
On my client, PAM authentication (libnss-ldap and libpam-ldap packages and configuration) has a configuration that leads me to

nss_ldap: failed to bind to LDAP server ldapi://172.16.10.174/: Can't contact LDAP server

My server is started as follows (it seems ldapi is available):

● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
   Loaded: loaded (/etc/init.d/slapd; generated; vendor preset: enabled)
   Active: active (running) since Thu 2018-10-04 09:40:14 -03; 8min ago
     Docs: man:systemd-sysv-generator(8)
  Process: 1026 ExecStart=/etc/init.d/slapd start (code=exited, status=0/SUCCESS)
    Tasks: 3 (limit: 4915)
   CGroup: /system.slice/slapd.service
           └─1180 /usr/sbin/slapd -h ldap:/// ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d

With ldap it works:

ldapsearch -H ldap://172.16.10.174/ -b dc=myDomain,dc=local -x

but with ldapi it does not, either on localhost or from a machine within the LAN:

ldapsearch -H ldapi://localhost:389 -b dc=solarity,dc=local -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

Shall I change the server's configuration to be able to connect with the client as ldapi://, or change the client to authenticate with ldap://?

  1. Client: Where is the configuration file in Debian 9 of nssd, so that I can change the protocol to ldap instead of ldapi?
  2. Server: If there is any sense in staying with the ldapi protocol, how can I test it and configure the server to do what my client expects, which seems to be ldapi://172.16.10.174/ (ldapsearch -H ldapi://172.16.10.174/ -b dc=solarity,dc=local -x doesn't work)?
Philippe Gachoud
  • It's not entirely clear what you want to achieve (ldapi:// vs. ldap://IP) and which software you've installed. E.g. there is no such thing like *nssd*. I know traditional nss_ldap, nslcd (aka nss-pam-ldapd usually used together with nscd), sssd... – Michael Ströder Oct 04 '18 at 13:20
  • @MichaelStröder Added some info, thx for your feedback; hope it's clearer for you, as it's really foggy to me ;-) – Philippe Gachoud Oct 04 '18 at 13:35
  • You may also wish to consider switching to `sssd`. – 84104 Oct 06 '18 at 05:27

1 Answer

The ldapi:// protocol is used to access the LDAP server through a filesystem socket, such as /var/run/ldapi (this may be different for Debian, that's the default location on CentOS). As such, it only works if you're on the same host as the LDAP server itself.

If you need to access the LDAP server from other machines, it's best to use either ldap:// or ldaps://.

According to wiki.debian.org/LDAP/NSS and wiki.debian.org/LDAP/PAM it should be /etc/libnss-ldap.conf and /etc/pam_ldap.conf respectively.

bodgit (edited by Philippe Gachoud)
  • Thx, so how do I change my libpam-ldap or libnss-ldap package configuration to do that? – Philippe Gachoud Oct 04 '18 at 13:36
  • According to https://wiki.debian.org/LDAP/NSS & https://wiki.debian.org/LDAP/PAM it should be `/etc/libnss-ldap.conf` and `/etc/pam_ldap.conf` respectively. – bodgit Oct 04 '18 at 13:59
  • It would be worth adding it to your answer; I edited it. Thx a lot! The /etc/libnss-ldap.conf ldapi:// -> ldap:// made it! – Philippe Gachoud Oct 04 '18 at 14:55
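The fix that resolved the question (changing the `uri` line in /etc/libnss-ldap.conf from ldapi:// to ldap://) can be checked mechanically. The script below is an added example, not code from the question, the answer, or Debian's libnss-ldap package. It parses `uri` directives from a libnss-ldap.conf / pam_ldap.conf style file, classifies each URI, and points out why an ldapi:// URI with an IP address in it can never work from a remote client: in ldapi:// URIs the authority part is a percent-encoded Unix socket path (for example ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi), not a network host, so only a process on the LDAP server itself can use it. The sample config is constructed, the function names are hypothetical, and the default socket path /var/run/slapd/ldapi is an assumption about Debian's slapd package that you should verify on your own server.

```python
"""Audit 'uri' directives in a libnss-ldap.conf / pam_ldap.conf style file."""
import os
import stat
from urllib.parse import urlsplit, unquote

# Constructed sample modelled on the question: the client points NSS at
# ldapi:// with an IP address, which cannot work from another machine.
SAMPLE_CONF = """\
# /etc/libnss-ldap.conf (constructed sample, not copied from a real host)
base dc=solarity,dc=local
uri ldapi://172.16.10.174/
ldap_version 3
"""

# Assumed default socket path for Debian's slapd package; check your host.
DEFAULT_LDAPI_SOCKET = "/var/run/slapd/ldapi"
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_uri_directives(conf_text):
    """Return every URI listed on 'uri' lines (one line may carry several)."""
    uris = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "uri":
            uris.extend(value.split())
    return uris


def classify_uri(uri):
    """Describe one LDAP URI and whether a remote client could ever use it."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        # For ldapi:// the authority is a percent-encoded socket path, not a
        # network host; an empty authority means the library's default socket.
        decoded = unquote(parts.netloc)
        if not decoded:
            return {"scheme": scheme, "remote_ok": False,
                    "socket": DEFAULT_LDAPI_SOCKET, "problem": None}
        if decoded.startswith("/"):
            return {"scheme": scheme, "remote_ok": False,
                    "socket": decoded, "problem": None}
        return {"scheme": scheme, "remote_ok": False, "socket": None,
                "problem": "ldapi authority %r is not a socket path" % decoded}
    if scheme in ("ldap", "ldaps"):
        host = parts.hostname or "localhost"
        port = parts.port or (636 if scheme == "ldaps" else 389)
        return {"scheme": scheme, "remote_ok": host not in LOCAL_HOSTS,
                "host": host, "port": port, "problem": None}
    return {"scheme": scheme, "remote_ok": False,
            "problem": "unknown scheme %r" % scheme}


def ldapi_socket_present(path):
    """True if path exists and is a Unix socket (meaningful only on the LDAP host)."""
    try:
        return stat.S_ISSOCK(os.stat(path).st_mode)
    except OSError:
        return False


def suggest_uri(uri):
    """Return a URI a remote client could use, or the original if it is already fine."""
    info = classify_uri(uri)
    if info["remote_ok"]:
        return uri
    if info["scheme"] == "ldapi" and info["problem"]:
        # A host was written where a socket path belongs: keep that host and
        # switch to plain ldap:// (use ldaps:// once TLS is configured).
        return "ldap://%s/" % unquote(urlsplit(uri).netloc)
    return uri


def audit_conf(conf_text):
    """Return (uri, classification, suggestion) for each URI directive."""
    return [(u, classify_uri(u), suggest_uri(u)) for u in parse_uri_directives(conf_text)]


def rewrite_conf(conf_text):
    """Rewrite 'uri' lines so each URI is one a remote client can reach."""
    out = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        key, _, value = line.partition(" ")
        if line and not line.startswith("#") and key.lower() == "uri":
            out.append("uri " + " ".join(suggest_uri(u) for u in value.split()))
        else:
            out.append(raw)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for uri, info, fix in audit_conf(SAMPLE_CONF):
        print(uri, "->", info, "suggest:", fix)
    print(rewrite_conf(SAMPLE_CONF))
```

Run it on the sample and the audit flags `ldapi://172.16.10.174/` as an ldapi URI whose authority is not a socket path and suggests `ldap://172.16.10.174/`, which is exactly the edit that fixed the question. On the LDAP server itself, `ldapi_socket_present("/var/run/slapd/ldapi")` tells you whether the socket slapd was started with (`-h ldap:/// ldapi:///`) actually exists at the assumed path; a remote client can only ever use the ldap:// or ldaps:// listener.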