4096 Oct 30 13:13 .. -rw-r--r-- 1 ldap ldap 39 Oct 30 13:13 slapd.args -rw-r--r-- 2 ldap ldap 6 Oct 30 13:13 slapd.pid
slapd
looks like it's started with ldaps but not ldapi:# ps auxf | grep slapd root 28776 0.0 0.0 103308 836 pts/0 S+ 11:23 0:00 \_ grep slapd ldap 29398 0.0 1.0 370152 20348 ? Ssl Oct30 0:00 /usr/sbin/slapd -h ldaps:/// -u ldap
The only mention of ldaps: in /etc/openldap also mentions ldapi:
# grep -R 'ldaps:' /etc/openldap/ /etc/openldap/ldap.conf:URI ldap:// ldapi:// ldaps://
How do I make sure
ldapi:///
is available?-
84104 over 8 years
/etc/openldap/ldap.conf
is the client configuration. You'll want to look at/etc/sysconfig/slapd and
ss -lxp | grep slapd`. -
Leo over 8 years@84104: Thanks, that led me to the solution. I've submitted an answer, but if you want to resubmit it under your name I'll accept it.
-