# LDAP server in jail problem



## rainbowwarrior (Dec 15, 2010)

Hey,

I've got a FreeBSD server on the internet running 2 jails.

A Jail -> ldap server
B Jail -> Apache2 

Both have public IPs. I can reach the LDAP server from all over the internet, but not from the jail where I need it, Jail B.

So my ldapsearch from Jail B fails with "Can't contact LDAP server (-1)".

Any idea?


----------



## SirDice (Dec 15, 2010)

How are you connecting to the LDAP server? What IP address do you use for it? It should be the public IP address.


----------



## rainbowwarrior (Dec 15, 2010)

Yes, I use the public IP address and the LDAP server is listening on it.



```
ldapsearch -x -h ldaps://public-ip -b "dc=company,dc=de" -p 636 -d3 
ldap_create
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP localhost:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
```

The same command on any other machine works without any problems.


----------



## SirDice (Dec 15, 2010)

You're connecting to localhost (127.0.0.1) not the public IP address.

If I read ldapsearch(1) correctly you should use *-H* not *-h*.


----------



## rainbowwarrior (Dec 15, 2010)

Okay, with a URI it's -H and for a host it's -h. My mistake.

Now it runs with port 389, but not with 636 for TLS. I get this error:

```
ldapsearch -x -h ip -b "dc=for-sale-online-marketing,dc=de" -Z
ldap_start_tls: Connect error (-11)
	additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (self signed certificate)
ldap_result: Can't contact LDAP server (-1)
```

Now I put

```
TLS_CACERT  /root/ssl/ca.cert
```

in the ldap.conf without any change, and Apache says "internal server error" when I start authentication via LDAP with TLS.


----------



## SirDice (Dec 15, 2010)

Have you tried with the URI? Both the -p and -h options are deprecated.


----------



## olav (Dec 15, 2010)

Have you configured the /usr/local/etc/openldap/ldap.conf in jail B like this?

```
base dc=company,dc=de
uri ldap://jail-B
ssl start_tls
tls_cacert /root/ssl/ca.cert
```
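The thread turns on two client-side details: `-h host` silently falls back to `localhost:389` where `-H uri` would have been right, and a self-signed server certificate only verifies if the client can read the CA certificate named by `TLS_CACERT` inside its own jail. The checker below is an added example, not code from the thread or from OpenLDAP: it parses an `ldap.conf`-style file (directive names `URI`, `TLS_CACERT` and `TLS_REQCERT` from ldap.conf(5), plus the `ssl start_tls` line as quoted in the post above), reports the settings that would either break verification or disable it, and builds the equivalent `ldapsearch -H` command line. The sample configs and the hostname `ldap-jail.example.invalid` are constructed for the example; the `cacert_exists` parameter stands in for the filesystem check so the code runs anywhere.

```python
"""Audit the TLS settings of an OpenLDAP client ldap.conf.

Added example; not code from the forum thread or from the OpenLDAP project.
Directive names follow ldap.conf(5); ``ssl start_tls`` is the nss_ldap-style
line quoted in the thread and is honoured as "use StartTLS on ldap://".
"""
import os
from typing import Dict, List, Optional

# Constructed sample: the configuration suggested in the thread.
THREAD_CONF = """\
base dc=company,dc=de
uri ldap://jail-B
ssl start_tls
tls_cacert /root/ssl/ca.cert
"""

# Constructed sample of the "it suddenly works" anti-pattern: verification is
# switched off instead of the CA certificate being made available in the jail.
WEAK_CONF = """\
base dc=company,dc=de
uri ldap://jail-B
ssl start_tls
tls_reqcert never
"""


def parse_ldap_conf(text: str) -> Dict[str, str]:
    """Return {lowercased directive: value}; comments and blank lines are
    skipped and a later occurrence of a directive overrides an earlier one."""
    conf: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            conf[parts[0].lower()] = parts[1].strip()
    return conf


def uri_scheme(conf: Dict[str, str]) -> str:
    uri = conf.get("uri", "")
    return uri.split("://", 1)[0].lower() if "://" in uri else ""


def check_tls(conf: Dict[str, str], cacert_exists: Optional[bool] = None) -> List[str]:
    """Return a list of findings; an empty list means verification is intact."""
    findings: List[str] = []
    scheme = uri_scheme(conf)
    if "uri" not in conf:
        # Without URI the client library defaults to ldap://localhost:389,
        # which is exactly the "TCP localhost:389" seen in the thread's -d3 trace.
        findings.append("no URI directive: client will fall back to ldap://localhost:389")
    uses_tls = scheme == "ldaps" or conf.get("ssl", "").lower() == "start_tls"
    reqcert = conf.get("tls_reqcert", "demand").lower()  # ldap.conf(5) default is demand
    if reqcert in ("never", "allow"):
        findings.append(f"TLS_REQCERT {reqcert}: server certificate is not verified")
    if uses_tls and "tls_cacert" not in conf:
        findings.append("TLS_CACERT missing: a self-signed server certificate cannot verify")
    if "tls_cacert" in conf:
        path = conf["tls_cacert"]
        exists = cacert_exists if cacert_exists is not None else os.path.isfile(path)
        if not exists:
            # Each jail has its own filesystem; the file must exist in the client jail.
            findings.append(f"TLS_CACERT {path} is not readable in this jail")
    return findings


def build_ldapsearch_cmd(conf: Dict[str, str]) -> List[str]:
    """Equivalent ldapsearch invocation using -H (URI), never -h/-p.
    -ZZ makes StartTLS mandatory; it is omitted for ldaps://, which is TLS already."""
    cmd = ["ldapsearch", "-x", "-H", conf["uri"], "-b", conf["base"]]
    if uri_scheme(conf) == "ldap" and conf.get("ssl", "").lower() == "start_tls":
        cmd.append("-ZZ")
    return cmd


if __name__ == "__main__":
    for name, text in (("thread", THREAD_CONF), ("weak", WEAK_CONF)):
        conf = parse_ldap_conf(text)
        print(name, " ".join(build_ldapsearch_cmd(conf)))
        for finding in check_tls(conf) or ["ok"]:
            print("  ", finding)
```

Run it against a real file with `check_tls(parse_ldap_conf(open(path).read()))` from inside the client jail; a `TLS_CACERT ... not readable` finding there is the jail-specific cause of the `certificate verify failed (self signed certificate)` error in the thread, and the fix is to copy the CA certificate into the jail rather than to lower `TLS_REQCERT`.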


----------



## rainbowwarrior (Dec 16, 2010)

Yes, now it's in the ldap.conf. But on another server the ldap.conf is empty and the authentication via LDAP TLS and Apache is running perfectly.


----------

