
Re: listen-on-ip-address issue



On Fri, Dec 06, 2002 at 04:05:32PM +0100, Tony Earnshaw wrote:
>fre, 2002-12-06 kl. 11:12 skrev Arjen van Drie:
>
>> My question: why is there no traffic over this interface (172.16.3.1) over port 389,
>> but connects through e.g. ssh do not work if I don't let slapd bind on port 389 on
>> this interface?
>
>I'm trying hard to understand what you are asking. I speak and write
>fluent Dutch (have done so for 25 years), but even translating what you
>write back into Dutch doesn't make sense (in English that's called
>double Dutch).


When I put in my LDAP startup script
  daemon ${slapd} -u ldap -h '"ldap://127.0.0.1/ ldaps:///"'

in other words, when I let it listen on the loopback interface unencrypted, and on
all interfaces for encrypted binds, an ssh attempt to the host running slapd (the
local sshd does ldap requests over 127.0.0.1) fails.

when I put
  daemon ${slapd} -u ldap -h '"ldap://127.0.0.1/ ldap://172.16.3.1/ ldaps:///"'
(which in my case is identical to setting '"ldap:/// ldaps:///"')

the ssh attempt succeeds, but tcpdump doesn't show any traffic on port 389, so
I wonder why I need to have ldap listening on 172.16.3.1 unencrypted... I
want to exclude the possibility to have clients do unencrypted simple binds
over the network.

But in the meantime I resolved the problem, and it was pretty trivial. In
/etc/ldap.conf (for nsswitch) I had "host 172.16.3.1" and "ssl no", so if
nothing is running on this IP, then... tsk tsk tsk.

Thanks, by the way, for going so far as to even hang the IP address I use
on your interface. You're not turning nationalist after 25 years in the
Netherlands, are you, or is brotherly love a bit more international after all?
Maybe I'm actually a Belgian...

Thanks for the time you invested.

Grtz,
Arjen.


>
>I have the following in Red Hat /etc/rc.d/init.d/ldap:
>
>daemon ${slapd} -u ldap -h '"ldap:/// ldaps:///"'
>
>It works for unencrypted TCP bind on 127.0.0.1 port 389, SSL encrypted
>bind on port 636 and TLS encrypted bind on port 389.
>
>I don't use ssh to Openldap.
>
>Obviously I couldn't run my local daemon on another machine in the
>network. If I had to run the daemon locally on a second interface, let's
>say I had eth0 configured as your 172.16.3.1, that would work too. I
>just tried it, and it worked. Don't say that's not brotherly love :-)
>
>Best,
>
>Tonni
>
>Openldap 2.1.8, Sleepycat BDB 4.1.24
>
>-- 
>
>Tony Earnshaw
>
>When all's said and done ...
>there's nothing left to say or do.
>
>e-post:		tonni@billy.demon.nl
>www:		http://www.billy.demon.nl
>
>
>

-- 

Grtz, 

Arjen.
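The mismatch Arjen ran into (slapd only offering cleartext LDAP on 127.0.0.1 while nss_ldap was told "host 172.16.3.1" with "ssl no") is easy to catch by cross-checking the two configurations. The following is an added example, not code from the thread or from OpenLDAP/nss_ldap: it parses a slapd `-h` listener list and the handful of /etc/ldap.conf keywords that decide where nss_ldap connects, and reports three things: the client would do cleartext binds to a non-loopback address, the client's target is not served by any listener (which in the message above showed up as ssh logins failing), and slapd accepts cleartext LDAP on a network-reachable interface. The sample configurations embedded at the bottom are constructed to mirror the thread; the finding codes and helper names are this example's own.

```python
"""Cross-check slapd listener URLs against an nss_ldap /etc/ldap.conf.
Added example, not from the thread or the OpenLDAP project."""
import ipaddress
from urllib.parse import urlsplit

DEFAULT_PORT = {"ldap": 389, "ldaps": 636}


def parse_listeners(h_arg):
    """Parse a slapd -h argument ('ldap://127.0.0.1/ ldaps:///') into
    (scheme, host, port) tuples. host is None for a bare 'ldap:///',
    which binds every interface."""
    listeners = []
    for url in h_arg.split():
        u = urlsplit(url)
        listeners.append((u.scheme, u.hostname, u.port or DEFAULT_PORT.get(u.scheme)))
    return listeners


def parse_ldap_conf(text):
    """Minimal parser for the nss_ldap/pam_ldap ldap.conf keywords that decide
    where and how the client connects; every other keyword is ignored."""
    conf = {"host": None, "port": None, "uri": None, "ssl": "no"}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if len(parts) < 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "host":
            conf["host"] = value.split()[0]   # nss_ldap takes a list; first one used here
        elif key == "port":
            conf["port"] = int(value)
        elif key == "uri":
            conf["uri"] = value.split()[0]
        elif key == "ssl":
            conf["ssl"] = value.lower()       # no | on | start_tls
    return conf


def client_target(conf):
    """The (scheme, host, port) the client would actually connect to.
    'ssl on' means LDAPS on 636; 'ssl start_tls' is a plain TCP connect that is
    upgraded before any bind, which this check treats as protected."""
    if conf["uri"]:
        scheme, host, port = parse_listeners(conf["uri"])[0]
    else:
        scheme = "ldaps" if conf["ssl"] == "on" else "ldap"
        host = conf["host"]
        port = conf["port"] or DEFAULT_PORT[scheme]
    if conf["ssl"] == "start_tls" and scheme == "ldap":
        scheme = "ldap+starttls"
    return scheme, host, port


def is_loopback(host):
    """An unset client host is taken as the local box; a DNS name is assumed
    to resolve off-box (conservative)."""
    if host is None or host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def listener_accepts(listeners, scheme, host, port):
    """True if some slapd listener would accept this client connection."""
    wire = scheme.split("+")[0]
    return any(s == wire and p == port and (h is None or h == host)
               for s, h, p in listeners)


def audit(h_arg, ldap_conf_text):
    """Return the sorted list of finding codes for this server/client pair."""
    listeners = parse_listeners(h_arg)
    scheme, host, port = client_target(parse_ldap_conf(ldap_conf_text))
    findings = set()
    if scheme == "ldap" and not is_loopback(host):
        findings.add("CLIENT_CLEARTEXT_OVER_NETWORK")
    if not listener_accepts(listeners, scheme, host, port):
        findings.add("CLIENT_TARGET_NOT_LISTENING")
    # A cleartext listener on a non-loopback (or every) interface. Whether slapd
    # then refuses unprotected binds there (slapd.conf 'security' directive) is
    # outside this check.
    if any(s == "ldap" and (h is None or not is_loopback(h)) for s, h, _ in listeners):
        findings.add("SERVER_CLEARTEXT_ON_NETWORK_INTERFACE")
    return sorted(findings)


# Constructed inputs mirroring the thread.
LOOPBACK_ONLY = "ldap://127.0.0.1/ ldaps:///"
ALL_INTERFACES = "ldap:/// ldaps:///"
BROKEN_CONF = "host 172.16.3.1\nssl no\n"     # the /etc/ldap.conf that caused the trouble
FIXED_CONF = "host 127.0.0.1\nssl no\n"

if __name__ == "__main__":
    for h, conf in [(LOOPBACK_ONLY, BROKEN_CONF), (ALL_INTERFACES, BROKEN_CONF),
                    (LOOPBACK_ONLY, FIXED_CONF)]:
        print(h, "|", conf.replace("\n", " "), "->", audit(h, conf))
```

Run it and the first pair reports both the cleartext-over-network client setting and the missing listener, the second pair shows that widening slapd to all interfaces makes the lookups work only by exposing cleartext LDAP on the network, and the third pair (loopback on both sides) is clean.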