Lab 29.2. Centralized Authentication Using LDAP and TLS...?

Hi Luis,
I have installed the LDAP server on a VM and it is running...

Then I followed the instructions, but I would love this sentence to be explained in detail:

It is assumed that the ready-for.sh script has been run, the solutions and resource files loaded and extracted to a directory

...however, I went on with installing the openldap-clients packages, then I wanted to...

ldapsearch -x -H ldap://10.0.2.15 -b "dc=example,dc=com" -s sub "objectclass=*"

but bash responded:

ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I would love to go on with the exercise... maybe you have a hint for a solution?

Thanks!

regards

berni

Best Answer

  • luisviveropena
    luisviveropena Posts: 1,338
    edited May 5 Answer ✓

    Hi Berni,

    It looks like a networking issue. So let's take a look from that point of view:

    1.- See what the client IP is. In my case:

    luis@debiansrv:~$ ip a
    1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
        link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
        inet 127.0.0.1/8 scope host lo
           valid_lft forever preferred_lft forever
        inet6 ::1/128 scope host noprefixroute 
           valid_lft forever preferred_lft forever
    2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
        link/ether 08:00:27:e4:93:87 brd ff:ff:ff:ff:ff:ff
        altname enx080027e49387
        inet 192.168.1.27/24 brd 192.168.1.255 scope global dynamic noprefixroute enp0s3
           valid_lft 2520sec preferred_lft 2520sec
    
    It's 192.168.1.27.
    

    2.- The IP of the LDAP Server in my case is 192.168.1.246 (so both systems are in the same network), and both ports 389 and 636 should be listening.

    3.- Let's ping the LDAP Server (if your setup permits it):

    luis@debiansrv:~$ ping 192.168.1.246
    PING 192.168.1.246 (192.168.1.246) 56(84) bytes of data.
    64 bytes from 192.168.1.246: icmp_seq=1 ttl=64 time=0.901 ms
    64 bytes from 192.168.1.246: icmp_seq=2 ttl=64 time=0.951 ms
    ^C
    

    That's ok.

    4.- Let's try the ldapsearch command:

    luis@debiansrv:~$ ldapsearch -x -H ldap://192.168.1.246 -b "dc=example,dc=com" -s sub "objectclass=*"
    # extended LDIF
    #
    # LDAPv3
    # base <dc=example,dc=com> with scope subtree
    # filter: (objectclass=*)
    # requesting: ALL
    #
    
    # example.com
    dn: dc=example,dc=com
    objectClass: top
    objectClass: dcObject
    objectClass: organization
    o: example.com
    dc: example
    [...]
    

    That works :)

    So check the network on your side and let me know.

    Regards,
    Luis.

Answers

  • austrianadmin
    austrianadmin Posts: 37

    Hi Luis,
    ip a worked fine

    lfstudent@localhost:~$ ping 10.0.2.15
    PING 10.0.2.15 (10.0.2.15) 56(84) bytes of data.
    64 bytes from 10.0.2.15: icmp_seq=1 ttl=64 time=0.079 ms
    64 bytes from 10.0.2.15: icmp_seq=2 ttl=64 time=0.106 ms
    64 bytes from 10.0.2.15: icmp_seq=3 ttl=64 time=0.102 ms
    64 bytes from 10.0.2.15: icmp_seq=4 ttl=64 time=0.068 ms

    ...also worked fine, but...

    lfstudent@localhost:~$ ldapsearch -x -H ldap://10.0.2.15 -b "dc=example,dc=com" -s sub "objectclass=*"
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

    thank you for the support!

    regards

    berni

  • luisviveropena
    luisviveropena Posts: 1,338
    edited May 5

    Hi Berni,

    1.- Let's try nc against the LDAP server's IP and port. You need to do the following from the client:

    nc -zv $IP 389
    
    

    Replace $IP with your LDAP server's IP.

    If the command succeeds, you should see something like this:

    Connected to 10.0.2.15:389.

    Note: I can't put the command because some strings are filtered by the forum software.

    2.- You can also connect to the LDAP server by ssh and use the 'ss' tool to see whether the port is listening, as here. Important note: never connect by ssh with the root account. This is only for testing and debugging purposes.

    ssh -l root 192.168.1.246
    The authenticity of host '192.168.1.246 (192.168.1.246)' can't be established.
    ED25519 key fingerprint is SHA256:SidQWZgtHvM/IUtwDZf+Nc7FDsJBAFnNI1XFAK2YsdU.
    This key is not known by any other names.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '192.168.1.246' (ED25519) to the list of known hosts.
    
    root@192.168.1.246's password: 
    Welcome to Openldap, TurnKey GNU/Linux 14.1 / Debian 8.4 Jessie
    
      System information (as of Tue May 05 22:06:47 2026)
    
        System load:  0.11              Memory usage:  17%
        Processes:    87                Swap usage:    0%
        Usage of /:   4.0% of 16.61GB   IP address for eth0:  192.168.1.246
    
      TKLBAM (Backup and Migration):  NOT INITIALIZED
    
        To initialize TKLBAM, run the "tklbam-init" command to link this
        system to your TurnKey Hub account. For details see the man page or
        go to:
    
            http://www.turnkeylinux.org/tklbam
    
    root@openldap ~# ss -tln
    State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
    LISTEN  0      100        127.0.0.1:25                *:*
    LISTEN  0      128                *:443               *:*
    LISTEN  0      128                *:636               *:*
    LISTEN  0      128        127.0.0.1:12319             *:*
    LISTEN  0      128                *:12320             *:*
    LISTEN  0      128                *:12321             *:*
    LISTEN  0      128                *:389               *:*
    LISTEN  0      128        127.0.0.1:10000             *:*
    LISTEN  0      128                *:80                *:*
    LISTEN  0      128                *:22                *:*
    LISTEN  0      128               :::636              :::*
    LISTEN  0      128               :::389              :::*
    LISTEN  0      128               :::80               :::*
    LISTEN  0      128               :::22               :::*
    

    In this case we can see that ports 389 and 636 are listening, and we should be good to go.

    Regards,
    Luis.
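The client-side rungs of the two answers above (check the URI, reach the port the way `nc -zv` does, then talk LDAP to it), carried through in Python as an added example; this is not part of the thread, the lab material or OpenLDAP itself. It rejects the two malformed URI forms that appear in this thread (`ldap://10.0.2.15.-b` and `ldap:// 10.0.2.15`) before any packet is sent, reports a TCP failure the way `ldapsearch` reports "Can't contact LDAP server (-1)", and then sends an anonymous LDAPv3 simple bind encoded by hand so that "port open" and "slapd actually answering" are told apart, which is the information `ss -tln` on the server gives you and a plain port probe does not. The fake responder, the 127.0.0.1 addresses and the result codes it is fed are constructed for the demonstration; hostnames and IPv4 literals only, no IPv6 brackets.

```python
"""Layered LDAP reachability check: URI syntax, then TCP port, then anonymous bind."""
import re
import socket
import threading

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}
_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")   # one DNS label / IPv4 octet


def parse_ldap_uri(uri):
    """(host, port) for ldap[s]://host[:port]; hostnames/IPv4 only, ValueError otherwise."""
    # Catches both broken forms from the thread: `ldap://10.0.2.15.-b` and `ldap:// 10.0.2.15`.
    m = re.match(r"^(ldap|ldaps)://([^/\s:]+)(?::(\d{1,5}))?/?$", uri)
    if not m:
        raise ValueError("malformed LDAP URI: %r" % uri)
    scheme, host, port = m.groups()
    if not all(_LABEL.match(label) for label in host.split(".")):
        raise ValueError("malformed host in LDAP URI: %r" % host)
    return host, (int(port) if port else DEFAULT_PORTS[scheme])


def _ber(tag, body):
    """BER TLV with a short-form length; every PDU built here is far below 128 bytes."""
    return bytes([tag, len(body)]) + body


def _read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos:], short or long-form length; returns (tag, value, next)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n


def bind_request(message_id=1):
    """LDAPv3 anonymous simple bind: version 3, empty DN, empty password in context tag [0]."""
    op = _ber(0x60, _ber(0x02, b"\x03") + _ber(0x04, b"") + _ber(0x80, b""))
    return _ber(0x30, _ber(0x02, bytes([message_id])) + op)    # message ids below 128 only


def parse_bind_response(data):
    """Return (message_id, result_code, diagnostic) from a BindResponse PDU."""
    _, msg, _ = _read_tlv(data)
    _, mid, pos = _read_tlv(msg)
    op_tag, op, _ = _read_tlv(msg, pos)
    if op_tag != 0x61:
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    _, code, pos = _read_tlv(op)            # ENUMERATED resultCode
    _, _matched, pos = _read_tlv(op, pos)   # matchedDN, unused here
    _, diag, _ = _read_tlv(op, pos)         # diagnosticMessage
    return mid[0], code[0], diag.decode("utf-8", "replace")


def check(uri, timeout=3.0):
    """Walk the ladder and name the first rung that fails."""
    try:
        host, port = parse_ldap_uri(uri)
    except ValueError as e:
        return "malformed-uri: %s" % e
    try:                                    # the `nc -zv host port` rung
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return "cannot-contact: %s" % e     # ldapsearch's "Can't contact LDAP server (-1)"
    with sock:
        sock.sendall(bind_request(1))
        try:
            data = sock.recv(4096)
        except OSError:                     # silent peer or reset: treated as "no BindResponse"
            data = b""
    try:
        _, code, diag = parse_bind_response(data)
    except (ValueError, IndexError):
        return "not-ldap: %s:%d accepted the TCP connection but sent no BindResponse" % (host, port)
    return "bind-ok" if code == 0 else "bind-failed: code %d %s" % (code, diag)


def fake_ldap_server(result_code=0):
    """Constructed stand-in for slapd on 127.0.0.1; answers every bind with result_code."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            conn, _ = srv.accept()
            with conn:
                _, mid, _ = _read_tlv(_read_tlv(conn.recv(4096))[1])   # echo the messageID
                op = _ber(0x61, _ber(0x0A, bytes([result_code])) + _ber(0x04, b"") * 2)
                conn.sendall(_ber(0x30, _ber(0x02, mid) + op))

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def demo():
    """Offline walk-through: verdicts for the fake server and for a port nobody listens on."""
    alive = check("ldap://127.0.0.1:%d" % fake_ldap_server())
    with socket.socket() as spare:          # grab a free port, then release it again
        spare.bind(("127.0.0.1", 0))
        closed = spare.getsockname()[1]
    return alive, check("ldap://127.0.0.1:%d" % closed)
```

`demo()` returns `("bind-ok", "cannot-contact: ...")` without any real server. Against a lab server, `check("ldap://192.168.1.246")` returns `bind-ok` when slapd accepts anonymous binds; a slapd configured to refuse them still answers with a non-zero result code, which already proves the daemon is reachable and listening, whereas `cannot-contact` means the problem is the address, the route or the firewall, not LDAP.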
