[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap client configuration to connect to AD

Sankhadip Sengupta wrote:
> Quoting Michael Ströder <michael@stroeder.com>:
>> Sankhadip Sengupta wrote:
>>> Michael Ströder wrote:
>>>> Santosh Kumar wrote:
>>>>> ./ldapsearch -x -W -h -b
>>>>> "CN=testuser,OU=Users,OU=KeyPairIN,OU=KeyPair,DC=keypair,DC=internal"
>>>>> -S sub
>>>>> Enter LDAP Password:  ***
>>>>> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
>>>> This means the server is not reachable at TCP level. Make sure your
>>>> AD is reachable on the IP address given with -h.
>>> I have encountered this issue before.This I fixed by allowing
>>> permissions(anonymous read) on the ADS.By default anonymous read on ADS
>>> is not allowed by windows.To do this you need to select a dc from the
>>> ADS and right click on it and  add "ANONYMOUS LOGON" user to it.Then
>>> change the permission to "list all contents".This will work then.
>> 1. The error message "Can't contact LDAP server (-1)" clearly indicates
>> that the server wasn't reachable at TCP level. You definitely won't
>> solve that by allowing anonymous access in AD. Santosh has to solve that
>> issue at network level.
>> 2. Changing the AD configuration to allow anonymous access might give
>> you some issues with people auditing your system (e.g. in the banking
>> business).

> What I meant was that the server refuses to accept connections.Which 
> means a TCP level RST bit set.
> Now can't contact LDAP server message is very generic and it doesnt
> show deep info on what actually happened.

It clearly indicates that the LDAP connection could not be established
at all. Another case where this error message is shown if something's
going wrong with establishing a SSL connection (which seems not relevant

If you hit the famous AD-not-allowing-anon-access issue the message is
definitely different.

> I would imagine no body would have errors setting up an LDAP server ip
> address.

There could be a firewall in between or any other IP networking problem.
The original poster has to check this.

Ciao, Michael.