1 (edited by jsmith 2018-03-06 15:59:42)

Topic: iredadmin Error: {'desc': "Can't contact LDAP server"}

==== Required information ====
- iRedMail version (check /etc/iredmail-release): 0.9.7
- Linux/BSD distribution name and version: Debian Stretch
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? no
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====


Good morning,

I have set up a new server and had it working to a point. I can no longer access the iredadmin page; when I try to log in I get:

Error: {'desc': "Can't contact LDAP server"}

I'm not sure where I've gone wrong on this; the only thing I can think of is that I set up letsencrypt and used the suggestion in the nginx conf:


# To use your own ssl cert (e.g. LetsEncrypt), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
#


Is it possible this is the issue or should I look elsewhere?




Ah, I also cannot log in to the webmail or add an existing account on devices, all with their various default "cannot log in, check your password" messages. I've rebooted the server twice to ensure all services are restarted.


2

Re: iredadmin Error: {'desc': "Can't contact LDAP server"}

jsmith wrote:

Error: {'desc': "Can't contact LDAP server"}

LDAP service is not running. Please check its log file and fix the issue.

3 (edited by jsmith 2018-03-11 12:53:29)

Re: iredadmin Error: {'desc': "Can't contact LDAP server"}

Thank you, this is what I found:


/var/log/openldap.log

Feb 10 17:36:14 mail slapd[33837]: @(#) $OpenLDAP: slapd  (Aug 10 2017 19:12:46) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Feb 10 17:39:23 mail slapd[624]: @(#) $OpenLDAP: slapd  (Aug 10 2017 19:12:46) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Mar 11 02:52:28 mail slapd[529]: @(#) $OpenLDAP: slapd  (Aug 10 2017 19:12:46) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Mar 11 02:59:14 mail slapd[568]: @(#) $OpenLDAP: slapd  (Aug 10 2017 19:12:46) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Mar 11 03:13:19 mail slapd[537]: @(#) $OpenLDAP: slapd  (Aug 10 2017 19:12:46) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Mar 11 03:40:46 mail slapd[504]: @(#) $OpenLDAP: slapd  (Aug 10 2017 19:12:46) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Mar 11 03:49:05 mail slapd[518]: @(#) $OpenLDAP: slapd  (Aug 10 2017 19:12:46) $#012#011Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>


root@mail:/home/user# /etc/init.d/slapd start
[....] Starting slapd (via systemctl): slapd.serviceJob for slapd.service failed because the control process exited with error code.
See "systemctl status slapd.service" and "journalctl -xe" for details.
 failed!
root@mail:/home/user# systemctl status slapd.service
● slapd.service - LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)
   Loaded: loaded (/etc/init.d/slapd; generated; vendor preset: enabled)
   Active: failed (Result: exit-code) since Sun 2018-03-11 04:11:44 GMT; 18s ago
     Docs: man:systemd-sysv-generator(8)
  Process: 4402 ExecStart=/etc/init.d/slapd start (code=exited, status=1/FAILURE)

Mar 11 04:11:44 mail systemd[1]: Starting LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol)...
Mar 11 04:11:44 mail slapd[4406]: @(#) $OpenLDAP: slapd  (Aug 10 2017 19:12:46) $
                                          Debian OpenLDAP Maintainers <pkg-openldap-devel@lists.alioth.debian.org>
Mar 11 04:11:44 mail slapd[4406]: DIGEST-MD5 common mech free
Mar 11 04:11:44 mail slapd[4406]: DIGEST-MD5 common mech free
Mar 11 04:11:44 mail slapd[4402]: Starting OpenLDAP: slapd failed!
Mar 11 04:11:44 mail systemd[1]: slapd.service: Control process exited, code=exited status=1
Mar 11 04:11:44 mail systemd[1]: Failed to start LSB: OpenLDAP standalone server (Lightweight Directory Access Protocol).
Mar 11 04:11:44 mail systemd[1]: slapd.service: Unit entered failed state.
Mar 11 04:11:44 mail systemd[1]: slapd.service: Failed with result 'exit-code'.
root@mail:/home/user# journalctl -xe
-- Subject: Time change
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The system clock has been changed to REALTIME microseconds after January 1st, 1970.
Mar 11 04:12:10 mail systemd[3278]: Time has been changed
-- Subject: Time change
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The system clock has been changed to REALTIME microseconds after January 1st, 1970.
Mar 11 04:12:10 mail systemd[1]: Time has been changed
-- Subject: Time change
-- Defined-By: systemd
-- Support: https://www.debian.org/support
--
-- The system clock has been changed to REALTIME microseconds after January 1st, 1970.
Mar 11 04:12:10 mail systemd[1]: apt-daily-upgrade.timer: Adding 35min 50.128763s random time.
Mar 11 04:12:10 mail systemd[1]: certbot.timer: Adding 32min 58.308816s random time.
Mar 11 04:12:10 mail systemd[1]: apt-daily.timer: Adding 4h 19min 5.771952s random time.
Mar 11 04:12:10 mail postfix/pickup[1137]: D3E1B40829: uid=0 from=<root>
Mar 11 04:12:10 mail postfix/proxymap[2912]: warning: dict_ldap_connect: Unable to bind to server ldap://127.0.0.1:389 with dn cn=vmail,dc=<MYDOMAIN>,dc=co,dc=uk: -1 (Can't contact LDAP server)
Mar 11 04:12:10 mail postfix/cleanup[2911]: warning: proxy:ldap:/etc/postfix/ldap/sender_bcc_maps_user.cf lookup error for "root@mail.<MYDOMAIN>.co.uk"
Mar 11 04:12:10 mail postfix/cleanup[2911]: warning: D3E1B40829: sender_bcc_maps map lookup problem -- message not accepted, try again later
Mar 11 04:12:10 mail postfix/pickup[1137]: warning: maildrop/92CED40827: error writing D3E1B40829: queue file write error
Mar 11 04:12:15 mail systemd[1]: Time has been changed
-- Subject: Time change
-- Defined-By: systemd
-- Support: https://www.debian.org/support


Edit: It's also definitely the commands suggested in the nginx file that cause this:

# To use your own ssl cert (e.g. LetsEncrypt), please create symbol link to
# ssl cert/key used below, so that we can manage this config file with Ansible.
#
# For example:
#
# rm -f /etc/ssl/private/iRedMail.key
# rm -f /etc/ssl/certs/iRedMail.crt
# ln -s /etc/letsencrypt/live/<domain>/privkey.pem /etc/ssl/private/iRedMail.key
# ln -s /etc/letsencrypt/live/<domain>/fullchain.pem /etc/ssl/certs/iRedMail.crt
#


I luckily had a VM snapshot so I can repeat this. I have set up my server with LE as I have done with previous servers by ignoring the above advice and editing /etc/nginx/templates/ssl.tmpl as I used to. I have rebooted, logged off the iredadmin page several times and all works as expected. When I run those commands it continues to work until the next reboot.

4

Re: iredadmin Error: {'desc': "Can't contact LDAP server"}

*) Does your OpenLDAP config file use correct SSL cert/key?
*) Please check ALL parent directories of the ssl cert/key, it's likely that OpenLDAP cannot access one of them. (/etc/letsencrypt/{archive,live})

5 (edited by sayso 2018-03-30 11:53:06)

Re: iredadmin Error: {'desc': "Can't contact LDAP server"}

I just experienced this problem and found the directory /etc/letsencrypt/archive was set to 700. The fix is as follows:

chmod 750 /etc/letsencrypt/{live,archive}
chgrp ssl-cert /etc/letsencrypt/{live,archive}

Any program having problems accessing the certs can now be added to the ssl-cert group (openldap was already a member on my installation). Hope this helps someone.
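
The check asked for in post 4 (every parent directory of the cert/key) and the 700 mode found in post 5 can be audited in one pass. This is an added example, not part of the original thread or of iRedMail: the function names are made up for illustration, and it assumes GNU stat/readlink (as on Debian), an absolute path, and plain Unix mode bits (no ACLs).

```shell
#!/bin/sh
# Added example (not from the thread). Lists every path component that blocks a
# service account from reaching a TLS key, following each symlink hop.
# Reads owner/group/mode with GNU stat; ACLs and MAC policy are not considered.
# Run as root with an absolute path so every hop can be inspected.

# can_use USER "GROUP LIST" PATH BIT   (BIT: 4 = read, 1 = search/execute)
can_use() {
    info=$(stat -c '%U %G %a' "$3") || return 1
    owner=${info%% *}; rest=${info#* }; group=${rest%% *}; mode=${rest#* }
    m=$((0$mode))                           # %a is octal, e.g. 750 or 2750
    if [ "$owner" = "$1" ]; then perm=$(( (m >> 6) & 7 ))
    else
        case " $2 " in
            *" $group "*) perm=$(( (m >> 3) & 7 )) ;;
            *)            perm=$(( m & 7 )) ;;
        esac
    fi
    [ $(( perm & $4 )) -ne 0 ]
}

# walk USER "GROUP LIST" PATH: check ancestors of PATH and of each link target
walk() {
    p=$3; hops=0
    while :; do
        d=$(dirname "$p")
        while :; do
            can_use "$1" "$2" "$d" 1 || echo "no search permission: $d"
            case $d in /|.) break ;; esac
            d=$(dirname "$d")
        done
        [ -L "$p" ] && [ "$hops" -lt 16 ] || break
        t=$(readlink "$p"); hops=$((hops + 1))
        case $t in /*) ;; *) t=$(dirname "$p")/$t ;; esac
        p=$(readlink -f "$(dirname "$t")")/$(basename "$t")
    done
    can_use "$1" "$2" "$p" 4 || echo "no read permission: $p"
}

# audit_path USER "GROUP LIST" PATH: same as walk, each finding printed once
audit_path() { walk "$@" | awk '!seen[$0]++'; }

# Usage (names taken from the thread):
#   audit_path openldap "$(id -Gn openldap)" /etc/ssl/private/iRedMail.key
```

Empty output means every directory on the way to the key is searchable and the key itself is readable for that account; any line printed names the component to fix.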

6

Re: iredadmin Error: {'desc': "Can't contact LDAP server"}

@sayso, Thanks for sharing.