ldapsearch result: Can't contact LDAP server (-1)
When I ran into this, I had TCP Wrappers enabled and forgot to enable slapd in the hosts.allow file.
Just add this entry to /etc/hosts.allow:
slapd:ALL
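The hosts.allow fix above, as an added example that is not part of the original answer: a small POSIX sh model of the TCP Wrappers decision described in hosts_access(5) (first match in hosts.allow allows, otherwise first match in hosts.deny denies, otherwise allow), run over constructed hosts.allow and hosts.deny files. It shows why slapd is refused before the entry exists and what a narrower entry than slapd:ALL looks like. The file contents, the ALL: ALL line in hosts.deny and the 192.168.1. subnet are assumptions made for the demo, and only the tokens used here (ALL, a literal address, a dotted prefix) are implemented.

```shell
#!/bin/sh
# Added example, not from the original answer: re-implement the TCP Wrappers
# access decision so a hosts.allow line can be evaluated before touching the
# real files. Order: hosts.allow match -> allow; hosts.deny match -> deny;
# no match anywhere -> allow. Only ALL, a literal host/IP and a dotted
# prefix ("192.168.1.") are handled; the real library also knows LOCAL,
# KNOWN, EXCEPT, net/mask and more.

# match_client PATTERN CLIENT -> 0 if PATTERN covers CLIENT
match_client() {
  case "$1" in
    ALL) return 0 ;;
    *.)  case "$2" in "$1"*) return 0 ;; esac ;;   # "192.168.1." prefix form
    *)   [ "$1" = "$2" ] && return 0 ;;
  esac
  return 1
}

# match_daemon PATTERN DAEMON -> 0 if PATTERN is ALL or the daemon's name
match_daemon() {
  if [ "$1" = ALL ] || [ "$1" = "$2" ]; then return 0; fi
  return 1
}

# list_matches LIST WORD MATCHER -> 0 if any comma/space separated token in
# LIST matches WORD according to MATCHER (one of the functions above)
list_matches() {
  for tok in $(printf '%s' "$1" | tr ',' ' '); do
    if "$3" "$tok" "$2"; then return 0; fi
  done
  return 1
}

# file_matches FILE DAEMON CLIENT -> 0 if a rule "daemon_list : client_list"
# in FILE matches; comments and the optional ": shell_command" field are ignored
file_matches() {
  [ -r "$1" ] || return 1
  while IFS= read -r line || [ -n "$line" ]; do
    line=${line%%#*}                          # strip trailing comment
    case "$line" in *:*) ;; *) continue ;; esac
    dlist=${line%%:*}
    rest=${line#*:}
    clist=${rest%%:*}
    if list_matches "$dlist" "$2" match_daemon &&
       list_matches "$clist" "$3" match_client; then
      return 0
    fi
  done < "$1"
  return 1
}

# hosts_access DAEMON CLIENT ALLOW_FILE DENY_FILE -> prints allow or deny
hosts_access() {
  if file_matches "$3" "$1" "$2"; then echo allow
  elif file_matches "$4" "$1" "$2"; then echo deny
  else echo allow                           # no rule at all: wrappers default
  fi
}

# Constructed sample files (assumption: a host whose hosts.deny says
# "ALL: ALL", which is why slapd needs an explicit hosts.allow entry at all).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
DENY="$WORK/hosts.deny"
printf 'ALL: ALL\n' > "$DENY"
ALLOW_BEFORE="$WORK/hosts.allow.before"       # the state in the question
printf 'sshd: ALL\n' > "$ALLOW_BEFORE"
ALLOW_AFTER="$WORK/hosts.allow.after"         # tighter than "slapd: ALL"
printf 'sshd: ALL\nslapd: 127.0.0.1, 192.168.1.   # loopback + one subnet\n' > "$ALLOW_AFTER"

for f in "$ALLOW_BEFORE" "$ALLOW_AFTER"; do
  for client in 127.0.0.1 192.168.1.20 10.0.0.5; do
    printf '%-19s slapd from %-13s -> %s\n' "${f##*/}" "$client" \
      "$(hosts_access slapd "$client" "$f" "$DENY")"
  done
done
```

slapd:ALL does make ldapsearch work, but it reopens port 389 to every client the hosts.deny rule was meant to keep out; if hosts.deny contains ALL: ALL, list only the addresses that should reach slapd, as the demo does with 127.0.0.1 and a subnet prefix. On a real host the same question can be put to the real files with tcpdmatch(8) from the tcp_wrappers package (for example tcpdmatch slapd 192.168.1.20), and a slapd built with libwrap logs the refused connections it closes as DENIED, which is the server-side counterpart of the "connect success" followed by (-1) seen in the question's trace.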
Author: Neil
Updated on September 18, 2022

Comments
-
Neil, over 1 year ago:
Does anyone know what the problem is?
I installed LDAP:
yum -y install openldap-servers
and then checked whether the installation worked by starting the slapd service and running ldapsearch like this:
ldapsearch -h 127.0.0.1 -x -b '' -s base '(objectclass=*)' namingContexts -d1
Log:
ldap_create
ldap_url_parse_ext(ldap://127.0.0.1)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({i) ber:
ber_flush2: 14 bytes to sd 3
ldap_result ld 0x7f7d211a4350 msgid 1
wait4msg ld 0x7f7d211a4350 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f7d211a4350 msgid 1 all 1
** ld 0x7f7d211a4350 Connections:
* host: 127.0.0.1  port: 389  (default)
  refcnt: 2  status: Connected
  last used: Mon Jan 26 12:05:16 2015

** ld 0x7f7d211a4350 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
  ld 0x7f7d211a4350 request count 1 (abandoned 0)
** ld 0x7f7d211a4350 Response Queue:
   Empty
  ld 0x7f7d211a4350 response count 0
ldap_chkResponseList ld 0x7f7d211a4350 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f7d211a4350 NULL
ldap_int_select
read1msg: ld 0x7f7d211a4350 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
ldap_free_request (origid 1, msgid 1)
ldap_free_connection 1 1
ldap_free_connection: actually freed
After that I tried to configure LDAP, but the problem was the same. So I started from scratch and then asked this question.
My ldap.conf:
#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=example,dc=com
URI     ldap://127.0.0.1 #ldap://ldap-master.example.com:666

#SIZELIMIT      12
#TIMELIMIT      15
#DEREF          never

TLS_CACERTDIR /etc/openldap/certs

# Turning this off breaks GSSAPI used with krb5 when rdns = false
SASL_NOCANON    on
Is it a problem with my CentOS 7 server?
EDIT:
I checked and I can't ping localhost:
ping localhost
or
ping 127.0.0.1
Maybe that is the problem. How can I solve it?
New edit:
Ping is not the problem. Now I can ping, but it still doesn't work. ldapsearch only works like this:
ldapsearch -H ldapi:/// -x -b '' -s base '(objectclass=*)' namingContexts
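Reading the -d1 trace in the question, as an added example that is not part of the original post: a POSIX sh triage script that sorts ldapsearch -d1 output into the different failures that all end in "Can't contact LDAP server (-1)". The question's trace is the "dropped" case: the TCP handshake completed ("connect success"), the request was flushed, and the next read failed, so the server accepted the socket and closed it without answering, which is how slapd behaves when TCP Wrappers refuses the client. The traces fed in below are constructed and abbreviated; the first reproduces the shape of the one in the question, and the errno values are the Linux ECONNREFUSED (111) and ETIMEDOUT (110).

```shell
#!/bin/sh
# Added example, not from the original post: tell apart the failures behind
# ldapsearch's "Can't contact LDAP server (-1)" from its -d1 trace.

# classify_ldap_debug < trace -> prints refused | timeout | dropped | ok | unknown
classify_ldap_debug() {
  connected=no; errno=""; failed=no
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "connect success"*)             connected=yes ;;                 # TCP handshake done
      "connect errno: "*)             errno=${line#connect errno: } ;; # connect() failed
      *"Can't contact LDAP server"*)  failed=yes ;;                    # LDAP_SERVER_DOWN
    esac
  done
  if   [ "$connected" = yes ] && [ "$failed" = yes ]; then echo dropped  # server closed the socket
  elif [ "$connected" = yes ];                        then echo ok
  elif [ "$errno" = 111 ];                            then echo refused  # nothing bound, or REJECT rule
  elif [ "$errno" = 110 ];                            then echo timeout  # DROP rule, or no route back
  else echo unknown
  fi
}

# Constructed traces. The first follows the one in the question; the others
# are what the same command prints against a closed port, a black hole, and
# a working server (debug lines go to stderr, LDIF to stdout; merge with 2>&1).
trace_dropped() { cat <<'EOF'
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect success
ber_flush2: 14 bytes to sd 3
ldap_int_select
read1msg: ld 0x7f7d211a4350 msgid 1 all 1
ber_get_next
ldap_err2string
ldap_result: Can't contact LDAP server (-1)
EOF
}
trace_refused() { cat <<'EOF'
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
EOF
}
trace_timeout() { cat <<'EOF'
ldap_connect_to_host: Trying 192.0.2.10:389
ldap_pvt_connect: fd: 3 tm: 5 async: 0
attempting to connect:
connect errno: 110
ldap_close_socket: 3
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
EOF
}
trace_ok() { cat <<'EOF'
ldap_connect_to_host: Trying 127.0.0.1:389
connect success
ber_flush2: 14 bytes to sd 3
namingContexts: dc=example,dc=com
EOF
}

for t in trace_dropped trace_refused trace_timeout trace_ok; do
  printf '%-14s -> %s\n' "$t" "$($t | classify_ldap_debug)"
done
```

In practice the input is ldapsearch ... -d1 2>&1 | sh triage.sh. "refused" and "timeout" point at the network path (is slapd listening on that address, what do the firewall rules say); "dropped" means the connection reached a process that then hung up, so the next place to look is the server side: slapd's own log and /etc/hosts.allow and /etc/hosts.deny, as the accepted answer found.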
-
Gen, almost 8 years ago: Is your /etc/hosts file alright if you can't even ping 127.0.0.1?
-
alphamikevictor, about 7 years ago: If you look at the debug messages, it says it is connected to LDAP (connect success). Did you try disabling SELinux just for a while to check whether it works after disabling it?
-
Neil, over 9 years ago: It returns the following:
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
-
Centimane, over 9 years ago: Alright, then it should be running. Try again with "ifconfig | grep -e 'LOOPBACK' -A 1" and check that its IP is actually 127.0.0.1.
-
Neil, over 9 years ago: Result:
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
-
Neil, over 9 years ago: It seems to be another problem :(
-
Centimane, over 9 years ago: Well, try replacing '127.0.0.1' with the IP of your machine and see if LDAP works.
-
Neil, over 9 years ago: No :( it still doesn't work. Only with -H ldapi:///.
-
Centimane, over 9 years ago: Sounds less like an LDAP problem and more like a network issue. Is your machine able to communicate with any others?
-
Neil, over 9 years ago: Now I can ping localhost. But LDAP still doesn't work.
-
Centimane, over 9 years ago: If it's still not working, ensure that your ldap.conf is in /etc/openldap/, not just /etc/. You may also want to use authconfig-tui: select [X] Use LDAP, then click Next and fill in your LDAP settings. To make things easier, try disabling TLS to make sure that's not the issue.
-
Neil, over 9 years ago: ldap.conf is only in /etc/openldap/. And does authconfig-tui work over ssh? I've commented out TLS_CACERTDIR in ldap.conf and it's still not working.
-
Centimane, over 9 years ago: Yes, authconfig-tui is a text-based UI; you can use it while ssh'd into the machine.
-
Centimane, over 9 years ago: TLS is probably your issue, but commenting it out of your ldap.conf means your client will use the default location for keys to authenticate, and it will fail. If you check /var/log/messages you will likely see some TLS errors, e.g. failed to authenticate.
-
Neil, over 9 years ago: And why is it required? On a local machine that I tested, it isn't, and it works.
-
Neil, over 9 years ago: Nothing appears about TLS or authentication :( Only this appears:
auditd[805]: Audit daemon rotating log files
-
Centimane, over 9 years ago: TLS adds a level of security to LDAP, functioning in a similar manner to SSH keys. Essentially you create TLS certificates, one for the server and one for clients. When LDAP commands are executed, the clients check that they are querying the right LDAP server (so that someone wouldn't be able to change the LDAP server location by, say, adding a new hostname or specifying -H). For more information, check out openldap.org/doc/admin24/tls.html
-
Neil, over 9 years ago: If my intention is simple Apache authentication, do you recommend installing authconfig-tui or not? Thanks for your patience, I'm really a newbie :( and I'm not sure if I'm doing it right.
-
Centimane, over 9 years ago: If system-config-authentication is installed you can use that as well; it's similar to authconfig-tui. If neither is installed I'd definitely recommend one of the two, to make it easier for you than editing the configuration files.
-
Neil, over 9 years ago: Can I solve my problem with that? And how? Can we talk in chat?
-
Centimane, over 9 years ago: You can enter LDAP server information into a client by running 'system-config-authentication' on the client and filling in the form. In this case the same machine is both the client and the server, but that's fine. I can't chat now, as I am at work, and will be for a few more hours.
-
Neil, over 9 years ago: I think that is not what I'm looking for. :/