ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Tags: ldap, openldap

I am running an LDAP server I can connect to, but in wanting to move away from slapd.conf and use LDIFs, I am encountering the following problem(s).

When I type:

    ldapsearch -H ldap:// -x -s base -b "" -LLL "+"

I get

dn:
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: dc=mysite,dc=com
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.3.6.1.1.22
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
supportedSASLMechanisms: SRP
supportedSASLMechanisms: SCRAM-SHA-1
supportedSASLMechanisms: GS2-IAKERB
supportedSASLMechanisms: GS2-KRB5
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: OTP
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: NTLM
entryDN:
subschemaSubentry: cn=Subschema

I then try:

    sudo ldapsearch -H ldapi:// -Y EXTERNAL -b "cn=config" -LLL -Q

Resulting in:

    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

When I try using ldap:// instead of ldapi://, I get:

    ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
        additional info: SASL(-4): no mechanism available: 

I can find a lot of stuff about TLS and authentication, but I have not configured any TLS/SSL, so I am not sure why this would happen. Has anyone experienced this?

Best Answer

Are you sure that your slapd is listening on an LDAPI socket at all?

It has to be started with `slapd -h "ldapi:// ldap://"` to listen on e.g. a Unix domain socket (the default path name depends on build options) and clear-text LDAP (389/tcp).

Depending on your Linux distribution (which one?), there is probably some config file for setting parameters for the start script.

Also note that you would need some more config to directly map the Linux user root to an LDAP user granted write access to cn=config for further reconfiguration.

In the entry cn=config (frontend configuration) you need to rewrite the authc-DN to a proper authz-DN:

olcAuthzRegexp: {0}"gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth" "cn=config"

In the entry olcDatabase={0}config you would need an ACL like this:

olcAccess: {0}to
  dn.subtree="cn=config"
  by dn.base="cn=config" write
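As an added illustration (not part of the answer, and not OpenLDAP's own code), the following Python models the two steps the answer chains together: slapd turns the peercred authc-DN of a SASL EXTERNAL bind over ldapi:// into an authz-DN via olcAuthzRegexp, and the olcAccess rule then decides what that authz-DN may do with cn=config. Python's `re` stands in for slapd's case-insensitive, unanchored POSIX extended regex engine (an approximation), and the peercred DNs are constructed sample values. It also shows the common mistake of not escaping the `+` in the pattern, which makes the rule never match:

```python
import re

# Constructed sample authc-DNs in the form slapd builds for a SASL EXTERNAL
# bind over ldapi://, from the peer credentials of the Unix domain socket.
ROOT_AUTHC_DN = "gidnumber=0+uidnumber=0,cn=peercred,cn=external,cn=auth"
USER_AUTHC_DN = "gidnumber=1000+uidnumber=1000,cn=peercred,cn=external,cn=auth"

# The olcAuthzRegexp value from the answer as a (pattern, replacement) list,
# evaluated in {n} order with the first match winning. The '+' is escaped
# because the pattern is a regular expression: a bare '+' is a quantifier,
# not the literal separator between the two RDN components.
AUTHZ_REGEXPS = [
    (r"gidnumber=0\+uidnumber=0,cn=peercred,cn=external,cn=auth", "cn=config"),
]

# The olcAccess rule from the answer: the authz-DN cn=config gets write on
# cn=config; every other identity falls through to the implicit "by * none".
ACL = [("cn=config", "write")]


def expand_replacement(template, match):
    """Fill $1..$9 in an authz-regexp replacement string from the regex groups."""
    return re.sub(r"\$([1-9])", lambda m: match.group(int(m.group(1))) or "", template)


def map_authc_to_authz(authc_dn, rules=AUTHZ_REGEXPS):
    """Apply the first matching authz-regexp rule; an unmatched DN is kept as is.

    slapd compiles these patterns as case-insensitive extended regular
    expressions without implicit anchors; re.search mimics that here.
    """
    for pattern, replacement in rules:
        m = re.search(pattern, authc_dn, flags=re.IGNORECASE)
        if m:
            return expand_replacement(replacement, m)
    return authc_dn


def config_access(authc_dn, rules=AUTHZ_REGEXPS, acl=ACL):
    """Access level an identity ends up with on cn=config under the ACL above."""
    authz_dn = map_authc_to_authz(authc_dn, rules)
    for by_dn, level in acl:
        if authz_dn.lower() == by_dn.lower():
            return level
    return "none"


def pattern_matches(pattern, authc_dn):
    """Check a candidate olcAuthzRegexp pattern against an authc-DN."""
    return re.search(pattern, authc_dn, flags=re.IGNORECASE) is not None


if __name__ == "__main__":
    for dn in (ROOT_AUTHC_DN, USER_AUTHC_DN):
        print(f"{dn}\n  -> authz-DN {map_authc_to_authz(dn)!r}, access: {config_access(dn)}")
    # Forgetting to escape the '+' yields a pattern that never matches the real
    # peercred DN, so root silently ends up with no access to cn=config.
    print("unescaped '+' matches:", pattern_matches(
        r"gidnumber=0+uidnumber=0,cn=peercred,cn=external,cn=auth", ROOT_AUTHC_DN))
```

Only local root (uid 0, gid 0) is rewritten to cn=config and gets write; any other local user keeps the peercred DN as its identity and gets nothing, which is the intended least-privilege outcome of the answer's configuration.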