Discussion:
OpenLDAP error - ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Varadi, Louis - 0442 - MITLL
2015-09-10 22:23:37 UTC
Hello, I am new to OpenLDAP and could please use your help.

I just created a brand new install of the latest OpenLDAP server -
openldap-ltb.x86_64 0:2.4.42-1.el6

on Centos 6.7

There are no entries in the bdb database as this is a new install.

I am getting the error when running the following command.

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

# ldapsearch -x -d 1 -LLL
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 110
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Any help would be greatly appreciated. I came up very short with my google
searches.

Thank you - Lou
Clément OUDOT
2015-09-11 05:16:22 UTC
Post by Varadi, Louis - 0442 - MITLL
Hello, I am new to OpenLDAP and could please use your help.
I just created a brand new install of the latest OpenLDAP server -
openldap-ltb.x86_64 0:2.4.42-1.el6
on Centos 6.7
There are no entries in the bdb database as this is a new install.
I am getting the error when running the following command.
*ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)*
# ldapsearch -x -d 1 -LLL
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
connect errno: 111
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
connect errno: 110
ldap_close_socket: 3
ldap_err2string
*ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)*
Any help would be greatly appreciated. I came up very short with my
google searches.
Could you check that the service is up with:
# /etc/init.d/slapd status

You can also check logs in /var/log/openldap.log

Or run OpenLDAP with logs in the console:
# /etc/init.d/slapd debug
--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
87, rue de Turbigo - 75003 PARIS
Clément OUDOT
2015-09-11 13:07:00 UTC
Hello, thank you for your reply. Here are the answers to your questions
Yes the process is running.
/etc/init.d/slapd status
slapd: [INFO] Using /etc/default/slapd for configuration
slapd: [INFO] LDAP Tool Box OpenLDAP init script version 2.1
slapd: [INFO] Process OpenLDAP is not running
slapd: [INFO] Detected suffix: dc=group44,dc=ldap
slapd: [INFO] Using /etc/default/slapd for configuration
slapd: [INFO] LDAP Tool Box OpenLDAP init script version 2.1
slapd: [INFO] Process OpenLDAP is running (PID 1814)
slapd: [INFO] Listening to services ldap://*:389 ldaps://*:636
slapd: [INFO] Process usage: 0.1% CPU / 0.4% MEM
slapd: [INFO] Detected suffix: dc=group44,dc=ldap
This is the OpenLDAP process running.
Sep 11 08:34:41 lenldap slapd[1826]: [INFO] Using /etc/default/slapd for configuration
Sep 11 08:34:41 lenldap slapd[1831]: [INFO] LDAP Tool Box OpenLDAP init script version 2.1
Sep 11 08:34:41 lenldap slapd[1834]: [INFO] Process OpenLDAP is running (PID 1814)
Sep 11 08:34:41 lenldap slapd[1835]: [INFO] Listening to services ldap://*:389 ldaps://*:636
Sep 11 08:34:41 lenldap slapd[1838]: [INFO] Process usage: 0.1% CPU / 0.4% MEM
dc=group44,dc=ldap
_______________
I ran the command tail -f /var/log/openldap.log
In another terminal I ran the ldapsearch -x command.
I did not see any output in openldap.log.
I am still getting the Can't contact LDAP server error after the command.
ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
_______________
I ran the command.
/etc/init.d/slapd debug
In another window I ran the command ldapsearch -x
Again, no output from debug.
Again - getting the Can't contact LDAP server error
ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Thoughts?
Maybe you are using the ldapsearch command from the distro, which may
not work with LTB package. Try /usr/local/openldap/bin/ldapsearch

Check also your selinux configuration and your iptables.
--
Clément OUDOT
Consultant en logiciels libres, Expert infrastructure et sécurité
Savoir-faire Linux
Andrew Findlay
2015-09-14 11:43:03 UTC
slapd: [INFO] Listening to services ldap://*:389 ldaps://*:636
I ran the command tail -f /var/log/openldap.log
Maybe you are using the ldapsearch command from the distro, which may not work
with LTB package. Try /usr/local/openldap/bin/ldapsearch
Check also your selinux configuration and your iptables.
It is worth trying ldapsearch with the debug option to see where
it is trying to connect:

ldapsearch -x -d 1

The first few lines of output should look something like this:

ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP ldap.example.com:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 2001:479:1f45:20::201 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request

Using the same command on a machine that does not have an LDAP server
configured looks like this:

ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
attempting to connect:
connect errno: 111
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Look particularly at the ldap_connect_to_host: lines.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
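As an added example (not code from the thread or from the OpenLDAP project), here is a small Python parser for `ldapsearch -d 1` traces that pulls out the `ldap_connect_to_host:` lines Andrew points at and reports, per address tried, what the `connect errno` means. The sample trace is reconstructed from the original post; the errno names are Linux's, since the trace came from a CentOS host, and the hints reflect the diagnosis offered in the thread (no listener vs. a packet filter such as iptables).

```python
import re

# Constructed sample: the trace from the original post, reduced to the lines
# the parser consumes (target host, addresses tried, connect outcome).
SAMPLE_TRACE = """\
ldap_connect_to_host: TCP localhost:389
ldap_connect_to_host: Trying ::1 389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
connect errno: 111
ldap_close_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
connect errno: 110
ldap_close_socket: 3
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
"""

TARGET_RE = re.compile(r"^ldap_connect_to_host: TCP (\S+):(\d+)$")
# IPv6 addresses are printed as "addr port", IPv4 as "addr:port".
TRYING_RE = re.compile(r"^ldap_connect_to_host: Trying (\S+?)[: ](\d+)$")
ERRNO_RE = re.compile(r"^connect errno: (\d+)$")

# Linux errno values; hints follow the thread's reasoning.
ERRNO_HINTS = {
    111: ("ECONNREFUSED", "no listener on this address/port: check slapd's bind address"),
    110: ("ETIMEDOUT", "SYN unanswered; on loopback that points to a packet filter, not a missing listener"),
}

def parse_trace(trace):
    """Return (target, attempts); each attempt records addr, port and outcome."""
    target, attempts, current = None, [], None
    for line in trace.splitlines():
        m = TARGET_RE.match(line)
        if m:
            target = (m.group(1), int(m.group(2)))
            continue
        m = TRYING_RE.match(line)
        if m:  # a new address is being tried; outcome filled in by later lines
            current = {"addr": m.group(1), "port": int(m.group(2)), "errno": None,
                       "error": "NO-RESULT", "hint": "trace ended before connect outcome"}
            attempts.append(current)
            continue
        m = ERRNO_RE.match(line)
        if m and current is not None:
            code = int(m.group(1))
            name, hint = ERRNO_HINTS.get(code, ("E%d" % code, "see errno(3)"))
            current.update(errno=code, error=name, hint=hint)
        elif line.startswith("ldap_open_defconn: successful") and current is not None:
            current.update(errno=0, error="OK", hint="connected")
    return target, attempts

def diagnose(trace):
    """One summary line per address tried, so the failing step is obvious."""
    target, attempts = parse_trace(trace)
    lines = ["target %s:%d" % target] if target else []
    for a in attempts:
        lines.append("%s port %d -> %s (%s)" % (a["addr"], a["port"], a["error"], a["hint"]))
    return lines

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_TRACE)))
```

Run against the trace in the thread it shows ::1 refused and 127.0.0.1 timing out, which is the combination that makes an iptables check worthwhile before digging into slapd itself.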