openldap-technical

openldap-technical@openldap.org

1 participants
9868 discussions

ldap_bind: Can't contact LDAP server (-1)
by Aldo 06 Jul '10

06 Jul '10

Greetings, Any pointers about this question will be greatly appreciated. Thanks in advanced. I've searched all over and tried all suggestions I found so far without success. I've setup a VMWare virtual machine. It's CentOS 5.4 with a static ip address --HostOnly. My initial setup was with default, no TLS. This worked cleanly. I could login with a configured LDAP account. Then I configured TLS and I cannot login with any regular user account, be it LDAP account or local user account. I can only login as root. The /var/log/messages says: Jul 2 17:55:53 ldapServer xfs: nss_ldap: failed to bind to LDAP server ldaps://192.168.150.133/: Can't contact LDAP server Jul 2 17:55:53 ldapServer xfs: nss_ldap: could not search LDAP server - Server is unavailable A QUICK TEST AT THE CLI SAYS: [root@ldapServer]# ldapsearch -x ldap_bind: Can't contact LDAP server (-1) [root@ldapServer]# slapindex bdb_db_open: database already in use backend_startup_one: bi_db_open failed! (-1) slap_startup failed =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- I DID A SERVICE AND CONFIGURATION CHECK [root@ldapServer]# chkconfig --list | grep ldap ldap 0:off 1:off 2:off 3:on 4:off 5:on 6:off [root@ldapServer]# /etc/init.d/ldap stop Stopping slapd: [ OK ] [root@ldapServer openldap]# /etc/init.d/ldap start Checking configuration files for slapd: config file testing succeeded [ OK ] Starting slapd: [ OK ] [root@ldapServerp]# /usr/sbin/slaptest -v -f /etc/openldap/slapd.conf -u config file testing succeeded [root@ldapServer]# service ldap configtest Checking configuration files for slapd: config file testing succeeded [ OK ] THE SERVICE IS RUNNING [root@ldapServer]# ps -ef | grep ldap ldap 7027 1 0 17:12 ? 00:00:00 /usr/sbin/slapd -h ldaps:/// -u ldap THE REQUIRED PORT 636 IS LISTENING. [root@ldapServer]# fuser -n tcp 636 636/tcp: 7027 [root@ldapServer ~]# telnet localhost 636 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. Connection closed by foreign host. [root@ldapServer ~]# netstat -a | grep ldap tcp 0 0 *:ldaps *:* LISTEN tcp 0 0 *:ldaps *:* LISTEN =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- THE CONFIG FILES [root@ldapServer]# cat /etc/openldap/ldap.conf HOST 127.0.0.1 BASE dc=ldapServer,dc=lan URI ldap://127.0.0.1/ TLS_CACERTDIR /etc/openldap/cacerts [root@ldapServer]# cat /etc/openldap/slapd.conf include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args TLSCACertificateFile /etc/openldap/cacerts/server.pem TLSCertificateFile /etc/openldap/cacerts/server.pem TLSCertificateKeyFile /etc/openldap/cacerts/server.pem database bdb suffix "dc=ldapServer,dc=lan" rootdn "cn=Manager,dc=ldapServer,dc=lan" rootpw xxxxxxxxxxxxxxxxxxxxxxxx directory /var/lib/ldap =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- ~af

2 2

Adding new Object Classes
by Alexander Erameh 05 Jul '10

05 Jul '10

Hi, When I try to add the attached Object Class, I get the error messages below: Ldapmodify: invalid format (line 5) entry: "cn=admin,dc=socotherm-africa,dc=com" Ldapmodify: invalid format (line 19) entry: " " Ldapmodify: invalid format (line 29) entry: " " Ldapmodify: invalid format (line 37) entry: " " Please look at the attached file and tell me what I am doing wrong. Alexander

3 5

MemberOf indexing
by Marco Pizzoli 05 Jul '10

05 Jul '10

Hi all, I'm using the memberOf overlay and would like to use it with this kind of search -filter: (memberOf=*ou=foo,dc=it) I tried with "index memberOf sub", but this kind of indexing is prohibited by OL telling me: substr index of attribute "memberOf" disallowed I've seen that in the schema definition of the attribute this attribute is defined as: ( 1.2.840.113556.1.2.102 NAME 'memberOf' DESC 'Group that the entry belongs to' SYNTAX '1.3.6.1.4.1.1466.115.121.1.12' EQUALITY distinguishedNameMatch USAGE dSAOperation X-ORIGIN 'iPlanet Delegated Administrator' ) So only equality matching seems to be allowed, as far as I can understand of course. Is there a way to obtain an index of type sub ("subfinal" in this case)? Thanks in advance Marco -- _________________________________________ Non è forte chi non cade, ma chi cadendo ha la forza di rialzarsi. Jim Morrison

1 0

meta setup
by Gidobo 69 05 Jul '10

05 Jul '10

Hi, I plan to set up a meta directory. It looks like a normal one according to the openldap descriptions so I was surprised that I was unable to find any howto/faq/forum entry/mailing about it. Let me describe it: I have a heterogeneous system and want to have a common ldap system for it. Here is what I have now: Two AD domains An openldap db for a software with internal users. My aim: - To be able to authenticate a domain user from either AD. - To have non-AD users as well. - To have non-AD attributes for all three. So for authentication: If user is an AD user -> authenticate from appropriate DC If user is a non-AD one -> authenticate from openldap If I want non-AD attribute added to AD users as well. If an attribute doesn't exist for an AD user in openldap ask the appropriate DC. This way I could user AD users and their groups through openldap, have independent non-AD users and have attributes for all users in openldap local db regardless of authentication source. Have I missed something and this is too 'exotic'? Example: ad1.company.com -> AD1 users, authenticates from DC1 ad2.company.com -> AD2 users, authenticates from DC2 ldap.company.com -> 'other' users, authenticates from openldap local db Attributes mapped. If user is an AD one and attribute doesn't exists in local DB, proxy the query to AD. Thanks in advance Gidobo

1 1

ldap bind and password policy
by Christian Bösch 05 Jul '10

05 Jul '10

hi, i just added password policy overlay to our openldap servers (2.4.21) it works fine in general. i can change password as user and it gets well replicated between provider and consumer. but since i added password policy i have a strange behaviour: _i do a ldapsearch on the provider and type in a wrong password for the binding user, then i get: ldap_bind: Invalid credentials (49) - as expected _if i do the same on the consumer (type in wrong password for binding) ldapsearch get me search results without to complain about wrong password. it just adds a pwdFailureTime attribute on the provider and consumer. but i also expect to get a ldap_bind: Invalid credentials (49) error? thx for any ideas! /chris

4 8

users in openLDAP
by owen nirvana 05 Jul '10

05 Jul '10

in slapd.conf, rootdn is described as a root user with unlimited priviledge, so other users are recommented to use after slapd.conf was finished. But other users like "cn=replicator" has no corresponding configuration item, should I write user item into bdb. gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

1 0

Mirror Mode and Delta-syncrepl Validation
by Matheus Morais 04 Jul '10

04 Jul '10

Hi there, I already read some threads on this list (openldap-software more precisely) and documentation about Mirror Mode and Delta-syncrepl in a two masters scenario with slaves pointing to some VIP which is an OpenLDAP proxy or a load balancer hardware. I've made some tests on this archtecture and everything is working pretty well, I'm using Delta-syncrepl for consumer (slave) replication when two masters behind the load balancer are using Mirror Mode. I've attached three configuration files, two masters configuration and one for slave. I would appreciate some review, suggestions and critique on them. PS: My main objective here is not a Multi-Master replication solution, is just have a failover option to the masters. Thanks, Matheus Morais

1 0

where should I place ldap.conf in win32
by owen nirvana 02 Jul '10

02 Jul '10

ldap for windows is no ldap.conf after installation. I write client TLS configuation in it. It seems to not work if I put it to OPEN_LDAP_DIR . gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

1 0

why LDAP and LDAPS was opened contemporary
by owen nirvana 02 Jul '10

02 Jul '10

I set tls options to use ldaps. question 1: port 389 is opened yet when I scan the LDAP Server by nmap, but I could not connect it with Apache Directory Studio v1.5.3. question 2: Nmap tell me "server still supports SSLv2", but I set TLSCipherSuite is HIGH:MEDIUM:-SSLv2 question 3: I try to import some data with ldapmodify ldapmodify -a -H ldap://mydomain.org:636 -D "cn=admin,dc=mydomain,dc=org" -x -w whatever -f init.ldif the following is error report: ldap_start_tls : Can't Contact LDAP Server(-1) addition info: error: 14000092: SSL Routine: SSL3_GET_CERTFICATE: certificate verify failed ldap_sasl_bind(Simple): Can't Contact LDAP Server(-1) gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

2 6

how to run LDAP Server with TLS automatic
by owen nirvana 02 Jul '10

02 Jul '10

It seems pem pass phrase is needed everytime, so I could not make it run automatic gtalk:freeespeech@gmail.com <gtalk%3Afreeespeech(a)gmail.com>

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical