[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Cannot connect to OpenLDAP Server remotely
What does '/bin/netstat -at' say your ldap server is bound to?
I'm inclined to believe the port scan that said your LDAP port was
filtered. I'm no FC3 expert, but I seem to recall that they use an
iptables configuration that is set to filter pretty much everything out of
the box. Run /sbin/iptables to see if your ldap port is explicitly
punched through.
On Fri, 25 Mar 2005, Myles Merrell wrote:
>
>I have set up an OpenLDAP Server on a box running Fedora Core 3. OpenLDAP
>was installed from the RPMS on the distribution CDs.
>
>I was able to configure the OpenLDAP sever and get it running. On the
>server I could connect to it using the command line as well as perl scripts
>and simple Java Applications. However, when I try to access it from another
>machine, I get a failure to connect error. I tried running it on different
>ports like 9090 and 9909, but the same problem occurred. I ran port scans
>of the server from itself (the LDAP port is open|filtered) and from the
>remote computer (the LDAP port is filtered). The firewall on our network
>doesn't filter internal traffic, so it can't be that. Is there something
>that needs to be configured to allow external access? I'm assuming openldap
>creates the socket and should open the port. Any help would be greatly
>appreciated. Below are copies of my slapd.conf file if that helps.
>
>Thanks.
>myles.
>
>--slapd.conf--
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include /etc/openldap/schema/core.schema
>include /etc/openldap/schema/cosine.schema
>include /etc/openldap/schema/inetorgperson.schema
>include /etc/openldap/schema/nis.schema
>
># Allow LDAPv2 client connections. This is NOT the default.
># allow bind_v2
>
># Do not enable referrals until AFTER you have a working directory
># service AND an understanding of referrals.
>#referral ldap://root.openldap.org
>
>pidfile /var/run/slapd.pid
>argsfile /var/run/slapd.args
>
># Load dynamic backend modules:
># modulepath /usr/sbin/openldap
># moduleload back_bdb.la
># moduleload back_ldap.la
># moduleload back_ldbm.la
># moduleload back_passwd.la
># moduleload back_shell.la
>
># The next three lines allow use of TLS for encrypting connections using a
># dummy test certificate which you can generate by changing to
># /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
># slapd.pem so that the ldap user or group can read it. Your client
>software
># may balk at self-signed certificates, however.
># TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
># TLSCertificateFile /usr/share/ssl/certs/slapd.pem
># TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
>
># Sample security restrictions
># Require integrity protection (prevent hijacking)
># Require 112-bit (3DES or better) encryption for updates
># Require 63-bit encryption for simple bind
># security ssf=1 update_ssf=112 simple_bind=64
>
># Sample access control policy:
># Root DSE: allow anyone to read it
># Subschema (sub)entry DSE: allow anyone to read it
># Other DSEs:
># Allow self write access
># Allow authenticated users read access
># Allow anonymous users to authenticate
># Directives needed to implement policy:
># access to dn.base="" by * read
># access to dn.base="cn=Subschema" by * read
># access to *
># by self write
># by users read
># by anonymous auth
>#
># if no access controls are present, the default policy
># allows anyone and everyone to read anything but restricts
># updates to rootdn. (e.g., "access to * by * read")
>#
># rootdn can always read and write EVERYTHING!
>
>#######################################################################
># ldbm and/or bdb database definitions
>#######################################################################
>
>database bdb
>suffix "dc=cleverex,dc=com"
>rootdn "cn=Manager,dc=cleverex,dc=com"
># Cleartext passwords, especially for the rootdn, should
># be avoided. See slappasswd(8) and slapd.conf(5) for details.
># Use of strong authentication encouraged.
># rootpw secret
>rootpw {SSHA}zWu3MH80mGQ6Crdu3QR5Qe93UXv4a9QG
>
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd and slap tools.
># Mode 700 recommended.
>directory /var/lib/ldap
>
># Indices to maintain for this database
>index objectClass eq,pres
>index ou,cn,mail,surname,givenname eq,pres,sub
>index uidNumber,gidNumber,loginShell eq,pres
>index uid,memberUid eq,pres,sub
>index nisMapName,nisMapEntry eq,pres,sub
>
># Replicas of this database
>#replogfile /var/lib/ldap/openldap-master-replog
>#replica host=ldap-1.example.com:389 starttls=critical
># bindmethod=sasl saslmech=GSSAPI
># authcId=host/ldap-master.example.com@EXAMPLE.COM
>
--
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342