Ldap
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) for ldapi:/// on CentOS
(This is a follow-up to "ldap_modify: Insufficient access (50) when changing password", because we found a separate problem during diagnosis.)
I am trying to access the cn=config LDAP database before modifying it. However, I am getting an

    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

error:

    # ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' -d1
    ldap_url_parse_ext(ldapi:///)
    ldap_create
    ldap_url_parse_ext(ldapi:///??base)
    ldap_sasl_interactive_bind: user selected: EXTERNAL
    ldap_int_sasl_bind: EXTERNAL
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_path
    ldap_new_socket: 3
    ldap_connect_to_path: Trying /var/run/ldapi
    ldap_connect_timeout: fd: 3 tm: -1 async: 0
    ldap_ndelay_on: 3
    ldap_close_socket: 3
    ldap_msgfree
    ldap_err2string
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
ldapi:// (but not ldapi:///?) seems to be defined in /etc/openldap/ldap.conf:

    #
    # LDAP Defaults
    #

    # See ldap.conf(5) for details
    # This file should be world readable but not world writable.

    BASE    dc=my_domain,dc=com
    #URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
    URI     ldap:// ldapi:// ldaps://

    #SIZELIMIT      12
    #TIMELIMIT      15
    #DEREF          never

    TLS_CACERTDIR /etc/openldap/certs
After stopping the firewall (service iptables stop), the socket file for ldapi still doesn't seem to exist:

    # ls -la /var/run/ldapi
    ls: cannot access /var/run/ldapi: No such file or directory

Here are the other files in /var/run:

    [root@my_hostname ~]# ls -la /var/run/
    total 128
    drwxr-xr-x. 19 root      root      4096 Oct 30 13:13 .
    drwxr-xr-x. 20 root      root      4096 Oct 20 09:23 ..
    drwxr-xr-x.  2 root      root      4096 Oct 23 23:11 abrt
    -rw-r--r--   1 root      root         5 Oct 23 23:11 abrtd.pid
    -rw-r--r--   1 root      root         5 Oct 23 23:11 atd.pid
    -rw-r--r--   1 root      root         4 Oct 23 23:11 auditd.pid
    drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 console
    drwxr-xr-x.  2 root      root      4096 Nov 10  2010 ConsoleKit
    -rw-r--r--   1 root      root         5 Oct 23 23:11 crond.pid
    ----------   1 root      root         0 Oct 23 23:11 cron.reboot
    drwxr-xr-x.  2 root      root      4096 Oct 23 23:11 dbus
    drwxr-xr-x   2 root      root      4096 Oct 23 23:11 fail2ban
    drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 faillock
    drwx------.  2 haldaemon haldaemon 4096 Oct 15  2014 hald
    -rw-r--r--   1 root      root         5 Oct 23 23:11 haldaemon.pid
    -rw-r--r--   1 root      root         5 Oct 23 23:11 irqbalance.pid
    drwx------.  2 root      root      4096 Sep 22 09:15 lvm
    drwx------.  2 root      root      4096 Jul 24 03:23 mdadm
    -rw-r--r--   1 root      root         5 Oct 23 23:11 messagebus.pid
    drwxrwxr-x.  2 root      root      4096 Sep 22 11:47 netreport
    drwxr-xr-x   2 ldap      ldap      4096 Oct 30 13:13 openldap
    drwxr-xr-x.  2 root      root      4096 Aug 11  2014 plymouth
    drwxr-xr-x.  4 root      root      4096 Oct 15  2014 pm-utils
    drwxr-xr-x   2 root      root      4096 Oct 23 23:11 portreserve
    drwxr-xr-x.  2 root      root      4096 Mar 25  2015 saslauthd
    drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 sepermit
    drwxr-xr-x.  2 root      root      4096 Oct 15  2014 setrans
    -rw-r--r--   2 ldap      ldap         6 Oct 30 13:13 slapd.pid
    -rw-r--r--   1 root      root         5 Oct 23 23:11 sshd.pid
    -rw-------   1 root      root         5 Oct 23 23:11 syslogd.pid
    -rw-rw-r--   1 root      utmp      5376 Nov  3 11:16 utmp
    -rw-r--r--   1 root      root         5 Oct 23 23:11 xe-daemon.pid
    [root@my_hostname ~]# ls -la /var/run/openldap/
    total 16
    drwxr-xr-x   2 ldap      ldap      4096 Oct 30 13:13 .
    drwxr-xr-x. 19 root      root      4096 Oct 30 13:13 ..
    -rw-r--r--   1 ldap      ldap        39 Oct 30 13:13 slapd.args
    -rw-r--r--   2 ldap      ldap         6 Oct 30 13:13 slapd.pid
slapd seems to have been started with ldaps rather than ldapi:

    # ps auxf | grep slapd
    root     28776  0.0  0.0 103308   836 pts/0    S+   11:23   0:00  \_ grep slapd
    ldap     29398  0.0  1.0 370152 20348 ?        Ssl  Oct30   0:00 /usr/sbin/slapd -h ldaps:/// -u ldap
The only mention of ldaps: in /etc/openldap also mentions ldapi:

    # grep -R 'ldaps:' /etc/openldap/
    /etc/openldap/ldap.conf:URI ldap:// ldapi:// ldaps://
How do I make sure ldapi:/// is available?
As per @84104's comment, /etc/openldap/ldap.conf is the client configuration. The server configuration on CentOS 6 is in /etc/sysconfig/ldap (not slapd). I made sure it contains the following lines:

    # Run slapd with -h "... ldapi:/// ..."
    # yes/no, default: yes
    SLAPD_LDAPI=yes

and restarted the LDAP server:

    service slapd restart

After this, ldapi:/// was available and

    ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config'

succeeded.
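The question's diagnosis came down to three facts: which listeners slapd was actually started with (the -h list in ps or /var/run/openldap/slapd.args), what /etc/sysconfig/ldap says about SLAPD_LDAPI, and which Unix socket an ldapi URL resolves to. They matter because SASL EXTERNAL over ldapi authenticates by the peer uid/gid of the socket connection, so cn=config access as root depends on that listener existing at the path the client tries. The script below is an added example, not code from the question or answer: it checks each of those from the contents you pass in, against constructed samples modelled on the outputs shown above. The sample strings and the "unset" marker are this example's own conventions; the default socket path /var/run/ldapi is taken from the -d1 trace in the question, and only %2F is decoded in ldapi URLs.

```shell
#!/bin/sh
# Added example, not from the original question or answer: offline checks for
# the three things that decide whether `ldapsearch -H ldapi:///` can connect.
# The functions take file/ps contents as strings so they can be exercised on
# the constructed samples below; on a real CentOS 6 box feed them
# "$(cat /var/run/openldap/slapd.args)" and "$(cat /etc/sysconfig/ldap)".

# Constructed samples (modelled on the outputs shown in the question).
SLAPD_ARGS_BROKEN='/usr/sbin/slapd -h ldaps:/// -u ldap'
SLAPD_ARGS_FIXED='/usr/sbin/slapd -h "ldap:/// ldapi:///" -u ldap'
SYSCONFIG_SAMPLE='# Run slapd with -h "... ldapi:/// ..."
# yes/no, default: yes
#SLAPD_LDAPI=no
SLAPD_LDAPI=yes'

# 1. Does the slapd command line (ps output or slapd.args) list an ldapi://
#    listener? The -h URL list is quoted when it has several entries, so strip
#    quotes and scan word by word. Returns 0 (true) if one is found.
slapd_args_have_ldapi() {
    for word in $(printf '%s\n' "$1" | tr -d '"'); do
        case $word in
            ldapi://*) return 0 ;;
        esac
    done
    return 1
}

# 2. Effective SLAPD_LDAPI setting in /etc/sysconfig/ldap contents: the last
#    uncommented assignment wins (surrounding quotes are tolerated); prints
#    "unset" when there is none, so the caller can tell "no" from absent.
sysconfig_ldapi_value() {
    value=$(printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*SLAPD_LDAPI=["'"'"']\{0,1\}\([A-Za-z]*\).*/\1/p' \
        | tail -n 1)
    printf '%s\n' "${value:-unset}"
}

# 3. Which Unix socket an ldapi URL names. OpenLDAP carries the socket path,
#    percent-encoded, in the host position (ldapi://%2Fvar%2Frun%2Fldapi/);
#    a bare ldapi:/// or ldapi:// means the compiled-in default, which the
#    -d1 trace in the question shows as /var/run/ldapi on that CentOS build.
#    Assumption: only %2F needs decoding; other escapes are left as-is.
ldapi_socket_path() {
    default=${2:-/var/run/ldapi}
    host=$(printf '%s\n' "$1" | sed -n 's#^ldapi://\([^/]*\).*#\1#p')
    if [ -z "$host" ]; then
        printf '%s\n' "$default"
    else
        printf '%s\n' "$host" | sed 's/%2[Ff]/\//g'
    fi
}

# Human-readable verdict combining the three checks.
diagnose() {
    args=$1; sysconfig=$2; url=$3
    if slapd_args_have_ldapi "$args"; then
        listener=yes
    else
        listener=no
    fi
    printf 'slapd started with an ldapi listener: %s\n' "$listener"
    printf 'SLAPD_LDAPI in sysconfig:              %s\n' "$(sysconfig_ldapi_value "$sysconfig")"
    printf 'client %s will try socket:  %s\n' "$url" "$(ldapi_socket_path "$url")"
}

# The state from the question (ldaps only) and the state after the fix.
diagnose "$SLAPD_ARGS_BROKEN" "$SYSCONFIG_SAMPLE" 'ldapi:///'
diagnose "$SLAPD_ARGS_FIXED" "$SYSCONFIG_SAMPLE" 'ldapi://%2Fvar%2Frun%2Fopenldap%2Fldapi/'
```

If the first check says "no" while the second says "yes", slapd has not been restarted since the sysconfig change (the init script only reads the file at start); if the third path is not the one slapd is listening on, the client's ldapi URL or the server's -h list names a different socket and the bind will fail with the same -1 even though the listener is up.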