[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Cannot connect to OpenLDAP Server remotely
Useful information that you might have included in your post is:
1) OpenLDAP version
2) slapd(8) command line used to start server
3) client tool command line used
4) client output
5) note of what's happening (or not happening) in the server's
slapd (and other) logs, with relevant log entries.
Kurt
At 11:56 AM 3/25/2005, Myles Merrell wrote:
>I have set up an OpenLDAP Server on a box running Fedora Core 3. OpenLDAP
>was installed from the RPMS on the distribution CDs.
>
>I was able to configure the OpenLDAP sever and get it running. On the
>server I could connect to it using the command line as well as perl scripts
>and simple Java Applications. However, when I try to access it from another
>machine, I get a failure to connect error. I tried running it on different
>ports like 9090 and 9909, but the same problem occurred. I ran port scans
>of the server from itself (the LDAP port is open|filtered) and from the
>remote computer (the LDAP port is filtered). The firewall on our network
>doesn't filter internal traffic, so it can't be that. Is there something
>that needs to be configured to allow external access? I'm assuming openldap
>creates the socket and should open the port. Any help would be greatly
>appreciated. Below are copies of my slapd.conf file if that helps.
>
>Thanks.
>myles.
>
>--slapd.conf--
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/nis.schema
>
># Allow LDAPv2 client connections. This is NOT the default.
># allow bind_v2
>
># Do not enable referrals until AFTER you have a working directory
># service AND an understanding of referrals.
>#referral ldap://root.openldap.org
>
>pidfile /var/run/slapd.pid
>argsfile /var/run/slapd.args
>
># Load dynamic backend modules:
># modulepath /usr/sbin/openldap
># moduleload back_bdb.la
># moduleload back_ldap.la
># moduleload back_ldbm.la
># moduleload back_passwd.la
># moduleload back_shell.la
>
># The next three lines allow use of TLS for encrypting connections using a
># dummy test certificate which you can generate by changing to
># /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
># slapd.pem so that the ldap user or group can read it. Your client
>software
># may balk at self-signed certificates, however.
># TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
># TLSCertificateFile /usr/share/ssl/certs/slapd.pem
># TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
>
># Sample security restrictions
># Require integrity protection (prevent hijacking)
># Require 112-bit (3DES or better) encryption for updates
># Require 63-bit encryption for simple bind
># security ssf=1 update_ssf=112 simple_bind=64
>
># Sample access control policy:
># Root DSE: allow anyone to read it
># Subschema (sub)entry DSE: allow anyone to read it
># Other DSEs:
># Allow self write access
># Allow authenticated users read access
># Allow anonymous users to authenticate
># Directives needed to implement policy:
># access to dn.base="" by * read
># access to dn.base="cn=Subschema" by * read
># access to *
># by self write
># by users read
># by anonymous auth
>#
># if no access controls are present, the default policy
># allows anyone and everyone to read anything but restricts
># updates to rootdn. (e.g., "access to * by * read")
>#
># rootdn can always read and write EVERYTHING!
>
>#######################################################################
># ldbm and/or bdb database definitions
>#######################################################################
>
>database bdb
>suffix "dc=cleverex,dc=com"
>rootdn "cn=Manager,dc=cleverex,dc=com"
># Cleartext passwords, especially for the rootdn, should
># be avoided. See slappasswd(8) and slapd.conf(5) for details.
># Use of strong authentication encouraged.
># rootpw secret
>rootpw {SSHA}zWu3MH80mGQ6Crdu3QR5Qe93UXv4a9QG
>
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd and slap tools.
># Mode 700 recommended.
>directory /var/lib/ldap
>
># Indices to maintain for this database
>index objectClass eq,pres
>index ou,cn,mail,surname,givenname eq,pres,sub
>index uidNumber,gidNumber,loginShell eq,pres
>index uid,memberUid eq,pres,sub
>index nisMapName,nisMapEntry eq,pres,sub
>
># Replicas of this database
>#replogfile /var/lib/ldap/openldap-master-replog
>#replica host=ldap-1.example.com:389 starttls=critical
># bindmethod=sasl saslmech=GSSAPI
># authcId=host/ldap-master.example.com@EXAMPLE.COM