# nss_ldap: failed to bind to LDAP server

## jiojio74

I followed this guide: http://gentoo-wiki.com/HOWTO_LDAP_SAMBA_PDC but...

```
Jan 12 17:35:50 michael slapd[12741]: @(#) $OpenLDAP: slapd 2.3.30 (Jan 12 2007 16:45:26) $     root@michael:/var/tmp/portage/openldap-2.3.30-r2/work/openldap-2.3.30/servers/slapd
Jan 12 17:35:50 michael slapd[12741]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
...
...
Jan 12 17:36:20 michael slapd[12741]: nss_ldap: failed to bind to LDAP server ldap://127.0.0.1: Can't contact LDAP server
Jan 12 17:36:20 michael slapd[12741]: nss_ldap: could not search LDAP server - Server is unavailable
```

LDAP seems to work: I can access it with LDAP Admin from another PC as anonymous.

This is my config:

```
host 127.0.0.1
base dc=ANGELS,dc=HOME
port 389
nss_reconnect_tries 4                   # number of times to double the sleep time
nss_reconnect_sleeptime 1               # initial sleep value
nss_reconnect_maxsleeptime 16   # max sleep value to cap at
nss_reconnect_maxconntries 2    # how many tries before sleeping
nss_base_passwd ou=Computers,dc=ANGELS,dc=HOME?sub
nss_base_passwd ou=Users,dc=ANGELS,dc=HOME?sub
nss_base_shadow ou=Users,dc=ANGELS,dc=HOME?sub
nss_base_group  ou=Groups,dc=ANGELS,dc=HOME?one
debug 0
logdir /var/log/nss_ldap
ssl no
pam_password md5
# nss_ldap directives are "keyword value" with no "="; the line as originally posted read "bind_policy = soft"
bind_policy soft
```

/etc/openldap/slapd.conf

```
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
include         /etc/openldap/schema/nis.schema
include         /etc/openldap/schema/samba.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

database        bdb
suffix          "dc=ANGELS,dc=HOME"
rootdn          "cn=Manager,dc=ANGELS,dc=HOME"
checkpoint      32      30 # <kbyte> <min>
rootpw          {MD5}*******==
directory       /var/lib/openldap-data

index    sambaSID    eq
index    sambaPrimaryGroupSID    eq
index    sambaDomainName    eq
index objectClass,uid,uidNumber,gidNumber,memberUid eq
index cn,mail,surname,givenname   eq,subinitial

loglevel 0
```

/etc/openldap/ldap.conf

```
HOST    127.0.0.1
BASE    dc=ANGELS, dc=HOME
```

/etc/nsswitch.conf

```
passwd:      files ldap compat
shadow:      files ldap compat
group:       files ldap compat

hosts:       files nis dns
networks:    files nis dns

services:    db files
protocols:   db files
rpc:         db files
ethers:      db files
netmasks:    files
netgroup:    files
bootparams:  files

automount:   files
aliases:     files
```

/etc/nsswitch.ldap

```
passwd:         files ldap
group:          files ldap

hosts:          files dns ldap

services:   ldap [NOTFOUND=return] files
networks:   ldap [NOTFOUND=return] files
protocols:  ldap [NOTFOUND=return] files
rpc:        ldap [NOTFOUND=return] files
ethers:     ldap [NOTFOUND=return] files
netmasks:   files
bootparams: files
publickey:  files
automount:  files
aliases:    files
sendmailvars:   files
netgroup:   ldap [NOTFOUND=return] files
```

/etc/conf.d/slapd

```
OPTS="-h 'ldap:// ldapi://%2fvar%2frun%2fopenldap%2fslapd.sock'"
```

Any hints?

----------

## bensimons

I'd been seeing this error (this only occurs on the LDAP server, when it acts as a client, serving itself).

Looking carefully in the logs, it appeared there was a connection trying ldap:// and then ldaps://, even though only the "uri" for ldaps:// was specified in /etc/ldap.conf.

The firewall (iptables) was blocking the ldap:// connection (on port 389), but why was it happening? The "uri" only specifies "ldaps", not "ldap". I even tried setting "port 636" in /etc/ldap.conf, but the bind error "can't contact LDAP server" kept appearing in the logs.

A careful reading of the manual for nss_ldap indicates you should not set both "host" and "uri" in /etc/ldap.conf - the manual says "uri" takes precedence over "host". That's actually not quite right, because for it to take precedence would mean it's OK for the host setting to be there (it would just be ignored). Actually it's not ignored: it's what is causing the "ldap" connection. The manual says "it's not possible to combine the two", whereas it really ought to say specify one or the other, not both. IMHO.

Commenting out the "host" setting in /etc/ldap.conf fixed it.

I.e. the solution is to ONLY specify "uri" in /etc/ldap.conf.

----------
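As an added example (not code from either post), a small POSIX sh lint for an nss_ldap /etc/ldap.conf that flags the two things the thread turns on: "host" and "uri" both set, which bensimons traced to the stray ldap:// connection, and "keyword = value" lines, which nss_ldap does not parse as intended. The sample files and host names are constructed.

```shell
#!/bin/sh
# Added lint for an nss_ldap /etc/ldap.conf (example code, not from the thread).
# Two checks:
#  1. "host" and "uri" both present: nss_ldap also opens a plain ldap://
#     connection to "host" even when "uri" names ldaps://, the failure traced above.
#  2. "keyword = value" lines: nss_ldap splits a line at the first whitespace
#     run, so the "=" becomes the value and the setting is silently ignored
#     ("bind_policy = soft" leaves the default hard policy in force).
# Exit status: 0 = no findings, 1 = findings (printed as "FAIL:" lines).
lint_ldap_conf() {
    conf=$1
    rc=0
    # Drop comments and blank lines; what remains are the active directives.
    active=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")
    if printf '%s\n' "$active" | grep -qiE '^[[:space:]]*host[[:space:]]' &&
       printf '%s\n' "$active" | grep -qiE '^[[:space:]]*uri[[:space:]]'; then
        echo "FAIL: $conf sets both 'host' and 'uri'; keep only 'uri'"
        rc=1
    fi
    # "|| true" keeps the function usable under "set -e" when nothing matches.
    eq_lines=$(printf '%s\n' "$active" | grep -E '^[[:space:]]*[A-Za-z_]+[[:space:]]*=' || true)
    if [ -n "$eq_lines" ]; then
        printf '%s\n' "$eq_lines" | while IFS= read -r line; do
            echo "FAIL: $conf: '$line' uses '='; nss_ldap syntax is 'keyword value'"
        done
        rc=1
    fi
    return $rc
}

# Constructed sample configs (hypothetical host names, not the poster's files).
tmpdir=$(mktemp -d)
cat > "$tmpdir/bad.conf" <<'EOF'
host 127.0.0.1
uri ldaps://ldap.example.test/
base dc=example,dc=test
bind_policy = soft
EOF
cat > "$tmpdir/good.conf" <<'EOF'
uri ldaps://ldap.example.test/
base dc=example,dc=test
bind_policy soft
EOF

for f in bad good; do
    if lint_ldap_conf "$tmpdir/$f.conf"; then
        echo "$f.conf: no findings"
    fi
done
```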

