Can't contact LDAP server

Bug #222003 reported by drjato
Affects: libpam-ldap (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone: none

Bug Description

I'm trying to set up ldap authentication in a fresh 8.04 installation. I've done exactly as we have in working 7.10 machines but it doesn't work.

This is what I get in auth.log:

Apr 25 18:02:23 labclient login[9311]: PAM unable to dlopen(/lib/security/pam_smbpass.so)
Apr 25 18:02:23 labclient login[9311]: PAM [error: /lib/security/pam_smbpass.so: cannot open shared object file: No such file or directory]
Apr 25 18:02:23 labclient login[9311]: PAM adding faulty module: /lib/security/pam_smbpass.so
Apr 25 18:02:27 labclient login[9311]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 25 18:02:27 labclient login[9311]: pam_ldap: reconnecting to LDAP server...
Apr 25 18:02:27 labclient login[9311]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Apr 25 18:02:27 labclient login[9311]: pam_unix(login:auth): check pass; user unknown
Apr 25 18:02:27 labclient login[9311]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=tty4 ruser= rhost=
Apr 25 18:02:30 labclient login[9311]: FAILED LOGIN (1) on 'tty4' FOR `UNKNOWN', User not known to the underlying authentication module

And this is from ldapsearch -d 1:

ldap_create
ldap_pvt_sasl_getmech
ldap_search
put_filter: "(objectclass=*)"
put_filter: simple
put_simple_filter: "objectclass=*"
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP 172.19.66.6:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 172.19.66.6:636
ldap_pvt_connect: fd: 4 tm: -1 async: 0
TLS: hostname (172.19.66.6) does not match common name in certificate (172.19.66.6).
ldap_err2string
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

I guess it has something to do with the "TLS: hostname (172.19.66.6) does not match common name in certificate (172.19.66.6)." line. Weird.

trollord (trollenlord) wrote :

Broken certificate.. I don't think it even should contact that server, ever.

drjato (drjato) wrote : Re: [Bug 222003] Re: Can't contact LDAP server

The certificate is not broken. It's the same we are using in every other
single machine, from desktop computers with Ubuntu 7.04 and 7.10 to all the
servers with Debian, Fedora...

I know it looks like a broken certificate problem, but I think it's not. At
first I thought it couldn't be found by the LDAP client but from the
ldapsearch messages I understand it does.

On Fri, Apr 25, 2008 at 9:37 PM, trollord <email address hidden> wrote:

> Broken certificate.. I don't think it even should contact that server,
> ever.

Rkimber (rkimber) wrote :

Just to say that I'm getting the same errors after upgrading. They all seem to be triggered by cron jobs.

JimmY2K (jimmy2k) wrote :

I was having the same problem, and I found out that /lib/security/pam_smbpass.so wasn't on my system.
apt-get install libpam-smbpass
will fix the trouble.

drjato (drjato) wrote :

Just to clarify. I don't think the pam_smbpass.so messages have anything to
do with the LDAP connection. Did you have the LDAP problem too and did this
solve it?

For those interested, just ask me for the details you need about my LDAP set
up or about any test I should do.

byte71 (slurpsl) wrote :

I have the same problem with LDAP authentication on Kubuntu 8.04 desktop amd64.
I had the same ldap.conf configuration on Kubuntu 7.10 and it worked well.
My LDAP authentication works with SSL/TLS. Below is my ldap.conf:

# @(#)$Id: ldap.conf,v 2.37 2004/09/09 06:31:07 lukeh Exp $
#
# This is the configuration file for the LDAP nameservice
# switch library and the LDAP PAM module.
#
# PADL Software
# http://www.padl.com
#

# Your LDAP server. Must be resolvable without using LDAP.
# Multiple hosts may be specified, each separated by a
# space. How long nss_ldap takes to failover depends on
# whether your LDAP client library supports configurable
# network or connect timeouts (see bind_timelimit).
# These are old settings, use uri
#host myldapserver
#host 127.0.0.1
#host 192.168.1.224

# The distinguished name of the search base.
base dc=mydomain,dc=com

# Another way to specify your LDAP server is to provide an
# uri with the server name. This allows to use
# Unix Domain Sockets to connect to a local LDAP Server.
#uri ldap://127.0.0.1/
#uri ldaps://127.0.0.1/
#uri ldapi://%2fvar%2frun%2fldapi_sock/
# Note: %2f encodes the '/' used as directory separator
uri ldaps://myldapserver
#uri ldaps://192.168.1.224

# The LDAP version to use (defaults to 3
# if supported by client library)
ldap_version 3

# The distinguished name to bind to the server with.
# Optional: default is to bind anonymously.
#binddn cn=xxxx,dc=mydomain,dc=com

# The credentials to bind with.
# Optional: default is no credential.
#bindpw your_password

# The distinguished name to bind to the server with
# if the effective user ID is root. Password is
# stored in /etc/ldap.secret (mode 600)
#rootbinddn cn=xxxx,dc=mydomain,dc=com

# The port.
# Optional: default is 389.
#port 389

# The search scope.
#scope sub
#scope one
#scope base

# Search timelimit
timelimit 2

# Bind/connect timelimit
bind_timelimit 2

# Reconnect policy: hard (default) will retry connecting to
# the software with exponential backoff, soft will fail
# immediately.
#bind_policy hard
bind_policy soft
# Idle timelimit; client will close connections
# (nss_ldap only) if the server has not been contacted
# for the number of seconds specified below.
#idle_timelimit 3600

# Filter to AND with uid=%s
#pam_filter objectclass=posixAccount

# The user ID attribute (defaults to uid)
#pam_login_attribute uid

# Search the root DSE for the password policy (works
# with Netscape Directory Server)
#pam_lookup_policy yes

# Check the 'host' attribute for access control
# Default is no; if set to yes, and user has no
# value for the host attribute, and pam_ldap is
# configured for account management (authorization)
# then the user will not be allowed to login.
#pam_check_host_attr yes

# Check the 'authorizedService' attribute for access
# control
# Default is no; if set to yes, and the user has no
# value for the authorizedService attribute, and
# pam_ldap is configured for account management
# (authorization) then the user will not be allowed
# to login.
#pam_check_service_attr yes

# Group to enforce membership of
#pam_groupdn cn=PAM,ou=Groups,dc=padl,dc=com

# Group member attribute
#pam_member_attribute uniquemember

...
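An added example, not byte71's file and not from the report: the TLS-related lines of the two client-side files involved here, with the shortcut that silences "Can't contact LDAP server" by switching verification off placed beside the settings that make verification succeed. The hostname, base DN and certificate path are assumed; the directive names are the documented OpenLDAP and pam_ldap/nss_ldap ones.

```conf
# /etc/ldap/ldap.conf  (OpenLDAP client library; read by ldapsearch and, through
# libldap, by pam_ldap and nss_ldap).  Hostname, base and path are assumed.

# Weak: makes the error disappear by not verifying the server certificate at all.
# Anyone who can answer on 636/tcp can then collect the bind password.
#TLS_REQCERT never

# Preferred: name the server the same way its certificate does, and give the
# client the CA certificate that issued the server certificate.
URI         ldaps://ldap.lab.example/
BASE        dc=lab,dc=example
TLS_CACERT  /etc/ssl/certs/lab-ca.pem
TLS_REQCERT demand

# /etc/ldap.conf  (pam_ldap / nss_ldap, the file byte71 posted above).
# The same hostname must be used here, otherwise the name check fails again.
uri             ldaps://ldap.lab.example/
base            dc=lab,dc=example
ssl             on
tls_checkpeer   yes
tls_cacertfile  /etc/ssl/certs/lab-ca.pem
```

A self-signed server certificate works with these settings: TLS_CACERT (and tls_cacertfile) then point at the server certificate itself, since it is its own issuer. What does not work is a name in the uri that the certificate does not carry, or a CA file the client cannot read.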

FMartins (fernando-cmartins) wrote :

I have the same problem. In my case, I upgraded from 7.10 to 8.04 and then I've been following the howto (*) and got stuck at authentication of ldap user.

Let me know if I can provide further info.

(*) http://www.rrcomputerconsulting.com/view.php?article_id=3

FMartins (fernando-cmartins) wrote :

Regarding my situation, I found out it really was a bug of mine, i.e., ldap.conf was not well configured. I had uri ldapi://127.0.0.1/ instead of uri ldap://127.0.0.1/

Sorry for the noise.

Odin Hørthe Omdal (velmont) wrote :

I've followed the same guide (but only for clients, my server is running Debian with openldap). The Ubuntu client that I'm using is Intrepid (although it seems this is a rather common error no matter distribution).

I've tried every combination of settings on the client, and it seems to work as

    finger ldapuser

returns nice information. ldapsearch -x also returns the user database... So it's only PAM that can't connect:

Oct 15 14:06:52 stavanger login[4135]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Oct 15 14:06:52 stavanger login[4135]: pam_ldap: reconnecting to LDAP server...
Oct 15 14:06:52 stavanger login[4135]: pam_ldap: ldap_simple_bind Can't contact LDAP server
Oct 15 14:06:54 stavanger login[4135]: FAILED LOGIN (2) on 'tty4' FOR `ldapuser', Authentication failure

Odin Hørthe Omdal (velmont) wrote :

Actually I fixed it by using

     auth-client-config -a -p ldap_example

and thus using Ubuntu's provided ldap pam-configuration and *not* the one used in that big often-followed tutorial[1]. Sorry for the noise. Although I don't know the difference, why the provided ldap_example works and the one in the tutorial doesn't.

1. http://ubuntuforums.org/showthread.php?t=640760

Mathias Gug (mathiaz) wrote :

Are you using a self-signed certificate?

Please note that starting from hardy (8.04) openldap is using gnutls instead of openssl, which is much more strict about certificates. Make sure that you're *not* using self-signed certificates and that *all* the CA certificates are available on the client system.

Changed in libpam-ldap:
status: New → Incomplete
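The report's log line "hostname (172.19.66.6) does not match common name in certificate (172.19.66.6)" shows a name check failing although the two strings are identical. Strict checkers produce exactly that outcome under two rules: subjectAltName entries, when present, are authoritative and the CN is ignored; and a server named by IP literal must carry that address as an iPAddress SAN, since the CN is not consulted for IPs. The following is an added example written for this page, not code from pam_ldap, libldap or GnuTLS, and it does not claim which rule fired on the reporter's certificate. Certificates are represented the way Python's ssl.SSLSocket.getpeercert() returns them, and the sample certificates are constructed for the example.

```python
"""Strict TLS name matching in the style of RFC 2818 / RFC 6125 clients.

Added example for this bug report, not code from pam_ldap, libldap or GnuTLS.
Rules applied:
  * any dNSName/iPAddress SAN present -> the subject CN is never consulted;
  * an IP literal in the URI matches only an iPAddress SAN;
  * a dNSName wildcard covers exactly one leftmost label;
  * CN is a legacy fallback used only when the certificate has no SAN at all.
"""
import ipaddress


def _as_ip(name):
    """Return an ip_address object if name is an IP literal, else None."""
    try:
        return ipaddress.ip_address(name.strip("[]"))
    except ValueError:
        return None


def _dns_match(pattern, host):
    """Case-insensitive dNSName comparison with a single-label wildcard."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    p_labels = pattern.split(".")[1:]
    h_labels = host.split(".")
    # '*' stands for exactly one label; the remaining labels must be identical.
    return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels


def check_hostname(cert, host):
    """Return (matched, reason) for the host named in the LDAP URI."""
    sans = cert.get("subjectAltName", ())
    dns_names = [v for k, v in sans if k == "DNS"]
    ip_names = [v for k, v in sans if k == "IP Address"]
    ip = _as_ip(host)

    if ip is not None:
        # RFC 2818: an IP literal must be listed as an iPAddress SAN.
        for v in ip_names:
            if _as_ip(v) == ip:
                return True, "matched iPAddress SAN %s" % v
        return False, ("URI names the server by IP %s but the certificate has "
                       "no matching iPAddress SAN; the CN is not consulted "
                       "for IP literals" % host)

    if dns_names or ip_names:
        for pattern in dns_names:
            if _dns_match(pattern, host):
                return True, "matched dNSName SAN %s" % pattern
        return False, ("no dNSName SAN matches %s; the CN is ignored because "
                       "the certificate carries subjectAltName entries" % host)

    # No SAN at all: legacy fallback to the subject commonName.
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_match(value, host):
                return True, "matched CN %s (certificate has no SAN)" % value
    return False, "neither SAN nor CN matches %s" % host


# Constructed sample certificates; none is the certificate from the report.
CERT_CN_IP_ONLY = {"subject": ((("commonName", "172.19.66.6"),),)}
CERT_CN_IP_WITH_DNS_SAN = {
    "subject": ((("commonName", "172.19.66.6"),),),
    "subjectAltName": (("DNS", "ldap.lab.example"),),
}
CERT_WITH_IP_SAN = {
    "subject": ((("commonName", "ldap.lab.example"),),),
    "subjectAltName": (("DNS", "ldap.lab.example"), ("IP Address", "172.19.66.6")),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "*.lab.example"),),),
    "subjectAltName": (("DNS", "*.lab.example"),),
}

if __name__ == "__main__":
    for label, cert, host in [
        ("CN=IP, no SAN", CERT_CN_IP_ONLY, "172.19.66.6"),
        ("CN=IP, DNS SAN only", CERT_CN_IP_WITH_DNS_SAN, "172.19.66.6"),
        ("iPAddress SAN", CERT_WITH_IP_SAN, "172.19.66.6"),
        ("wildcard SAN, one label", CERT_WILDCARD, "ldap.lab.example"),
        ("wildcard SAN, two labels", CERT_WILDCARD, "a.ldap.lab.example"),
    ]:
        ok, why = check_hostname(cert, host)
        print("%-26s %-20s %s: %s" % (label, host, "OK" if ok else "FAIL", why))
```

The first two rows reproduce the shape of the reporter's failure: a CN equal to the IP in the uri is not enough once the client either refuses CN matching for IP literals or finds SAN entries to prefer. The practical fixes are the ones the reasons point at: put the address in an iPAddress SAN, or use a hostname in the uri that the certificate carries as a dNSName. Libraries differ in how far they honour the legacy CN fallback, so treat the SAN route as the portable one.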
Odin Hørthe Omdal (velmont) wrote :

Well, no of course. I think it a bit far-fetched to not be able to use a self-signed cert as *I'M* the one setting up the clients, and I should be perfectly aware which certificate is mine. I don't think that it is a good user friendly (or admin friendly) way to require to fork out useless money for something we don't need :-)

I'm rather surprised that you REQUIRE CA signed certificates.

Anyway, as I said, the config worked when I used ldap_example on the clients. And everything is working perfectly fine here now, a mixed Windows/Ubuntu environment with Debian server using self-signed certificates and all.

Ah, but I actually think I don't have any TLS enabled at all, seemed overkill and I didn't want to set it up. :-)

Dimitrios Symeonidis (azimout) wrote :

If I understood correctly, this was a configuration error, right? Closing as invalid.
Please change back if I'm wrong...

Changed in libpam-ldap (Ubuntu):
status: Incomplete → Invalid