[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap client configuration to connect to AD

To: Sankhadip Sengupta <sdsgupta@cs.utah.edu>
Subject: Re: openldap client configuration to connect to AD
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 06 Mar 2009 21:06:11 +0100
Cc: Santosh Kumar <santosh.kb@rediffmail.com>, openldap-technical@openldap.org
In-reply-to: <20090306124544.azszsb2eas4ko0gw@webmail.cs.utah.edu>
References: <20090306053607.53778.qmail@f4mail-235-143.rediffmail.com> <49B11E45.20507@stroeder.com> <0F75FC99B2B144D685B038196AA2BBE3@puppetmasterPC> <49B162C4.4010503@stroeder.com> <20090306124544.azszsb2eas4ko0gw@webmail.cs.utah.edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.21) Gecko/20090303 SeaMonkey/1.1.15

Sankhadip Sengupta wrote:
> Quoting Michael Ströder <michael@stroeder.com>:
>> Sankhadip Sengupta wrote:
>>> Michael Ströder wrote:
>>>> Santosh Kumar wrote:
>>>>> ./ldapsearch -x -W -h 10.10.10.10 -b
>>>>> "CN=testuser,OU=Users,OU=KeyPairIN,OU=KeyPair,DC=keypair,DC=internal"
>>>>> -S sub
>>>>> Enter LDAP Password:  ***
>>>>>
>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>>
>>>> This means the server is not reachable at TCP level. Make sure your
>>>> AD is reachable on the IP address given with -h.
>>>
>>> I have encountered this issue before.This I fixed by allowing
>>> permissions(anonymous read) on the ADS.By default anonymous read on ADS
>>> is not allowed by windows.To do this you need to select a dc from the
>>> ADS and right click on it and  add "ANONYMOUS LOGON" user to it.Then
>>> change the permission to "list all contents".This will work then.
>>
>> 1. The error message "Can't contact LDAP server (-1)" clearly indicates
>> that the server wasn't reachable at TCP level. You definitely won't
>> solve that by allowing anonymous access in AD. Santosh has to solve that
>> issue at network level.
>>
>> 2. Changing the AD configuration to allow anonymous access might give
>> you some issues with people auditing your system (e.g. in the banking
>> business).

> What I meant was that the server refuses to accept connections.Which 
> means a TCP level RST bit set.
> 
> Now can't contact LDAP server message is very generic and it doesnt
> show deep info on what actually happened.

It clearly indicates that the LDAP connection could not be established
at all. Another case where this error message is shown if something's
going wrong with establishing a SSL connection (which seems not relevant
here).

If you hit the famous AD-not-allowing-anon-access issue the message is
definitely different.

> I would imagine no body would have errors setting up an LDAP server ip
> address.

There could be a firewall in between or any other IP networking problem.
The original poster has to check this.

Ciao, Michael.

References:
- openldap client configuration to connect to AD
  - From: "Santosh Kumar" <santosh.kb@rediffmail.com>
- Re: openldap client configuration to connect to AD
  - From: Michael Ströder <michael@stroeder.com>
- Re: openldap client configuration to connect to AD
  - From: "Sankhadip Sengupta" <sdsgupta@cs.utah.edu>
- Re: openldap client configuration to connect to AD
  - From: Michael Ströder <michael@stroeder.com>
- Re: openldap client configuration to connect to AD
  - From: Sankhadip Sengupta <sdsgupta@cs.utah.edu>

Prev by Date: Re: openldap client configuration to connect to AD
Next by Date: Re: TLSVerifyClient => no login possible
Index(es):
- Chronological
- Thread