Linux – Can connect to LDAP server, but cannot bind: OpenLdap error message: Can’t contact LDAP server

Tags: ldap, linux, redhat

We have a PHP application deployed on a RHEL6 machine that relies on some ldap calls to function. In particular, ldap_connect and ldap_bind are used to verify users and also to look up their details.

This mechanism works just fine on our development server, which runs on Ubuntu server. On our production machine, which runs on RHEL6, the process fails. In both cases, we connect to the same LDAP server using the same credentials, so clearly something is wrong on the RHEL6 server. We're using basic LDAP, no SSL stuff.

I can confirm that there is no firewall or network issue on the new server. Pinging the LDAP server works just fine. Also, an ldap_connect call is successful as well.

To isolate the issue from our application, I used the below simple PHP test script:

<?php
// Set the ldap server (values snipped from the original post)
$ldapurl  = "[snipped]";
$ldapuser = "[snipped]";
$ldappass = "[snipped]";
// Set the debug flag
$debug = true;

// Set debugging: level 7 makes the OpenLDAP client library trace its calls
if ($debug) {
  ldap_set_option(NULL, LDAP_OPT_DEBUG_LEVEL, 7);
}

// connect to ldap server (ldap_connect only parses the URL; nothing is sent yet)
echo "Trying to connect<br/>";
echo "1: " . date('l jS \of F Y h:i:s A') . "<br/>";
$ldapconn = ldap_connect($ldapurl) or die("Couldn't connect");
echo "2: " . date('l jS \of F Y h:i:s A') . "<br/>";

// binding to ldap server (this is the first call that actually talks to the server;
// the timestamps before and after show how long it takes)
echo "Trying to bind with $ldapuser - $ldappass<br/>";
echo "3: " . date('l jS \of F Y h:i:s A') . "<br/>";
$ldapbind = @ldap_bind($ldapconn, $ldapuser, $ldappass);
echo "4: " . date('l jS \of F Y h:i:s A') . "<br/>";

if (!$ldapbind) {
  echo "Unable to bind to server $ldapurl<br/>";
  echo "OpenLdap error message: " . ldap_error($ldapconn) . "<br/>";
  exit;
}

// Rest of code goes here

?>

I'm running the above script on both servers. On our development server, all is well. On our RHEL6 server, the connect works, but the bind fails after a delay of over a minute:

OpenLdap error message: Can't contact LDAP server

I'm not a sysadmin at all, therefore most discussions found regarding this error online I do not fully grasp. I am hoping someone here is able to help me with this. Many thanks in advance.

Best Answer

Unlike RHEL5, RHEL6 requires SSL certificates (more specifically TLS) to connect to OpenLDAP. I went round and round trying to find a workaround and finally settled with the fact that using an SSL certificate was easier and more secure than finding a way not to use it.

This link might help: http://www.linuxquestions.org/questions/linux-enterprise-47/rhel-6-ldap-now-requires-tls-843917/

You can try to force legacy mode, and that may work, but I found that it doesn't completely work and you may see issues later down the road.

authconfig --enableldap --enableldapauth --forcelegacy=yes --ldapserver=myldapserver.com --ldapbasedn="dc=example,dc=com" --update
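The script below is an added example, not the original poster's script or anything from the answer above. It shows the TLS-based approach the answer recommends from the PHP side: the connection is upgraded with STARTTLS before any credentials are sent, the LDAP protocol version and a network timeout are set explicitly, and on failure the OpenLDAP client's extended diagnostic is printed next to the generic "Can't contact LDAP server" text, so a certificate trust problem is distinguishable from a real connectivity problem. The server URL, bind DN, password variable and the ldap.conf path in the comments are assumed placeholders.

```php
<?php
// Added example (not the poster's code): bind over STARTTLS and report
// the client library's detailed diagnostic on failure.

// Assumed placeholders: replace with your own server, bind DN and password.
$ldapurl  = 'ldap://ldap.example.com';                // port 389; TLS is negotiated by STARTTLS
$ldapuser = 'cn=app,ou=services,dc=example,dc=com';   // assumed bind DN
$ldappass = getenv('LDAP_BIND_PW') ?: '[set LDAP_BIND_PW]';

// The OpenLDAP client library that PHP's ldap extension wraps reads its TLS
// trust settings from /etc/openldap/ldap.conf, for example (assumed path):
//   TLS_CACERT  /etc/openldap/cacerts/ca.crt
//   TLS_REQCERT demand
// If the CA that signed the server certificate is not trusted there, the
// STARTTLS step fails even though the TCP connection itself succeeded.

function report_ldap_failure($conn, $step)
{
    $extended = '';
    // LDAP_OPT_ERROR_STRING carries the library's specific diagnostic
    // (e.g. a TLS verification error) beyond the generic ldap_error() text.
    ldap_get_option($conn, LDAP_OPT_ERROR_STRING, $extended);
    fwrite(STDERR, sprintf("%s failed: [%d] %s %s\n",
        $step, ldap_errno($conn), ldap_error($conn), $extended));
    exit(1);
}

// ldap_connect() only parses the URL; no network traffic happens yet.
$conn = ldap_connect($ldapurl) or die("Bad LDAP URL\n");

// The client library defaults to LDAPv2 unless configured otherwise, and
// many directories reject v2 binds outright.
ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);
// Bound the wait so a stalled handshake fails fast instead of after a minute.
ldap_set_option($conn, LDAP_OPT_NETWORK_TIMEOUT, 10);

// Upgrade the plaintext connection to TLS before sending any credentials.
if (!@ldap_start_tls($conn)) {
    report_ldap_failure($conn, 'STARTTLS');
}

if (!@ldap_bind($conn, $ldapuser, $ldappass)) {
    report_ldap_failure($conn, 'bind');
}

echo "Bound to $ldapurl over TLS as $ldapuser\n";
ldap_unbind($conn);
```

Run it from the command line on the RHEL6 host with the bind password in the LDAP_BIND_PW environment variable. If the STARTTLS step is the one that fails, the extended diagnostic usually names the certificate verification problem, and the fix is the trust configuration in ldap.conf rather than anything in the PHP code; if STARTTLS succeeds and the bind fails, the problem is the credentials or the bind DN. Using an ldaps:// URL on port 636 instead of STARTTLS works the same way with the ldap_start_tls() call removed.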