
Re: Cannot connect to OpenLDAP Server remotely



What does '/bin/netstat -at' say your ldap server is bound to?

I'm inclined to believe the port scan that said your LDAP port was
filtered.  I'm no FC3 expert, but I seem to recall that they use an
iptables configuration that is set to filter pretty much everything out of
the box.  Run /sbin/iptables to see if your ldap port is explicitly
punched through.

On Fri, 25 Mar 2005, Myles Merrell wrote:

>
>I have set up an OpenLDAP Server on a box running Fedora Core 3.  OpenLDAP
>was installed from the RPMS on the distribution CDs.
>
>I was able to configure the OpenLDAP server and get it running.  On the
>server I could connect to it using the command line as well as perl scripts
>and simple Java Applications.  However, when I try to access it from another
>machine, I get a failure to connect error.  I tried running it on different
>ports like 9090 and 9909, but the same problem occurred.  I ran port scans
>of the server from itself (the LDAP port is open|filtered) and from the
>remote computer (the LDAP port is filtered).  The firewall on our network
>doesn't filter internal traffic, so it can't be that.  Is there something
>that needs to be configured to allow external access?  I'm assuming openldap
>creates the socket and should open the port.  Any help would be greatly
>appreciated.  Below are copies of my slapd.conf file if that helps.
>
>Thanks.
>myles.
>
>--slapd.conf--
>#
># See slapd.conf(5) for details on configuration options.
># This file should NOT be world readable.
>#
>include		/etc/openldap/schema/core.schema
>include		/etc/openldap/schema/cosine.schema
>include		/etc/openldap/schema/inetorgperson.schema
>include		/etc/openldap/schema/nis.schema
>
># Allow LDAPv2 client connections.  This is NOT the default.
># allow bind_v2
>
># Do not enable referrals until AFTER you have a working directory
># service AND an understanding of referrals.
>#referral	ldap://root.openldap.org
>
>pidfile		/var/run/slapd.pid
>argsfile	/var/run/slapd.args
>
># Load dynamic backend modules:
># modulepath	/usr/sbin/openldap
># moduleload	back_bdb.la
># moduleload	back_ldap.la
># moduleload	back_ldbm.la
># moduleload	back_passwd.la
># moduleload	back_shell.la
>
># The next three lines allow use of TLS for encrypting connections using a
># dummy test certificate which you can generate by changing to
># /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
># slapd.pem so that the ldap user or group can read it.  Your client software
># may balk at self-signed certificates, however.
># TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
># TLSCertificateFile /usr/share/ssl/certs/slapd.pem
># TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem
>
># Sample security restrictions
>#	Require integrity protection (prevent hijacking)
>#	Require 112-bit (3DES or better) encryption for updates
>#	Require 63-bit encryption for simple bind
># security ssf=1 update_ssf=112 simple_bind=64
>
># Sample access control policy:
>#	Root DSE: allow anyone to read it
>#	Subschema (sub)entry DSE: allow anyone to read it
>#	Other DSEs:
>#		Allow self write access
>#		Allow authenticated users read access
>#		Allow anonymous users to authenticate
>#	Directives needed to implement policy:
># access to dn.base="" by * read
># access to dn.base="cn=Subschema" by * read
># access to *
>#	by self write
>#	by users read
>#	by anonymous auth
>#
># if no access controls are present, the default policy
># allows anyone and everyone to read anything but restricts
># updates to rootdn.  (e.g., "access to * by * read")
>#
># rootdn can always read and write EVERYTHING!
>
>#######################################################################
># ldbm and/or bdb database definitions
>#######################################################################
>
>database	bdb
>suffix		"dc=cleverex,dc=com"
>rootdn		"cn=Manager,dc=cleverex,dc=com"
># Cleartext passwords, especially for the rootdn, should
># be avoided.  See slappasswd(8) and slapd.conf(5) for details.
># Use of strong authentication encouraged.
># rootpw		secret
>rootpw 		{SSHA}zWu3MH80mGQ6Crdu3QR5Qe93UXv4a9QG
>
># The database directory MUST exist prior to running slapd AND
># should only be accessible by the slapd and slap tools.
># Mode 700 recommended.
>directory	/var/lib/ldap
>
># Indices to maintain for this database
>index objectClass                       eq,pres
>index ou,cn,mail,surname,givenname      eq,pres,sub
>index uidNumber,gidNumber,loginShell    eq,pres
>index uid,memberUid                     eq,pres,sub
>index nisMapName,nisMapEntry            eq,pres,sub
>
># Replicas of this database
>#replogfile /var/lib/ldap/openldap-master-replog
>#replica host=ldap-1.example.com:389 starttls=critical
>#     bindmethod=sasl saslmech=GSSAPI
>#     authcId=host/ldap-master.example.com@EXAMPLE.COM
>

-- 
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
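The two checks suggested in the reply (what slapd is bound to, and whether iptables lets the port through) turned into a small diagnostic script. This is an added example, not code from the thread or from OpenLDAP; it assumes numeric `netstat -atn` output and `iptables-save` output rather than `netstat -at` with resolved service names, and the chain name and sample lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: the reply's two checks turned into a verdict.
# Parsers expect numeric `netstat -atn` and `iptables-save` output; every sample
# below is constructed, not captured from the poster's machine.

# check_bind PORT  < netstat -atn   ->  all | loopback | <address> | none
check_bind() {
  awk -v p="$1" '
    $NF == "LISTEN" {
      n = split($4, f, ":")
      if (f[n] != p) next
      host = substr($4, 1, length($4) - length(f[n]) - 1)     # strip ":PORT"
      if (host == "0.0.0.0" || host == "::" || host == "*") print "all"
      else if (host == "127.0.0.1" || host == "::1")         print "loopback"
      else                                                    print host
      found = 1; exit
    }
    END { if (!found) print "none" }'
}

# check_fw PORT  < iptables-save   ->  accept | blocked | open
# Walks -A rules in file order (fine for an INPUT chain that jumps to one custom
# chain); -i lo rules are skipped because they never help a remote client.
check_fw() {
  awk -v p="$1" '
    /^-A/ {
      if ($0 ~ /-i lo( |$)/) next
      if ($0 ~ ("--dport " p "( |$)") && $0 ~ /-j ACCEPT/)           { print "accept";  done = 1; exit }
      if ($0 !~ /-p / && $0 !~ /--dport/ && $0 ~ /-j (REJECT|DROP)/) { print "blocked"; done = 1; exit }
    }
    END { if (!done) print "open" }'
}

# diagnose BIND FW  ->  one-line verdict; a listener problem outranks a firewall problem
diagnose() {
  case "$1:$2" in
    none:*)     echo "slapd is not listening on that port at all" ;;
    loopback:*) echo "slapd listens on 127.0.0.1 only; fix the listener address, not the firewall" ;;
    *:blocked)  echo "slapd is reachable locally but iptables rejects the port; add an ACCEPT for it" ;;
    *)          echo "listener and firewall look fine; check the client and the network path" ;;
  esac
}
# Constructed samples: slapd on all interfaces, a default-style firewall admitting only ssh.
NETSTAT_SAMPLE='tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN'
FW_SAMPLE='-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'
diagnose "$(printf '%s\n' "$NETSTAT_SAMPLE" | check_bind 389)" "$(printf '%s\n' "$FW_SAMPLE" | check_fw 389)"
```

On a live box the same functions are fed with `netstat -atn | check_bind 389` and `iptables-save | check_fw 389`, both run as root.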