Ldap

ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) for ldapi:/// on CentOS

  • November 3, 2015

(This is a follow-up to "ldap_modify: Insufficient access (50) when changing password", because we found a separate problem during the diagnosis.)

Before modifying the cn=config LDAP database, I am trying to access it. However, I get a `ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)` error:

# ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' -d1
ldap_url_parse_ext(ldapi:///)
ldap_create
ldap_url_parse_ext(ldapi:///??base)
ldap_sasl_interactive_bind: user selected: EXTERNAL
ldap_int_sasl_bind: EXTERNAL
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_path
ldap_new_socket: 3
ldap_connect_to_path: Trying /var/run/ldapi
ldap_connect_timeout: fd: 3 tm: -1 async: 0
ldap_ndelay_on: 3
ldap_close_socket: 3
ldap_msgfree
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

ldapi:// (but not ldapi:///?) seems to be defined in /etc/openldap/ldap.conf:

#
# LDAP Defaults
#

# See ldap.conf(5) for details
# This file should be world readable but not world writable.

BASE    dc=my_domain,dc=com
#URI    ldap://ldap.example.com ldap://ldap-master.example.com:666
URI     ldap:// ldapi:// ldaps://

#SIZELIMIT  12
#TIMELIMIT  15
#DEREF          never

TLS_CACERTDIR /etc/openldap/certs

After stopping the firewall with service iptables stop:

The socket file for ldapi does not seem to be defined:

ls -la /var/run/ldapi

ls: cannot access /var/run/ldapi: No such file or directory

Here are the other files in /var/run:

[root@my_hostname ~]# ls -la /var/run/
total 128
drwxr-xr-x. 19 root      root      4096 Oct 30 13:13 .
drwxr-xr-x. 20 root      root      4096 Oct 20 09:23 ..
drwxr-xr-x.  2 root      root      4096 Oct 23 23:11 abrt
-rw-r--r--   1 root      root         5 Oct 23 23:11 abrtd.pid
-rw-r--r--   1 root      root         5 Oct 23 23:11 atd.pid
-rw-r--r--   1 root      root         4 Oct 23 23:11 auditd.pid
drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 console
drwxr-xr-x.  2 root      root      4096 Nov 10  2010 ConsoleKit
-rw-r--r--   1 root      root         5 Oct 23 23:11 crond.pid
----------   1 root      root         0 Oct 23 23:11 cron.reboot
drwxr-xr-x.  2 root      root      4096 Oct 23 23:11 dbus
drwxr-xr-x   2 root      root      4096 Oct 23 23:11 fail2ban
drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 faillock
drwx------.  2 haldaemon haldaemon 4096 Oct 15  2014 hald
-rw-r--r--   1 root      root         5 Oct 23 23:11 haldaemon.pid
-rw-r--r--   1 root      root         5 Oct 23 23:11 irqbalance.pid
drwx------.  2 root      root      4096 Sep 22 09:15 lvm
drwx------.  2 root      root      4096 Jul 24 03:23 mdadm
-rw-r--r--   1 root      root         5 Oct 23 23:11 messagebus.pid
drwxrwxr-x.  2 root      root      4096 Sep 22 11:47 netreport
drwxr-xr-x   2 ldap      ldap      4096 Oct 30 13:13 openldap
drwxr-xr-x.  2 root      root      4096 Aug 11  2014 plymouth
drwxr-xr-x.  4 root      root      4096 Oct 15  2014 pm-utils
drwxr-xr-x   2 root      root      4096 Oct 23 23:11 portreserve
drwxr-xr-x.  2 root      root      4096 Mar 25  2015 saslauthd
drwxr-xr-x.  2 root      root      4096 Aug 18 09:26 sepermit
drwxr-xr-x.  2 root      root      4096 Oct 15  2014 setrans
-rw-r--r--   2 ldap      ldap         6 Oct 30 13:13 slapd.pid
-rw-r--r--   1 root      root         5 Oct 23 23:11 sshd.pid
-rw-------   1 root      root         5 Oct 23 23:11 syslogd.pid
-rw-rw-r--   1 root      utmp      5376 Nov  3 11:16 utmp
-rw-r--r--   1 root      root         5 Oct 23 23:11 xe-daemon.pid

[root@my_hostname ~]# ls -la /var/run/openldap/
total 16
drwxr-xr-x   2 ldap ldap 4096 Oct 30 13:13 .
drwxr-xr-x. 19 root root 4096 Oct 30 13:13 ..
-rw-r--r--   1 ldap ldap   39 Oct 30 13:13 slapd.args
-rw-r--r--   2 ldap ldap    6 Oct 30 13:13 slapd.pid

slapd seems to have been started with ldaps but not ldapi:

# ps auxf | grep slapd
root     28776  0.0  0.0 103308   836 pts/0    S+   11:23   0:00          \_ grep slapd
ldap     29398  0.0  1.0 370152 20348 ?        Ssl  Oct30   0:00 /usr/sbin/slapd -h  ldaps:/// -u ldap

The only mention of ldaps: under /etc/openldap also mentions ldapi:

# grep -R 'ldaps:' /etc/openldap/
/etc/openldap/ldap.conf:URI ldap:// ldapi:// ldaps://

How do I make sure ldapi:/// is available?

Per @84104's comment, /etc/openldap/ldap.conf is the client configuration.

On CentOS 6 the server configuration is in /etc/sysconfig/ldap (not slapd). I made sure it contains the following line:

# Run slapd with -h "... ldapi:/// ..."
#   yes/no, default: yes
SLAPD_LDAPI=yes

and restarted the LDAP server:

service slapd restart

After this, ldapi:/// is available and ldapsearch -H ldapi:/// -Y EXTERNAL -b 'cn=config' succeeds.
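The answer above boils down to three facts that can be checked mechanically: whether /etc/sysconfig/ldap enables ldapi, whether the running slapd's -h list actually contains ldapi:///, and whether the socket the client tries (/var/run/ldapi in the debug trace) exists. The script below is an added diagnostic written for this thread; it is not from the original question or answer. The sample sysconfig lines and slapd command line it feeds itself under --demo are constructed to mirror the poster's host (ldapi disabled, slapd started with ldaps:/// only); the file paths are the ones shown in the thread and can be overridden by arguments on a live box.

```shell
#!/bin/sh
# Added diagnostic for "Can't contact LDAP server (-1)" on ldapi:///.
# Not from the original post.  Three checks, same data the poster gathered:
#   1. does /etc/sysconfig/ldap enable ldapi:///?          (SLAPD_LDAPI)
#   2. does the running slapd's -h list include ldapi:///? (slapd.args / ps)
#   3. does the socket file the client is trying exist?    (/var/run/ldapi)

# Print the effective SLAPD_LDAPI value from a sysconfig file read on stdin.
# Last uncommented assignment wins; an absent setting is reported as the
# file's own documented default, "yes".
sysconfig_ldapi() {
    awk -F= '
        /^[ \t]*#/ { next }
        $1 ~ /^[ \t]*SLAPD_LDAPI[ \t]*$/ {
            v = $2
            gsub(/^[ \t"]+|[ \t"]+$/, "", v)
            val = v
        }
        END { if (val == "") val = "yes"; print val }
    '
}

# Print the URL list slapd was started with: the tokens after "-h" up to the
# next option.  Feed it slapd's argv, e.g. the contents of slapd.args.
slapd_urls() {
    urls=""
    collecting=0
    for tok in "$@"; do
        case "$tok" in
            -h) collecting=1; continue ;;
            -*) collecting=0 ;;
        esac
        [ "$collecting" -eq 1 ] && urls="$urls $tok"
    done
    printf '%s\n' "${urls# }"
}

# Succeed if slapd's argv lists a URL of the given scheme (ldap, ldaps, ldapi).
# The init script may pass the URLs as one quoted token; the unquoted
# expansion in the for loop splits that case too.
listens_on() {
    scheme=$1; shift
    for u in $(slapd_urls "$@"); do
        case "$u" in "$scheme:"*) return 0 ;; esac
    done
    return 1
}

# Run all three checks, print one line per finding, succeed only when all pass.
# $1 sysconfig file, $2 slapd.args file, $3 socket path (defaults from the thread).
diagnose_ldapi() {
    cfg=${1:-/etc/sysconfig/ldap}
    args=${2:-/var/run/openldap/slapd.args}
    sock=${3:-/var/run/ldapi}
    ok=0

    if [ "$(sysconfig_ldapi < "$cfg")" = yes ]; then
        echo "ok:   $cfg has SLAPD_LDAPI=yes"
    else
        echo "FAIL: $cfg does not enable ldapi (set SLAPD_LDAPI=yes, then: service slapd restart)"
        ok=1
    fi

    # word-splitting slapd.args into argv is intentional here
    if listens_on ldapi $(cat "$args"); then
        echo "ok:   running slapd listens on: $(slapd_urls $(cat "$args"))"
    else
        echo "FAIL: running slapd listens only on: $(slapd_urls $(cat "$args"))"
        ok=1
    fi

    if [ -S "$sock" ]; then
        echo "ok:   $sock is a socket ($(ls -l "$sock"))"
    else
        echo "FAIL: $sock missing; ldapsearch -H ldapi:/// cannot connect"
        ok=1
    fi
    return $ok
}

# Constructed sample data mirroring the thread's host: ldapi disabled in
# sysconfig and slapd running with ldaps:/// only.
if [ "${1:-}" = --demo ]; then
    tmp=$(mktemp -d)
    printf 'SLAPD_LDAPS=yes\nSLAPD_LDAPI=no\n' > "$tmp/ldap"
    printf '/usr/sbin/slapd -h ldaps:/// -u ldap\n' > "$tmp/slapd.args"
    diagnose_ldapi "$tmp/ldap" "$tmp/slapd.args" "$tmp/ldapi"
    rm -rf "$tmp"
fi
```

Run it as `sh diagnose.sh --demo` to see all three checks fail the way they did for the poster, or as root with no arguments on the server itself. One point worth keeping in mind when you do get ldapi working: SASL EXTERNAL over a Unix socket authenticates by the connecting process's uid and gid (root becomes `gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth`, the identity the stock cn=config ACL trusts), so whoever can connect to /var/run/ldapi as root has full control of the directory configuration without any password; that is exactly why the socket lives under /var/run rather than being network-reachable.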

Source: https://serverfault.com/questions/733637