Problem: When attempting to use the ldapi:// URI to interact with the OpenLDAP server using commands like ldapmodify or ldapsearch, an error is encountered: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1).
Process is running:
# ps -aux |grep ldap
ldap 9 0.0 0.4 42232968 79472 ? Sl Jan23 0:10 /usr/libexec/slapd -u ldap -h ldap:/// ldapi:/// ldaps:/// -F /etc/openldap/slapd.d -d 256
Troubleshooting Steps Taken:
Verified the ldapi URI configuration. Inspected the OpenLDAP configuration using slapd.conf or cn=config. Examined ACLs and access control rules.
Additional Information:
OpenLDAP is running as a Docker container on RHEL 9 as the base OS. The Docker Compose configuration includes port mappings for LDAP (3269:389) and LDAPS (3268:636). The whole configuration was migrated from a working RHEL7 server with OpenLDAP 2.4.5; the new version in place is 2.5.13.
Any additional insights or recommendations for resolving the ldapi connection issue would be greatly appreciated.
Additional to this, I would like to activate pagination, but I have not been able to find any configuration for it. Is this something that needs to be done on the server or client side?
On Fri, Feb 9, 2024 at 1:07 PM chilimili1@outlook.de wrote:
> Problem: When attempting to use the ldapi:// URI to interact with the OpenLDAP server using commands like ldapmodify or ldapsearch, an error is encountered: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1).
> Process is running:
> # ps -aux |grep ldap
> ldap 9 0.0 0.4 42232968 79472 ? Sl Jan23 0:10 /usr/libexec/slapd -u ldap -h ldap:/// ldapi:/// ldaps:/// -F /etc/openldap/slapd.d -d 256
> Troubleshooting Steps Taken:
> Verified the ldapi URI configuration. Inspected the OpenLDAP configuration using slapd.conf or cn=config. Examined ACLs and access control rules.
> Additional Information:
> OpenLDAP is running as a Docker container on RHEL 9 as the base OS. The Docker Compose configuration includes port mappings for LDAP (3269:389) and LDAPS (3268:636). The whole configuration was migrated from a working RHEL7 server with OpenLDAP 2.4.5; the new version in place is 2.5.13.
The ldapi listener is a unix domain socket ( https://en.wikipedia.org/wiki/Unix_domain_socket), effectively a special file on the server that you can only talk to *from* the server. If you're running inside a docker container, the only processes that could talk to the ldapi socket would be inside the docker container itself. You can map the TCP ports to the docker host, but that doesn't apply to a unix domain socket.
Ben
Thank you for your feedback. To clarify, my intention is to perform searches within the container. However, due to the nature of the ldapi listener being a unix domain socket, only processes within the Docker container itself can communicate with it. Could you please provide guidance on how to conduct searches within the container given this constraint?
Regarding my second question about activating pagination, do you have any idea how I should proceed? Is this something that needs to be configured on the client or server side?
On 09.02.24 at 16:45, chilimili1@outlook.de wrote:
> Could you please provide guidance on how to conduct searches within the container given this constraint?
docker exec <container_name> ldapsearch ...
> Additional to this, I would like to activate pagination, but I have not been able to find any configuration for it. Is this something that needs to be done on the server or client side?
Client side. For ldapsearch, for example, you may pass -E 'pr=50/prompt' or -E 'pr=50/noprompt'.
Best regards Ulf
For example:
outside of the container:
docker exec -it <container_name> ldapsearch -H ldapi:///
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
inside the container:
ldapsearch -H ldapi:///
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
On 12.02.24 at 13:18, Chili Mili wrote:
> For example:
> outside of the container:
> docker exec -it <container_name> ldapsearch -H ldapi:///
> ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
> inside the container:
> ldapsearch -H ldapi:///
> ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
lsof -U |grep slapd
would be interesting.
Best regards Ulf
inside the container:
lsof -U |grep slapd
bash: lsof: command not found
outside:
lsof -U |grep slapd --> no output
it seems that Unix sockets aren't being used. I've compared the results with the old server, and they are consistent. Additionally, I've checked using lsof -U -a -p <PID> with the same outcome.
Please keep in mind that the LDAP server is running in the Docker container.
On 12.02.24 at 17:01, Chili Mili wrote:
> It seems that Unix sockets aren't being used. I've compared the results with the old server, and they are consistent. Additionally, I've checked using lsof -U -a -p <PID> with the same outcome.
> Please keep in mind that the LDAP server is running in the Docker container.
Yes, I am aware of that. So you should look for the socket inside of the container.
Best regards
Ulf
find / -type s
find: '/proc/9/map_files': Permission denied
/usr/var/run/ldapi
The Unix socket file located inside the container is at /usr/var/run/ldapi. I have tried to mount it to the host system but encountered the same result.
any idea?
thanks
On 12.02.24 at 18:09, Chili Mili wrote:
> find / -type s
> find: '/proc/9/map_files': Permission denied
> /usr/var/run/ldapi
> The Unix socket file located inside the container is at /usr/var/run/ldapi. I have tried to mount it to the host system but encountered the same result.
Again, use it from inside of the container. You can put the socket path after -H ldapi://.
If I remember correctly, you have to replace the slashes with %2F.
So you will need something like -H ldapi://%2Fusr%2Fvar%2Frun%2Fldapi
Best regards
Ulf
--On Monday, February 12, 2024 5:09 PM +0000 Chili Mili chilimili1@outlook.de wrote:
> find / -type s
> find: '/proc/9/map_files': Permission denied
> /usr/var/run/ldapi
> The Unix socket file located inside the container is at /usr/var/run/ldapi. I have tried to mount it to the host system but encountered the same result.
> any idea?
This sounds like the slapd process is being told to use a different location than the compile time default for the unix socket, which is why ldapi:/// doesn't work (it defaults to the compile time location). You'll have to explicitly pass the location OR change the startup to just use the default location.
--Quanah
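The two pieces of advice above (Ulf: encode the socket path as %2F inside the ldapi:// URI and run the search from inside the container; Quanah: ldapi:/// means the library's compile-time default, so pass the real path explicitly) and the earlier client-side paging answer, as an added shell example that is not code from the thread. It assumes the socket path the thread found (/usr/var/run/ldapi), SASL EXTERNAL for the bind (the usual mechanism over ldapi, not stated in the thread), and a hypothetical container name.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenLDAP itself.

# Percent-encode every "/" in the socket path: ldapi:// carries the path in
# the "host" part of the URI, so slashes must become %2F.
ldapi_uri() {
    printf 'ldapi://%s\n' "$(printf '%s' "$1" | sed 's|/|%2F|g')"
}

# Reverse mapping: recover the socket path from an ldapi:// URI.
# An empty path (ldapi:///) means "use the compile-time default", which is
# exactly what silently failed in the thread.
ldapi_path() {
    p=${1#ldapi://}
    p=${p%/}
    printf '%s\n' "$p" | sed 's|%2F|/|g'
}

# Succeeds only if the path is a Unix socket. Run this inside the container
# before suspecting ACLs or the URI syntax.
check_socket() {
    [ -S "$1" ]
}

# Assemble the search: explicit socket, SASL EXTERNAL (the connecting
# process's uid/gid is the identity), paged results in 50-entry pages
# without prompting between pages.
search_cmd() {
    printf 'ldapsearch -Y EXTERNAL -H %s -b %s -E pr=50/noprompt\n' \
        "$(ldapi_uri "$1")" "$2"
}

# Usage from the host: the command itself runs inside the container, where
# the socket lives (container name is a placeholder).
# docker exec -it <container_name> sh -c "$(search_cmd /usr/var/run/ldapi cn=config)"
```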
On 12/02/2024 at 16:19, Chili Mili wrote:
> outside:
> lsof -U |grep slapd --> no output
Hi,
Maybe I can help here. If lsof isn't installed inside the container, you may use nsenter ("namespace enter") on the host.
You'll need the PID of the running container.
Details here: https://contractdesign.github.io/docker/2021/06/10/nsenter.html
openldap-technical@openldap.org