# $OpenLDAP$
# Copyright 2007-2019 The OpenLDAP Foundation, All Rights Reserved.
# COPYING RESTRICTIONS APPLY, see COPYRIGHT.

H1: Common errors encountered when using OpenLDAP Software

The following sections attempt to summarize the most common causes of LDAP errors
when using OpenLDAP Software.

H2: Common causes of LDAP errors

H3: ldap_*: Can't contact LDAP server

The {{B:Can't contact LDAP server}} error is usually returned when the LDAP
server cannot be contacted. This may occur for several reasons:

* the LDAP server is not running; this can be checked by running, for example,

> telnet <host> <port>

replacing {{<host>}} and {{<port>}} with the hostname and the port the server
is supposed to listen on. A successful connection only shows that something is
listening on that port; it does not show that it speaks LDAP, or that it offers
TLS where the client expects it (an {{F:ldaps://}} URL).
* the client has not been instructed to contact a running server; with OpenLDAP
command-line tools this is accomplished by providing the -H switch, whose
argument is a valid LDAP URL corresponding to the interface the server is
supposed to be listening on. Without -H the tools use the {{URI}} default from
{{ldap.conf}}(5), or {{F:ldap://localhost/}} if none is configured.
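
Both checks above can be scripted. The following is an added example written for
this page, not code from the OpenLDAP documentation or distribution: it parses
the URL given to -H the way libldap reads it (default ports 389 and 636, a
percent-encoded socket path for ldapi://) and attempts a plain connect. The
hostnames and the socket path it is run against are placeholders.

```python
"""Resolve an LDAP URL to the socket it names and try to connect to it.

Added example, not part of the OpenLDAP documentation or code. It does what
the telnet check above does by hand: parse the URL the way libldap reads a
-H argument (RFC 4516 form, default ports 389 for ldap:// and 636 for
ldaps://, and a percent-encoded socket path for ldapi://), then attempt a
plain connect. A successful connect only proves that something is listening.
"""
import socket
from urllib.parse import unquote, urlsplit

DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}


def parse_ldap_url(url):
    """Return ("tcp", host, port) or ("unix", socket_path, None)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme == "ldapi":
        # ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi/  ->  /var/run/slapd/ldapi
        path = unquote(parts.netloc)
        if not path:
            raise ValueError("ldapi:// URL without a percent-encoded socket path")
        return ("unix", path, None)
    if scheme not in DEFAULT_PORTS:
        raise ValueError("not an ldap/ldaps/ldapi URL: %r" % url)
    host = parts.hostname or "localhost"     # libldap's default host
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return ("tcp", host, port)


def probe(url, timeout=3.0):
    """Return None if a connection could be opened, otherwise the reason."""
    kind, where, port = parse_ldap_url(url)
    try:
        if kind == "unix":
            with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as sock:
                sock.settimeout(timeout)
                sock.connect(where)
        else:
            with socket.create_connection((where, port), timeout=timeout):
                pass
    except OSError as exc:
        return "%s: %s" % (url, exc.strerror or exc)
    return None


if __name__ == "__main__":
    import sys
    for url in sys.argv[1:] or ["ldap://localhost/"]:
        err = probe(url)
        print(url, "->", "listening" if err is None else err)
```

Run it with the same URL you pass to -H; if the probe fails while the server is
running, the URL names a different interface or port than the one in the
server's -h/ldap.conf listener list.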

H3: ldap_*: No such object

The {{B:no such object}} error is generally returned when the target DN of the
operation cannot be located. This section details reasons common to all
operations. You should also look for answers specific to the operation
(as indicated in the error message).

The most common reason for this error is non-existence of the named object. First,
check for typos.

Also note that, by default, a new directory server holds no objects
(except for a few system entries). So, if you are setting up a new directory
server and get this message, it may simply be that you have yet to add the
object you are trying to locate.

The error also commonly occurs because a search base DN was not specified and
a default was not properly configured.

If you have a suffix specified in {{slapd.conf}}(5), e.g.

> suffix "dc=example,dc=com"

you should use

> ldapsearch -b 'dc=example,dc=com' '(cn=jane*)'

to tell it where to start the search.

The {{F:-b}} option should be specified for all LDAP commands unless you have a
{{BASE}} default configured in {{ldap.conf}}(5).

See {{ldapsearch}}(1), {{ldapmodify}}(1).

Also, {{slapadd}}(8) and its ancillary programs are very strict about the
syntax of the LDIF file.

Some liberties in the LDIF file may result in an apparently successful creation
of the database, but accessing some parts of it may be difficult.

One known common error in database creation is putting a blank line before the
first entry in the LDIF file. {{B:There must be no leading blank lines in the
LDIF file.}}

It is generally recommended that {{ldapadd}}(1) be used instead of {{slapadd}}(8)
when adding new entries to your directory, since {{ldapadd}}(1) goes through the
running server and is subject to its access controls, while {{slapadd}}(8)
writes to the database directly. {{slapadd}}(8) should be used to bulk load
entries known to be valid.

Another cause of this message is a referral
({{SECT:Constructing a Distributed Directory Service}}) entry to an unpopulated
directory.

Either remove the referral, or add a single record with the referral base DN
to the empty directory.

This error may also occur when slapd is unable to access the contents of its
database because of file permission problems. For instance, on a Red Hat Linux
system, slapd runs as user 'ldap'. When slapadd is run as root to create a
database from scratch, the contents of {{F:/var/lib/ldap}} are created with
user and group root and with permission 600, making the contents inaccessible
to the slapd server. Either run {{slapadd}}(8) as the user slapd runs as, or
change the ownership of the database files to that user afterwards.

H3: ldap_*: Can't chase referral

This is caused by the line

> referral ldap://root.openldap.org

in {{F:slapd.conf}}; it was provided in the original file as an example of how
to use referrals. However, if your machine is not permanently connected to the
Internet, it will fail to find the server, and hence produce an error message.

To resolve, just place a # in front of the line and restart slapd, or point it
to an available LDAP server. Since clients chasing the referral will send the
requests your server could not answer to that server, point it only at a server
you trust.

See also: {{ldapadd}}(1), {{ldapmodify}}(1) and {{slapd.conf}}(5).

H3: ldap_*: server is unwilling to perform

slapd will return an unwilling to perform error if the backend holding the
target entry does not support the given operation.

The password backend is only willing to perform searches. It will return an
unwilling to perform error for all other operations.

The shell backend is configurable and may support a limited subset of operations.

The same error is returned for write operations to a database configured
{{readonly}}. The additional information text sent with the result usually
says which restriction applied.

Also check for other errors indicating a shortage of resources required by the
directory server, e.g. a full disk.

H3: ldap_*: Insufficient access

This error occurs when the server denies the operation due to insufficient access.
This is usually caused by binding to a DN with insufficient privileges
(or binding anonymously) to perform the operation.

You can bind as the rootdn/rootpw specified in {{slapd.conf}}(5) to gain full
access. Otherwise, you must bind to an entry which has been granted the
appropriate rights through access controls. Prefer the latter for anything
other than one-off administration: the rootdn bypasses access controls
entirely, so applications should be given their own identity and only the
access they need.

H3: ldap_*: Invalid DN syntax

The target (or other) DN of the operation is invalid. This implies that either
the string representation of the DN is not in the required form, one of the
types in the attribute value assertions is not defined, or one of the values
in the attribute value assertions does not conform to the appropriate syntax.

H3: ldap_*: Referral hop limit exceeded

This error generally occurs when the client chases a referral which refers
itself back to a server it already contacted. The server responds as it did
before and the client loops. This loop is detected when the hop limit is exceeded.

This is most often caused by misconfiguration of the server's default
referral. The default referral should not be itself:

That is, on {{F:ldap://myldap/}} the default referral should not be {{F:ldap://myldap/}}
(or any hostname/IP which is equivalent to myldap).

H3: ldap_*: operations error

In some versions of {{slapd}}(8), {{operationsError}} was returned instead of {{other}}.

H3: ldap_*: other error

The {{other}} result code indicates an internal error has occurred.
While the additional information provided with the result code might provide
some hint as to the problem, often one will need to consult the server's log files.

H3: ldap_add/modify: Invalid syntax

This error is reported when a value of an attribute does not conform to syntax
restrictions. Additional information is commonly provided stating which value
of which attribute was found to be invalid. Double check this value and other
values (the server will only report the first error it finds).

Common causes include:

* extraneous whitespace (especially trailing whitespace)
* improperly encoded characters (LDAPv3 uses UTF-8 encoded Unicode)
* empty values (few syntaxes allow empty values)

For certain syntaxes, like OBJECT IDENTIFIER (OID), this error can indicate that
the OID descriptor (a "short name") provided is unrecognized. For instance,
this error is returned if the {{objectClass}} value provided is unrecognized.
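
The causes listed here, and the strictness of {{slapadd}}(8) about LDIF
described under "No such object" above (leading blank lines in particular), can
be caught before the file reaches the server. The linter below is an added
example, not part of the OpenLDAP documentation or distribution; the LDIF it
checks by default is constructed for the example, with one of each mistake.

```python
"""Lint an LDIF file for the mistakes slapadd(8) and ldapadd(1) reject.

Added example, not part of the OpenLDAP documentation or distribution. It
flags the problems discussed above: blank lines before the first entry,
trailing whitespace on a value, values that are not UTF-8 or that contain
non-ASCII or control characters without the base64 ("::") form LDIF requires
for them, empty values, and lines that are not "attribute: value" at all.
Attribute syntaxes themselves are not checked; only slapd, with its schema,
can do that.
"""
import base64
import binascii
import re

# attribute description (name or OID), then ":", "::" (base64) or ":<" (URL)
ATTR_LINE = re.compile(rb"^([A-Za-z][A-Za-z0-9.;-]*|[0-9][0-9.]*)(::|:<|:) *(.*)$")

# Constructed sample; each commented line is one of the mistakes above.
SAMPLE = b"\n".join([
    b"",                                        # leading blank line: not allowed
    b"dn: dc=example,dc=com",
    b"objectClass: dcObject",
    b"objectClass: organization",
    b"dc: example",
    b"o: Example Corp ",                        # trailing whitespace
    b"",
    b"dn: cn=J\xc3\xbcrgen,dc=example,dc=com",  # non-ASCII: needs '::' base64
    b"objectClass: person",
    b"cn: J\xc3\xbcrgen",                       # same
    b"sn:",                                     # empty value
    b"description: this value is folded",
    b"  over two lines, which is fine",
    b"",
])


def unfold(data):
    """Yield (first_line_number, logical_line) with LDIF continuations joined."""
    start, current = None, None
    for number, raw in enumerate(data.split(b"\n"), 1):
        line = raw.rstrip(b"\r")
        if line.startswith(b" ") and current is not None:
            current += line[1:]          # continuation: drop the one leading space
            continue
        if current is not None:
            yield start, current
        start, current = number, line
    if current is not None:
        yield start, current


def lint_ldif(data):
    """Return [(line_number, message)] for the LDIF bytes given; [] if clean."""
    problems = []
    for number, line in unfold(data):    # anything blank before the first entry
        if line.strip():
            break
        problems.append((number, "blank line before the first entry"))
    for number, line in unfold(data):
        if not line.strip() or line.startswith(b"#") or line == b"-":
            continue
        match = ATTR_LINE.match(line)
        if not match:
            problems.append((number, "not an 'attribute: value' line: %r" % line[:40]))
            continue
        name, kind, value = match.group(1).decode(), match.group(2), match.group(3)
        if kind == b":<":
            continue                     # value is fetched from a URL
        if kind == b"::":
            try:
                base64.b64decode(value, validate=True)
            except (binascii.Error, ValueError):
                problems.append((number, "%s: value is not valid base64" % name))
            continue
        if value == b"":
            problems.append((number, "%s: empty value" % name))
            continue
        if value != value.rstrip():
            problems.append((number, "%s: trailing whitespace in value" % name))
        try:
            value.decode("utf-8")
        except UnicodeDecodeError:
            problems.append((number, "%s: value is not valid UTF-8" % name))
            continue
        if any(b < 0x20 or b > 0x7E for b in value):
            problems.append((number, "%s: non-ASCII value must be base64 encoded ('::')" % name))
    return problems


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for number, message in lint_ldif(data) or [(0, "no problems found")]:
        print("line %d: %s" % (number, message))
```

Line numbers refer to the first physical line of a folded value, which is the
line the server's own diagnostics point at.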

H3: ldap_add/modify: Object class violation

This error is returned when the entry to be added, or the entry as modified,
violates the object class schema rules. Normally additional information is
returned with the error detailing the violation. Some of these are detailed below.

Violations related to the entry's attributes:

> Attribute not allowed

A provided attribute is not allowed by the entry's object class(es).

> Missing required attribute

An attribute required by the entry's object class(es) was not provided.

Violations related to the entry's class(es):

> Entry has no objectClass attribute

The entry did not state which object classes it belonged to.

> Unrecognized objectClass

One (or more) of the listed objectClass values is not recognized.

> No structural object class provided

None of the listed objectClass values is structural.

> Invalid structural object class chain

Two or more structural objectClass values are not in the same structural object
class chain.

> Structural object class modification

A modify operation attempts to change the structural class of the entry.

> Instantiation of abstract objectClass

An abstract class is listed which is not a superclass of any listed structural
or auxiliary class.

> Invalid structural object class

Other structural object class problem.

> No structuralObjectClass operational attribute

This is commonly returned when a shadow server is provided an entry which does
not contain the structuralObjectClass operational attribute.

Note that the above error messages as well as the above answers assume basic
knowledge of LDAP/X.500 schema.

H3: ldap_add: No such object

The "ldap_add: No such object" error is commonly returned if the parent of the
entry being added does not exist. Add the parent entry first.

For example, if you are adding "cn=bob,dc=domain,dc=com" and you get:

> ldap_add: No such object

the entry "dc=domain,dc=com" likely doesn't exist. You can use ldapsearch to
see if it does exist:

> ldapsearch -b 'dc=domain,dc=com' -s base '(objectclass=*)'

If it doesn't, add it. See {{SECT:A Quick-Start Guide}} for assistance.

Note: if the entry being added is the same as the database suffix, its parent
isn't required. I.e.: if your suffix is "dc=domain,dc=com", "dc=com" doesn't
need to exist to add "dc=domain,dc=com".

This error will also occur if you try to add any entry that the server is not
configured to hold.

For example, if your database suffix is "dc=domain,dc=com" and you attempt to
add "dc=domain2,dc=com", "dc=com", "dc=domain,dc=org", "o=domain,c=us", or any
other DN outside the "dc=domain,dc=com" subtree, the server will return a
"No such object" (or referral) error.

{{slapd}}(8) will generally return "no global superior knowledge" as additional
information, indicating that it returned noSuchObject instead of a referral
because the server is not configured with knowledge of a global superior server.
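
The two checks above (does the parent exist, is the entry under the suffix at
all) can be made against the LDIF file before running {{ldapadd}}(1). The
following is an added example, not OpenLDAP code; the sample LDIF and the suffix
dc=example,dc=com are constructed for it.

```python
"""Report LDIF entries that ldapadd(1) cannot add in file order because
their parent entry does not exist yet, or because they lie outside the
database suffix.

Added example, not part of the OpenLDAP documentation. ldapadd(1) adds
entries in the order they appear, so a child listed before its parent fails
with "No such object" as described above, and an entry outside the suffix
gets "No such object" with "no global superior knowledge". DN handling is
simplified: RDNs are lowercased and whitespace around unescaped commas
dropped; escaped commas and multi-valued RDNs are kept as written.
"""
import base64
import re

RDN_SEPARATOR = re.compile(r"(?<!\\),")       # commas that are not escaped
DN_LINE = re.compile(r"^dn:(:?)[ ]*(.+?)[ ]*$", re.MULTILINE | re.IGNORECASE)

# Constructed sample: cn=bob is listed before its parent ou=People, and the
# last entry is not under dc=example,dc=com at all.
SAMPLE = """\
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Example

dn: cn=bob,ou=People,dc=example,dc=com
objectClass: person
cn: bob
sn: Bobson

dn: ou=People,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: dc=example,dc=org
objectClass: domain
dc: example
"""


def normalize_dn(dn):
    """Canonical form for comparison: lowercase, no blanks around commas."""
    return ",".join(rdn.strip().lower() for rdn in RDN_SEPARATOR.split(dn))


def parent_dn(dn):
    """The DN with its first RDN removed ("" for a one-component DN)."""
    return ",".join(RDN_SEPARATOR.split(dn)[1:])


def ldif_dns(text):
    """Yield each entry's DN from an LDIF string, decoding 'dn::' base64 ones."""
    for match in DN_LINE.finditer(text):
        dn = match.group(2)
        if match.group(1):
            dn = base64.b64decode(dn).decode("utf-8")
        yield dn


def check_parents(text, suffix):
    """Return [(dn, reason)] for entries that would fail, in file order."""
    suffix_n = normalize_dn(suffix)
    present = {suffix_n}               # the suffix entry never needs a parent
    problems = []
    for dn in ldif_dns(text):
        dn_n = normalize_dn(dn)
        if dn_n != suffix_n and not dn_n.endswith("," + suffix_n):
            problems.append((dn, "outside suffix %s: no global superior knowledge" % suffix))
            continue
        parent = parent_dn(dn_n)
        if dn_n != suffix_n and parent not in present:
            problems.append((dn, "parent %s has not been added yet" % parent))
            continue                   # its children will be reported too
        present.add(dn_n)
    return problems


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 2 else SAMPLE
    suffix = sys.argv[2] if len(sys.argv) > 2 else "dc=example,dc=com"
    for dn, reason in check_parents(text, suffix) or [("(none)", "all entries can be added")]:
        print("%s: %s" % (dn, reason))
```

Run as {{F:check.py file.ldif 'dc=example,dc=com'}}; reordering the file so
that each reported parent precedes its children resolves the first kind of
report, the second needs a database (or referral) for that naming context.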

H3: ldap add: invalid structural object class chain

This particular error refers to the rule about STRUCTURAL object classes, which
states that an object is of one STRUCTURAL class, the structural class of the
object. The object is said to belong to this class, zero or more auxiliary
classes, and their superclasses.

While all of these classes are commonly listed in the objectClass attribute of
the entry, one of these classes is the structural object class of the entry.
Thus, it is OK for an objectClass attribute
to contain inetOrgPerson, organizationalPerson, and person because they inherit
one from another to form a single superclass chain. That is, inetOrgPerson SUPs
organizationalPerson SUPs person. On the other hand, it is invalid for both inetOrgPerson
and account to be listed in objectClass as inetOrgPerson and account are not
part of the same superclass chain (unless some other class is also listed
which is a subclass of both).

To resolve this problem, one must determine which class will better serve as
the structural object class for the entry, add this class to the objectClass
attribute (if not already present), and remove any other structural class from
the entry's objectClass attribute which is not a superclass of the structural
object class.

Which object class is better depends on the particulars of the situation.
One generally should consult the documentation for the applications one is
using for help in making the determination.
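
The rule above, together with the "Object class violation" messages listed
earlier, can be reproduced from an entry's objectClass values alone. The
following is an added example, not code from the OpenLDAP documentation or from
slapd: its SCHEMA table is a hand-copied excerpt of the standard schema, and
the message texts imitate slapd's additional-info strings.

```python
"""Determine an entry's structural object class from its objectClass values,
or report why slapd would refuse the entry.

Added example, not part of the OpenLDAP documentation or code. SCHEMA is a
small excerpt of the standard schema (kind and SUP of each class, from
RFC 4512, RFC 4519, RFC 2798, RFC 2307 and RFC 4524), enough for the cases
discussed above; a real check would read the server's subschema entry. The
messages mirror the additional-info text slapd returns for these violations.
"""
SCHEMA = {   # lowercase name -> (kind, superior class)
    "top":                  ("ABSTRACT",   None),
    "person":               ("STRUCTURAL", "top"),
    "organizationalperson": ("STRUCTURAL", "person"),
    "inetorgperson":        ("STRUCTURAL", "organizationalperson"),
    "account":              ("STRUCTURAL", "top"),
    "organization":         ("STRUCTURAL", "top"),
    "organizationalunit":   ("STRUCTURAL", "top"),
    "domain":               ("STRUCTURAL", "top"),
    "dcobject":             ("AUXILIARY",  "top"),
    "posixaccount":         ("AUXILIARY",  "top"),
    "simplesecurityobject": ("AUXILIARY",  "top"),
}


class ObjectClassViolation(Exception):
    pass


def superiors(name):
    """The class and all of its superclasses, up to top."""
    chain = set()
    while name is not None:
        chain.add(name)
        name = SCHEMA[name][1]
    return chain


def structural_class(object_classes):
    """Return the most specific structural class (lowercase), as slapd would
    store it in structuralObjectClass, or raise ObjectClassViolation."""
    listed = list(dict.fromkeys(oc.lower() for oc in object_classes))
    unknown = [oc for oc in listed if oc not in SCHEMA]
    if unknown:
        raise ObjectClassViolation("unrecognized objectClass '%s'" % unknown[0])
    structural = [oc for oc in listed if SCHEMA[oc][0] == "STRUCTURAL"]
    if not structural:
        raise ObjectClassViolation("no structural object class provided")
    # The chain is valid when one structural class has all the others as superiors.
    leaves = [s for s in structural
              if not any(o != s and s in superiors(o) for o in structural)]
    if len(leaves) > 1:
        raise ObjectClassViolation(
            "invalid structural object class chain (%s/%s)" % (leaves[0], leaves[1]))
    # An abstract class may only be listed as an ancestor of a concrete one.
    implied = set()
    for oc in listed:
        if SCHEMA[oc][0] != "ABSTRACT":
            implied |= superiors(oc)
    for oc in listed:
        if SCHEMA[oc][0] == "ABSTRACT" and oc not in implied:
            raise ObjectClassViolation("instantiation of abstract objectClass '%s'" % oc)
    return leaves[0]


def violation(object_classes):
    """The message the check would give, or None if the list is acceptable."""
    try:
        structural_class(object_classes)
    except ObjectClassViolation as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    for classes in (["inetOrgPerson", "organizationalPerson", "person"],
                    ["inetOrgPerson", "account"],
                    ["posixAccount"]):
        print(classes, "->", violation(classes) or structural_class(classes))
```

Superclasses omitted from the objectClass attribute are implied (slapd adds
them), which is why listing inetOrgPerson alone is accepted; listing two
unrelated structural classes is what produces the chain error.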

H3: ldap_add: no structuralObjectClass operational attribute

ldapadd(1) may error:

> adding new entry "uid=XXX,ou=People,o=campus,c=ru"
> ldap_add: Internal (implementation specific) error (80)
>         additional info: no structuralObjectClass operational attribute

when slapd(8) cannot determine, based upon the contents of the objectClass
attribute, what the structural class of the object should be.

H3: ldap_add/modify/rename: Naming violation

OpenLDAP's slapd checks for naming attributes and distinguished values consistency,
according to RFC 4512.

Naming attributes are those attributeTypes that appear in an entry's RDN;
distinguished values are the values of the naming attributes that appear in
an entry's RDN, e.g., in

> cn=Someone+mail=someone@example.com,dc=example,dc=com

the naming attributes are cn and mail, and the distinguished values are
Someone and someone@example.com.

OpenLDAP's slapd checks for consistency when:

* adding an entry
* modifying an entry, if the values of the naming attributes are changed
* renaming an entry, if the RDN of the entry changes

Possible causes of error are:

* the naming attributes are not present in the entry; for example:

> dn: dc=example,dc=com
> objectClass: organization
> o: Example
> # note: "dc: example" is missing

* the naming attributes are present in the entry, but in the attributeType
definition they are marked as:
- collective
- operational
- obsolete

* the naming attributes are present in the entry, but the distinguished values
are not; for example:

> dn: dc=example,dc=com
> objectClass: domain
> dc: foobar
> # note: "dc" is present, but the value is not "example"

* the naming attributes are present in the entry, with the distinguished values, but the naming attributes:
- do not have an EQUALITY field, so equality cannot be asserted
- the matching rule is not supported (yet)
- the matching rule is not appropriate

* the given distinguished values do not comply with their syntax

* other errors occurred during the validation/normalization/match process;
this is a catchall: look at previous logs for details in case none of the above
apply to your case.

In any case, make sure that the attributeType definition for the naming attributes
contains an appropriate EQUALITY field; or that of the superior, if they are
defined based on a superior attributeType (look at the SUP field). See RFC 4512 for details.
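
The first and third causes above can be checked on an entry before it is sent.
The following is an added example, not OpenLDAP code: it parses the RDN (including
multi-valued RDNs and RFC 4514 escapes) and verifies that each naming attribute
carries its distinguished value. Its CASE_IGNORE table stands in for the EQUALITY
rules slapd reads from the schema and is an assumption of the example; the two
entries it is tested on are the ones shown above.

```python
"""Check naming-attribute consistency for an entry the way slapd does before
it answers "Naming violation" (RFC 4512, section 2.3.1).

Added example, not part of the OpenLDAP documentation or code. It parses the
entry's RDN, including multi-valued RDNs joined with '+' and RFC 4514
backslash escapes (\\, and \\2C alike), then checks that each naming attribute
is present with its distinguished value. EQUALITY handling is approximated
with a table of common case-insensitive attributes; slapd takes the rule from
the attributeType definition instead. The messages follow slapd's wording.
"""
import re

# Attributes whose EQUALITY rule ignores case (caseIgnoreMatch / caseIgnoreIA5Match).
CASE_IGNORE = {"cn", "sn", "o", "ou", "dc", "mail", "uid", "l", "st", "c"}

ESCAPE = re.compile(r"\\([0-9a-fA-F]{2}|.)")


def split_unescaped(text, separator):
    """Split on separator, leaving backslash-escaped characters untouched."""
    parts, current, i = [], [], 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])
            i += 2
        elif text[i] == separator:
            parts.append("".join(current))
            current = []
            i += 1
        else:
            current.append(text[i])
            i += 1
    parts.append("".join(current))
    return parts


def unescape(value):
    """Resolve \\c and \\XX (hex) escapes; multi-byte UTF-8 hex runs are not recombined."""
    return ESCAPE.sub(lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2
                      else m.group(1), value)


def parse_rdn(dn):
    """Return {attribute_lowercase: distinguished_value} for the first RDN."""
    rdn = split_unescaped(dn, ",")[0]
    avas = {}
    for ava in split_unescaped(rdn, "+"):
        attribute, _, value = ava.partition("=")
        avas[attribute.strip().lower()] = unescape(value.strip())
    return avas


def values_match(attribute, a, b):
    """Equality under the attribute's (approximated) matching rule."""
    if attribute in CASE_IGNORE:
        return " ".join(a.split()).casefold() == " ".join(b.split()).casefold()
    return a == b


def naming_violations(dn, entry):
    """entry: {attribute: [values]}. Return slapd-style messages, [] if consistent."""
    attrs = {name.lower(): values for name, values in entry.items()}
    problems = []
    for attribute, value in parse_rdn(dn).items():
        if attribute not in attrs:
            problems.append("naming attribute '%s' is not present in entry" % attribute)
        elif not any(values_match(attribute, value, v) for v in attrs[attribute]):
            problems.append("value of naming attribute '%s' is not present in entry" % attribute)
    return problems


if __name__ == "__main__":
    print(naming_violations("dc=example,dc=com", {"objectClass": ["organization"], "o": ["Example"]}))
    print(naming_violations("dc=example,dc=com", {"objectClass": ["domain"], "dc": ["foobar"]}))
```

The check deliberately compares under the matching rule rather than byte for
byte: "Someone" in the RDN and "someone" in the entry are consistent for cn,
which uses caseIgnoreMatch, but would not be for an attribute with an exact
EQUALITY rule.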

H3: ldap_add/delete/modify/rename: no global superior knowledge

If the target entry's name is not within any of the databases the server
is configured to hold and the server has no knowledge of a global superior,
the server will indicate it is unwilling to perform the operation and provide
the text "no global superior knowledge" as additional text.

Likely the entry name is incorrect, or the server is not properly configured
to hold the named entry, or, in distributed directory environments, a default
referral was not configured.

H3: ldap_bind: Insufficient access

Current versions of slapd(8) require that clients have authentication
permission to attribute types used for authentication purposes before accessing
them to perform the bind operation. As all bind operations are done anonymously
(regardless of previous bind success), the auth access must be granted to anonymous.

The example ACL below grants the following access:

* to anonymous users:
- permission to authenticate using values of userPassword
* to authenticated users:
- permission to update (but not read) their userPassword
- permission to read any object excepting values of userPassword

All other access is denied.

> access to attr=userPassword
>        by self =w
>        by anonymous auth

> access to *
>        by self write
>        by users read

Note that the {{auth}} privilege lets the server compare a supplied password
against userPassword during a bind without letting anyone read the stored
value; granting anonymous {{read}} on userPassword instead would expose every
password hash to unauthenticated searches.
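
The way those two directives are evaluated can be traced with the model below.
It is an added example written for this page, not slapd's access control code:
it implements only what the page needs (clauses tried in order, first matching
{{to}} wins, first matching {{by}} decides, implicit "by * none") and the
privilege ordering from slapd.access(5). The DNs are placeholders.

```python
"""Evaluate the two access directives above the way slapd does, to see why
the anonymous bind needs 'auth' on userPassword and why '=w' lets a user
change but not read their own password.

Added example, not part of the OpenLDAP documentation or slapd's code. It
models only what the page needs: 'access to' clauses are tried in order and
the first whose target matches is used; within it 'by' clauses are tried in
order and the first whose <who> matches decides; no matching 'by' means the
implicit 'by * none' applies. Privilege levels follow slapd.access(5):
none < disclose < auth < compare < search < read < write < manage, and
'=<privileges>' grants exactly the privileges listed.
"""
LEVELS = {"none": 0, "disclose": 1, "auth": 2, "compare": 3,
          "search": 4, "read": 5, "write": 6, "manage": 7}
SHORT = {"n": "none", "d": "disclose", "x": "auth", "c": "compare",
         "s": "search", "r": "read", "w": "write", "m": "manage"}

# The ACL from the text: (target attribute or "*", [(who, access), ...])
ACL = [
    ("userPassword", [("self", "=w"), ("anonymous", "auth")]),
    ("*",            [("self", "write"), ("users", "read")]),
]


def who_matches(who, bind_dn, entry_dn):
    """bind_dn is None for an anonymous session."""
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and bind_dn.lower() == entry_dn.lower()
    raise ValueError("unsupported <who>: " + who)


def grants(access, wanted):
    """Does an <access> spec such as 'read', 'auth' or '=w' allow 'wanted'?"""
    if access.startswith("="):                 # exact privileges, not a level
        return wanted in {SHORT[ch] for ch in access[1:]}
    return LEVELS[access] >= LEVELS[wanted]    # a level includes all lower ones


def access_allowed(bind_dn, entry_dn, attribute, wanted, acl=ACL):
    """True if the bound identity may perform 'wanted' on entry_dn/attribute."""
    for target, by_clauses in acl:
        if target != "*" and target.lower() != attribute.lower():
            continue
        for who, access in by_clauses:
            if who_matches(who, bind_dn, entry_dn):
                return grants(access, wanted)
        return False            # implicit 'by * none'; later clauses are not consulted
    return False


if __name__ == "__main__":
    jane = "cn=jane,dc=example,dc=com"
    print("anonymous bind as jane:", access_allowed(None, jane, "userPassword", "auth"))
    print("jane reads own password:", access_allowed(jane, jane, "userPassword", "read"))
    print("jane changes own password:", access_allowed(jane, jane, "userPassword", "write"))
```

The model also shows the trap behind "ldap_bind: Insufficient access": remove
the "by anonymous auth" line and the anonymous bind falls through to the
implicit deny, so nobody can log in, however generous the second directive is.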

H3: ldap_bind: Invalid credentials

The error usually occurs when the credentials (password) provided do not
match the userPassword held in the entry you are binding to.

The error can also occur when the bind DN specified is not known to the server.

Check both! In addition to the cases mentioned above you should check whether the
server denied access to userPassword on selected parts of the directory. In
fact, slapd always returns "Invalid credentials" in case of a failed bind,
regardless of the failure reason, since other return codes could reveal the
validity of the user's name.

To debug access rules defined in slapd.conf, add "ACL" to the log level.

H3: ldap_bind: Protocol error

This error generally occurs when the LDAP version requested by the
client is not supported by the server.

The OpenLDAP Software 2.x server, by default, only accepts version 3 LDAP Bind
requests but can be configured to accept a version 2 LDAP Bind request.

Note: The 2.x server expects LDAPv3 [RFC4510] to be used when the client
requests version 3 and expects a limited LDAPv3 variant (basically, LDAPv3
syntax and semantics in LDAPv2 PDUs) to be used when version 2 is requested.

This variant is also sometimes referred to as LDAPv2+, but differs from the U-Mich
LDAP variant in a number of ways.

H3: ldap_modify: cannot modify object class

This message is commonly returned when attempting to modify the objectClass
attribute in a manner inconsistent with the LDAP/X.500 information model. In
particular, it commonly occurs when one tries to change the structure of the
object from one class to another, for instance, trying to change an 'apple'
into a 'pear' or a 'fruit' into a 'pear'.

Such changes are disallowed by slapd(8) in accordance with LDAP and X.500 restrictions.

H3: ldap_sasl_interactive_bind_s: ...

If you intended to bind using a DN and password and get an error from
ldap_sasl_interactive_bind_s, you likely forgot to provide a '-x' option to
the command. By default, SASL authentication is used. '-x' is necessary to
select "simple" authentication.

H3: ldap_sasl_interactive_bind_s: No such Object

This indicates that the LDAP SASL authentication function could not read the
Root DSE.
The error will occur when the server doesn't provide a root DSE. This may be
due to access controls.

H3: ldap_sasl_interactive_bind_s: No such attribute

This indicates that the LDAP SASL authentication function could read the Root
DSE but it contained no supportedSASLMechanisms attribute.

The supportedSASLMechanisms attribute lists mechanisms currently available.
The list may be empty because none of the supported mechanisms are currently
available. For example, EXTERNAL is listed only if the client has established
its identity by authenticating at a lower level (e.g. TLS).

Note: the attribute may not be visible due to access controls.

Note: SASL bind is the default for all OpenLDAP tools, e.g. ldapsearch(1), ldapmodify(1). To force use of "simple" bind, use the "-x" option. Use of "simple" bind is not recommended unless one has adequate confidentiality protection in place (e.g. TLS/SSL, IPsec).

H3: ldap_sasl_interactive_bind_s: Unknown authentication method

This indicates that none of the SASL mechanisms supported by the server
are supported by the client, or that they are too weak or otherwise inappropriate
for use by the client. Note that the default security options disallow the use
of certain mechanisms such as ANONYMOUS and PLAIN (without TLS).

Note: SASL bind is the default for all OpenLDAP tools. To force use of "simple" bind, use the "-x" option. Use of "simple" bind is not recommended unless one has adequate confidentiality protection in place (e.g. TLS/SSL, IPsec).

H3: ldap_sasl_interactive_bind_s: Local error (82)

Apparently not having forward and reverse DNS entries for the LDAP server can result in this error.
With the GSSAPI mechanism the client derives the server's service principal
(ldap/<hostname>) from the name it connected to, so that name must resolve,
and its address resolve back, consistently with the principal in the server's keytab.

H3: ldap_search: Partial results and referral received

This error is returned when the server responds to an LDAPv2 search query
with both results (zero or more matched entries) and references (referrals to other servers).
See also: ldapsearch(1).

If the updatedn on the replica does not exist, a referral will be returned.
It may do this as well if the ACLs need tweaking.

H3: ldap_start_tls: Operations error

ldapsearch(1) and other tools will return

> ldap_start_tls: Operations error (1)
>       additional info: TLS already started

when the user (through command line options and/or ldap.conf(5)) has requested
that TLS (SSL) be started twice. For instance, when specifying both "-H ldaps://server.do.main" and "-ZZ".

H2: Other Errors

H3: ber_get_next on fd X failed errno=34 (Numerical result out of range)

This slapd error generally indicates that the client sent a message that
exceeded an administrative limit. See the sockbuf_max_incoming and sockbuf_max_incoming_auth
configuration directives in slapd.conf(5). The limit for unauthenticated
connections is deliberately the smaller of the two; raise it only if legitimate
clients need to send larger requests before binding.

H3: ber_get_next on fd X failed errno=11 (Resource temporarily unavailable)

This message is not indicative of abnormal behavior or error. It simply means
that expected data is not yet available from the resource, in this context, a
network socket. slapd(8) will process the data once it becomes available.

H3: daemon: socket() failed errno=97 (Address family not supported)

This message indicates that the operating system does not support one of the
(protocol) address families which slapd(8) was configured to support. Most
commonly, this occurs when slapd(8) was configured to support IPv6 yet the
operating system kernel wasn't. In such cases, the message can be ignored.

H3: GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied;

This message means that slapd is not running as root and, thus, it cannot get
its Kerberos 5 key from the keytab, usually file /etc/krb5.keytab.

A keytab file is used to store keys that are to be used by services or daemons
that are started at boot time. It is very important that these secrets are kept
beyond reach of intruders.

That's why the default keytab file is owned by root and protected from being
read by others. Do not mess with these permissions; build a different keytab
file for slapd instead, and make sure it is owned by the user that slapd
runs as.

To do this, start kadmin, and enter the following commands:

> addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM
> ktadd -k /etc/openldap/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM

The hostname in the principal must be the name clients use to reach the
server, since GSSAPI clients build the service principal from it.

Then, on the shell, do:

> chown ldap:ldap /etc/openldap/ldap.keytab
> chmod 600 /etc/openldap/ldap.keytab

Now you have to tell slapd (well, actually tell the GSSAPI library in Kerberos 5
that is invoked by Cyrus SASL) where to find the new keytab. You do this by
setting the environment variable KRB5_KTNAME like this:

> export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab"

Set that environment variable in the slapd start script (Red Hat users might
find /etc/sysconfig/ldap a perfect place).

This only works if you are using MIT Kerberos. It doesn't work with Heimdal,
for instance.

In Heimdal there is a function gsskrb5_register_acceptor_identity() that sets
the path of the keytab file you want to use. In Cyrus SASL 2 you can add

> keytab: /path/to/file

to your application's SASL config file to use this feature. This only works with Heimdal.
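
The chown/chmod step above is easy to get wrong on a host with several
Kerberos-enabled services, so it is worth checking before slapd is restarted.
The following is an added example, not part of the OpenLDAP documentation: it
verifies the ownership and mode of the keytab and prints the KRB5_KTNAME line
when everything is in order. The path and the user name 'ldap' are the ones
used in the text and are assumptions; adjust both to your installation.

```python
"""Verify that a dedicated slapd keytab is owned by the slapd user and not
readable by anyone else, before pointing KRB5_KTNAME at it.

Added example, not part of the OpenLDAP documentation. It is the chown/chmod
step above turned into a check: the file must exist, be owned by the account
slapd runs as (the user name 'ldap' and the path below are the ones used in
the text; adjust both to your installation), and carry no group or world
permission bits.
"""
import os
import pwd
import stat

KEYTAB = "/etc/openldap/ldap.keytab"        # as in the ktadd command above
SLAPD_USER = "ldap"                         # as in the chown command above


def keytab_problems(path=KEYTAB, owner=SLAPD_USER):
    """Return the reasons the keytab is unusable or unsafe; [] means it is fine.

    owner may be a user name or a numeric uid."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s does not exist; create it with kadmin's ktadd" % path]
    if isinstance(owner, int):
        uid = owner
    else:
        try:
            uid = pwd.getpwnam(owner).pw_uid
        except KeyError:
            return ["no such user '%s'; slapd cannot run as it" % owner]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append("%s is not a regular file" % path)
    if st.st_uid != uid:
        problems.append("owned by uid %d, not by %s; chown it" % (st.st_uid, owner))
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("mode %04o is readable by group/others; chmod 600"
                        % stat.S_IMODE(st.st_mode))
    if not st.st_mode & stat.S_IRUSR:
        problems.append("not readable by its owner")
    return problems


if __name__ == "__main__":
    issues = keytab_problems()
    for issue in issues:
        print("keytab:", issue)
    if not issues:
        print('export KRB5_KTNAME="FILE:%s"' % KEYTAB)
```

Running it as root before starting slapd catches the common case in which
ktadd, run as root, left the new keytab owned by root with mode 0600, which is
exactly the situation that produces the gss_acquire_cred failure above.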

H3: access from unknown denied

This is related to TCP wrappers: the message appears in the log file when
slapd was built with TCP wrapper support and the hosts_access(5) rules reject
the connection ("unknown" is the name TCP wrappers use for a client whose
hostname could not be determined). See hosts_access(5) for more information.
For example, add the line "slapd: .hosts.you.want.to.allow" in /etc/hosts.allow
to get rid of the error. Restrict the rule to the networks that should reach
the server rather than allowing ALL.

H3: ldap_read: want=# error=Resource temporarily unavailable

This message occurs normally. It means that pending data is not yet available
from the resource, a network socket. slapd(8) will process the data once it
becomes available.

H3: `make test' fails

Sometimes, `make test' fails at the very first test with an obscure message like

> make test
> make[1]: Entering directory `/ldap_files/openldap-2.4.6/tests'
> make[2]: Entering directory `/ldap_files/openldap-2.4.6/tests'
> Initiating LDAP tests for MDB...
> Cleaning up test run directory leftover from previous run.
> Running ./scripts/all...
> >>>>> Executing all LDAP tests for mdb
> >>>>> Starting test000-rootdse ...
> running defines.sh
> Starting slapd on TCP/IP port 9011...
> Using ldapsearch to retrieve the root DSE...
> Waiting 5 seconds for slapd to start...
> ./scripts/test000-rootdse: line 40: 10607 Segmentation fault $SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING >$LOG1 2>&1
> Waiting 5 seconds for slapd to start...
> Waiting 5 seconds for slapd to start...
> Waiting 5 seconds for slapd to start...
> Waiting 5 seconds for slapd to start...
> Waiting 5 seconds for slapd to start...
> ./scripts/test000-rootdse: kill: (10607) - No such pid
> ldap_sasl_bind_s: Can't contact LDAP server (-1)
> >>>>> Test failed
> >>>>> ./scripts/test000-rootdse failed (exit 1)
> make[2]: *** [mdb-yes] Error 1
> make[2]: Leaving directory `/ldap_files/openldap-2.4.6/tests'
> make[1]: *** [test] Error 2
> make[1]: Leaving directory `/ldap_files/openldap-2.4.6/tests'
> make: *** [test] Error 2

or so. Usually, the five lines

> Waiting 5 seconds for slapd to start...

indicate that slapd didn't start at all.

In tests/testrun/slapd.1.log there is a full log of what slapd wrote while
trying to start. The log level can be increased by setting the environment
variable SLAPD_DEBUG to the corresponding value; see loglevel in slapd.conf(5)
for the meaning of log levels.

A typical reason for this behavior is a runtime link problem, i.e. slapd cannot
find some dynamic libraries it was linked against. Try running ldd(1) on slapd
(for those architectures that support runtime linking).

There might well be other reasons; the contents of the log file should help
clarify them.

Tests that fire up multiple instances of slapd typically log to tests/testrun/slapd.<n>.log,
with a distinct <n> for each instance of slapd; list tests/testrun/ for possible
values of <n>.

H3: ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed

This seems to be related to wrong ownership of the BDB database directory
(/var/lib/ldap) and its files. The files must be owned by the user that slapd
runs as; for example

> chown -R ldap:ldap /var/lib/ldap

fixes it on Debian. Substitute the user and directory used on your system.

H3: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Using SASL, when a client contacts the LDAP server, the slapd service dies
immediately and the client gets an error:

> SASL/GSSAPI authentication started
> ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

Checking the slapd service then shows that it has stopped.

This may come from an incompatibility between the different versions of
BerkeleyDB used when installing Cyrus SASL and when installing OpenLDAP. The
problem arises when multiple versions of BerkeleyDB are present. Solution:
check which version of BerkeleyDB Cyrus SASL was built against, and rebuild
OpenLDAP against that same version.