ldapmodify can’t contact LDAP server for cn=config

I’ve been pulling my hair out for 3 days now trying to configure ldap. I first tried installing from source but then reinstalled using apt-get, which caused some migration errors, but I believe those are all resolved. I am able to execute ldapsearch -x and its cousins when I properly specify a root DN (for some reason the base specified ldap.conf isn’t working), which I assume indicates that the server is functioning properly; I have as well verified that the server is listening below. However, I’m trying to set up SSL, and I understand that with the version i installed through apt-get needs to be configured in cn=config, and therefore must use the -H ldapi:/// -Y EXTERNAL options below, however it is unable to contact the server when I try.

root@aeneas:/tmp/ldap# ldapmodify -H ldapi:/// -Y EXTERNAL -D 'cn=config' -f ./modify.ldif
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

root@aeneas:/tmp/ldap# netstat -plane | grep slapd
tcp        0      0   *               LISTEN      0          53158       11280/slapd     
tcp        0      0   *               LISTEN      0          53163       11280/slapd     
tcp6       0      0 :::389                  :::*                    LISTEN      0          53159       11280/slapd     
tcp6       0      0 :::636                  :::*                    LISTEN      0          53164       11280/slapd     
unix  2      [ ACC ]     STREAM     LISTENING     53160    11280/slapd         /var/run/slapd/ldapi
unix  2      [ ]         DGRAM                    53154    11280/slapd 

root@aeneas:/tmp/ldap# cat ./modify.ldif 
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ldap/ssl/cacert.pem
add: olcTLSCertificateFile
olcTLSCertificateFile: /etc/ldap/ssl/servercrt.pem
add: olcTLSCertificateKeyFile
olcTLSCertificateKeyFile: /etc/lda/pssl/serverkey.pem

I later disabled ldaps:/// listening on port 636, suspecting that ldapmodify was contacting the SSL server by default then quitting when not given a certificate, but this had no effect.


Leave a Reply