Re: Client says Can't contact LDAP server, but it can!

[Howard Chu <hyc@symas.com>]

Sean Burford wrote:
> On Mon, Jul 21, 2008 at 8:30 AM, John Oliver<joliver@john-oliver.net>  wrote:
> > What can I do to troubleshoot this?  OpenLDAP client says
> > ldap_simple_bind Can't contact LDAP server but it can resolve the name,
> > ping the server, connect to port 636... and I have no details as to why
> > it thinks it cannot contact the server.  Many other clients authenticate
> > to the same server, and I'm using the same ldap.conf, nsswitch.conf, and
> > pam.d/system-auth files.
>
> Apart from seeing configurations and command lines, I have found the
> full output of the openssl client to be useful for diagnosing my own
> ldaps issues:
> echo | openssl s_client -debug -showcerts -connect SERVER:636 2>&1 |
> tee /tmp/ssl.log
>
> The openssl client connects to the server and negotiates SSL.  Along
> the way it verifies the certificate path.  If it encounters an error,
> it usually gives a useful error message.
Just use -d1 on ldapsearch and you'll get the OpenSSL diagnostic messages.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/