#183 custom uri ldaps://ldap.local:8443/ not working?
Opened 4 years ago by f1outsourcing. Modified 4 years ago

I have a problem getting a connection with the slapd server. I wonder if it is something specific to the dyndb configuration, because doing an ldapsearch from the same environment is not a problem. I can also think of the custom CA I am using, but that would mean that bind-dyndb-ldap is not correctly using the OS CA bundle.

ldapsearch -LLL -D "cn=named,cn=ns,ou=xxxx,dc=xxxx,dc=xxxx,dc=local" -y /tmp/testnamed -H ldaps://ldap.local:8443/ -b "idnsName=domain.con,ou=xxxx,ou=xxxx,dc=xxxx,dc=xxxx,dc=local" idnsZoneActive

Errors from named -d 11 -4 -c /tmp/named.conf -g
18-Aug-2019 11:22:17.708 trying to establish LDAP connection to ldaps://ldap.local:8443/
18-Aug-2019 11:22:17.897 LDAP error: Can't contact LDAP server: bind to LDAP server failed
18-Aug-2019 11:22:17.897 trying to establish LDAP connection to ldaps://ldap.local:8443/
18-Aug-2019 11:22:20.908 LDAP error: Can't contact LDAP server: bind to LDAP server failed
18-Aug-2019 11:22:20.909 res 0x7fe721cf9198: create
18-Aug-2019 11:22:20.910 Entering ldap_syncrepl_watcher
18-Aug-2019 11:22:20.911 sctx state 0 reached (reset)
18-Aug-2019 11:22:20.911 adding task 0x7fe72792d010 to syncrepl list; 2 tasks in list
18-Aug-2019 11:22:20.911 ldap_sync_prepare() failed, retrying in 1 second: socket is not connected

Errors on the slapd server
Aug 18 13:22:17 xxx slapd[498002]: 12r
Aug 18 13:22:17 xxx slapd[498002]: 12r
Aug 18 13:22:17 xxx slapd[498002]: daemon: read active on 12
Aug 18 13:22:17 xxx slapd[498002]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Aug 18 13:22:17 xxx slapd[498002]: connection_get(12): got connid=1241
Aug 18 13:22:17 xxx slapd[498002]: connection_read(12): checking for input on id=1241
Aug 18 13:22:17 xxx slapd[498002]: connection_read(12): TLS accept failure error=-1 id=1241, closing
Aug 18 13:22:17 xxx slapd[498002]: connection_closing: readying conn=1241 sd=12 for close
Aug 18 13:22:17 xxx slapd[498002]: connection_close: conn=1241 sd=12
Aug 18 13:22:17 xxx slapd[498002]: daemon: removing 12
Aug 18 13:22:17 xxx slapd[498002]: daemon: activity on 1 descriptor
Aug 18 13:22:17 xxx slapd[498002]: daemon: activity on:
Aug 18 13:22:17 xxx slapd[498002]: on:
Aug 18 13:22:17 xxx slapd[498002]: daemon: epoll: listen=7 active_threads=0 tvp=NULL
Aug 18 13:22:20 xxx slapd[498002]: daemon: activity on 1 descriptor
Aug 18 13:22:20 xxx slapd[498002]: daemon: activity on:
Aug 18 13:22:20 xxx slapd[498002]: on:
Aug 18 13:22:20 xxx slapd[498002]: slap_listener_activate(7):
Aug 18 13:22:20 xxx slapd[498002]: daemon: epoll: listen=7 busy
Aug 18 13:22:20 xxx slapd[498002]: >>> slap_listener(ldaps://0.0.0.0:8443/)
Aug 18 13:22:20 xxx slapd[498002]: daemon: listen=7, new connection on 12
Aug 18 13:22:20 xxx slapd[498002]: daemon: activity on 1 descriptor
Aug 18 13:22:20 xxx slapd[498002]: daemon: activity on:

named.conf
view "external-view" {

    empty-zones-enable false;

    dyndb "bla" "/usr/lib64/bind/ldap.so" {
        uri "ldaps://ldap.local:8443/";
        base "ou=xxxx,ou=xxxx,dc=xxxx,dc=xxxx,dc=local";
        bind_dn "cn=named,cn=ns,ou=xxxx,dc=xxxx,dc=xxxx,dc=local";
        password "xxxx";
        auth_method "simple";
    };

};

CentOS 7 versions:
bind-libs-9.9.4-74.el7_6.2.x86_64
bind-9.9.4-74.el7_6.2.x86_64
bind-license-9.9.4-74.el7_6.2.noarch
bind-dyndb-ldap-11.1-4.el7.x86_64


Only LDAPI connections are supported by bind-dyndb-ldap at the moment.

Why? Do you have a patch that gets this to work?

Because bind-dyndb-ldap is part of FreeIPA where it is only running on IPA masters and has no need to communicate with other servers.

We have plans to extend it to cover LDAPS too, but had no time to work on that: https://bugzilla.redhat.com/show_bug.cgi?id=1644227

I found this workaround:

socat -s -d -d UNIX-LISTEN:/var/run/ldapi,unlink-early,fork OPENSSL:ldap.local:8443,cafile=/etc/pki/ca-trust/source/anchors/ca.crt,verify=1,keepalive,reuseaddr

But maybe write this in your docs and examples.
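As an added example (not from the ticket or the bind-dyndb-ldap project), a small Python pre-flight check that parses the dyndb block from named.conf, flags a uri that is not ldapi:// (the only scheme the maintainer says is supported), and produces the ldapi uri plus the socat bridge with CA verification from the workaround above. The sample config is constructed from the ticket; the socket path and CA file path are assumptions taken from the socat command.

```python
"""Pre-flight check for a bind-dyndb-ldap dyndb block: 11.x only speaks ldapi://,
so an ldaps:// uri has to be reached through a local UNIX-socket bridge (socat)."""
import re
from urllib.parse import quote, urlsplit

# Constructed sample mirroring the named.conf in the ticket (placeholder DNs).
SAMPLE_NAMED_CONF = '''
view "external-view" {
    dyndb "bla" "/usr/lib64/bind/ldap.so" {
        uri "ldaps://ldap.local:8443/";
        base "ou=xxxx,ou=xxxx,dc=xxxx,dc=xxxx,dc=local";
        bind_dn "cn=named,cn=ns,ou=xxxx,dc=xxxx,dc=xxxx,dc=local";
        password "xxxx";
        auth_method "simple";
    };
};
'''

DYNDB_RE = re.compile(r'dyndb\s+"([^"]+)"\s+"[^"]+"\s*\{(.*?)\};', re.S)
OPT_RE = re.compile(r'^\s*(\w+)\s+"([^"]*)"\s*;', re.M)

def parse_dyndb(conf):
    """Return {instance_name: {option: value}} for every dyndb block in conf."""
    return {m.group(1): dict(OPT_RE.findall(m.group(2)))
            for m in DYNDB_RE.finditer(conf)}

def ldapi_uri(socket_path):
    """An ldapi URI carries the socket path percent-encoded ('/' -> %2F)."""
    return "ldapi://" + quote(socket_path, safe="")

def check_instance(opts, socket_path="/var/run/ldapi",
                   cafile="/etc/pki/ca-trust/source/anchors/ca.crt"):
    """Classify the uri; for ldaps:// build the bridge. cafile plus verify=1 make
    socat reject a server certificate the custom CA did not sign, so the simple-bind
    password never crosses an unverified TLS session (paths assumed from the ticket)."""
    uri = opts.get("uri", "")
    parts = urlsplit(uri)
    if parts.scheme == "ldapi":
        return {"status": "ok", "uri": uri}
    if parts.scheme != "ldaps":   # ldap:// is unsupported and would send the bind password in clear
        return {"status": "unsupported", "uri": uri}
    socat = ("socat -s -d -d UNIX-LISTEN:%s,unlink-early,fork "
             "OPENSSL:%s:%d,cafile=%s,verify=1,keepalive,reuseaddr"
             % (socket_path, parts.hostname, parts.port or 636, cafile))
    return {"status": "needs-bridge", "uri": ldapi_uri(socket_path), "socat": socat}

if __name__ == "__main__":
    for name, opts in parse_dyndb(SAMPLE_NAMED_CONF).items():
        print(name, check_instance(opts))
```

With the bridge in place the UNIX socket becomes the trust boundary, so its permissions should allow only the named user to connect.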
