ldap_bind: Can't contact LDAP server (-1)
On local server, I can write to LDAP server. From any remote server, I can only read from server.
I don't have TLS enabled, that I know of; nothing in slapd.conf at least. I do see tls_cacertdir /etc/openldap/cacerts in /etc/ldap.conf. I don't see any errors in the log file when remotes fail. Port 389 is open; no SELinux, iptables or any other firewall in the way.
Been searching Google for hours, finding a ton of leads, all of them dead ends.
Wondering if someone could help me out and give me some leads on what to look for next.
Thanks.
So, if I do it this way, I get the connect error:

    ldapsearch -x -b dc=mydomain,dc=com

But this way works:

    ldapsearch -x -b "dc=mydomain,dc=com" -H ldap://192.168.1.250

and

    ldapsearch -x -b "dc=mydomain,dc=com" -h 192.168.1.250

Does this imply a naming error somewhere, DNS, something else?
So there we are. I can in fact add users from a remote server, but only if I add the IP.

    # ldapadd -D 'cn=admin,dc=mydomain,dc=com' -x -f newuser.ldif -W
    Enter LDAP Password:
    ldap_bind: Can't contact LDAP server (-1)

    # ldapadd -D 'cn=admin,dc=mydomain,dc=com' -x -f newuser.ldif -W -h 192.168.1.250
    Enter LDAP Password:
    adding new entry "uid=JohnB,ou=users,dc=mydomain,dc=com"
You would need to either do that, or put the necessary ldap bind, etc, info into openldap's ldap.conf (not to be confused with pam_ldap's ldap.conf).
- chris
PS: it's a long weekend in the states, and a weekend everywhere else. You'll get more responses during the week, and if you include your relevant config info.
Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jacobs@apollogrp.edu
----- Original Message -----
From: openldap-technical-bounces@OpenLDAP.org
To: openldap-technical@openldap.org
Sent: Sun Jan 16 19:58:51 2011
Subject: Re: No remote writes, only reads

> So there we are. I can in fact add users from a remote server, but only if I add the IP.
>
>     # ldapadd -D 'cn=admin,dc=mydomain,dc=com' -x -f newuser.ldif -W
>     Enter LDAP Password:
>     ldap_bind: Can't contact LDAP server (-1)
>
>     # ldapadd -D 'cn=admin,dc=mydomain,dc=com' -x -f newuser.ldif -W -h 192.168.1.250
>     Enter LDAP Password:
>     adding new entry "uid=JohnB,ou=users,dc=mydomain,dc=com"
On Sun, 16 Jan 2011 20:02:30 -0700, Chris Jacobs wrote:

> You would need to either do that, or put the necessary ldap bind, etc, info into openldap's ldap.conf (not to be confused with pam_ldap's ldap.conf).

The Joomla plugin doesn't allow that; I gave it a try. I'll have to look up what you mean about putting the info into the ldap.conf file. I'm assuming you mean the allowed remotes.

> and if you include your relevant config info.

Brand new with ldap, so not sure what folks might want to see in terms of postings.

> PS: it's a long weekend in the states, and a weekend everywhere else. You'll get more responses during the week,

No problem, just updating my own questions as I move along with the problem :).

Thanks for the input.
On 01/17/2011 04:10 AM, mike@grounded.net wrote:

> On Sun, 16 Jan 2011 20:02:30 -0700, Chris Jacobs wrote:
>
>> You would need to either do that, or put the necessary ldap bind, etc, info into openldap's ldap.conf (not to be confused with pam_ldap's ldap.conf).
>
> The Joomla plugin doesn't allow that; I gave it a try. I'll have to look up what you mean about putting the info into the ldap.conf file. I'm assuming you mean the allowed remotes.

You need to let your Joomla plugin know which LDAP server to contact, by DNS name or IP address. Some software reads the ldap.conf file for this information, but it seems Joomla does not. Consequently, where/how this is done is a question you need to research yourself, and/or ask in a more suitable forum than the OpenLDAP mailing list.
By default, most LDAP client software assumes that the LDAP server exists on localhost. Referring to your earlier posts, stating the search base dc=example,dc=com is normally not enough to tell your LDAP client software where to look. For the command line tools included with OpenLDAP, see the tool's man page and "man ldap.conf" for more details.
> You need to let your Joomla plugin know which LDAP server to contact, by DNS name or IP address. Some software reads the ldap.conf file for this information, but it seems Joomla does not.

Yes, there is a plugin which allows one to enter the server information, which I've done. Since it's now working from the command line on the client server, I believe the problem is PHP related.

> Consequently, where/how this is done is a question you need to research yourself, and/or ask in a more suitable forum than the OpenLDAP mailing list.

No, my problems were ldap related, which is why I came here :). I have two problems to resolve; one was/is being new to openldap, so needing help in resolving some of those issues. My Joomla-specific questions I've posted in the Joomla forums.

> By default, most LDAP client software assumes that the LDAP server exists on localhost. Referring to your earlier posts, stating the search base dc=example,dc=com is normally not enough to tell your LDAP client software where to look. For the command line tools included with OpenLDAP, see the tool's man page and "man ldap.conf" for more details.

Actually, you could have simply said to look into 'client access' in the ldap.conf and that would have been a great lead. That's what someone else posted and it was the lead I needed to at least resolve that the client wasn't even being allowed to connect. Now I need to figure out what is related to the php portion as I believe that's where the next problem lies.
So, if anyone knows of a way to test a php ldap connection from a client to a server machine, I'd sure welcome some input.
Thanks for the reply.
Ok, you meant on each client machine. Works now.
Thanks very much for the good lead.
Mike
On Sun, 16 Jan 2011 20:02:30 -0700, Chris Jacobs wrote:
> You would need to either do that, or put the necessary ldap bind, etc, info into openldap's ldap.conf (not to be confused with pam_ldap's ldap.conf).
On Sun, 16 Jan 2011 20:42:48 -0600, "mike@grounded.net" mike@grounded.net wrote:

> So, if I do it this way, I get the connect error:
>
>     ldapsearch -x -b dc=mydomain,dc=com
>
> But this way works:
>
>     ldapsearch -x -b "dc=mydomain,dc=com" -H ldap://192.168.1.250
>
> and
>
>     ldapsearch -x -b "dc=mydomain,dc=com" -h 192.168.1.250
>
> Does this imply a naming error somewhere, DNS, something else?

No, it is not a DNS error; it is most likely that you have no URI parameter specified in /etc/openldap/ldap.conf. For more information read man ldap.conf(5), and you definitely should read man ldapsearch(1).
-Dieter
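Dieter's answer above and the earlier point that most client software assumes localhost come down to one client-side default: with no URI (or HOST) keyword in /etc/openldap/ldap.conf, libldap connects to ldap://localhost, so every tool run without -H/-h on a remote box fails exactly as in the ldapsearch and ldapadd runs quoted in this thread. The script below is an added example, not code from the thread or from OpenLDAP. It writes two constructed copies of ldap.conf (one with only a BASE, one with a URI line pointing at 192.168.1.250, the address from the thread), works out the server each makes libldap use, and prints the ldapsearch each resolves to; nothing in it contacts a server. The helper names (conf_value, effective_uri, names_server, write_sample_confs, resolved_search_cmd) are this example's own.

```shell
#!/bin/sh
# Added example for the thread above; not code from the thread or from
# OpenLDAP. Shows why tools run without -H/-h fail on a remote client:
# with no URI (or HOST) keyword in ldap.conf, libldap falls back to
# ldap://localhost (see ldap.conf(5)). 192.168.1.250 and
# dc=mydomain,dc=com come from the thread; both config files are
# constructed here. Nothing in this script contacts a server.

# First value of an ldap.conf keyword (keywords are case-insensitive;
# '#' comment lines never match). Prints nothing if the keyword is absent.
conf_value() {
    key=$1; conf=$2
    awk -v key="$key" 'toupper($1) == key { print $2; exit }' "$conf"
}

# The server libldap will actually use for this ldap.conf:
# URI wins (first one listed), otherwise HOST/PORT, otherwise localhost:389.
effective_uri() {
    conf=$1
    uri=$(conf_value URI "$conf")
    if [ -n "$uri" ]; then
        printf '%s\n' "$uri"
        return 0
    fi
    host=$(conf_value HOST "$conf")
    port=$(conf_value PORT "$conf")
    printf 'ldap://%s:%s\n' "${host:-localhost}" "${port:-389}"
}

# True when the file names a server explicitly (URI or HOST present).
names_server() {
    conf=$1
    [ -n "$(conf_value URI "$conf")" ] || [ -n "$(conf_value HOST "$conf")" ]
}

# Two constructed /etc/openldap/ldap.conf variants, written into directory $1.
write_sample_confs() {
    dir=$1
    # As on the remote client in the thread: a BASE, but no server named.
    cat > "$dir/ldap.conf.broken" <<'EOF'
# constructed example: what the thread's remote client looked like
BASE            dc=mydomain,dc=com
TLS_CACERTDIR   /etc/openldap/cacerts
EOF
    # With the URI line Dieter points at.
    cat > "$dir/ldap.conf.fixed" <<'EOF'
# constructed example: same file with the server named
BASE            dc=mydomain,dc=com
URI             ldap://192.168.1.250
TLS_CACERTDIR   /etc/openldap/cacerts
EOF
}

# The ldapsearch from the thread, spelled out with the server and base
# the config resolves to. Printed only, never executed.
resolved_search_cmd() {
    conf=$1
    printf 'ldapsearch -x -H %s -b "%s" "(objectClass=*)"\n' \
        "$(effective_uri "$conf")" "$(conf_value BASE "$conf")"
}

tmp=$(mktemp -d)
write_sample_confs "$tmp"
for c in "$tmp/ldap.conf.broken" "$tmp/ldap.conf.fixed"; do
    if names_server "$c"; then
        echo "$c: server named, clients use $(effective_uri "$c")"
    else
        echo "$c: no URI/HOST, tools run without -H try $(effective_uri "$c")"
    fi
    echo "    $(resolved_search_cmd "$c")"
done
rm -rf "$tmp"
```

Running it shows the broken file resolving to ldap://localhost:389 and the fixed one to ldap://192.168.1.250. A -H ldap://host (or -h host) on the command line overrides the file, which is why those invocations in the thread worked while the bare ones did not. One caveat before copying the working ldapadd line into a script: -x -W over a plain ldap:// URI sends the cn=admin password to the server in cleartext, so once TLS is configured on slapd, point URI at ldaps:// or add -ZZ (StartTLS, required to succeed) to the client commands.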
> No, it is not a DNS error; it is most likely that you have no URI parameter specified in /etc/openldap/ldap.conf. For more information read man ldap.conf(5), and you definitely should read man ldapsearch(1).

Thank you, and yes, you are right, this is what the problem was indeed. As for reading, as I've said, it's not like I've not been reading; I needed leads to know where to go next.