MDS 2.4 Bind Error Troubleshooting
This page describes what to check and what actions to take to resolve problems in your MDS environment that can generate the following error messages:
- ldap_bind: Can’t contact LDAP server
- No such object
- ldap_sasl_interactive_bind_s: Can’t contact LDAP server
- ldap_sasl_interactive_bind_s: local error
- ldap_sasl_interactive_bind_s: Unknown error – unable to access certificates
- ldap_sasl_interactive_bind_s: Unknown error – user certificate not found
Before starting to troubleshoot, make sure of the following in your MDS environment:
- Set GLOBUS_LOCATION on both client and server machines.
- Source your environment for the type of shell you are using, on both client and server.
- For authenticated access to MDS:
  - Obtain a user certificate for yourself.
  - Obtain an LDAP certificate for your server.
  - Create a proxy on the client.
- Start MDS on the server, with the globus-mds start (formerly SXXgris start) command.
These configuration procedures are described in detail in the MDS 2.4 User’s Guide.
ldap_bind: Can’t contact LDAP server
This message means that the client can’t contact the server.
The first thing to check is that the slapd process is running on the designated server and is listening on the designated port. You can use the ps command to do this.
The server’s port number is specified in the grid-info.conf file on the server. Either the port number (-p option) specified on the grid-info-search command issued from the client does not match the server’s port number, or the port number specified in the grid-info.conf file on the client does not match the server’s port number.
Changing the port number from the client to match that set for the server should solve the problem.
This message is produced as the result of an anonymous query; certificates don’t matter in this case.
Also check that the host name is correctly specified with the FQHN (fully qualified host name) on the grid-info-search command issued from the client.
If you are using a firewall, make sure that your server will accept inbound connections on port 2135. For more information on using the Globus Toolkit with firewalls, refer to Globus Toolkit Firewall Requirements.
No such object
This message appears as in the following example, as a result of a grid-info-search query:
    # search result
    search: 2
    result: 32 No such object
This means the client is not connecting to the GIIS inside the slapd server; the grid-info-search command is insufficiently specified to know where to start the search.
If the -b basedn option is not specified on the grid-info-search command from the client, the command supplies a default like mds-vo-name=local,o=grid, but that may be incorrect if there is no corresponding vo on the server (if, for example, it has been removed from the server's grid-info.conf file).
The query may need a more specific -b parameter that the server can identify.
Also, make sure that the value of mds-vo-name is specified correctly on the command line.
ldap_sasl_interactive_bind_s: Can’t contact LDAP server
This message may mean that there is some problem in your certification/security configuration that is preventing your query from accessing the LDAP server.
If you get this message as a result of an authenticated query, the first thing to try is an anonymous query (-x option on grid-info-search). If the anonymous query produces the "ldap_bind: Can’t contact LDAP server" message described above, this indicates a server connection problem. Follow the suggestions described under that message to resolve the problem.
If the anonymous query works, then you need to check the following in your certification/security configuration:
- That you have a user certificate for yourself, as described in the Globus Toolkit 2.4 Installation Instructions, and that it is installed correctly in ~/.globus.
- That you have an LDAP certificate for the server, as described in the MDS 2.4 User’s Guide, and that it is installed correctly in /etc/grid-security/ldap.
- That you have a valid proxy, created on the client as described in the MDS 2.4 User’s Guide.
ldap_sasl_interactive_bind_s: local error
This message is typically produced as the result of an authenticated query, the typical scenario being that anonymous queries work, while authenticated queries do not.
This message means that you either do not have a valid proxy, or that your proxy is not set up correctly. (For example, your proxy may have expired.)
You obtain a certificate as described in the Globus Toolkit 2.4 Installation Instructions and in the MDS 2.4 User’s Guide.
You can check the status of existing proxies with the grid-proxy-info command. A file name like X509up_u<uid> (in the /tmp directory) shows you that a proxy is valid. The X509_USER_PROXY environment variable (in the /etc/grid-info-server-env.conf file) should point to a valid proxy, by default the file in /tmp.
If your proxy appears to be current and correct, then make sure that the /etc/hosts file is set up correctly, with a fully qualified host name and that name entered before the shortened host name on each line. Refer to the MDS FAQ on this topic for more details.
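The /etc/hosts ordering rule above can be checked mechanically. The shell function below is an added example, not part of the original page or of the Globus Toolkit; the function name check_hosts_fqdn, the host gris1.example.org and the sample addresses are assumptions made up for illustration.

```shell
# Added example (constructed helper, not a Globus Toolkit command).
# check_hosts_fqdn FILE SHORTNAME
#   Reports entries in FILE (hosts-file format) where a short host name is
#   listed before a fully qualified one, and checks that SHORTNAME has an
#   entry whose first name is fully qualified.
#   Returns 0 if the file is clean, 1 otherwise.
check_hosts_fqdn() {
    awk -v short="$2" '
        {
            sub(/#.*/, "")              # strip comments; fields are re-split
            if (NF < 2) next            # blank line, or address with no names
            if ($2 ~ /\./) {            # first name is fully qualified
                split($2, label, ".")
                if (label[1] == short) found = 1
                next
            }
            for (i = 3; i <= NF; i++)   # short name first: look for a later FQHN
                if ($i ~ /\./) {
                    printf "line %d: %s is listed before %s\n", NR, $2, $i
                    bad = 1
                    break
                }
        }
        END {
            if (!found) {
                printf "no entry for %s starts with a fully qualified name\n", short
                bad = 1
            }
            exit bad + 0
        }
    ' "$1"
}

# Constructed sample input (192.0.2.0/24 is a documentation address range).
sample=$(mktemp)
cat > "$sample" <<'EOF'
127.0.0.1   localhost
192.0.2.10  gris1 gris1.example.org   # short name first: flagged
EOF
check_hosts_fqdn "$sample" gris1 || echo "hosts file needs fixing"
rm -f "$sample"
```

On a real server, pass /etc/hosts and the machine's short host name as the two arguments.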
ldap_sasl_interactive_bind_s: Unknown error – unable to access certificates
A message like this means that your Grid Security Infrastructure (GSI) environment has not been properly set up on the server. The setup-gsi script has either not been run or not run properly. Refer to the Globus Toolkit 2.4 Download Page and the Globus Toolkit 2.4 Installation Instructions for more information.
ldap_sasl_interactive_bind_s: Unknown error – user certificate not found
A message like this means that there is an error on the server. The LDAP server certificate was not found. Refer to the MDS 2.4 User’s Guide for information on requesting and verifying a server certificate.