How to enable LDAP ports in iptables for OpenLDAP client node
- To: openldap-technical@openldap.org
- Subject: How to enable LDAP ports in iptables for OpenLDAP client node
- From: Qian Zhang <zhq527725@gmail.com>
- Date: Mon, 13 Aug 2012 13:47:00 +0800
Hi All,
I have a RHEL 6.2 machine which is set up as an OpenLDAP client, and I
can log into it with an LDAP user.
Now, for security reasons, I need to prohibit any non-root user from
accessing the network:
# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 REJECT all -- 0.0.0.0/0 0.0.0.0/0 ! owner UID match 0 reject-with icmp-port-unreachable
But if I do this in iptables, LDAP has problems: "getent passwd" cannot
get any LDAP users, and I can no longer log into this machine with an
LDAP user. So I think I need to open the LDAP ports in iptables. What I
did is:
# /etc/init.d/iptables status
Table: filter
Chain INPUT (policy ACCEPT)
num target prot opt source destination
Chain FORWARD (policy ACCEPT)
num target prot opt source destination
Chain OUTPUT (policy ACCEPT)
num target prot opt source destination
1 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp spt:389 dpt:389
2 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp spt:389 dpt:389
3 REJECT all -- 0.0.0.0/0 0.0.0.0/0 ! owner UID match 0 reject-with icmp-port-unreachable
But it did not work. Are there any ports I missed? Or is what I set up in
iptables not correct? My /etc/openldap/ldap.conf:
URI ldap://172.17.27.159:389
BASE dc=base,dc=com
TLS_CACERTDIR /etc/openldap/cacerts
Regards,
Qian
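An added example (not part of the original post) of an OUTPUT chain for a locked-down LDAP client. It assumes the reason the posted rules fail is that they match "spt:389 dpt:389", i.e. both source and destination port 389, while a client connects from an ephemeral source port, so the ACCEPT rules never match and the catch-all REJECT wins; the server address is taken from the poster's ldap.conf, everything else is constructed.

```shell
#!/bin/sh
# Added example: OUTPUT rules for an OpenLDAP client where only root and
# the LDAP client traffic may leave the box. The posted rules used
# "spt:389 dpt:389", which an outgoing client connection never matches;
# here only the destination port (and server address) is matched.
LDAP_SERVER="172.17.27.159"   # from the poster's ldap.conf
LDAP_PORT="389"

# Print the rules in the order they must be appended: iptables stops at
# the first matching rule, so every ACCEPT must sit above the final REJECT.
ldap_client_rules() {
  cat <<EOF
iptables -A OUTPUT -o lo -J ACCEPT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -p tcp -d $LDAP_SERVER --dport $LDAP_PORT -m state --state NEW -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner 0 -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Sanity check on the generated set: no rule may match on the source port,
# the LDAP rule must match on the destination port, and the catch-all
# REJECT must be the last rule.
check_rules() {
  rules=$(ldap_client_rules)
  echo "$rules" | grep -q -- '--sport' && return 1
  echo "$rules" | grep -q -- "--dport $LDAP_PORT" || return 1
  [ "$(echo "$rules" | tail -n 1 | grep -c REJECT)" -eq 1 ] || return 1
  return 0
}

# Apply the rules only when running as root with iptables available;
# otherwise just print them for review. Not called automatically.
apply_rules() {
  if [ "$(id -u)" -eq 0 ] && command -v iptables >/dev/null 2>&1; then
    iptables -F OUTPUT
    ldap_client_rules | sh -e
    iptables -L OUTPUT -n --line-numbers   # verify the order after applying
  else
    ldap_client_rules
  fi
}
```

With these rules in place, "getent passwd" as a non-root user should return LDAP entries again, because the lookup's TCP connection to port 389 is accepted before the owner-based REJECT is reached.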