SSH connections attempts fail with "Can't contact LDAP Server."

  • 3078774
  • 02-May-2007
  • 26-Apr-2012


Novell NetWare 6.5


Can't login through SSH or SFTP, and sys:etc\ssh\logs\sshd.log shows:
error: Search for user in context O= failed with error Can't contact LDAP server, continuing search.

Other tests of LDAP services were functioning correctly.
Problem might only exist on one server. Other servers could form successful SSH connections.


The "Can't contact LDAP server" message can have more than one cause.  The steps in this TID are designed to cover multiple aspects to cover all the bases.
In a default setup, SSHD.NLM wants to find a local LDAP server (i.e. running on the same machine).   For this, NLDAP.NLM must be loaded on the server where SSHD.NLM is running.  For information on the option of configuring SSHD to use a remote LDAP server, search at for document 3783350.
If NLDAP is already loaded and functioning for other LDAP processes, then the file sys:\public\rootcert.der likely has a problem. This could be due to damage to that file itself, or the certificate it was generated from could be expired or have another problem.

Delete or rename the sys:public\rootcert.der and export a new one with the following steps:

1. Open ConsoleOne on a workstation (some of these steps aren't possible when running ConsoleOne on the NetWare server itself).
2. Open the "Properties" of the LDAP Server object for the server which is running SSHD.
3. Go to the SSL/TLS configuration tab, and note which Server Certificate object is being used. It is usually SSL CertificateDNS.
4. Close the LDAP Server Properties and open the Properties of the Server Certificate object identified in step 3. Make sure you get the right certificate, as each server may have one, similarly named. I.E. "SSL CertificateDNS - ServerName"
5. Go to the Certificates > Trusted Root tab.
6. Check the expiration date. If the certificate has expired, it will need to be replaced.  Proceed with the next step.
7. Click the "validate" button. If the certificate is not valid, it may need to be repaired or replaced.  Proceed with the next step.
8.  Even if steps 6 and 7 showed no problems, it would be best to run PKIDIAG to check for problems as well.  Any problems found in steps 6-8 can typically be resolved through PKIDIAG, though you need to switch it from "Diagnostic Mode" to "Fix mode" to have it actually make the changes.

Once steps 6 - 8 show no problems, proceed with the remaining steps.

9. From the Trusted Root tab, Click "Export."
10. Newer versions of ConsoleOne snapin will ask whether you want to export the private key. Select No.
11. Select the binary DER format.
12. Save the certificate. Move and/or rename it to sys:public\rootcert.der
13. Check the SYS:SYSTEM directory for an older copy of rootcert.der. If there is one there, either delete it or copy the new one there as well.
14. At the server console prompt, unload SSHD.NLM.  NOTE:  It is best to unload SSHD when no SSH or SFTP connections are active. If an attempt to unload is made while connections are active, SSHD will issue a warning and the action can be safely aborted.  There is a chance of abend when unloadiong SSHD.NLM with active connections, unless the SSH modules are from NetWare 6.5 SP8 or above.
15.  Unload NLDAP, then load NLDAP.  Load SSHD.  At this point, the new certificates should be read and ready to be used.

Additional Information

Formerly known as TID# 10094682