- 09-02-2012 #1 (Just Joined!)
- Join Date: Mar 2011
- Location: pittsburgh
- Posts: 67
OpenLDAP: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
So I looked up this error and found out it supposedly means slapd isn't running, but on my system it is. And it looks like it is trying to use SASL.
This error happens every time I issue an LDAP client command such as ldapadd or ldapsearch, even if I specify the -x argument which is supposed to force the tool to use simple authentication.
I thought non-SASL was default but apparently there is something I'm missing to disable SASL. I need to be able to use simple authentication while I'm testing.
/etc/openldap/ldap.conf
Code:
BASE dc=minamoto,dc=local
URI ldap://ldap.minamoto.local:389/
#TLS_REQCERT allow
TIMELIMIT 2

/etc/openldap/slapd.conf
Code:
#
##
### GLOBAL CONFIG
##
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
#include /etc/openldap/schema/samba.schema

# TEMPORARY!!!
#access to *
#    by * write

loglevel -1
logfile /var/log/openldap/openldap.log
#pidfile /var/run/openldap/slapd.pid
# argsfile /var/run/slapd.args

# DONT use threads 2

TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem

#
##
### PER-DIRECTORY CONFIG
##
#
database bdb
directory /var/lib/minamoto.local
mode 0600
cachesize 100
# SLAPD_SERVICES="ldaps://"
# TLS_REQCERT allow
suffix "dc=minamoto,dc=local"
password-hash {SSHA}
rootdn "cn=manager,dc=minamoto,dc=local"
rootpw {SSHA}LOL_JK
checkpoint 32 30
index objectClass eq
index cn,sn,mail pres,sub,eq
index uid pres,eq

# TEMPORARY!!!
#access to *
#    by * write
- 09-02-2012 #2 (Trusted Penguin)
- Join Date: May 2011
- Posts: 3,746
I thought the "-x" was all you need to disable SASL auth, too.
I assume you can ping the LDAP server. Is your firewall running, and blocking the port, maybe? You can also nmap the box and see what ports are listening, e.g.:
Code:
nmap -n <LDAP_IP_ADDRESS>
- 09-02-2012 #3 (Just Joined!)
- Join Date: Mar 2011
- Location: pittsburgh
- Posts: 67
Yes, I can ping the server. I actually was sitting at the console when doing this so the firewall shouldn't have come into play, but I had also turned off the firewall on the server temporarily.
I also tried su'ing to root and executing the commands to test a user account permission issue, which doesn't seem to be the issue.
- 09-02-2012 #4 (Trusted Penguin)
- Join Date: May 2011
- Posts: 3,746
Have you run authconfig? Maybe try it on another Linux client PC, one that you don't mind messing around with the LDAP settings.
Here's an example of what I run, on a client:
Code:
authconfig --enableshadow \
  --enableldap \
  --enableldapauth \
  --ldapserver=ldap://<LDAP_IP_ADDR>/ \
  --ldapbase="o=myorg" \
  --enablelocauthorize \
  --enablemkhomedir \
  --nostart \
  --updateall
On the LDAP server, you've successfully created an LDAP user (using an LDIF file, etc.)?
Does the "slapcat" command run properly on the server?
- 09-02-2012 #5 (Just Joined!)
- Join Date: Mar 2011
- Location: pittsburgh
- Posts: 67
Erm. I don't appear to have authconfig. I think that is a distro-specific script.
I haven't gotten that far. I ran into this error when I went to make the top level OUs. I only ran ldapsearch to see if it would get the same error or yell at me for having an empty directory.
slapcat seems to work, though it doesn't spit anything out because the directory is currently empty.
- 09-02-2012 #6 (Trusted Penguin)
- Join Date: May 2011
- Posts: 3,746
What's your distro?
Quote:
I haven't gotten that far. I ran into this error when I went to make the top level OUs. I only ran ldapsearch to see if it would get the same error or yell at me for having an empty directory.
Okay, so the database is empty. Are you sure that the LDAP daemon is running? Maybe you just need to add something to it first. After I add a simple LDAP db entry, this is how I'd test it:
Code:
ldapsearch -x -b 'o=myorg'
- 09-02-2012 #7 (Just Joined!)
- Join Date: Mar 2011
- Location: pittsburgh
- Posts: 67
I am running Gentoo.
If it comes down to it, I can just build a VM with another distro for testing purposes.
Yes, I'm sure. I can see it when I run
Code:
ps aux | grep slapd
- 09-02-2012 #8 (Just Joined!)
- Join Date: Mar 2011
- Location: pittsburgh
- Posts: 67
I used slapadd to import some top level OU structures. Then I restarted slapd. slapcat is working correctly. But I'm still getting the same error when I try to use:
Code:
ldapsearch -x -b "dc=minamoto,dc=local" "(objectclass=*)"
from the server's console as root.
- 09-02-2012 #9 (Trusted Penguin)
- Join Date: May 2011
- Posts: 3,746
How about adding this to slapd.conf (and restarting), does that make a difference?
Code:
allow bind_v2
Also, I assume you can resolve your LDAP URL (ldap.minamoto.local)?
- 09-02-2012 #10 (Just Joined!)
- Join Date: Mar 2011
- Location: pittsburgh
- Posts: 67
Well, now I feel kind of dumb, XP
named wasn't running. Before, when I checked for connectivity, I used the IP address only. (<_<) (>_>)
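The thread's diagnosis (ping and nmap in #2, "can you resolve the URL" in #9, "named wasn't running" in #10) generalises to a fixed checklist: the -1 in "Can't contact LDAP server (-1)" is returned by the client library before any bind, SASL or simple, is attempted, because it could not open a TCP connection to the host named in ldap.conf's URI. The following script is an added example, not code posted in the thread; it reads the URI directive the way the OP's client does, resolves the hostname through the system resolver rather than by IP, probes the port, and only then runs the anonymous simple bind from #8. The hostname ldap.minamoto.local and the /etc/openldap/ldap.conf path come from the thread; the availability of getent(1), nc(1) and ldapsearch(1) on the client is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): locate the cause of
# "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)" in the order the
# client library fails: ldap.conf URI -> name resolution -> TCP port -> bind.

# Path of the OpenLDAP client config; assumed default, override via environment.
LDAP_CONF="${LDAP_CONF:-/etc/openldap/ldap.conf}"

# Print the first URI from the "URI" directive of an ldap.conf file
# (the directive may list several space-separated URIs; the first is enough here).
ldap_conf_uri() {
    awk 'toupper($1) == "URI" { print $2; exit }' "$1"
}

# Host part of an ldap:// or ldaps:// URI, e.g.
# "ldap://ldap.minamoto.local:389/" -> "ldap.minamoto.local".
# (Bracketed IPv6 literals are not handled by this simple parser.)
uri_host() {
    h=${1#*://}      # drop the scheme
    h=${h%%/*}       # drop any path
    h=${h%%:*}       # drop an explicit :port
    printf '%s\n' "$h"
}

# Port of the URI: an explicit :port wins, otherwise 636 for ldaps, 389 for ldap.
uri_port() {
    hp=${1#*://}
    hp=${hp%%/*}
    case "$hp" in
        *:*) printf '%s\n' "${hp##*:}" ;;
        *)   case "$1" in
                 ldaps://*) echo 636 ;;
                 *)         echo 389 ;;
             esac ;;
    esac
}

# Resolve the name through the resolver (DNS, /etc/hosts), which is what the
# LDAP library does. Pinging the server by IP address skips this step entirely,
# which is why it passed in the thread while ldapsearch still failed.
check_resolve() {
    getent hosts "$1" >/dev/null 2>&1
}

# Is something accepting TCP connections on host:port? A closed port points at
# slapd not listening on that address or a firewall in the way.
check_port() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Run the checklist against the URI in ldap.conf and stop at the first failure.
diagnose() {
    uri=$(ldap_conf_uri "$LDAP_CONF")
    if [ -z "$uri" ]; then
        echo "no URI directive in $LDAP_CONF"
        return 2
    fi
    host=$(uri_host "$uri")
    port=$(uri_port "$uri")
    echo "ldap.conf URI: $uri -> host=$host port=$port"

    if ! check_resolve "$host"; then
        echo "FAIL: '$host' does not resolve; check DNS (named) or /etc/hosts."
        echo "      Reaching the server by IP address does not exercise this path."
        return 1
    fi
    if ! check_port "$host" "$port"; then
        echo "FAIL: nothing accepting connections on $host:$port."
        echo "      On the server, confirm slapd listens there (ss -ltnp) and the"
        echo "      firewall permits the port."
        return 1
    fi
    # Connectivity is fine: an anonymous simple bind (-x) against the root DSE
    # must now succeed and list the suffixes the server holds.
    ldapsearch -x -H "$uri" -b '' -s base '(objectClass=*)' namingContexts
}

# Only run the live checks when invoked with --run, so the functions above can
# be sourced and exercised without a network.
if [ "${1:-}" = "--run" ]; then
    diagnose
fi
```

Run it as `LDAP_CONF=/etc/openldap/ldap.conf sh ldap-diag.sh --run` on the client that sees the error; each failure message names the layer to fix, and the final ldapsearch doubles as the "-x really does mean simple bind" check the OP wanted.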