Bug #332
Cannot access to LDAP directory
| Status: | Closed | Start: | 19/08/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | | % Done: | 100% |
| Category: | Self Service Password | | |
| Target version: | - | | |
Description
SSP in general works fine, but periodically our staff get the error: Cannot access to LDAP directory
debug=true
Warning: ldap_bind() [function.ldap-bind]: Unable to bind to server: Can't contact LDAP server in /home/ssp/0.6/pages/change.php on line 84
php.log
[19-Aug-2011 21:03:06] LDAP - Bind error -1 (Can't contact LDAP server)
pages/change.php
sed '84q;d' /home/ssp/0.6/pages/change.php
$bind = ldap_bind($ldap, $ldap_binddn, $ldap_bindpw);
Why might this happen? How can I debug this?
Maybe a cache or PHP sessions or something else.
Thank you.
History
Updated by Clément OUDOT 9 months ago
I think this is not a PHP error.
Maybe your LDAP server does not respond to some requests, or the TCP/IP stack of your server is overloaded.
Do you have monitoring for your LDAP server? Does it detect connection failures?
Updated by WMI Admin 8 months ago
This is not a highly loaded server - a simple Domain Controller - Windows based (2003 Server EE x86 SP2).
I tried to sniff traffic between AD and SSP.
I get the same error:
Cannot access to LDAP directory
But I can see a session between these servers. I will try simple insecure LDAP to view the session content.
Updated by WMI Admin 8 months ago
But this is not working without encryption :( :
Warning: preg_match_all() [function.preg-match-all]: Compilation failed: missing terminating ] for character class at offset 2 in /home/ssp/0.6/lib/functions.inc.php on line 153
Warning: ldap_mod_replace() [function.ldap-mod-replace]: Modify: Server is unwilling to perform in /home/ssp/0.6/lib/functions.inc.php on line 246
Sniffer
SvcErr: DSID-031A0FC0, problem 5003 (WILL_NOT_PERFORM), data 0
Updated by Clément OUDOT 8 months ago
Hi,
the last message is saying that you need SSL to change the password, which is normal. This also tells us that the LDAP is reached by SSP. So the initial problem must be an SSL problem. You should try to configure your LDAP client library in your system to accept the AD certificate.
See TLS_REQCERT option explained here: http://ltb-project.org/wiki/documentation/self-service-password/latest/config_ldap
Updated by WMI Admin 8 months ago
Hello,
Tried to test AD connection with ldapsearch - and it isn't working.
After I changed the SSL settings as described in your instructions, ldapsearch started to work.
Afterwards I tested SSP and it works!
It is very strange because earlier it worked and sometimes not.
I will monitor what my users say.
Thank you for help.
nano /etc/ldap/ldap.conf
TLS_REQCERT allow
Updated by Clément OUDOT 8 months ago
- Status changed from New to Closed
- % Done changed from 0 to 100
So I close this issue. Thanks for the feedback.
Updated by WMI Admin 8 months ago
I can see a modification in my SVN repository:
/servers/debian/etc/ldap/ldap.conf - Automated commit of debian/etc at 2011-07-05 17:37:08(#TLS_REQCERT allow)
/servers/debian/etc/ldap/ldap.conf - First full commit of debian/etc at 2011-05-27 23:19:51
Maybe this is my mistake :(
Sorry for the trouble, and thank you again.
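
The SVN log in the last comment mentions `#TLS_REQCERT allow`, i.e. the directive commented out, in which case OpenLDAP falls back to its default `demand` and rejects a server certificate it cannot validate. As an added example (not part of the original thread or of SSP), this script reports which state a client `ldap.conf` is in and also flags `allow`, under which a bad server certificate is accepted; the function names and the sample content are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit one OpenLDAP client config file (e.g. /etc/ldap/ldap.conf).
# Only this file is inspected; ~/.ldaprc and LDAPTLS_* environment variables,
# which can also set these options, are out of scope.

# Print the value of the last active (uncommented) occurrence of option $2 in
# file $1. Option names are case-insensitive; this sketch assumes that a later
# occurrence overrides an earlier one.
ldap_opt() {
    awk -v want="$2" '
        /^[ \t]*#/ { next }                      # commented out: not active
        toupper($1) == toupper(want) { val = $2 }
        END { print val }
    ' "$1"
}

# Classify the certificate-checking posture of file $1.
audit_ldap_conf() {
    reqcert=$(ldap_opt "$1" TLS_REQCERT | tr 'A-Z' 'a-z')
    cacert=$(ldap_opt "$1" TLS_CACERT)
    cadir=$(ldap_opt "$1" TLS_CACERTDIR)
    case "${reqcert:-demand}" in                 # demand is the library default
        never|allow)
            echo "unverified" ;;                 # a bad certificate is accepted
        try|demand|hard)
            if [ -n "$cacert$cadir" ]; then
                echo "verified"                  # checked against a configured CA
            else
                echo "verified-no-ca"            # strict, but no CA set in this file
            fi ;;
        *)  echo "unknown" ;;
    esac
}

# Constructed sample matching the SVN log entry: the directive is commented out.
demo() {
    tmp=$(mktemp) && printf 'BASE dc=example,dc=com\n#TLS_REQCERT allow\n' > "$tmp"
    audit_ldap_conf "$tmp"
    rm -f "$tmp"
}

# Audit the file given as first argument, otherwise run the constructed sample.
if [ -r "${1:-}" ]; then audit_ldap_conf "$1"; else demo; fi
```

A result of `verified-no-ca` with an AD certificate issued by a private CA is the state in which `ldap_bind()` fails as in the description; setting `TLS_CACERT` to that CA's certificate and keeping `TLS_REQCERT demand` gives `verified` without accepting bad certificates.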