Keyserver not reachable, ldapsearch returns no results - error code 32

Article ID: 159070

Products

Encryption Management Server Gateway Email Encryption

Issue/Introduction

The keyserver service on Symantec Encryption Management Server does not return any results.
Testing with an LDAP browser or with "ldapsearch" (a command-line tool that ships with the Encryption Server and with most Linux distributions) fails with error code 32, "No such object".

The error "No such object (32)" is returned when running an ldapsearch query such as the following (the filter in the command and in the verbose output must match; here both search for "user1"):

# ldapsearch -h keys.mydomain.com -b "o=Searchable PGP keys" -x -v -LLL "pgpUserID=*user1*"
ldap_initialize( ldap://keys.mydomain.com )
filter: pgpUserID=*user1*
requesting: All userApplication attributes
No such object (32)

The expected output would instead list the keys and details of the internal users whose user ID contains the string "user1", such as Testuser1, testuser12 or user123.

Cause

Another service is listening on TCP port 389, the default LDAP port. LDAP requests therefore reach that service instead of the keyserver process, and the requested base object does not exist there.

Resolution

While at the command line, run the following command and check whether the output resembles the example below (the pattern ':389 ' avoids false matches on other ports such as 3389):
# netstat | head -2 ; netstat -tulpen | grep ':389 '
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.168.0.1:389             0.0.0.0:*                   LISTEN      2591/http

This means that the httpd process (the Apache web server) is bound to TCP port 389, so LDAP requests are answered by the web server rather than by the keyserver.

The process that should own this port is "pgptcpwrapper", which handles the keyserver's LDAP requests. On a healthy system the listing looks like this:

# netstat | head -2 ; netstat -tulpen | grep ':389 '
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 192.168.0.1:389             0.0.0.0:*                   LISTEN      0          7187231    30676/pgptcpwrapper

To resolve the problem, open the "Services" tab in the administrative console and check which network service has been configured to listen on that port, then correct the port.
The services listed there, such as Web Email Protection (default port 443), Verified Directory (default port 80) or Certificate Revocation (default port 80), are the possible candidates. If, for example, someone has configured the Certificate Revocation service to listen on port 389, the web server will bind port 389 in addition to its default ports.

Reconfigure that service to listen on another port and save the changes; the network services are then restarted.

Afterwards it may be necessary to restart the Symantec Encryption Management Server, or to restart the pgptcpwrapper service from the command line, and then confirm which process owns port 389:

# pgpsysconf --restart pgptcpwrapper
# netstat -tulpen | grep ':389 '

...
tcp        0      0 192.168.0.1:389            0.0.0.0:*                   LISTEN      2600/pgptcpwrapper

The keyserver should now answer LDAP requests again. Verify this by repeating the ldapsearch command from above; it should now return the matching keys instead of error 32.
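The port check above is easy to get wrong with a bare "grep 389", which also matches ports such as 3389 or a PID containing 389. The following shell script is an added example, not part of the original article or of the Encryption Management Server product: it parses "netstat -tulpen" output, extracts the owner of a given port by exact match, and reports whether that owner is the expected pgptcpwrapper process. The two netstat listings embedded in the script are constructed samples modelled on the article's output; their PID and inode values are made up.

```shell
#!/bin/sh
# Added example (not from the original article): find out which process
# owns the keyserver's LDAP socket and flag it when it is not pgptcpwrapper.
# Input is "netstat -tulpen" output, whose columns are: Proto Recv-Q Send-Q
# Local Address, Foreign Address, State, User, Inode, PID/Program name
# (UDP rows have no State column, so we read the last field, not a fixed one).

# Constructed sample: the broken state, httpd has taken port 389.
# PIDs and inode numbers are invented for this example.
SAMPLE_BAD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 192.168.0.1:389         0.0.0.0:*               LISTEN      0          123456     2591/httpd
tcp        0      0 192.168.0.1:443         0.0.0.0:*               LISTEN      0          123457     2591/httpd
tcp        0      0 192.168.0.1:3389        0.0.0.0:*               LISTEN      0          123458     4000/other'

# Constructed sample: the healthy state after the fix.
SAMPLE_GOOD='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       User       Inode      PID/Program name
tcp        0      0 192.168.0.1:389         0.0.0.0:*               LISTEN      0          7187231    30676/pgptcpwrapper
tcp        0      0 192.168.0.1:443         0.0.0.0:*               LISTEN      0          123457     2591/httpd'

# port_owner PORT: read netstat -tulpen output on stdin and print the
# "PID/Program" field of every listener whose local address ends in ":PORT".
# The port is compared exactly, so :3389 is never mistaken for :389.
port_owner() {
    awk -v port="$1" '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            n = split($4, a, ":")
            if (a[n] == port) print $NF
        }'
}

# check_port_owner PORT EXPECTED: return 0 if every listener on PORT is the
# program EXPECTED (name after the slash), 1 otherwise; prints a verdict.
check_port_owner() {
    port="$1"; expected="$2"
    owners=$(port_owner "$port")
    if [ -z "$owners" ]; then
        echo "port $port: nothing is listening"
        return 1
    fi
    status=0
    for o in $owners; do
        prog=${o#*/}
        if [ "$prog" = "$expected" ]; then
            echo "port $port: OK, owned by $o"
        else
            echo "port $port: WRONG owner $o (expected $expected)"
            status=1
        fi
    done
    return $status
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_BAD"  | check_port_owner 389 pgptcpwrapper \
    || echo "-> reconfigure the service that took port 389, then restart pgptcpwrapper"
printf '%s\n' "$SAMPLE_GOOD" | check_port_owner 389 pgptcpwrapper

# On a real Encryption Management Server, run it against the live table
# (only when LIVE is set, so the demo stays runnable without netstat):
if [ -n "$LIVE" ]; then
    netstat -tulpen | check_port_owner 389 pgptcpwrapper
fi
```

Run it as root with LIVE=1 on the server so that netstat can show the PID/Program name column; without root that column reads "-" and the check reports a wrong owner even when the port is fine.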


Applies To

Symantec Encryption Management Server