[CentOS] LDAP/iptables
Thomas E Dukes
edukes at alltel.net
Mon Sep 5 12:06:36 UTC 2005
> -----Original Message-----
> From: centos-bounces at centos.org
> [mailto:centos-bounces at centos.org] On Behalf Of Sean O'Connell
> Sent: Sunday, September 04, 2005 10:43 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] LDAP/iptables
>
> On Sun, 2005-09-04 at 20:39 -0400, Thomas E Dukes wrote:
> >
> > > -----Original Message-----
> > > From: centos-bounces at centos.org
> > > [mailto:centos-bounces at centos.org] On Behalf Of Johnny Hughes
> > > Sent: Sunday, September 04, 2005 11:16 AM
> > > To: CentOS ML
> > > Subject: Re: [CentOS] LDAP/iptables
> > >
> > > On Sun, 2005-09-04 at 09:10 -0400, Thomas E Dukes wrote:
> > > > Hello,
> > > >
> > > > I am trying to get LDAP running. So far, the server is
> > > > running but I cannot connect to port 389 or the server using
> > > > webmin or phpldapadmin. It could be my ISP has blocked this
> > > > port but I'm not sure. I have tried to telnet to port 389 but
> > > > it is refused. All other services run fine.
> > > >
> > > > I use the iptables ruleset found in the IP-Masquerade HowTo.
> > > > Below is the ruleset I follow for opening ports for external
> > > > access. For some reason it won't open 389.
> > > >
> > > > $IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
> > > >   -p tcp -s $UNIVERSE -d $EXTIP --dport 389 -j ACCEPT
> > > >
> > > > Where $EXTIF = eth0 and $EXTIP = my ipaddress
> > > >
> > > > Does anyone know what I may be doing wrong?
> > > >
> > > > TIA
> > > >
> > > >
> > >
> > > If you are trying to connect from the outside from another PC ...
> > > and if the firewall and ldap are installed on the same PC, that
> > > should work to allow connection to port 389.
> > >
> > > If you are trying to connect directly to port 389 from an
> > > internal IP, that probably won't work. (you will need to do
> > > something to PREROUTING chain to get the packets routed to the
> > > EXTIF)
> > >
> > > BUT ... you shouldn't need to do either of those if you are also
> > > running webmin or phpmyadmin also on that machine ... if you
> > > listen on the internal IP at port 389 and not the external IP.
> > >
> > > Does netstat -aptn show you listening on the internal / external /
> > > or loopback ip on port 389 (or more than one of them).
> >
> > Hello,
> >
> > Running netstat -aptn shows nothing for port 389. This doesn't
> > make sense.
>
> Is slapd (assuming you are using openldap) running?
>
> ps -ef |grep slapd
>
> (for example here is the output from one of the centos boxes
> running ldap).
>
> ldap 9032 1 0 04:04 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:///
Hello Sean,
Here's the output for ps -ef | grep slapd:
ldap 1928 1 0 00:03 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldap:///
root 15066 15003 0 07:29 tty1 00:00:00 grep slapd
>
> (or pgrep -l slapd). You can also use service slapd status
> (though, this isn't always 100% reliable).
>
> The openldap server, outputs to syslog on local4 by default.
> It's possible that there are errors or issues with your
> /etc/openldap/slapd.conf that are causing slapd to fail to start.
> You can edit /etc/syslog.conf and add a few lines like
>
> local4.* /var/log/ldap.log
>
> Then run service syslog restart (or HUP syslogd) to pickup
> the changes.
Here's the output to ldap.log after adding the above to syslog:
Sep 5 07:43:43 palmettodomains slapd[15571]: @(#) $OpenLDAP: slapd 2.2.13 (Apr 28 2005 19:30:08) $ buildsys at bob:/home/buildsys/rpmbuild/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
Sep 5 07:43:43 palmettodomains slapd[15571]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Sep 5 07:43:43 palmettodomains slapd[15571]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Sep 5 07:43:43 palmettodomains slapd[15571]: bdb_db_init: Initializing BDB database
I think everything is running but I can't connect to port 389.
Can you think of anything else?
Thanks!!
Eddie
> Then try starting the ldap service and see what's being
> output to the log file. You can also use the -d (debug) flag
> to run slapd in the foreground with a fairly verbose output
>
> slapd -d 5 -u ldap -h "ldap:/// ldaps:///" 2>&1 | tee /tmp/ldap.out
>
> To see what might be happening. I'd also recommend setting up
> the syslog anyway to be able to see what's going on.
>
> Sean
>
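As an added example that is not part of this thread, the check Johnny suggested (netstat -aptn for port 389) turned into a small sh script: it lists the bind addresses slapd is listening on and classifies them as loopback, internal or external, which is what decides whether the iptables rule on eth0 can ever matter. The netstat sample below is constructed, not the poster's output.

```shell
#!/bin/sh
# Added example (not from the thread): parse `netstat -aptn` output and
# report whether port 389 is listening and from where it is reachable.

# Constructed sample of `netstat -aptn` output; real output varies by host.
SAMPLE_NETSTAT='Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address    Foreign Address  State   PID/Program name
tcp        0      0 0.0.0.0:22       0.0.0.0:*        LISTEN  812/sshd
tcp        0      0 127.0.0.1:389    0.0.0.0:*        LISTEN  1928/slapd
tcp        0      0 192.168.1.2:80   0.0.0.0:*        LISTEN  901/httpd'

# ldap_listeners NETSTAT_TEXT: print "bind-address program" for each TCP
# socket in LISTEN state on port 389.
ldap_listeners() {
  printf '%s\n' "$1" | awk '
    $1 == "tcp" && $6 == "LISTEN" && $4 ~ /:389$/ {
      addr = $4; sub(/:389$/, "", addr)      # strip the port
      split($7, prog, "/")                   # "1928/slapd" -> slapd
      print addr, prog[2]
    }'
}

# classify_bind ADDRESS: who can reach a socket bound to this address?
classify_bind() {
  case "$1" in
    0.0.0.0|::|'*')            echo all ;;
    127.*|::1)                 echo loopback ;;
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo internal ;;
    *)                         echo external ;;
  esac
}

# ldap_diagnosis NETSTAT_TEXT: not-listening (slapd down or on another
# port), loopback-only (no firewall rule on eth0 can help), internal-only
# (external clients cannot reach it) or reachable (external/wildcard bind).
ldap_diagnosis() {
  listeners=$(ldap_listeners "$1")
  [ -n "$listeners" ] || { echo not-listening; return; }
  result=loopback-only
  for addr in $(printf '%s\n' "$listeners" | awk '{print $1}'); do
    case "$(classify_bind "$addr")" in
      all|external) echo reachable; return ;;
      internal)     result=internal-only ;;
    esac
  done
  echo "$result"
}
```

On a live box run `ldap_diagnosis "$(netstat -aptn)"`; with the sample above it reports loopback-only, the case where opening 389 in iptables changes nothing.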