1

Topic: Cannot connect to ldaps

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
iRedMail Enterprise v1.3.1
- Deployed with iRedMail Easy or the downloadable installer?
iRedMail Enterprise
- Linux/BSD distribution name and version:
Ubuntu 24.04
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
LDAP
- Web server (Apache or Nginx):
Apache
- Manage mail accounts with iRedAdmin-Pro?
iRedMail Enterprise
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

I have been able to integrate some other servers with the LDAP server running on my iRedMail Enterprise server using unencrypted ldap.

I wish to switch to ldaps on an integration, but I keep getting an error, from either the remote or the local machine, when running ldapsearch.

ldapsearch -x -b "dc=mydomain,dc=com" -H ldaps://127.0.0.0 -D "cn=vmail,dc=mydomain,dc=com" -W "(&(objectclass=mailUser)(enabledService=nextcloud))"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

I have a valid certificate in slapd.conf.

I have ldaps:/// in the SLAPD_SERVICES line of /etc/default/slapd.

TCP ports 389 and 636 are open in the machine firewall.

lsof -i:636 shows that slapd is listening to port 636.

Any other troubleshooting steps I might try to get the iRedMail LDAP server to allow connections via ldaps://?

2

Re: Cannot connect to ldaps

Did you try "-H ldaps://127.0.0.0:636"?

3

Re: Cannot connect to ldaps

ZhangHuangbin wrote:

Did you try "-H ldaps://127.0.0.0:636"?

Just now, I did, with the same error resulting.

4

Re: Cannot connect to ldaps

Did you toggle on the option "Enable LDAP over TLS (port 389) and SSL (636)" in `Server Settings` -> `LDAP Service`?

Post's attachments: Screenshot 2025-11-09 at 09.50.13.png (353.14 kb)

5

Re: Cannot connect to ldaps

ZhangHuangbin wrote:

Did you toggle on the option "Enable LDAP over TLS (port 389) and SSL (636)" in `Server Settings` -> `LDAP Service`?

Yes, this was already on.

6

Re: Cannot connect to ldaps

- Is openldap service listening on port 636?
- Try to turn off firewall service (nftables) temporarily and try again.

7

Re: Cannot connect to ldaps

root@mail:~# lsof -i:636
COMMAND     PID     USER   FD   TYPE     DEVICE SIZE/OFF NODE NAME
slapd   4170517 openldap   11u  IPv4 1267723477      0t0  TCP *:ldaps (LISTEN)
slapd   4170517 openldap   12u  IPv6 1267723478      0t0  TCP *:ldaps (LISTEN)
root@mail:~# systemctl stop nftables
root@mail:~# ldapsearch -v -LL -x -z5 -H ldaps://127.0.0.1:636 -D 'cn=vmail,dc=mydomain,dc=com' -w "vmailldappassword" -b 'dc=mydomain,dc=com' -s sub '(&(objectclass=mailUser)(enabledService=nextcloud))'
ldap_initialize( ldaps://127.0.0.1:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

OpenLDAP is listening on 636. With nftables turned off, the result is the same.
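When the port is listening, the firewall is off and ldapsearch still reports "Can't contact LDAP server (-1)", the client has almost always aborted during the TLS handshake, and plain ldapsearch hides why. The script below is an added example for this thread, not code from the posts or from iRedMail: it checks the endpoint one layer at a time (TLS handshake with openssl s_client, then LDAP over that channel with libldap's own debugging on) and reduces the TLS messages that `ldapsearch -d 1` prints to a one-word verdict. It assumes ldap-utils and openssl are installed; mail.example.com, the CA path and the sample debug lines used to exercise the classifier are placeholders or constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from iRedMail: check an ldaps:// endpoint
# one layer at a time (TCP reachability, TLS handshake, LDAP over that channel).
# Assumes ldap-utils and openssl are installed; mail.example.com is a placeholder.
# Usage: sh ldaps-diag.sh mail.example.com 636 [/path/to/ca.pem]

# Turn the TLS lines that `ldapsearch -d 1` writes to stderr into a one-word
# verdict. Without -d, all of them collapse into "Can't contact LDAP server (-1)".
# Reads the debug output on stdin. A specific message wins over the generic
# "TLS: can't connect" line that libldap prints next to it.
classify_tls_debug() {
    verdict=tcp-or-unknown
    while IFS= read -r line; do
        case $line in
            *"TLS: peer cert untrusted or revoked"*|*"certificate verify failed"*)
                verdict=untrusted-cert ;;
            *"does not match common name in certificate"*)
                verdict=hostname-mismatch ;;
            *"TLS: can't connect"*)
                if [ "$verdict" = tcp-or-unknown ]; then verdict=handshake-failed; fi ;;
        esac
    done
    printf '%s\n' "$verdict"
}

# TLS handshake with OpenSSL, verified against the given CA file or the system
# store, showing what slapd actually presents. A "Verify return code" other
# than 0 (ok) means ldapsearch will refuse the server too unless TLS_REQCERT
# is relaxed; a "connect:" error means nothing accepted the TCP connection.
tls_check() {
    host=$1; port=$2; ca=$3
    caopt=""
    [ -n "$ca" ] && caopt="-CAfile $ca"
    # shellcheck disable=SC2086  # caopt is intentionally word-split
    openssl s_client -connect "$host:$port" -servername "$host" $caopt </dev/null 2>&1 \
        | grep -E '(^subject=|^issuer=|Verify return code|connect:|Protocol *:|Cipher is)' || true
}

# Base-scope search of the root DSE over ldaps:// with libldap debugging on.
# Any LDAP result at all, including a refusal of the anonymous bind, proves the
# TCP and TLS layers work; only "Can't contact LDAP server" means the client
# gave up before a single LDAP message was exchanged.
ldap_check() {
    host=$1; port=$2
    url="ldaps://$host:$port"
    status=0
    out=$(ldapsearch -x -d 1 -H "$url" -s base -b '' '(objectClass=*)' namingContexts 2>&1) || status=$?
    if [ "$status" -eq 0 ]; then
        printf 'ldaps OK: %s\n' "$(printf '%s\n' "$out" | grep '^namingContexts' || true)"
        return 0
    fi
    case $out in
        *"Can't contact LDAP server"*)
            printf 'transport failed, verdict: %s\n' "$(printf '%s\n' "$out" | classify_tls_debug)"
            # Retry with certificate checking off (diagnosis only, never for a
            # real integration). Success here pins the fault on the client's
            # trust of the server certificate: TLS_CACERT in /etc/ldap/ldap.conf,
            # or a chain or name problem in the files slapd.conf points at.
            if LDAPTLS_REQCERT=never ldapsearch -x -H "$url" -s base -b '' '(objectClass=*)' >/dev/null 2>&1; then
                printf 'works with LDAPTLS_REQCERT=never: the client does not trust the server certificate\n'
            fi ;;
        *)
            printf 'TLS is fine; slapd answered with an LDAP error (exit %s):\n' "$status"
            printf '%s\n' "$out" | grep -E '^(ldap_|result:)' || true ;;
    esac
    return 1
}

ldaps_diag() {
    host=$1; port=${2:-636}; ca=${3:-}
    printf '== TLS handshake (openssl s_client) ==\n'
    tls_check "$host" "$port" "$ca"
    printf '== LDAP over TLS (ldapsearch -d 1) ==\n'
    ldap_check "$host" "$port"
}

if [ $# -ge 1 ]; then ldaps_diag "$@"; fi
```

Run it against the FQDN that appears in the server certificate rather than 127.0.0.1, because name checking is part of what is being tested, and pass the CA that signed the slapd certificate as the third argument when it is not in the system store. The LDAPTLS_REQCERT=never retry exists only to localise the fault; an integration that ships with it disabled has no server authentication at all.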

8

Re: Cannot connect to ldaps

Does it work if you replace the 127.0.0.1 by server hostname?

ldapsearch ... -H ldaps://<hostname>:636 ...

9

Re: Cannot connect to ldaps

FYI interesting article:
https://blog.oholics.net/ldapsearch-syn … and-sldap/

10

Re: Cannot connect to ldaps

ZhangHuangbin wrote:

Does it work if you replace the 127.0.0.1 by server hostname?

I tried with FQDN, no change. Still says Can't contact LDAP server (-1).

ZhangHuangbin wrote:

FYI interesting article:
https://blog.oholics.net/ldapsearch-syn … and-sldap/

It appears that the -h option has been removed from ldapsearch, so I can't try the non-URI option this article shows to see if I get the same error.