[Freeipa-users] Need LDAP access for host not in IPA domain

Rob Crittenden rcritten at redhat.com
Fri May 5 13:22:18 UTC 2017


Detlev Habicht wrote:
> Hello,
> 
> I need a simple, plain LDAP bind for authentication for a host
> which is not part of my IPA domain.
> 
> Something like this is working in the domain:
> 
>  ldapsearch -vx -H ldaps://xxx.yyy.intern -b "cn=accounts,dc=yyy,dc=intern"
> 
> My problem is, it is only working with the hostname xxx.yyy.intern which
> is part of my domain yyy.intern. But outside of the domain I have to
> use the IP address or something like xxx.yyy.zzz.de.
> 
> But then I have this error message:
> 
> ldap_initialize( ldaps://xxx.yyy.zzz.de:636/??base )
> ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
> 
> Any idea what I can do?
> 
> Thank you!
> 
> Detlev
> 
> P.S.: I have the same problem in the domain when I am not using
>       xxx.yyy.intern. The IP address, for example, is also not working.

I'd slap a -d 255 onto that command. It will give you a lot more
information on what is going on. It could be rejecting the request
because the requested name (IP address) doesn't match anything in the cert.

The 389-ds access log will also confirm whether you are making a
connection or not (to rule out firewall, etc). Note that this log is
buffered so you need to be patient, tail -f won't show connections
immediately.

rob
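The two checks Rob describes, worked through offline as an added example (this is not code from the thread or from FreeIPA/389-ds): the first function applies the TLS name-matching rule that makes an ldaps:// connection by IP or by an out-of-domain name fail when the server certificate only carries the in-domain hostname in its subjectAltName, and the second scans access-log lines for connections from a given client to tell "never reached the server" apart from "reached the server but gave up before binding". The SAN list and the access-log lines are constructed for the example (the log lines follow the shape of 389-ds's access log, but are not a real capture), and the names are the placeholders from the original mail.

```python
"""Added example: ldaps:// name matching and 389-ds access-log triage.
SAN_ENTRIES and ACCESS_LOG below are constructed inputs, not real data."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed: what a typical IPA server cert carries, i.e. only the
# in-domain hostname as a dNSName SAN, no IP address, no external name.
SAN_ENTRIES = [("DNS", "xxx.yyy.intern")]


def url_host(ldap_url):
    """Host part of an LDAP URL as printed by ldap_initialize(), e.g.
    'ldaps://xxx.yyy.zzz.de:636/??base' -> 'xxx.yyy.zzz.de'."""
    return urlsplit(ldap_url).hostname


def san_matches(target, san_entries):
    """RFC 6125-style check a TLS client performs against the server cert:
    an IP literal only matches an iPAddress SAN, a DNS name only matches a
    dNSName SAN (a wildcard covers exactly one leftmost label). The subject
    CN is ignored, as modern clients do, so a cert issued for
    xxx.yyy.intern matches neither its IP address nor xxx.yyy.zzz.de."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    host = target.rstrip(".").lower()
    for kind, value in san_entries:
        if kind == "IP" and ip is not None:
            if ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and ip is None:
            pattern = value.rstrip(".").lower()
            if pattern.startswith("*."):
                suffix = pattern[1:]          # ".yyy.intern"
                label = host[: -len(suffix)] if host.endswith(suffix) else ""
                if label and "." not in label:
                    return True
            elif pattern == host:
                return True
    return False


# Constructed lines in the shape of a 389-ds access log (not a real capture):
# conn=41 completes TLS and binds; conn=42 is opened but never binds, which is
# what a client that rejected the server cert looks like from the server side.
ACCESS_LOG = """\
[05/May/2017:15:20:01.000000000 +0200] conn=41 fd=64 slot=64 SSL connection from 10.1.2.3 to 10.1.2.10
[05/May/2017:15:20:01.001000000 +0200] conn=41 TLS1.2 256-bit AES-GCM
[05/May/2017:15:20:01.002000000 +0200] conn=41 op=0 BIND dn="" method=128 version=3
[05/May/2017:15:20:01.003000000 +0200] conn=41 op=0 RESULT err=0 tag=97 nentries=0 etime=0.0001
[05/May/2017:15:22:10.000000000 +0200] conn=42 fd=65 slot=65 SSL connection from 192.0.2.7 to 10.1.2.10
"""

CONN_RE = re.compile(r"conn=(\d+) fd=\d+ slot=\d+ (?:SSL )?connection from (\S+) to (\S+)")
BIND_RE = re.compile(r"conn=(\d+) op=\d+ BIND ")


def connections_from(log_text, client_ip):
    """Map each conn id opened by client_ip to whether a BIND was logged.
    Empty result: nothing reached 389-ds (look at firewall/routing/DNS).
    Entry with False: TCP reached the server but the client dropped the
    connection before authenticating (TLS setup failed, e.g. name mismatch).
    Entry with True: the bind itself happened, look at the RESULT line."""
    conns = {}
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            if m.group(2) == client_ip:
                conns[m.group(1)] = False
            continue
        m = BIND_RE.search(line)
        if m and m.group(1) in conns:
            conns[m.group(1)] = True
    return conns


if __name__ == "__main__":
    for url in ("ldaps://xxx.yyy.intern", "ldaps://xxx.yyy.zzz.de:636/??base",
                "ldaps://10.1.2.10"):
        name = url_host(url)
        print(f"{url}: cert name check {'OK' if san_matches(name, SAN_ENTRIES) else 'FAILS'}")
    for client in ("10.1.2.3", "192.0.2.7", "203.0.113.9"):
        print(f"client {client}: {connections_from(ACCESS_LOG, client)}")
```

In the field the SAN list comes from the live server, for example `openssl s_client -connect xxx.yyy.intern:636 -servername xxx.yyy.intern </dev/null | openssl x509 -noout -ext subjectAltName`, and the client-side view of the same decision is in the `-d 255` output Rob mentions. If the external name or the IP is not in that list, no client-side option short of disabling certificate verification will make the connection succeed, and disabling verification turns the simple bind into a credential sent to whoever answers on port 636; the sound fix is a server certificate that also carries the name the external hosts connect to.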