Hi,

Trying to configure an LDAP client connection for AD. In ldap.conf, what configuration needs to be carried out, e.g. is it required for PAM & NSS configuration? I tried with an ldap command as an initial test, but am getting the below error:

./ldapsearch -x -W -h 10.10.10.10 -b "CN=testuser,OU=Users,OU=KeyPairIN,OU=KeyPair,DC=keypair,DC=internal" -S sub
Enter LDAP Password: ***
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Please let me know what needs to be included.

Thanks,
Santosh
Sr Software developer
Santosh Kumar wrote:
> ./ldapsearch -x -W -h 10.10.10.10 -b "CN=testuser,OU=Users,OU=KeyPairIN,OU=KeyPair,DC=keypair,DC=internal" -S sub
> Enter LDAP Password: ***
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
This means the server is not reachable at TCP level. Make sure your AD is reachable on the IP address given with -h.
Ciao, Michael.
I have encountered this issue before. This I fixed by allowing permissions (anonymous read) on the ADS. By default anonymous read on ADS is not allowed by Windows. To do this you need to select a DC from the ADS, right click on it and add the "ANONYMOUS LOGON" user to it. Then change the permission to "list all contents". This will work then.
Let me know.
Thanks,
Sankhadip

----- Original Message -----
From: "Michael Ströder" michael@stroeder.com
To: "Santosh Kumar" santosh.kb@rediffmail.com
Cc: openldap-technical@openldap.org
Sent: Friday, March 06, 2009 5:59 AM
Subject: Re: openldap client configuration to connect to AD
Santosh Kumar wrote:
./ldapsearch -x -W -h 10.10.10.10 -b "CN=testuser,OU=Users,OU=KeyPairIN,OU=KeyPair,DC=keypair,DC=internal" -S sub
Enter LDAP Password: ***
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
This means the server is not reachable at TCP level. Make sure your AD is reachable on the IP address given with -h.
Ciao, Michael.
Sankhadip Sengupta wrote:
> I have encountered this issue before. This I fixed by allowing permissions (anonymous read) on the ADS. By default anonymous read on ADS is not allowed by Windows. To do this you need to select a DC from the ADS, right click on it and add the "ANONYMOUS LOGON" user to it. Then change the permission to "list all contents". This will work then.
1. The error message "Can't contact LDAP server (-1)" clearly indicates that the server wasn't reachable at TCP level. You definitely won't solve that by allowing anonymous access in AD. Santosh has to solve that issue at network level.
2. Changing the AD configuration to allow anonymous access might give you some issues with people auditing your system (e.g. in the banking business).
Ciao, Michael.
What I meant was that the server refuses to accept connections. Which means a TCP-level RST bit set.
Now the "can't contact LDAP server" message is very generic and it doesn't show deep info on what actually happened.
I would imagine nobody would have errors setting up an LDAP server IP address. nmap it and see if you are listening on 389.
If you are then listening on 389 and still cannot connect, use tcpdump to see if the server is sending anything or not. If not, then your server refuses to do the search.
Quoting Michael Ströder michael@stroeder.com:
> - The error message "Can't contact LDAP server (-1)" clearly indicates that the server wasn't reachable at TCP level. You definitely won't solve that by allowing anonymous access in AD. Santosh has to solve that issue at network level.
> - Changing the AD configuration to allow anonymous access might give you some issues with people auditing your system (e.g. in the banking business).
> Ciao, Michael.
Sankhadip Sengupta wrote:
> What I meant was that the server refuses to accept connections. Which means a TCP-level RST bit set.
> Now the "can't contact LDAP server" message is very generic and it doesn't show deep info on what actually happened.
It clearly indicates that the LDAP connection could not be established at all. Another case where this error message is shown is if something's going wrong with establishing an SSL connection (which seems not relevant here).
If you hit the famous AD-not-allowing-anon-access issue the message is definitely different.
> I would imagine nobody would have errors setting up an LDAP server IP address.
There could be a firewall in between or any other IP networking problem. The original poster has to check this.
Ciao, Michael.
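The distinction Michael draws, that "Can't contact LDAP server (-1)" is a transport-level failure while a directory that refuses anonymous access still answers at LDAP level with a different result, can be checked without ldapsearch. The following is an added example and not code from the thread or from OpenLDAP: it opens TCP to the directory, sends a minimal LDAPv3 anonymous BindRequest encoded by hand in BER, and classifies the outcome; the host and port passed to classify() are placeholders.

```python
import socket

LDAP_PORT = 389

def _tlv(buf, pos):
    """Decode one BER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length (multi-byte)
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def build_anon_bind(msg_id=1):
    """LDAPv3 BindRequest with empty DN and empty simple password (anonymous bind)."""
    bind = b"\x02\x01\x03" + b"\x04\x00" + b"\x80\x00"   # version 3, name "", simple ""
    body = b"\x02\x01" + bytes([msg_id]) + b"\x60" + bytes([len(bind)]) + bind
    return b"\x30" + bytes([len(body)]) + body            # LDAPMessage SEQUENCE

def parse_bind_response(data):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse PDU."""
    tag, seq, _ = _tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, mid, pos = _tlv(seq, 0)                # INTEGER messageID
    tag, op, _ = _tlv(seq, pos)
    if tag != 0x61:                           # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse")
    _, code, pos = _tlv(op, 0)                # ENUMERATED resultCode
    _, _matched, pos = _tlv(op, pos)          # LDAPDN matchedDN
    _, diag, _ = _tlv(op, pos)                # LDAPString diagnosticMessage
    return (int.from_bytes(mid, "big"), int.from_bytes(code, "big"),
            diag.decode("utf-8", "replace"))

def classify(host, port=LDAP_PORT, timeout=3.0):
    """'tcp_unreachable' is the case ldapsearch reports as "Can't contact LDAP
    server (-1)"; any other result means the directory answered at LDAP level."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_anon_bind())
            data = s.recv(4096)
    except OSError:                            # refused, timed out, no route, ...
        return "tcp_unreachable"
    if not data:
        return "closed_after_connect"          # TCP accepted but no LDAP reply
    _, code, _ = parse_bind_response(data)
    return "bind_ok" if code == 0 else f"bind_rejected:{code}"
```

Run classify() against the directory's address: a "tcp_unreachable" result points at firewalling or routing, whereas "bind_rejected:<code>" shows the server was reached and the problem is on the LDAP side.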