Honored Contributor.

ldap connection refused


One of my dev servers has stopped responding to LDAP bind requests. The client says "connection refused" and the host doesn't register the connection attempt at all in ndstrace. I verified that 389 and 636 are open on the host firewall.

OS is RHEL 7, eDir version is 9.2.1

Thanks

Knowledge Partner

Do you have the corresponding listeners running at all? Can you connect with e.g. ldapsearch on the server itself?

If you like it: like it.
Honored Contributor.
How do I tell if the listeners are listening?
Running LDAPSEARCH on the host, whether I specify port 389 or 636, returns:
"ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"
Knowledge Partner

netstat -lnp |grep 636

and

netstat -lnp |grep 389

should show something like

tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 1550/ndsd

and

tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 1550/ndsd

The "1550" may vary, of course.

Assuming the nds daemon is running you can un-/reload the ldap portion with

nldap -u

nldap -l

Honored Contributor.

netstat -lnp returns nothing whether I grep for 636 or 389. I tried unloading and reloading nldap and saw no errors in ndsd.log, but netstat -lnp is still blank.

Knowledge Partner

But do you have something similar to this

Jul 16 18:28:03 SPM DClient closed
Jul 16 18:28:03 Unloading SSLDP...
Jul 16 18:28:03 SecretStore LDAP Plugin Unloaded Successfully
Jul 16 18:28:03 SecretStore LDAP Extension Handler Unloaded
Jul 16 18:28:03 LDAP Agent for NetIQ eDirectory 9.2.1 (40202.00) stopped
Jul 16 18:28:07 SPM DClient Version: 9.2.1.0 Build: 20200128 started
Jul 16 18:28:07 Loading SecretStore LDAP Transport Plugin...
Jul 16 18:28:07 NetIQ SecretStore LDAP Plugin Version 9.2.1.0 Loaded Successfully.
Jul 16 18:28:07 SecretStore LDAP Extension Handler Loaded Successfully
Jul 16 18:28:07 LDAP Agent for NetIQ eDirectory 9.2.1 (40202.00) started

in the log?

What does

ndsmanage -a

show you?

Knowledge Partner

Also, run ndstrace

then enable LDAP trace, as in: set ndstrace=+LDAP (maybe start with 'set ndstrace=NODEBUG' to turn everything off and then turn on LDAP)

Then do:

unload nldap

load nldap

and see if you get any errors.

Honored Contributor.

Bingo. Here's the ndstrace output from nldap -l:

Unable to create listener for URL ldap://389, err = -5997 (0xffffe893)
[2020/07/16 13:58:13.663] Listener setting up TLS port 636
[2020/07/16 13:58:13.663] Unable to create listener for URL ldaps://636, err = -5997 (0xffffe893)

Now to see what error number -5997 means...

Knowledge Partner

In iManager -> LDAP -> LDAP Options -> View LDAP Servers -> yourserver -> Connections -> LDAP interfaces

what do you see there? Without further configuration you should see

ldap://:389

and

ldaps://:636

Honored Contributor.

That is exactly what I see. The other two servers in this tree look the same.

Knowledge Partner (accepted solution)

5997, IIRC, means "invalid parameter"; this might happen if you e.g. miss a colon in the interface config, such as

ldaps://636

instead of

ldaps://:636


Knowledge Partner

I've duped this with a missing colon and caught the same error as you. So it's likely just a typo.

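The thread boils down to two checks: is ndsd actually listening on 389/636 (the netstat -lnp step above), and does every configured LDAP interface string have the ldap[s]://[host]:port shape, since a missing colon ("ldaps://636") makes nldap fail to create the listener. The script below is an added example, not code from the thread, from eDirectory or from Micro Focus. The URL grammar it enforces is my reading of the interface strings quoted above (scheme, optional host, colon, numeric port), not eDirectory's own validation routine, and the netstat text is a constructed sample in the format shown in the replies, not a capture from a real host.

```shell
#!/bin/sh
# Added example (not from the thread or from eDirectory).
# Two checks for the symptoms discussed above:
#   1. Is ndsd really LISTENing on the LDAP/LDAPS TCP ports (netstat -lnp)?
#   2. Does each LDAP interface URL have the ldap[s]://[host]:port shape, so
#      that a typo like "ldaps://636" is caught before nldap fails with
#      "Unable to create listener ... err = -5997"?
# Assumptions: the URL grammar below is my reading of the interface strings
# quoted in the thread; SAMPLE_NETSTAT is constructed, not captured.

# Exit 0 when URL is ldap://[host]:port or ldaps://[host]:port with a numeric
# port in 1..65535. An empty host means "listen on all interfaces".
ldap_url_valid() {
    url=$1
    case $url in
        ldap://*|ldaps://*) ;;
        *) return 1 ;;
    esac
    hostport=${url#*://}
    # No colon means no port: "ldaps://636" lands here, because "636" is a
    # hostname as far as the URL grammar is concerned.
    case $hostport in
        *:*) ;;
        *) return 1 ;;
    esac
    port=${hostport##*:}     # text after the last colon (IPv6 [..]:port works)
    host=${hostport%:*}
    case $port in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
    case $host in
        *" "*|*/*) return 1 ;;   # spaces or stray slashes are never a host
    esac
    return 0
}

# Read netstat -lnp output on stdin; exit 0 if ndsd LISTENs on TCP port $1.
# Live usage:  netstat -lnp 2>/dev/null | ndsd_listening 636
ndsd_listening() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" && $4 ~ (":" port "$") && $7 ~ /ndsd/ { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample in netstat -lnp format: 389 is up, 636 is missing, as it
# would look if only the ldaps interface string were mistyped.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:389     0.0.0.0:*   LISTEN      1550/ndsd
tcp        0      0 0.0.0.0:22      0.0.0.0:*   LISTEN      812/sshd'

# Query the sample the same way you would query the live command.
sample_listening() {
    printf '%s\n' "$SAMPLE_NETSTAT" | ndsd_listening "$1"
}

# Print one verdict per interface string (as read out of iManager);
# exit status is the number of invalid strings.
check_interfaces() {
    bad=0
    for u in "$@"; do
        if ldap_url_valid "$u"; then
            echo "ok       $u"
        else
            echo "INVALID  $u   (expected ldap[s]://[host]:port)"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Stand-alone demo.
check_interfaces 'ldap://:389' 'ldaps://:636' 'ldaps://636' || true
for p in 389 636; do
    if sample_listening "$p"; then
        echo "ndsd listening on $p"
    else
        echo "ndsd NOT listening on $p"
    fi
done
```

On a real host, pipe netstat -lnp (or ss -lntp, whose columns differ, so adjust the awk field numbers) into ndsd_listening, and feed check_interfaces the strings from iManager -> LDAP Options -> View LDAP Servers -> Connections -> LDAP interfaces. A missing listener plus an INVALID verdict is exactly the combination the thread ended on; a missing listener with all strings valid means you are looking at a different failure and should go back to the ndstrace +LDAP output.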