]>
Commit | Line | Data |
---|---|---|
56000a3b | 1 | # $OpenLDAP$ |
073232bb | 2 | # Copyright 2007-2024 The OpenLDAP Foundation, All Rights Reserved. |
56000a3b GH |
3 | # COPYING RESTRICTIONS APPLY, see COPYRIGHT. |
4 | ||
5 | H1: Common errors encountered when using OpenLDAP Software | |
6 | ||
7 | The following sections attempt to summarize the most common causes of LDAP errors | |
8 | when using OpenLDAP | |
9 | ||
10 | H2: Common causes of LDAP errors | |
11 | ||
56000a3b GH |
12 | H3: ldap_*: Can't contact LDAP server |
13 | ||
fdb6873b | 14 | The {{B:Can't contact LDAP server}} error is usually returned when the LDAP |
8c3c9ac8 | 15 | server cannot be contacted. This may occur for many reasons: |
56000a3b | 16 | |
8c3c9ac8 | 17 | * the LDAP server is not running; this can be checked by running, for example, |
56000a3b | 18 | |
8c3c9ac8 | 19 | > telnet <host> <port> |
56000a3b | 20 | |
8c3c9ac8 GH |
21 | replacing {{<host>}} and {{<port>}} with the hostname and the port the server |
22 | is supposed to listen on. | |
23 | * the client has not been instructed to contact a running server; with OpenLDAP | |
24 | command-line tools this is accomplished by providing the -H switch, whose | |
e580bd79 GH |
25 | argument is a valid LDAP url corresponding to the interface the server is |
26 | supposed to be listening on. | |
56000a3b | 27 | |
8c3c9ac8 | 28 | H3: ldap_*: No such object |
56000a3b | 29 | |
8c3c9ac8 GH |
30 | The {{B:no such object}} error is generally returned when the target DN of the |
31 | operation cannot be located. This section details reasons common to all | |
32 | operations. You should also look for answers specific to the operation | |
33 | (as indicated in the error message). | |
56000a3b | 34 | |
85784fee | 35 | The most common reason for this error is non-existence of the named object. First, |
8c3c9ac8 GH |
36 | check for typos. |
37 | ||
38 | Also note that, by default, a new directory server holds no objects | |
39 | (except for a few system entries). So, if you are setting up a new directory | |
40 | server and get this message, it may simply be that you have yet to add the | |
41 | object you are trying to locate. | |
42 | ||
e580bd79 GH |
43 | The error commonly occurs because a DN was not specified and a default was not |
44 | properly configured. | |
8c3c9ac8 GH |
45 | |
46 | If you have a suffix specified in slapd.conf eg. | |
47 | ||
48 | > suffix "dc=example,dc=com" | |
49 | ||
50 | You should use | |
51 | ||
ee5715fc | 52 | > ldapsearch -b 'dc=example,dc=com' '(cn=jane*)' |
8c3c9ac8 GH |
53 | |
54 | to tell it where to start the search. | |
56000a3b | 55 | |
e580bd79 GH |
56 | The {{F:-b}} should be specified for all LDAP commands unless you have an |
57 | {{ldap.conf}}(5) default configured. | |
56000a3b | 58 | |
e580bd79 | 59 | See {{ldapsearch}}(1), {{ldapmodify}}(1) |
56000a3b | 60 | |
e580bd79 GH |
61 | Also, {{slapadd}}(8) and its ancillary programs are very strict about the |
62 | syntax of the LDIF file. | |
56000a3b | 63 | |
e580bd79 GH |
64 | Some liberties in the LDIF file may result in an apparently successful creation |
65 | of the database, but accessing some parts of it may be difficult. | |
66 | ||
67 | One known common error in database creation is putting a blank line before the | |
68 | first entry in the LDIF file. {{B:There must be no leading blank lines in the | |
69 | LDIF file.}} | |
70 | ||
71 | It is generally recommended that {{ldapadd}}(1) be used instead of {{slapadd}}(8) | |
72 | when adding new entries your directory. {{slapadd}}(8) should be used to bulk | |
73 | load entries known to be valid. | |
74 | ||
75 | Another cause of this message is a referral | |
76 | ({SECT:Constructing a Distributed Directory Service}}) entry to an unpopulated | |
77 | directory. | |
78 | ||
79 | Either remove the referral, or add a single record with the referral base DN | |
80 | to the empty directory. | |
81 | ||
82 | This error may also occur when slapd is unable to access the contents of its | |
83 | database because of file permission problems. For instance, on a Red Hat Linux | |
84 | system, slapd runs as user 'ldap'. When slapadd is run as root to create a | |
85 | database from scratch, the contents of {{F:/var/lib/ldap}} are created with | |
86 | user and group root and with permission 600, making the contents inaccessible | |
87 | to the slapd server. | |
85784fee GH |
88 | |
89 | H3: ldap_*: Can't chase referral | |
90 | ||
8c3c9ac8 | 91 | This is caused by the line |
56000a3b | 92 | |
ee5715fc | 93 | > referral ldap://root.openldap.org |
56000a3b | 94 | |
e580bd79 GH |
95 | In {{F:slapd.conf}}, it was provided as an example for how to use referrals |
96 | in the original file. However if your machine is not permanently connected to | |
97 | the Internet, it will fail to find the server, and hence produce an error message. | |
98 | ||
99 | To resolve, just place a # in front of line and restart slapd or point it to | |
100 | an available ldap server. | |
56000a3b | 101 | |
e580bd79 | 102 | See also: {{ldapadd}}(1), {{ldapmodify}}(1) and {{slapd.conf}}(5) |
85784fee GH |
103 | |
104 | H3: ldap_*: server is unwilling to perform | |
105 | ||
e580bd79 GH |
106 | slapd will return an unwilling to perform error if the backend holding the |
107 | target entry does not support the given operation. | |
108 | ||
109 | The password backend is only willing to perform searches. It will return an | |
110 | unwilling to perform error for all other operations. | |
111 | ||
85784fee GH |
112 | H3: ldap_*: Insufficient access |
113 | ||
e580bd79 GH |
114 | This error occurs when server denies the operation due to insufficient access. |
115 | This is usually caused by binding to a DN with insufficient privileges | |
116 | (or binding anonymously) to perform the operation. | |
117 | ||
118 | You can bind as the rootdn/rootpw specified in {{slapd.conf}}(5) to gain full | |
119 | access. Otherwise, you must bind to an entry which has been granted the | |
120 | appropriate rights through access controls. | |
121 | ||
85784fee GH |
122 | |
123 | H3: ldap_*: Invalid DN syntax | |
124 | ||
e580bd79 GH |
125 | The target (or other) DN of the operation is invalid. This implies that either |
126 | the string representation of the DN is not in the required form, one of the | |
127 | types in the attribute value assertions is not defined, or one of the values | |
128 | in the attribute value assertions does not conform to the appropriate syntax. | |
85784fee GH |
129 | |
130 | H3: ldap_*: Referral hop limit exceeded | |
131 | ||
e580bd79 GH |
132 | This error generally occurs when the client chases a referral which refers |
133 | itself back to a server it already contacted. The server responds as it did | |
134 | before and the client loops. This loop is detected when the hop limit is exceeded. | |
56000a3b | 135 | |
e580bd79 GH |
136 | This is most often caused through misconfiguration of the server's default |
137 | referral. The default referral should not be itself: | |
56000a3b | 138 | |
e580bd79 GH |
139 | That is, on {{F:ldap://myldap/}} the default referral should not be {{F:ldap://myldap/}} |
140 | (or any hostname/ip which is equivalent to myldap). | |
85784fee GH |
141 | |
142 | H3: ldap_*: operations error | |
143 | ||
e580bd79 | 144 | In some versions of {{slapd}}(8), {{operationsError}} was returned instead of other. |
85784fee GH |
145 | |
146 | H3: ldap_*: other error | |
147 | ||
e580bd79 GH |
148 | The other result code indicates an internal error has occurred. |
149 | While the additional information provided with the result code might provide | |
150 | some hint as to the problem, often one will need to consult the server's log files. | |
85784fee GH |
151 | |
152 | H3: ldap_add/modify: Invalid syntax | |
153 | ||
e580bd79 GH |
154 | This error is reported when a value of an attribute does not conform to syntax |
155 | restrictions. Additional information is commonly provided stating which value | |
156 | of which attribute was found to be invalid. Double check this value and other | |
157 | values (the server will only report the first error it finds). | |
56000a3b | 158 | |
8c3c9ac8 | 159 | Common causes include: |
56000a3b | 160 | |
df5196b7 | 161 | * extraneous whitespace (especially trailing whitespace) |
ee5715fc GH |
162 | * improperly encoded characters (LDAPv3 uses UTF-8 encoded Unicode) |
163 | * empty values (few syntaxes allow empty values) | |
56000a3b | 164 | |
56000a3b | 165 | |
e580bd79 GH |
166 | For certain syntax, like OBJECT IDENTIFIER (OID), this error can indicate that |
167 | the OID descriptor (a "short name") provided is unrecognized. For instance, | |
168 | this error is returned if the {{objectClass}} value provided is unrecognized. | |
85784fee GH |
169 | |
170 | H3: ldap_add/modify: Object class violation | |
171 | ||
e580bd79 GH |
172 | This error is returned with the entry to be added or the entry as modified |
173 | violates the object class schema rules. Normally additional information is | |
174 | returned the error detailing the violation. Some of these are detailed below. | |
56000a3b | 175 | |
8c3c9ac8 | 176 | Violations related to the entry's attributes: |
56000a3b | 177 | |
ee5715fc | 178 | > Attribute not allowed |
e580bd79 GH |
179 | |
180 | A provided attribute is not allowed by the entry's object class(es). | |
181 | ||
ee5715fc | 182 | > Missing required attribute |
e580bd79 GH |
183 | |
184 | An attribute required by the entry's object class(es) was not provided. | |
56000a3b | 185 | |
8c3c9ac8 | 186 | Violations related to the entry's class(es): |
56000a3b | 187 | |
ee5715fc | 188 | > Entry has no objectClass attribute |
e580bd79 GH |
189 | |
190 | The entry did not state which object classes it belonged to. | |
191 | ||
ee5715fc | 192 | > Unrecognized objectClass |
e580bd79 GH |
193 | |
194 | One (or more) of the listed objectClass values is not recognized. | |
195 | ||
ee5715fc | 196 | > No structural object class provided |
e580bd79 GH |
197 | |
198 | None of the listed objectClass values is structural. | |
199 | ||
ee5715fc | 200 | > Invalid structural object class chain |
e580bd79 GH |
201 | |
202 | Two or more structural objectClass values are not in same structural object | |
203 | class chain. | |
204 | ||
ee5715fc | 205 | > Structural object class modification |
e580bd79 GH |
206 | |
207 | Modify operation attempts to change the structural class of the entry. | |
208 | ||
10566c8b | 209 | > Instantiation of abstract objectClass. |
e580bd79 GH |
210 | |
211 | An abstract class is not subordinate to any listed structural or auxiliary class. | |
212 | ||
ee5715fc | 213 | > Invalid structural object class |
e580bd79 GH |
214 | |
215 | Other structural object class problem. | |
216 | ||
ee5715fc | 217 | > No structuralObjectClass operational attribute |
e580bd79 GH |
218 | |
219 | This is commonly returned when a shadow server is provided an entry which does | |
220 | not contain the structuralObjectClass operational attribute. | |
56000a3b | 221 | |
56000a3b | 222 | |
e580bd79 GH |
223 | Note that the above error messages as well as the above answer assumes basic |
224 | knowledge of LDAP/X.500 schema. | |
85784fee GH |
225 | |
226 | H3: ldap_add: No such object | |
227 | ||
e580bd79 GH |
228 | The "ldap_add: No such object" error is commonly returned if parent of the |
229 | entry being added does not exist. Add the parent entry first... | |
8c3c9ac8 GH |
230 | |
231 | For example, if you are adding "cn=bob,dc=domain,dc=com" and you get: | |
232 | ||
ee5715fc | 233 | > ldap_add: No such object |
8c3c9ac8 | 234 | |
e580bd79 GH |
235 | The entry "dc=domain,dc=com" likely doesn't exist. You can use ldapsearch to |
236 | see if does exist: | |
8c3c9ac8 | 237 | |
ee5715fc | 238 | > ldapsearch -b 'dc=domain,dc=com' -s base '(objectclass=*)' |
8c3c9ac8 | 239 | |
e580bd79 | 240 | If it doesn't, add it. See {{SECT:A Quick-Start Guide}} for assistance. |
8c3c9ac8 | 241 | |
e580bd79 GH |
242 | Note: if the entry being added is the same as database suffix, it's parent |
243 | isn't required. i.e.: if your suffix is "dc=domain,dc=com", "dc=com" doesn't | |
244 | need to exist to add "dc=domain,dc=com". | |
8c3c9ac8 | 245 | |
e580bd79 GH |
246 | This error will also occur if you try to add any entry that the server is not |
247 | configured to hold. | |
8c3c9ac8 | 248 | |
e580bd79 GH |
249 | For example, if your database suffix is "dc=domain,dc=com" and you attempt to |
250 | add "dc=domain2,dc=com", "dc=com", "dc=domain,dc=org", "o=domain,c=us", or an | |
251 | other DN in the "dc=domain,dc=com" subtree, the server will return a | |
252 | "No such object" (or referral) error. | |
8c3c9ac8 | 253 | |
e580bd79 GH |
254 | {{slapd}}(8) will generally return "no global superior knowledge" as additional |
255 | information indicating its return noSuchObject instead of a referral as the | |
256 | server is not configured with knowledge of a global superior server. | |
85784fee | 257 | |
85784fee | 258 | |
e580bd79 | 259 | H3: ldap add: invalid structural object class chain |
8c3c9ac8 | 260 | |
e580bd79 GH |
261 | This particular error refers to the rule about STRUCTURAL objectclasses, which |
262 | states that an object is of one STRUCTURAL class, the structural class of the | |
263 | object. The object is said to belong to this class, zero or more auxiliaries | |
264 | classes, and their super classes. | |
265 | ||
266 | While all of these classes are commonly listed in the objectClass attribute of | |
267 | the entry, one of these classes is the structural object class of the entry. | |
268 | Thus, it is OK for an objectClass attribute | |
269 | to contain inetOrgPerson, organizationalPerson, and person because they inherit | |
270 | one from another to form a single super class chain. That is, inetOrgPerson SUPs | |
271 | organizationPerson SUPs person. On the other hand, it is invalid for both inetOrgPerson | |
272 | and account to be listed in objectClass as inetOrgPerson and account are not | |
273 | part of the same super class chain (unless some other class is also listed | |
274 | with is a subclass of both). | |
275 | ||
276 | To resolve this problem, one must determine which class will better serve | |
277 | structural object class for the entry, adding this class to the objectClass | |
278 | attribute (if not already present), and remove any other structural class from | |
279 | the entry's objectClass attribute which is not a super class of the structural | |
280 | object class. | |
281 | ||
282 | Which object class is better depends on the particulars of the situation. | |
283 | One generally should consult the documentation for the applications one is | |
284 | using for help in making the determination. | |
85784fee GH |
285 | |
286 | H3: ldap_add: no structuralObjectClass operational attribute | |
287 | ||
8c3c9ac8 GH |
288 | ldapadd(1) may error: |
289 | ||
ee5715fc GH |
290 | > adding new entry "uid=XXX,ou=People,o=campus,c=ru" |
291 | > ldap_add: Internal (implementation specific) error (80) | |
292 | > additional info: no structuralObjectClass operational attribute | |
8c3c9ac8 | 293 | |
e580bd79 GH |
294 | when slapd(8) cannot determine, based upon the contents of the objectClass |
295 | attribute, what the structural class of the object should be. | |
8c3c9ac8 | 296 | |
85784fee GH |
297 | |
298 | H3: ldap_add/modify/rename: Naming violation | |
299 | ||
e580bd79 GH |
300 | OpenLDAP's slapd checks for naming attributes and distinguished values consistency, |
301 | according to RFC 4512. | |
56000a3b | 302 | |
e580bd79 GH |
303 | Naming attributes are those attributeTypes that appear in an entry's RDN; |
304 | distinguished values are the values of the naming attributes that appear in | |
305 | an entry's RDN, e.g, in | |
56000a3b | 306 | |
ee5715fc | 307 | > cn=Someone+mail=someone@example.com,dc=example,dc=com |
56000a3b | 308 | |
e580bd79 GH |
309 | the naming attributes are cn and mail, and the distinguished values are |
310 | Someone and someone@example.com. | |
56000a3b | 311 | |
8c3c9ac8 | 312 | OpenLDAP's slapd checks for consistency when: |
56000a3b | 313 | |
e580bd79 GH |
314 | * adding an entry |
315 | * modifying an entry, if the values of the naming attributes are changed | |
316 | * renaming an entry, if the RDN of the entry changes | |
56000a3b | 317 | |
8c3c9ac8 | 318 | Possible causes of error are: |
56000a3b | 319 | |
e580bd79 | 320 | * the naming attributes are not present in the entry; for example: |
56000a3b | 321 | |
ee5715fc GH |
322 | > dn: dc=example,dc=com |
323 | > objectClass: organization | |
324 | > o: Example | |
325 | > # note: "dc: example" is missing | |
8c3c9ac8 | 326 | |
e580bd79 GH |
327 | * the naming attributes are present in the entry, but in the attributeType |
328 | definition they are marked as: | |
329 | - collective | |
330 | - operational | |
331 | - obsolete | |
332 | ||
333 | * the naming attributes are present in the entry, but the distinguished values | |
334 | are not; for example: | |
8c3c9ac8 | 335 | |
ee5715fc GH |
336 | > dn: dc=example,dc=com |
337 | > objectClass: domain | |
338 | > dc: foobar | |
339 | > # note: "dc" is present, but the value is not "example" | |
8c3c9ac8 | 340 | |
e580bd79 GH |
341 | * the naming attributes are present in the entry, with the distinguished values, but the naming attributes: |
342 | - do not have an equality field, so equality cannot be asserted | |
343 | - the matching rule is not supported (yet) | |
344 | - the matching rule is not appropriate | |
345 | ||
346 | * the given distinguished values do not comply with their syntax | |
347 | ||
348 | * other errors occurred during the validation/normalization/match process; | |
349 | this is a catchall: look at previous logs for details in case none of the above | |
350 | apply to your case. | |
351 | ||
352 | In any case, make sure that the attributeType definition for the naming attributes | |
353 | contains an appropriate EQUALITY field; or that of the superior, if they are | |
354 | defined based on a superior attributeType (look at the SUP field). See RFC 4512 for details. | |
8c3c9ac8 | 355 | |
85784fee GH |
356 | |
357 | H3: ldap_add/delete/modify/rename: no global superior knowledge | |
358 | ||
e580bd79 GH |
359 | If the target entry name places is not within any of the databases the server |
360 | is configured to hold and the server has no knowledge of a global superior, | |
361 | the server will indicate it is unwilling to perform the operation and provide | |
362 | the text "no global superior knowledge" as additional text. | |
363 | ||
364 | Likely the entry name is incorrect, or the server is not properly configured | |
365 | to hold the named entry, or, in distributed directory environments, a default | |
366 | referral was not configured. | |
8c3c9ac8 | 367 | |
85784fee GH |
368 | |
369 | H3: ldap_bind: Insufficient access | |
370 | ||
e580bd79 GH |
371 | Current versions of slapd(8) requires that clients have authentication |
372 | permission to attribute types used for authentication purposes before accessing | |
373 | them to perform the bind operation. As all bind operations are done anonymously | |
374 | (regardless of previous bind success), the auth access must be granted to anonymous. | |
8c3c9ac8 GH |
375 | |
376 | In the example ACL below grants the following access: | |
377 | ||
e580bd79 GH |
378 | * to anonymous users: |
379 | - permission to authenticate using values of userPassword | |
380 | * to authenticated users: | |
381 | - permission to update (but not read) their userPassword | |
382 | - permission to read any object excepting values of userPassword | |
8c3c9ac8 GH |
383 | |
384 | All other access is denied. | |
385 | ||
ee5715fc GH |
386 | > access to attr=userPassword |
387 | > by self =w | |
388 | > by anonymous auth | |
8c3c9ac8 | 389 | |
ee5715fc GH |
390 | > access * |
391 | > by self write | |
392 | > by users read | |
8c3c9ac8 GH |
393 | |
394 | ||
85784fee GH |
395 | H3: ldap_bind: Invalid credentials |
396 | ||
e580bd79 GH |
397 | The error usually occurs when the credentials (password) provided does not |
398 | match the userPassword held in entry you are binding to. | |
8c3c9ac8 GH |
399 | |
400 | The error can also occur when the bind DN specified is not known to the server. | |
401 | ||
e580bd79 GH |
402 | Check both! In addition to the cases mentioned above you should check if the |
403 | server denied access to userPassword on selected parts of the directory. In | |
404 | fact, slapd always returns "Invalid credentials" in case of failed bind, | |
405 | regardless of the failure reason, since other return codes could reveal the | |
406 | validity of the user's name. | |
8c3c9ac8 GH |
407 | |
408 | To debug access rules defined in slapd.conf, add "ACL" to log level. | |
85784fee GH |
409 | |
410 | H3: ldap_bind: Protocol error | |
411 | ||
e580bd79 GH |
412 | There error is generally occurs when the LDAP version requested by the |
413 | client is not supported by the server. | |
8c3c9ac8 | 414 | |
e580bd79 GH |
415 | The OpenLDAP Software 2.x server, by default, only accepts version 3 LDAP Bind |
416 | requests but can be configured to accept a version 2 LDAP Bind request. | |
8c3c9ac8 | 417 | |
e580bd79 GH |
418 | Note: The 2.x server expects LDAPv3 [RFC4510] to be used when the client |
419 | requests version 3 and expects a limited LDAPv3 variant (basically, LDAPv3 | |
420 | syntax and semantics in an LDAPv2 PDUs) to be used when version 2 is expected. | |
8c3c9ac8 | 421 | |
e580bd79 GH |
422 | This variant is also sometimes referred to as LDAPv2+, but differs from the U-Mich |
423 | LDAP variant in a number of ways. | |
85784fee GH |
424 | |
425 | H3: ldap_modify: cannot modify object class | |
426 | ||
e580bd79 GH |
427 | This message is commonly returned when attempting to modify the objectClass |
428 | attribute in a manner inconsistent with the LDAP/X.500 information model. In | |
429 | particular, it commonly occurs when one tries to change the structure of the | |
430 | object from one class to another, for instance, trying to change an 'apple' | |
431 | into a 'pear' or a 'fruit' into a 'pear'. | |
432 | ||
433 | Such changes are disallowed by the slapd(8) in accordance with LDAP and X.500 restrictions. | |
8c3c9ac8 | 434 | |
85784fee GH |
435 | |
436 | H3: ldap_sasl_interactive_bind_s: ... | |
437 | ||
e580bd79 GH |
438 | If you intended to bind using a DN and password and get an error from |
439 | ldap_sasl_interactive_bind_s, you likely forgot to provide a '-x' option to | |
440 | the command. By default, SASL authentication is used. '-x' is necessary to | |
441 | select "simple" authentication. | |
442 | ||
85784fee GH |
443 | |
444 | H3: ldap_sasl_interactive_bind_s: No such Object | |
445 | ||
e580bd79 GH |
446 | This indicates that LDAP SASL authentication function could not read the |
447 | Root DSE. | |
448 | The error will occur when the server doesn't provide a root DSE. This may be | |
449 | due to access controls. | |
8c3c9ac8 | 450 | |
85784fee GH |
451 | |
452 | H3: ldap_sasl_interactive_bind_s: No such attribute | |
453 | ||
e580bd79 GH |
454 | This indicates that LDAP SASL authentication function could read the Root |
455 | DSE but it contained no supportedSASLMechanism attribute. | |
456 | ||
457 | The supportedSASLmechanism attribute lists mechanisms currently available. | |
458 | The list may be empty because none of the supported mechanisms are currently | |
459 | available. For example, EXTERNAL is listed only if the client has established | |
460 | its identity by authenticating at a lower level (e.g. TLS). | |
461 | ||
8c3c9ac8 | 462 | Note: the attribute may not be visible due to access controls |
e580bd79 | 463 | |
8c3c9ac8 | 464 | Note: SASL bind is the default for all OpenLDAP tools, e.g. ldapsearch(1), ldapmodify(1). To force use of "simple" bind, use the "-x" option. Use of "simple" bind is not recommended unless one has adequate confidentiality protection in place (e.g. TLS/SSL, IPSEC). |
85784fee GH |
465 | |
466 | H3: ldap_sasl_interactive_bind_s: Unknown authentication method | |
467 | ||
e580bd79 GH |
468 | This indicates that none of the SASL authentication supported by the server |
469 | are supported by the client, or that they are too weak or otherwise inappropriate | |
470 | for use by the client. Note that the default security options disallows the use | |
471 | of certain mechanisms such as ANONYMOUS and PLAIN (without TLS). | |
472 | ||
8c3c9ac8 | 473 | Note: SASL bind is the default for all OpenLDAP tools. To force use of "simple" bind, use the "-x" option. Use of "simple" bind is not recommended unless one has adequate confidentiality protection in place (e.g. TLS/SSL, IPSEC). |
85784fee GH |
474 | |
475 | H3: ldap_sasl_interactive_bind_s: Local error (82) | |
476 | ||
8c3c9ac8 GH |
477 | Apparently not having forward and reverse DNS entries for the LDAP server can result in this error. |
478 | ||
85784fee GH |
479 | |
480 | H3: ldap_search: Partial results and referral received | |
481 | ||
e580bd79 GH |
482 | This error is returned with the server responses to an LDAPv2 search query |
483 | with both results (zero or more matched entries) and references (referrals to other servers). | |
8c3c9ac8 | 484 | See also: ldapsearch(1). |
e580bd79 GH |
485 | |
486 | If the updatedn on the replica does not exist, a referral will be returned. | |
487 | It may do this as well if the ACL needs tweaking. | |
85784fee GH |
488 | |
489 | H3: ldap_start_tls: Operations error | |
490 | ||
8c3c9ac8 GH |
491 | ldapsearch(1) and other tools will return |
492 | ||
ee5715fc GH |
493 | > ldap_start_tls: Operations error (1) |
494 | > additional info: TLS already started | |
8c3c9ac8 | 495 | |
e580bd79 GH |
496 | When the user (though command line options and/or ldap.conf(5)) has requested |
497 | TLS (SSL) be started twice. For instance, when specifying both "-H ldaps://server.do.main" and "-ZZ". | |
85784fee GH |
498 | |
499 | H2: Other Errors | |
500 | ||
501 | H3: ber_get_next on fd X failed errno=34 (Numerical result out of range) | |
502 | ||
e580bd79 GH |
503 | This slapd error generally indicates that the client sent a message that |
504 | exceeded an administrative limit. See sockbuf_max_incoming and sockbuf_max_incoming_auth | |
505 | configuration directives in slapd.conf(5). | |
85784fee GH |
506 | |
507 | H3: ber_get_next on fd X failed errno=11 (Resource temporarily unavailable) | |
508 | ||
e580bd79 GH |
509 | This message is not indicative of abnormal behavior or error. It simply means |
510 | that expected data is not yet available from the resource, in this context, a | |
511 | network socket. slapd(8) will process the data once it does becomes available. | |
85784fee GH |
512 | |
513 | H3: daemon: socket() failed errno=97 (Address family not supported) | |
514 | ||
e580bd79 GH |
515 | This message indicates that the operating system does not support one of the |
516 | (protocol) address families which slapd(8) was configured to support. Most | |
517 | commonly, this occurs when slapd(8) was configured to support IPv6 yet the | |
518 | operating system kernel wasn't. In such cases, the message can be ignored. | |
85784fee GH |
519 | |
520 | H3: GSSAPI: gss_acquire_cred: Miscellaneous failure; Permission denied; | |
521 | ||
e580bd79 GH |
522 | This message means that slapd is not running as root and, thus, it cannot get |
523 | its Kerberos 5 key from the keytab, usually file /etc/krb5.keytab. | |
8c3c9ac8 | 524 | |
e580bd79 GH |
525 | A keytab file is used to store keys that are to be used by services or daemons |
526 | that are started at boot time. It is very important that these secrets are kept | |
527 | beyond reach of intruders. | |
8c3c9ac8 | 528 | |
e580bd79 GH |
529 | That's why the default keytab file is owned by root and protected from being |
530 | read by others. Do not mess with these permissions, build a different keytab | |
38d9e22b HC |
531 | file for slapd instead, and make sure it is owned by the user that slapd |
532 | runs as. | |
8c3c9ac8 GH |
533 | |
534 | To do this, start kadmin, and enter the following commands: | |
535 | ||
e580bd79 GH |
536 | > addprinc -randkey ldap/ldap.example.com@EXAMPLE.COM |
537 | > ktadd -k /etc/openldap/ldap.keytab ldap/ldap.example.com@EXAMPLE.COM | |
8c3c9ac8 GH |
538 | |
539 | Then, on the shell, do: | |
540 | ||
38d9e22b | 541 | > chown ldap:ldap /etc/openldap/ldap.keytab |
e580bd79 GH |
542 | > chmod 600 /etc/openldap/ldap.keytab |
543 | ||
544 | Now you have to tell slapd (well, actually tell the gssapi library in Kerberos 5 | |
545 | that is invoked by Cyrus SASL) where to find the new keytab. You do this by | |
546 | setting the environment variable KRB5_KTNAME like this: | |
547 | ||
548 | > export KRB5_KTNAME="FILE:/etc/openldap/ldap.keytab" | |
8c3c9ac8 | 549 | |
e580bd79 GH |
550 | Set that environment variable on the slapd start script (Red Hat users might |
551 | find /etc/sysconfig/ldap a perfect place). | |
8c3c9ac8 | 552 | |
e580bd79 GH |
553 | This only works if you are using MIT kerberos. It doesn't work with Heimdal, |
554 | for instance. | |
8c3c9ac8 | 555 | |
8c3c9ac8 | 556 | |
e580bd79 GH |
557 | In Heimdal there is a function gsskrb5_register_acceptor_identity() that sets |
558 | the path of the keytab file you want to use. In Cyrus SASL 2 you can add | |
559 | ||
560 | > keytab: /path/to/file | |
8c3c9ac8 GH |
561 | |
562 | to your application's SASL config file to use this feature. This only works with Heimdal. | |
e580bd79 | 563 | |
85784fee GH |
564 | |
565 | H3: access from unknown denied | |
566 | ||
8c3c9ac8 | 567 | This related to TCP wrappers. See hosts_access(5) for more information. |
e580bd79 GH |
568 | in the log file: "access from unknown denied" This related to TCP wrappers. |
569 | See hosts_access(5) for more information. | |
570 | for example: add the line "slapd: .hosts.you.want.to.allow" in /etc/hosts.allow | |
571 | to get rid of the error. | |
85784fee GH |
572 | |
573 | H3: ldap_read: want=# error=Resource temporarily unavailable | |
574 | ||
e580bd79 GH |
575 | This message occurs normally. It means that pending data is not yet available |
576 | from the resource, a network socket. slapd(8) will process the data once it | |
577 | becomes available. | |
85784fee GH |
578 | |
579 | H3: `make test' fails | |
580 | ||
8c3c9ac8 GH |
581 | Some times, `make test' fails at the very first test with an obscure message like |
582 | ||
e580bd79 | 583 | > make test |
af5b31b2 QGM |
584 | > make[1]: Entering directory `/ldap_files/openldap-2.5.0/tests' |
585 | > make[2]: Entering directory `/ldap_files/openldap-2.5.0/tests' | |
49ae28a2 | 586 | > Initiating LDAP tests for MDB... |
e580bd79 GH |
587 | > Cleaning up test run directory leftover from previous run. |
588 | > Running ./scripts/all... | |
49ae28a2 | 589 | > >>>>> Executing all LDAP tests for mdb |
e580bd79 GH |
590 | > >>>>> Starting test000-rootdse ... |
591 | > running defines.sh | |
592 | > Starting slapd on TCP/IP port 9011... | |
593 | > Using ldapsearch to retrieve the root DSE... | |
594 | > Waiting 5 seconds for slapd to start... | |
595 | > ./scripts/test000-rootdse: line 40: 10607 Segmentation fault $SLAPD -f $CONF1 -h $URI1 -d $LVL $TIMING >$LOG1 2>&1 | |
596 | > Waiting 5 seconds for slapd to start... | |
597 | > Waiting 5 seconds for slapd to start... | |
598 | > Waiting 5 seconds for slapd to start... | |
599 | > Waiting 5 seconds for slapd to start... | |
600 | > Waiting 5 seconds for slapd to start... | |
601 | > ./scripts/test000-rootdse: kill: (10607) - No such pid | |
602 | > ldap_sasl_bind_s: Can't contact LDAP server (-1) | |
603 | > >>>>> Test failed | |
604 | > >>>>> ./scripts/test000-rootdse failed (exit 1) | |
49ae28a2 | 605 | > make[2]: *** [mdb-yes] Error 1 |
af5b31b2 | 606 | > make[2]: Leaving directory `/ldap_files/openldap-2.5.0/tests' |
e580bd79 | 607 | > make[1]: *** [test] Error 2 |
af5b31b2 | 608 | > make[1]: Leaving directory `/ldap_files/openldap-2.5.0/tests' |
e580bd79 | 609 | > make: *** [test] Error 2 |
8c3c9ac8 GH |
610 | |
611 | or so. Usually, the five lines | |
612 | ||
613 | Waiting 5 seconds for slapd to start... | |
614 | ||
615 | indicate that slapd didn't start at all. | |
616 | ||
e580bd79 GH |
617 | In tests/testrun/slapd.1.log there is a full log of what slapd wrote while |
618 | trying to start. The log level can be increased by setting the environment | |
619 | variable SLAPD_DEBUG to the corresponding value; see loglevel in slapd.conf(5) | |
620 | for the meaning of log levels. | |
8c3c9ac8 | 621 | |
e580bd79 GH |
622 | A typical reason for this behavior is a runtime link problem, i.e. slapd cannot |
623 | find some dynamic libraries it was linked against. Try running ldd(1) on slapd | |
624 | (for those architectures that support runtime linking). | |
8c3c9ac8 | 625 | |
e580bd79 GH |
626 | There might well be other reasons; the contents of the log file should help |
627 | clarifying them. | |
8c3c9ac8 | 628 | |
e580bd79 GH |
629 | Tests that fire up multiple instances of slapd typically log to tests/testrun/slapd.<n>.log, |
630 | with a distinct <n> for each instance of slapd; list tests/testrun/ for possible | |
631 | values of <n>. | |
85784fee GH |
632 | |
633 | H3: ldap_*: Internal (implementation specific) error (80) - additional info: entry index delete failed | |
634 | ||
ec2cb12e | 635 | This seems to be related with wrong ownership of the MDB's dir (/var/lib/ldap) |
38d9e22b | 636 | and files. The files must be owned by the user that slapd runs as. |
e580bd79 | 637 | |
38d9e22b | 638 | > chown -R ldap:ldap /var/lib/ldap |
e580bd79 GH |
639 | |
640 | fixes it in Debian | |
641 | ||
85784fee | 642 | |
85784fee GH |
643 | H3: ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) |
644 | ||
e580bd79 GH |
645 | Using SASL, when a client contacts LDAP server, the slapd service dies |
646 | immediately and client gets an error : | |
647 | ||
648 | > SASL/GSSAPI authentication started ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) | |
649 | ||
85784fee | 650 | Then check the slapd service, it stopped. |