
It was working like this, in /etc/openldap/ldap.conf:

URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_REQUEST never
TLS_CACERTDIR /etc/pki/tls/certs

I was able to connect to our secured LDAP server.

Because of the Heartbleed issue, I installed openssl 0.9.8e-fips-rhel5. Now I get "unable to bind to server: Can't contact LDAP server".

Update

Thanks alxgomz for picking up the typo. The typo means my server is always using a certificate to verify secured LDAP servers. The message "unable to bind to server: Can't contact LDAP server" is not helpful in this case, because it doesn't tell you why I am not connecting. I actually got a useful message by doing ./path/to/ldapsearch -H "ldaps://xxx.com"

The lesson is to try different ways to get a better diagnostic message.

kenpeter

1 Answer


First of all, your ldap.conf uses a TLS_REQUEST option that is unknown to OpenLDAP. You probably meant TLS_REQCERT, which allows you to use insecure server certificates. Possibly, due to this typo, the ldap client is trying to validate the server certificate and fails miserably. Hence the refused connection. Something you easily find by trying ldapsearch in verbose mode.

alxgomz
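The two things discussed in the question and the answer, a mistyped TLS directive that the client silently ignores and an explicit TLS_REQCERT setting that turns off server certificate checking, are both easy to catch with a small lint before restarting anything. The script below is an added example, not code from the question, the answer or the OpenLDAP project. It assumes the set of TLS_* directive names documented in ldap.conf(5) (an older OpenLDAP release may not know every name in the list, so treat a match there as "probably valid", and a miss as "check the manual"), and it uses a constructed sample config that mirrors the one in the question rather than any real host.

```shell
#!/bin/sh
# Added example (not from the original question or answer): lint an
# ldap.conf for TLS_* directives the client will not recognise (a typo
# such as TLS_REQUEST is silently ignored, so the client keeps its default
# certificate checking) and for TLS_REQCERT values that disable or weaken
# server certificate verification.

# TLS directive names as documented in ldap.conf(5). Assumption: this list
# matches the installed OpenLDAP; older releases may lack some entries.
KNOWN_TLS="TLS_CACERT TLS_CACERTDIR TLS_CERT TLS_KEY TLS_CIPHER_SUITE TLS_RANDFILE TLS_REQCERT TLS_CRLCHECK TLS_CRLFILE TLS_PROTOCOL_MIN"

# Usage: lint_ldap_conf FILE
# Prints one finding per line. Exit status 0 when clean, 1 when any finding.
lint_ldap_conf() {
    findings=$(
        # Drop comment and blank lines; directive names are case-insensitive.
        grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' |
        while read -r key value; do
            ukey=$(printf '%s' "$key" | tr '[:lower:]' '[:upper:]')
            case "$ukey" in
                TLS_*)
                    case " $KNOWN_TLS " in
                        *" $ukey "*) ;;  # documented directive
                        *) echo "unknown directive $key (ignored by the client; typo?)" ;;
                    esac
                    ;;
            esac
            if [ "$ukey" = "TLS_REQCERT" ]; then
                lval=$(printf '%s' "$value" | tr '[:upper:]' '[:lower:]')
                case "$lval" in
                    never) echo "TLS_REQCERT never disables server certificate verification" ;;
                    allow) echo "TLS_REQCERT allow ignores a bad server certificate" ;;
                esac
            fi
        done
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample mirroring the config in the question (not a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
URI ldap://127.0.0.1/
BASE dc=example,dc=com
TLS_REQUEST never
TLS_CACERTDIR /etc/pki/tls/certs
EOF
lint_ldap_conf "$sample" || echo "ldap.conf needs attention before the client will behave as intended"
rm -f "$sample"
```

On the question's config the lint reports TLS_REQUEST as an unknown directive, which is exactly why the client went on demanding a valid certificate. Once the directive is spelled TLS_REQCERT the lint instead points out that `never` turns off verification, so the fix that keeps the connection both working and checked is TLS_REQCERT demand together with a TLS_CACERTDIR (or TLS_CACERT) that actually contains the issuing CA.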