ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

On a CentOS machine, ldapsearch was not giving me much love when accessing a Microsoft Global directory server via ldaps on a given port. The error message I got was:


ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

When turning up debug level via -d 1 as in


ldapsearch -d 1 -v -H ldaps://servername:portnumber

I got the bit more revealing error message:


TLS certificate verification: Error, unable to get local issuer certificate
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed (unable to get local issuer certificate).

It turns out that a simple line like


TLS_REQCERT never

in ldap.conf makes things better. In my particular install, a simple 'locate ldap.conf' was a bit misleading. The true location of the config file actually being read can be revealed via:


strace ldapsearch -v -H ldaps://servername:portnumber 2>&1 | grep ldap.conf
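The TLS_REQCERT never line above makes libldap skip server certificate verification altogether, whereas the "unable to get local issuer certificate" error is asking for the CA that issued the directory server's certificate. The following shell example is added here and is not code from the original post: it audits the TLS_REQCERT directive in a ldap.conf-style file and writes the hardened alternative, which keeps TLS_REQCERT at demand and supplies that CA via TLS_CACERT. The file paths, CA bundle location and server URI in it are placeholders.

```shell
#!/bin/sh
# Added example (not code from the original post): audit the TLS_REQCERT
# setting in an OpenLDAP client ldap.conf and write a hardened replacement
# that keeps certificate verification on. File paths, the CA bundle
# location and the server URI are placeholders, not values from the post.

# Effective TLS_REQCERT value of a ldap.conf-style file: comment lines are
# skipped, the last directive wins, and libldap defaults to "demand" if unset.
ldap_tls_reqcert() {
    awk 'tolower($1) == "tls_reqcert" { v = tolower($2) }
         END { if (v == "") v = "demand"; print v }' "$1"
}

# Classify the setting. Exit 0 when the server certificate is verified,
# 2 for "try" (verified only if the server presents one), 1 when it is not
# verified at all ("never" skips the check, "allow" ignores a bad cert).
ldap_tls_verified() {
    case "$(ldap_tls_reqcert "$1")" in
        demand|hard) echo "ok: server certificate is verified"; return 0 ;;
        try)         echo "weak: verified only when a cert is presented"; return 2 ;;
        never|allow) echo "INSECURE: server certificate is not verified"; return 1 ;;
        *)           echo "unknown TLS_REQCERT value"; return 1 ;;
    esac
}

# Hardened ldap.conf: point the client at the CA that issued the directory
# server's certificate (the "local issuer" libldap could not find) instead of
# disabling the check. $1 = output file, $2 = CA bundle (PEM), $3 = server URI.
ldap_conf_hardened() {
    printf 'URI %s\nTLS_CACERT %s\nTLS_REQCERT demand\n' "$3" "$2" > "$1"
}

# Demo on constructed input: the post's workaround first, then the hardened form.
demo_dir=$(mktemp -d)
printf 'URI ldaps://server.example:636\nTLS_REQCERT never\n' > "$demo_dir/weak.conf"
ldap_tls_verified "$demo_dir/weak.conf" || true
ldap_conf_hardened "$demo_dir/hardened.conf" /etc/pki/tls/certs/directory-ca.pem \
    ldaps://server.example:636
ldap_tls_verified "$demo_dir/hardened.conf"
rm -rf "$demo_dir"
```

Once the hardened file is in place, the same ldapsearch -d 1 run should no longer report "unable to get local issuer certificate"; if it still does, the CA bundle does not contain the server certificate's issuer.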

9 Responses to "ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)"

  1. al biheiri Says:

    Ah! I lost 1 hour trying to find this... thanks

  2. dez Says:

    I'm configuring LDAP, and for a moment now I've been getting this error: ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    I think slapd is not running, because when I do pgrep slapd I get nothing:

    [root@bob openldap]# pgrep slapd
    [root@bob openldap]#

    Normally I should get a PID!!
    Thank you for bringing me help.

  3. Charles Says:

    Very nice, thank you for helping us!

  4. Lawrence Says:

    Great! Very useful.

  5. josef lahmer Says:

    Check if the server is listening on port 636:

    netstat -tulanp

    if you have a listening port on 636
    => config needs further config to enable ldaps!

    Check SSL with:
    openssl s_client -connect localhost:636 -showcerts -state -CAfile /etc/openldap/cacerts/cacert.pem
    => config needs further changes to the PKI config...

    Also see:
    http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_obsolete.html#6.0

  6. udin Says:

    This is my configuration..

    [root@fedora openldap]# ldapsearch -d 1 -v -H ldaps://ujicoba.com:389
    ldap_url_parse_ext(ldaps://ujicoba.com:389)
    ldap_initialize( ldaps://ujicoba.com:389/??base )
    ldap_create
    ldap_url_parse_ext(ldaps://ujicoba.com:389/??base)
    ldap_pvt_sasl_getmech
    ldap_search
    put_filter: "(objectclass=*)"
    put_filter: simple
    put_simple_filter: "objectclass=*"
    ldap_send_initial_request
    ldap_new_connection 1 1 0
    ldap_int_open_connection
    ldap_connect_to_host: TCP ujicoba.com:389
    ldap_new_socket: 3
    ldap_prepare_socket: 3
    ldap_connect_to_host: Trying 192.168.1.2:389
    ldap_pvt_connect: fd: 3 tm: -1 async: 0
    ldap_close_socket: 3
    ldap_err2string
    ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)

    Where is my fault?

  7. Ahmed Taha Says:

    Hi there, I had the same problem and solved it:
    just turn on debugging at level 64 in /etc/sysconfig/ldap
    with SLAPD_OPTIONS="-d 64 -f /etc/openldap/slapd.conf",
    save the file and restart, and you'll see debugging output on your terminal.
    The problem was that it couldn't open the ldap.conf file;
    change the permissions of the file to 777 or whatever you like, restart, and you're done :)

  8. Prathik Rajendran M Says:

    Thanks a ton, works like a charm!

  9. dave kay Says:

    @Ahmed Taha

    There is no problem that file permissions of 777 fix adequately. Never EVER EVER do this on a .conf file. Figure out what user needs access to the file and permission it accordingly.
