# Ldap: Can't contact

## René1983

Today I've been busy with LDAP. Somehow it won't work. The server starts, but when I do a:

```
ldapsearch -D "cn=Manager,dc=domainname,dc=local" -W -d 255
```

I get the following error:

```
ldap_create
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
```

Because I configured my server with ssl I also tried to connect at port 636:

```
ldap_create
ldap_url_parse_ext(ldap://localhost:636)
Enter LDAP Password:
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x0805f208 ptr=0x0805f208 end=0x0805f242 len=58
  0000:  30 38 02 01 01 60 33 02  01 03 04 24 63 6e 3d 4d   08...`3....$cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 69 2d 6c 6c 75 6d   anager,dc=i-llum
  0020:  69 6e 61 74 69 6f 6e 2c  64 63 3d 6c 6f 63 61 6c   ination,dc=local
  0030:  80 08 26 70 75 34 24 71  2a 2a                     ..&pu4$q**
ber_scanf fmt ({i) ber:
ber_dump: buf=0x0805f208 ptr=0x0805f20d end=0x0805f242 len=53
  0000:  60 33 02 01 03 04 24 63  6e 3d 4d 61 6e 61 67 65   `3....$cn=Manage
  0010:  72 2c 64 63 3d 69 2d 6c  6c 75 6d 69 6e 61 74 69   r,dc=i-lluminati
  0020:  6f 6e 2c 64 63 3d 6c 6f  63 61 6c 80 08 26 70 75   on,dc=local..&pu
  0030:  34 24 71 2a 2a                                     4$q**
ber_flush: 58 bytes to sd 3
  0000:  30 38 02 01 01 60 33 02  01 03 04 24 63 6e 3d 4d   08...`3....$cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 69 2d 6c 6c 75 6d   anager,dc=i-llum
  0020:  69 6e 61 74 69 6f 6e 2c  64 63 3d 6c 6f 63 61 6c   ination,dc=local
  0030:  80 08 26 70 75 34 24 71  2a 2a                     ..&pu4$q**
ldap_write: want=58, written=58
  0000:  30 38 02 01 01 60 33 02  01 03 04 24 63 6e 3d 4d   08...`3....$cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 69 2d 6c 6c 75 6d   anager,dc=i-llum
  0020:  69 6e 61 74 69 6f 6e 2c  64 63 3d 6c 6f 63 61 6c   ination,dc=local
  0030:  80 08 26 70 75 34 24 71  2a 2a                     ..&pu4$q**
ldap_result ld 0x8056dd8 msgid 1
ldap_chkResponseList ld 0x8056dd8 msgid 1 all 1
ldap_chkResponseList returns ld 0x8056dd8 NULL
wait4msg ld 0x8056dd8 msgid 1 (infinite timeout)
wait4msg continue ld 0x8056dd8 msgid 1 all 1
** ld 0x8056dd8 Connections:
* host: localhost  port: 636  (default)
  refcnt: 2  status: Connected
  last used: Thu Oct  4 21:28:36 2007
** ld 0x8056dd8 Outstanding Requests:
 * msgid 1,  origid 1, status InProgress
   outstanding referrals 0, parent count 0
** ld 0x8056dd8 Response Queue:
   Empty
ldap_chkResponseList ld 0x8056dd8 msgid 1 all 1
ldap_chkResponseList returns ld 0x8056dd8 NULL
ldap_int_select
read1msg: ld 0x8056dd8 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=0
ber_get_next failed.
ldap_perror
ldap_result: Can't contact LDAP server (-1)
```

I really have no idea what to do now. And the documentation on the internet is, unfortunately, pretty poor.

Anybody?
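As an added example (my code, not the poster's), a small Python parser for traces in the `ldapsearch -d` format shown above. It separates the first trace's pattern, where the TCP connect itself fails, from the second's, where the socket connects and the server closes it without replying (consistent with a plain `ldap://` URL being used against port 636, which expects TLS), and it decodes the BER-dumped BindRequest, which for a simple bind carries the password in the clear, so a `-d 255` trace should be redacted before it is shared. The sample trace, its DN and its password are constructed.

```python
import re
HEXLINE = re.compile(r"^\s*[0-9a-f]{4}:\s+((?:[0-9a-f]{2}\s+)+)", re.I)

def sent_request(trace):
    """Bytes of the first ber_flush hex dump, i.e. the request that went out."""
    out, grab = bytearray(), False
    for line in trace.splitlines():
        if line.startswith("ber_flush:"):
            grab = True
        elif grab and HEXLINE.match(line):      # at most 16 bytes per dump line
            out += bytes.fromhex("".join(HEXLINE.match(line).group(1).split()[:16]))
        elif grab and out:                      # first non-hex line ends the dump
            break
    return bytes(out)

def tlv(buf, pos):  # one BER tag/length/value; handles short and long-form lengths
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_bind_request(msg):
    """LDAPMessage{messageID, [APPLICATION 0] BindRequest{version, name, simple}}."""
    tag, body, _ = tlv(msg, 0)
    _, _, pos = tlv(body, 0)                    # messageID
    tag2, bind, _ = tlv(body, pos)
    if tag != 0x30 or tag2 != 0x60:             # SEQUENCE wrapping a BindRequest
        return None
    _, ver, pos = tlv(bind, 0)
    _, name, pos = tlv(bind, pos)
    tag, cred, _ = tlv(bind, pos)               # [CONTEXT 0] = simple password
    return {"version": ver[0], "dn": name.decode(), "pw_in_trace": tag == 0x80 and len(cred) > 0}

def failure_point(trace):
    """Where the client gave up: at TCP connect, or after the server hung up."""
    if "ldap_open_defconn: successful" not in trace:
        return "tcp-connect-failed"             # nothing listening on that port, or filtered
    if re.search(r"ldap_read: want=\d+, got=0", trace):
        return "server-closed-without-reply"    # e.g. plain ldap:// sent to a TLS-only port
    return "no-client-side-failure"

# Constructed trace fragment in the ldapsearch -d format (DN and password are made up).
SAMPLE = """ldap_open_defconn: successful
ber_flush: 48 bytes to sd 3
  0000:  30 2e 02 01 01 60 29 02  01 03 04 1c 63 6e 3d 4d   0....`).....cn=M
  0010:  61 6e 61 67 65 72 2c 64  63 3d 65 78 61 6d 70 6c   anager,dc=exampl
  0020:  65 2c 64 63 3d 63 6f 6d  80 06 73 33 63 72 33 74   e,dc=com..s3cr3t
ldap_read: want=8, got=0
"""
```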

----------

## reavertm

Run the LDAP server (slapd) in verbose mode (I don't remember the switch, maybe -d like 'debug'; consult the manual) - there should be a possibility to add this option in /etc/conf.d/ldap or sth.

And then try to connect as a client; maybe the server is rejecting or just not started (configured) properly?

----------

## ianw1974

Do:

```
netstat -tunlp
```

and see if ports 389 and 636 are listening. If they are, the output of the command I gave above should also list slapd against both of these ports for easy identification. If not, run slaptest to check the config file and see where the problems might be.
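As an added example (my code, not ianw1974's), a Python check that reads `netstat -tunlp` output and reports, for ports 389 and 636, whether anything listens, whether the owner is slapd, and whether the binding is loopback-only (irrelevant for the local clients in this thread, but a common reason remote clients see the same error). The netstat sample is constructed.

```python
import re

# A listening TCP line from `netstat -tunlp`: proto, queues, local addr, foreign addr, state, pid/program.
LISTEN_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+)\s+\S+\s+LISTEN\s+(\S+)")

def listeners(netstat_output, ports=(389, 636)):
    """Map each port of interest to the (bind address, program) pairs listening on it."""
    found = {p: [] for p in ports}
    for line in netstat_output.splitlines():
        m = LISTEN_LINE.match(line)
        if not m:
            continue                                  # header, UDP and non-listening lines
        addr, _, port = m.group(1).rpartition(":")    # works for "127.0.0.1:389" and ":::389"
        if int(port) in found:
            found[int(port)].append((addr, m.group(2).split("/")[-1]))
    return found

def check_slapd(netstat_output):
    """Findings to act on, in port order: nothing listening, wrong owner, loopback-only binding."""
    notes = []
    for port, binds in listeners(netstat_output).items():
        if not binds:
            notes.append(f"{port}: nothing listening; start slapd, or run slaptest to check the config")
            continue
        for addr, prog in binds:
            if prog == "-":
                notes.append(f"{port}: owner hidden; rerun netstat as root to see the program name")
            elif prog != "slapd":
                notes.append(f"{port}: owned by {prog}, not slapd")
        if all(addr in ("127.0.0.1", "::1") for addr, _ in binds):
            notes.append(f"{port}: bound to loopback only; remote clients cannot reach it")
    return notes

# Constructed netstat -tunlp output (not from the thread): slapd on loopback:389 only, nothing on 636.
SAMPLE_NETSTAT = """Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      2140/slapd
tcp6       0      0 :::22                   :::*                    LISTEN      812/sshd
udp        0      0 0.0.0.0:68              0.0.0.0:*                           990/dhclient
"""
```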

----------

## dahoste

Did the original poster ever find a solution to this? I'm struggling with ldap after an update and am having the same issue -- namely getting the following message when I attempt any communication with ldap: "ldap_bind: Can't contact LDAP server (-1)".

slapd refuses to start, citing the following:

```
bdb_db_open: dbenv_open(/var/lib/openldap-data)
bdb_db_open: Database cannot be opened, err 22. Restore from backup!
====> bdb_cache_release_all
bdb(dc=NEGATIVESUM,dc=NET): DB_ENV->lock_id_free interface requires an environment configured for the locking subsystem
bdb(dc=NEGATIVESUM,dc=NET): txn_checkpoint interface requires an environment configured for the transaction subsystem
bdb_db_close: txn_checkpoint failed: Invalid argument (22)
backend_startup_one: bi_db_open failed! (22)
slapd shutdown: initiated
====> bdb_cache_release_all
bdb_db_close: alock_close failed
slapd destroy: freeing system resources.
```

And attempts to use manual ldap commands like ldapdelete, ldapsearch, result in this:

```
ldap_bind
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 127.0.0.1:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_perror
ldap_bind: Can't contact LDAP server (-1)
```

And that's with '-d 5' to get some debug output, and 'debug 256' in /etc/ldap.conf. /var/log/nss_ldap/ldap.* log files get created, but they're always empty.

Additional version info:

```
[ebuild   R   ] net-nds/openldap-2.3.38  USE="berkdb crypt gdbm kerberos perl readline samba ssl tcpd -debug -ipv6 -minimal -odbc -overlays -sasl (-selinux) -slp -smbkrb5passwd" 0 kB
[ebuild   R   ] sys-auth/nss_ldap-253  USE="-debug -sasl" 0 kB
[ebuild   R   ] sys-auth/pam_ldap-183  USE="ssl -sasl" 0 kB
```

Any suggestions?

This was otherwise a stable ldap config that's been running successfully for over a year.

thanks.

----------

## ianw1974

When I've had "Can't connect to LDAP Server" it was because the SSL use flag was enabled.  In the end, I disabled it just for the openldap package, and my problems went away.

Of course, this was because I didn't need to use SSL functionality for openldap, as I was happy to use on port 389 and not 636.

----------

## dahoste

Hmm... I can reconfigure for non-SSL ldap, but I'd rather not. The really frustrating thing about this is that 2 days ago I had a perfectly working system. Now, ldap simply doesn't work. At all. Period. And I can't associate it with anything specific.

I'll try non-SSL, as I am totally dead in the water at the moment, with nothing else to try.

Note that with 'ssl start_tls' in /etc/ldap.conf, SSL is actually used on port 389 (if I understand the difference between 'ssl on' and 'ssl start_tls' correctly).

Anyway, thanks for the reply.  Any further advice is also appreciated.

----------

## ianw1974

I simply went non-ssl because I too had it working and then it stopped, but this was in a matter of a day.  After that, I didn't bother to try SSL again.  Although I know the reasoning behind preferring to use this.

Have a go with that; when you've got standard working, check out SSL after this.

----------

## dahoste

[SOLVED] Well... if completely deleting the bdb folder and reconstructing the ldap db is 'solving' the problem.

I couldn't get any of the berkeley tools to behave or apparently do anything constructive, so I just wiped the /var/lib/openldap-data folder, re-emerged openldap (just for good measure), and used slapadd to do a full repopulation of the ldap db from a nightly slapcat dump (ldif file).

Had this been a higher traffic production system, I'd probably be pissed.  Though I now officially hate ldap.  This is like the 4th or 5th time I've wasted hours recovering from some arcane breakage of what is proving to be an annoyingly fragile tool.

Oh well.  Sally forth.

----------

## ianw1974

Try using ldbm instead.  I use this as I also had some problems with bdb from time to time.  Similar to yours in fact, I had an installation go corrupt.

----------

## dahoste

This from the openldap FAQ:

> back-ldbm is obsolete and should not be used.

http://www.openldap.org/faq/data/cache/756.html

back-hdb seems to have more traction than back-bdb.  Maybe that's the way to go.

----------

