Hello,
I am trying to get LDAP running. So far, the server is running but I cannot connect to port 389 or the server using webmin or phpldapadmin. It could be my ISP has blocked this port but I'm not sure. I have tried to telnet to port 389 but it is refused. All other services run fine.
I use the iptables ruleset found in the IP-Masquerade HowTo. Below is the rule I follow for opening ports for external access. For some reason it won't open 389.
$IPTABLES -A INPUT -i $EXTIF -m state --state NEW,ESTABLISHED,RELATED \
    -p tcp -s $UNIVERSE -d $EXTIP --dport 389 -j ACCEPT
Where $EXTIF = eth0 and $EXTIP = my IP address
Does anyone know what I may be doing wrong?
TIA
On Sun, 2005-09-04 at 09:10 -0400, Thomas E Dukes wrote:
If you are trying to connect from the outside from another PC ... and if the firewall and ldap are installed on the same PC, that should work to allow connection to port 389.
If you are trying to connect directly to port 389 from an internal IP, that probably won't work. (You will need to do something to the PREROUTING chain to get the packets routed to the EXTIF.)
BUT ... you shouldn't need to do either of those if you are also running webmin or phpmyadmin on that machine ... if you listen on the internal IP at port 389 and not the external IP.
Does netstat -aptn show you listening on the internal / external / or loopback IP on port 389 (or more than one of them)?
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Johnny Hughes
Sent: Sunday, September 04, 2005 11:16 AM
To: CentOS ML
Subject: Re: [CentOS] LDAP/iptables
Hello,
Running netstat -aptn shows nothing for port 389. This doesn't make sense.
Thanks!!
On Sun, 2005-09-04 at 20:39 -0400, Thomas E Dukes wrote:
Is slapd (assuming you are using openldap) running?
ps -ef |grep slapd
(For example, here is the output from one of the CentOS boxes running ldap.)
ldap 9032 1 0 04:04 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:///
(or pgrep -l slapd). You can also use service slapd status (though, this isn't always 100% reliable).
The openldap server outputs to syslog on local4 by default. It's possible that there are errors or issues with your /etc/openldap/slapd.conf that are causing slapd to fail to start. You can edit /etc/syslog.conf and add a line like
local4.* /var/log/ldap.log
Then run service syslog restart (or HUP syslogd) to pick up the changes. Then try starting the ldap service and see what's being output to the log file. You can also use the -d (debug) flag to run slapd in the foreground with fairly verbose output
slapd -d 5 -u ldap -h "ldap:/// ldaps:///" 2>&1 | tee /tmp/ldap.out
to see what might be happening. I'd also recommend setting up the syslog anyway to be able to see what's going on.
Sean
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Sunday, September 04, 2005 10:43 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
> Is slapd (assuming you are using openldap) running?
> ps -ef |grep slapd
> (For example, here is the output from one of the CentOS boxes running ldap.)
> ldap 9032 1 0 04:04 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldap:/// ldaps:///
Hello Sean,
Here's the output for ps -ef | grep slapd:
ldap 1928 1 0 00:03 ? 00:00:00 /usr/sbin/slapd -u ldap -h ldap:///
root 15066 15003 0 07:29 tty1 00:00:00 grep slapd
> (or pgrep -l slapd). You can also use service slapd status (though, this isn't always 100% reliable).
> The openldap server outputs to syslog on local4 by default. It's possible that there are errors or issues with your /etc/openldap/slapd.conf that are causing slapd to fail to start. You can edit /etc/syslog.conf and add a line like
> local4.* /var/log/ldap.log
> Then run service syslog restart (or HUP syslogd) to pick up the changes.
Here's the output to ldap.log after adding the above to syslog:
Sep 5 07:43:43 palmettodomains slapd[15571]: @(#) $OpenLDAP: slapd 2.2.13 (Apr 28 2005 19:30:08) $
	buildsys@bob:/home/buildsys/rpmbuild/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
Sep 5 07:43:43 palmettodomains slapd[15571]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Sep 5 07:43:43 palmettodomains slapd[15571]: bdb_initialize: Sleepycat Software: Berkeley DB 4.2.52: (December 3, 2003)
Sep 5 07:43:43 palmettodomains slapd[15571]: bdb_db_init: Initializing BDB database
I think everything is running but I can't connect to port 389.
Can you think of anything else?
Thanks!!
Eddie
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, 2005-09-05 at 08:06 -0400, Thomas E Dukes wrote:
How are you trying to connect to the ldap service? Are you trying to connect via ldapsearch, or just telnet hostname 389?
If you do an
lsof -p 1928
(assuming slapd is still 1928 :) does it show it listening on any TCP ports?
Have you tried telnet localhost 389 (to rule out any firewall oddities)? If you just try the following it should at the very least connect and ask you for a password.
ldapsearch -v -v -H ldap://localhost
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Monday, September 05, 2005 12:57 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
> How are you trying to connect to the ldap service? Are you trying to connect via ldapsearch, or just telnet hostname 389?
> If you do an
> lsof -p 1928
> (assuming slapd is still 1928 :) does it show it listening on any TCP ports?
Hello Sean,
Here's the output from lsof -p 1928:
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
slapd 1928 ldap cwd DIR 3,2 4096 2 /
slapd 1928 ldap rtd DIR 3,2 4096 2 /
slapd 1928 ldap txt REG 3,2 1290940 637712 /usr/sbin/slapd
slapd 1928 ldap mem REG 3,2 221792 229136 /lib/libssl.so.0.9.7a
slapd 1928 ldap mem REG 3,2 53654 229201 /lib/libcrypt-2.3.4.so
slapd 1928 ldap mem REG 3,2 485961 277480 /lib/tls/i486/libpthread-2.3.4.so
slapd 1928 ldap mem REG 3,2 28504 377263 /usr/lib/libwrap.so.0.7.6
slapd 1928 ldap mem REG 3,2 15216 571286 /usr/lib/sasl2/libcrammd5.so.2.0.19
slapd 1928 ldap mem REG 3,2 13392 571319 /usr/lib/sasl2/libplain.so.2.0.19
slapd 1928 ldap mem REG 3,2 998912 229121 /lib/libcrypto.so.0.9.7a
slapd 1928 ldap mem REG 3,2 427444 377412 /usr/lib/libkrb5.so.3.2
slapd 1928 ldap mem REG 3,2 140140 378154 /usr/lib/libk5crypto.so.3.0
slapd 1928 ldap mem REG 3,2 230500 229168 /lib/libnss_nisplus-2.3.4.so
slapd 1928 ldap mem REG 3,2 783456 571274 /usr/lib/sasl2/libsasldb.so.2.0.19
slapd 1928 ldap mem REG 3,2 21348 577260 /usr/lib/sasl2/libsql.so.2.0.19
slapd 1928 ldap mem REG 3,2 534768 277479 /lib/tls/i486/libm-2.3.4.so
slapd 1928 ldap mem REG 3,2 82320 1910146 /usr/lib/libsasl2.so.2.0.19
slapd 1928 ldap mem REG 3,2 1046360 505949 /usr/lib/mysql/libmysqlclient.so.14.0.0
slapd 1928 ldap mem REG 3,2 58211 229158 /lib/libnss_dns-2.3.4.so
slapd 1928 ldap mem REG 3,2 86532 377520 /usr/lib/libgssapi_krb5.so.2.2
slapd 1928 ldap mem REG 3,2 65580 378295 /usr/lib/libz.so.1.2.1.2
slapd 1928 ldap mem REG 3,2 13264 571315 /usr/lib/sasl2/liblogin.so.2.0.19
slapd 1928 ldap mem REG 3,2 411410 228487 /lib/libnsl-2.3.4.so
slapd 1928 ldap mem REG 3,2 783484 572022 /usr/lib/tls/libslapd_db-4.2.so
slapd 1928 ldap mem REG 3,2 519365 228485 /lib/ld-2.3.4.so
slapd 1928 ldap mem REG 3,2 108396 228489 /lib/libdl-2.3.4.so
slapd 1928 ldap mem REG 3,2 22292 577256 /usr/lib/sasl2/libgssapiv2.so.2.0.19
slapd 1928 ldap mem REG 3,2 113876 376534 /usr/lib/libpq.so.3.1
slapd 1928 ldap mem REG 3,2 42964 571290 /usr/lib/sasl2/libdigestmd5.so.2.0.19
slapd 1928 ldap mem REG 3,2 29104 577248 /usr/lib/sasl2/libntlm.so.2.0.19
slapd 1928 ldap mem REG 3,2 5620585 277447 /lib/tls/i486/libc-2.3.4.so
slapd 1928 ldap mem REG 3,2 7168 229119 /lib/libcom_err.so.2.1
slapd 1928 ldap mem REG 3,2 264753 229144 /lib/libresolv-2.3.4.so
slapd 1928 ldap mem REG 3,2 186343 229234 /lib/libnss_files-2.3.4.so
slapd 1928 ldap mem REG 3,2 12852 571270 /usr/lib/sasl2/libanonymous.so.2.0.19
slapd 1928 ldap mem REG 3,2 16384 1731793 /var/lib/ldap/__db.001
slapd 1928 ldap 0u CHR 1,3 1401 /dev/null
slapd 1928 ldap 1u CHR 1,3 1401 /dev/null
slapd 1928 ldap 2u CHR 1,3 1401 /dev/null
slapd 1928 ldap 3u unix 0xd7639b80 4289 socket
slapd 1928 ldap 4r FIFO 0,7 4290 pipe
slapd 1928 ldap 5w FIFO 0,7 4290 pipe
slapd 1928 ldap 6u sock 0,4 4293 can't identify protocol
slapd 1928 ldap 7u sock 0,4 4294 can't identify protocol
From the above, I don't see it listening to port 389, but I'm not really sure what it's telling me. :-)
> Have you tried telnet localhost 389 (to rule out any firewall oddities)?
Yes, it won't connect to port 389. I also tried 25 and 110. I can telnet to these ports fine. I use the same ruleset to open those ports.
> If you just try the following it should at the very least connect and ask you for a password.
> ldapsearch -v -v -H ldap://localhost
When I run the above, I get:
ldap_initialize( ldap://localhost )
ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1)
Thanks again!!
Eddie
On Mon, 2005-09-05 at 13:57 -0400, Thomas E Dukes wrote:
Eddie-
It doesn't look like slapd is opening up a TCP port. It only appears to have opened unix sockets. Running lsof on a working slapd, I see the following in addition to the stuff you reported:
slapd 2511 ldap 6u IPv6 7136316 TCP *:ldap (LISTEN)
slapd 2511 ldap 7u IPv4 7136317 TCP *:ldap (LISTEN)
slapd 2511 ldap 8u IPv6 7136320 TCP *:ldaps (LISTEN)
slapd 2511 ldap 9u IPv4 7136321 TCP *:ldaps (LISTEN)
I think there might be an issue with your slapd.conf.
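To make the lsof reading in this reply repeatable, here is an added Python example (not code from the thread or from the OpenLDAP project) that parses `lsof -p <pid>` output and reports whether slapd holds a TCP listener at all; the two listings are constructed, abbreviated from the broken and working outputs quoted above.

```python
"""Triage helper for the "can't connect to port 389" symptom in this thread.

Added example, not code from the CentOS list or the OpenLDAP project. It
parses `lsof -p <slapd pid>` output and reports whether slapd holds a TCP
listener at all. That is the fork in the diagnosis: a daemon that listens but
is unreachable from outside points at iptables or the ISP; a daemon with no
TCP listener is refused even on localhost, so the firewall is not the problem.
"""
from dataclasses import dataclass
from typing import List

# lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME.
# Only regular files and directories carry a SIZE value; sockets, pipes and
# character devices omit it, so the NODE column shifts left by one field.
TYPES_WITH_SIZE = {"REG", "DIR"}
LDAP_PORT_NAMES = ("ldap", "389")


@dataclass
class OpenFile:
    fd: str
    ftype: str   # REG, DIR, CHR, FIFO, unix, sock, IPv4, IPv6 ...
    node: str    # inode number, or the protocol (TCP/UDP) for inet sockets
    name: str

    def is_tcp_listener(self) -> bool:
        return (self.ftype in ("IPv4", "IPv6")
                and self.node == "TCP"
                and self.name.endswith("(LISTEN)"))


def parse_lsof(text: str) -> List[OpenFile]:
    """Parse `lsof -p` output, skipping the header and malformed lines."""
    files = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[0] == "COMMAND":
            continue
        fd, ftype = parts[3], parts[4]
        node_idx = 7 if ftype in TYPES_WITH_SIZE else 6   # parts[5] is DEVICE
        files.append(OpenFile(fd, ftype, parts[node_idx],
                              " ".join(parts[node_idx + 1:])))
    return files


def tcp_listeners(files: List[OpenFile]) -> List[str]:
    """Listening TCP endpoints without the '(LISTEN)' suffix, e.g. '*:ldap'."""
    return sorted({f.name.rsplit(" (", 1)[0] for f in files if f.is_tcp_listener()})


def diagnose(lsof_text: str) -> str:
    """Map an lsof listing to the next troubleshooting step."""
    listeners = tcp_listeners(parse_lsof(lsof_text))
    if not listeners:
        return ("slapd holds no TCP listener: look at slapd.conf and the -h "
                "URLs slapd was started with, not at iptables")
    on_ldap = [ep for ep in listeners if ep.rsplit(":", 1)[-1] in LDAP_PORT_NAMES]
    if not on_ldap:
        return "slapd listens on TCP but not on 389/ldap: " + ", ".join(listeners)
    return ("slapd listens on " + ", ".join(on_ldap) + ": a refused connection "
            "from outside now points at iptables or the ISP, not at slapd")


# Constructed sample, abbreviated from the non-working slapd posted above:
# only unix sockets, pipes and two sockets lsof cannot identify.
BROKEN_LSOF = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
slapd 1928 ldap cwd DIR 3,2 4096 2 /
slapd 1928 ldap txt REG 3,2 1290940 637712 /usr/sbin/slapd
slapd 1928 ldap 0u CHR 1,3 1401 /dev/null
slapd 1928 ldap 3u unix 0xd7639b80 4289 socket
slapd 1928 ldap 4r FIFO 0,7 4290 pipe
slapd 1928 ldap 6u sock 0,4 4293 can't identify protocol
slapd 1928 ldap 7u sock 0,4 4294 can't identify protocol
"""

# Constructed sample: the same listing plus the lines a working slapd shows.
WORKING_LSOF = BROKEN_LSOF + """\
slapd 2511 ldap 6u IPv6 7136316 TCP *:ldap (LISTEN)
slapd 2511 ldap 7u IPv4 7136317 TCP *:ldap (LISTEN)
slapd 2511 ldap 8u IPv6 7136320 TCP *:ldaps (LISTEN)
slapd 2511 ldap 9u IPv4 7136321 TCP *:ldaps (LISTEN)
"""

if __name__ == "__main__":
    for label, sample in (("broken", BROKEN_LSOF), ("working", WORKING_LSOF)):
        print(label + ":", diagnose(sample))
```

On a live box, feed it `lsof -p $(pgrep -x slapd)` instead of the constructed samples.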
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Monday, September 05, 2005 2:37 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
Sean,
I really appreciate your help with this!
Here's my slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################

database bdb
suffix "dc=palmettodomains,dc=com"
#rootdn "cn=Manager,dc=palmetodomains,dc=com"
rootdn "uid=root,cn=palmettodomains.com,cn=digest-md5,cn=auth"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw "{SHA}xqFH8zno0DblfNcUXu2A/6U3txQ="

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
sasl-regexp uid=(.*),cn=palmettodomains,cn=DIGEST-MD5,cn=auth uid=$1
It's pretty much the default config. Anything jump out at you?
What should be in ldap.conf? Everything is commented out by default.
Thanks!!
On Mon, 2005-09-05 at 15:36 -0400, Thomas E Dukes wrote:
---- and how are you starting ldap?
service ldap start?
Craig
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Craig White
Sent: Monday, September 05, 2005 4:17 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 15:36 -0400, Thomas E Dukes wrote:
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell Sent: Monday, September 05, 2005 2:37 PM To: CentOS mailing list Subject: RE: [CentOS] LDAP/iptables
Eddie-
It doesn't look like the slapd is opening up a TCP port. It only appears to have opened unix sockets. Running lsof on
working slapd,
I see the following in addition to stuff you reported:
slapd 2511 ldap 6u IPv6 7136316 TCP *:ldap (LISTEN) slapd 2511 ldap 7u IPv4 7136317 TCP *:ldap (LISTEN) slapd 2511 ldap 8u IPv6 7136320 TCP *:ldaps (LISTEN) slapd 2511 ldap 9u IPv4 7136321 TCP *:ldaps (LISTEN)
I think there might be an issue with your slapd.conf.
Sean,
I really appreciate your help with this!
Here's my slapd.conf:
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema

# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2

# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

# Load dynamic backend modules:
# modulepath /usr/sbin/openldap
# moduleload back_bdb.la
# moduleload back_ldap.la
# moduleload back_ldbm.la
# moduleload back_passwd.la
# moduleload back_shell.la

# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by changing to
# /usr/share/ssl/certs, running "make slapd.pem", and fixing permissions on
# slapd.pem so that the ldap user or group can read it. Your client software
# may balk at self-signed certificates, however.
# TLSCACertificateFile /usr/share/ssl/certs/ca-bundle.crt
# TLSCertificateFile /usr/share/ssl/certs/slapd.pem
# TLSCertificateKeyFile /usr/share/ssl/certs/slapd.pem

# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64

# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!

#######################################################################
# ldbm and/or bdb database definitions
#######################################################################
#
database bdb
suffix "dc=palmettodomains,dc=com"
#rootdn "cn=Manager,dc=palmetodomains,dc=com"
rootdn "uid=root,cn=palmettodomains.com,cn=digest-md5,cn=auth"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
# rootpw secret
# rootpw "{SHA}xqFH8zno0DblfNcUXu2A/6U3txQ="

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap

# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM

sasl-regexp uid=(.*),cn=palmettodomains,cn=DIGEST-MD5,cn=auth uid=$1
It's pretty much the default config. Anything jump out at you?
What should be in ldap.conf? Everything is commented out by default.
and how are you starting ldap ?
service ldap start?
Hello Craig,
It's started by the init scripts on boot. See something?
Thanks,
Eddie
Craig
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
On Mon, 2005-09-05 at 16:49 -0400, Thomas E Dukes wrote:
and how are you starting ldap ?
service ldap start?
Hello Craig,
Its started by the init scripts on boot. See something?
----
# ps aux|grep ldap
ldap 2578 0.0 0.9 272148 10164 ? Ssl Aug13 0:00 /usr/sbin/slapd -u ldap -h ldap:///
does it look something like this?
try
# service ldap restart
and see if it stops and starts
Craig
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Craig White
Sent: Monday, September 05, 2005 5:51 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 16:49 -0400, Thomas E Dukes wrote:
and how are you starting ldap ?
service ldap start?
Hello Craig,
It's started by the init scripts on boot. See something?
# ps aux|grep ldap
ldap 2578 0.0 0.9 272148 10164 ? Ssl Aug13 0:00 /usr/sbin/slapd -u ldap -h ldap:///
does it look something like this?
try
# service ldap restart
and see if it stops and starts
Hi Craig,
ldap is running. I seem not to be able to connect on port 389. I can't telnet there either.
Thanks
Craig
On Mon, 2005-09-05 at 18:07 -0400, Thomas E Dukes wrote:
Hi Craig,
ldap is running. I seem not to be able to connect on port 389. I can't telnet there either.
Something is funny there. Have you tried backing out the sasl stuff in your slapd.conf and going with plain auth? I wonder if slapd has some checks in it to not open up tcp unless it has a rootpw in the conf file. I would simplify things as much as possible and then add things back in.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Monday, September 05, 2005 6:20 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 18:07 -0400, Thomas E Dukes wrote:
Hi Craig,
ldap is running. I seem not to be able to connect on port 389. I can't telnet there either.
Something is funny there. Have you tried backing out the sasl stuff in your slapd.conf and going with plain auth? I wonder if slapd has some checks in it to not open up tcp unless it has a rootpw in the conf file. I would simplify things as much as possible and then add things back in.
Hi Sean,
No, I haven't done that. Sorry.
What do I need to change? How do I set it up with a plain password? I have already added several users using saslpasswd2 -c 'username'. I was just following the HowTo. :-(
Eddie
-- Sean
On Mon, 2005-09-05 at 19:23 -0400, Thomas E Dukes wrote:
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Monday, September 05, 2005 6:20 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 18:07 -0400, Thomas E Dukes wrote:
Hi Craig,
ldap is running. I seem not to be able to connect on port 389. I can't telnet there either.
Something is funny there. Have you tried backing out the sasl stuff in your slapd.conf and going with plain auth? I wonder if slapd has some checks in it to not open up tcp unless it has a rootpw in the conf file. I would simplify things as much as possible and then add things back in.
Hi Sean,
No, I haven't done that. Sorry.
What do I need to change? How do I set it up with a plain password? I have already added several users using saslpasswd2 -c 'username'. I was just following the HowTo. :-(
Change the rootdn entry to not use sasl (iirc, there was a reasonable candidate that you had commented out) and add in a rootpw entry (needn't be encrypted for this exercise). Comment out the line about sasl-regexp.
Stop and restart ldap service. Does this make any difference?
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Monday, September 05, 2005 7:32 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 19:23 -0400, Thomas E Dukes wrote:
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Monday, September 05, 2005 6:20 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 18:07 -0400, Thomas E Dukes wrote:
Hi Craig,
ldap is running. I seem not to be able to connect on port 389. I can't telnet there either.
Something is funny there. Have you tried backing out the sasl stuff in your slapd.conf and going with plain auth? I wonder if slapd has some checks in it to not open up tcp unless it has a rootpw in the conf file. I would simplify things as much as possible and then add things back in.
Hi Sean,
No, I haven't done that. Sorry.
What do I need to change? How do I set it up with a plain password? I have already added several users using saslpasswd2 -c 'username'. I was just following the HowTo. :-(
Change the rootdn entry to not use sasl (iirc, there was a reasonable candidate that you had commented out) and add in a rootpw entry (needn't be encrypted for this exercise). Comment out the line about sasl-regexp.
Stop and restart ldap service. Does this make any difference?
Hello Sean,
I uncommented rootpw secret and commented out the sasl reference. Still won't connect. :-(
I have been working on this for a week. It's beating the heck out of me.
Thanks for your help!!!!
-- Sean
On Mon, 2005-09-05 at 21:29 -0400, Thomas E Dukes wrote:
Hello Sean,
I uncommented rootpw secret and commented out the sasl reference. Still won't connect. :-(
I have been working on this for a week. It's beating the heck out of me.
Thanks for your help!!!!
OK. I took the slapd.conf that you had posted earlier, and I was able to get it to work on a CentOS 4.1 box without too much trouble (clean up a typo in the rootdn name and a cut and paste issue). I had to comment out some stuff in /etc/openldap/ldap.conf. Something truly odd is going on there. The fact that ldap is starting but not creating tcp sockets is quite weird.
Have you tried rebooting? (I know, I know :) Sometimes system updates can cause subtle issues from time to time. Maybe something is goofy with the network on your machine. Have you been starting and stopping the network service? Can you ping localhost? I have seen some linux boxes (been a while, though) forget about how to talk to localhost and it caused all sorts of weird behavior.
As a shot in the dark, are you running with selinux enabled? It has caused many a subtle problem in which a configuration that should "just work" has failed to work. Try running setenforce 0 and then restarting ldap. I run my machines with selinux=0 on the kernel line in grub.conf
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Tuesday, September 06, 2005 1:14 AM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 21:29 -0400, Thomas E Dukes wrote:
Hello Sean,
I uncommented rootpw secret and commented out the sasl reference. Still won't connect. :-(
I have been working on this for a week. It's beating the heck out of me.
Thanks for your help!!!!
OK. I took the slapd.conf that you had posted earlier, and I was able to get it to work on a CentOS 4.1 box without too much trouble (clean up a typo in the rootdn name and a cut and paste issue). I had to comment out some stuff in /etc/openldap/ldap.conf. Something truly odd is going on there. The fact that ldap is starting but not creating tcp sockets is quite weird.
Hi Sean,
Ooops, I found the typo, too. Fixed it but still won't connect.
Have you tried rebooting? (I know, I know :) Sometimes system updates can cause subtle issues from time to time. Maybe something is goofy with the network on your machine. Have you been starting and stopping the network service? Can you ping localhost? I have seen some linux boxes (been a while, though) forget about how to talk to localhost and it caused all sorts of weird behavior.
Yes, I have rebooted but to no avail. Also, I can ping 'localhost', 'palmettodomains.com', '127.0.0.1' and '10.10.0.1'. I still can't figure why I can't telnet to one of those using port 389.
As a shot in the dark, are you running with selinux enabled? It has caused many a subtle problem in which a configuration that should "just work" has failed to work. Try running setenforce 0 and then restarting ldap. I run my machines with selinux=0 on the kernel line in grub.conf
No, I don't run selinux.
Thanks, again!!
-- Sean
On Tue, 2005-09-06 at 06:31 -0400, Thomas E Dukes wrote: <snip>
Ooops, I found the typo, too. Fixed it but still won't connect.
Have you tried rebooting? (I know, I know :) Sometimes system updates can cause subtle issues from time to time. Maybe something is goofy with the network on your machine. Have you been starting and stopping the network service? Can you ping localhost? I have seen some linux boxes (been a while, though) forget about how to talk to localhost and it caused all sorts of weird behavior.
Yes, I have rebooted but to no avail. Also, I can ping 'localhost', 'palmettodomains.com', '127.0.0.1' and '10.10.0.1'. I still can't figure why I can't telnet to one of those using port 389.
You can't connect to port 389 because you are not listening on port 389 :)
Until a netstat (or lsof) shows you are listening on port 389, you will not be able to connect to it.
As a shot in the dark, are you running with selinux enabled? It has caused many a subtle problem in which a configuration that should "just work" has failed to work. Try running setenforce 0 and then restarting ldap. I run my machines with selinux=0 on the kernel line in grub.conf
No, I don't run selinux.
Make doubly sure ... look at the file /etc/sysconfig/selinux and set the line:
SELINUX=Disabled
then reboot
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Johnny Hughes
Sent: Tuesday, September 06, 2005 6:55 AM
To: CentOS ML
Subject: RE: [CentOS] LDAP/iptables
On Tue, 2005-09-06 at 06:31 -0400, Thomas E Dukes wrote:
<snip>
Ooops, I found the typo, too. Fixed it but still won't connect.
Have you tried rebooting? (I know, I know :) Sometimes system updates can cause subtle issues from time to time. Maybe something is goofy with the network on your machine. Have you been starting and stopping the network service? Can you ping localhost? I have seen some linux boxes (been a while, though) forget about how to talk to localhost and it caused all sorts of weird behavior.
Yes, I have rebooted but to no avail. Also, I can ping 'localhost', 'palmettodomains.com', '127.0.0.1' and '10.10.0.1'. I still can't figure why I can't telnet to one of those using port 389.
You can't connect to port 389 because you are not listening on port 389 :)
Until a netstat (or lsof) shows you are listening on port 389, you will not be able to connect to it.
As a shot in the dark, are you running with selinux enabled? It has caused many a subtle problem in which a configuration that should "just work" has failed to work. Try running setenforce 0 and then restarting ldap. I run my machines with selinux=0 on the kernel line in grub.conf
No, I don't run selinux.
Make doubly sure ... look at the file /etc/sysconfig/selinux and set the line:
SELINUX=Disabled
Hi Johnny,
Mine is located at /etc/selinux/config. It is set to disabled. Also, I have selinux=0 in my grub.conf.
I really appreciate everyone's help on this.
Thanks!!
then reboot
I just experienced what sounds like your problem... My BDB files were corrupted, so to fix the issue I simply deleted everything in the data directory and then ran slapadd to restore and recreate the files. Immediately my LDAP server started working again. I hope this helps you. The only way I saw this was a problem was by running strace on slapd and watching where it hung.
--Jeff
On Mon, 2005-09-05 at 22:13 -0700, Sean O'Connell wrote:
On Mon, 2005-09-05 at 21:29 -0400, Thomas E Dukes wrote:
Hello Sean,
I uncommented rootpw secret and commented out the sasl reference. Still won't connect. :-(
I have been working on this for a week. It's beating the heck out of me.
Thanks for your help!!!!
OK. I took the slapd.conf that you had posted earlier, and I was able to get it to work on a CentOS 4.1 box without too much trouble (clean up a typo in the rootdn name and a cut and paste issue). I had to comment out some stuff in /etc/openldap/ldap.conf. Something truly odd is going on there. The fact that ldap is starting but not creating tcp sockets is quite weird.
Have you tried rebooting? (I know, I know :) Sometimes system updates can cause subtle issues from time to time. Maybe something is goofy with the network on your machine. Have you been starting and stopping the network service? Can you ping localhost? I have seen some linux boxes (been a while, though) forget about how to talk to localhost and it caused all sorts of weird behavior.
As a shot in the dark, are you running with selinux enabled? It has caused many a subtle problem in which a configuration that should "just work" has failed to work. Try running setenforce 0 and then restarting ldap. I run my machines with selinux=0 on the kernel line in grub.conf
Hello Jeffrey,
Sorry I didn't get back with you sooner but I have been out of town. I really appreciate the suggestion but I tried that a couple of times in the process of starting over.
I have tried setting ldap up several times in the past with about as much success. Guess I'll put it down for a while.
Thanks to everyone for all the help!!!!!
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Jeffrey D. Means
Sent: Tuesday, September 06, 2005 3:02 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
I just experienced what sounds like your problem... My BDB files were corrupted, so to fix the issue I simply deleted everything in the data directory and then ran slapadd to restore and recreate the files. Immediately my LDAP server started working again. I hope this helps you. The only way I saw this was a problem was by running strace on slapd and watching where it hung.
--Jeff
On Mon, 2005-09-05 at 22:13 -0700, Sean O'Connell wrote:
On Mon, 2005-09-05 at 21:29 -0400, Thomas E Dukes wrote:
Hello Sean,
I uncommented rootpw secret and commented out the sasl reference. Still won't connect. :-(
I have been working on this for a week. It's beating the heck out of me.
Thanks for your help!!!!
OK. I took the slapd.conf that you had posted earlier, and I was able to get it to work on a CentOS 4.1 box without too much trouble (clean up a typo in the rootdn name and a cut and paste issue). I had to comment out some stuff in /etc/openldap/ldap.conf. Something truly odd is going on there. The fact that ldap is starting but not creating tcp sockets is quite weird.
Have you tried rebooting? (I know, I know :) Sometimes system updates can cause subtle issues from time to time. Maybe something is goofy with the network on your machine. Have you been starting and stopping the network service? Can you ping localhost? I have seen some linux boxes (been a while, though) forget about how to talk to localhost and it caused all sorts of weird behavior.
As a shot in the dark, are you running with selinux enabled? It has caused many a subtle problem in which a configuration that should "just work" has failed to work. Try running setenforce 0 and then restarting ldap. I run my machines with selinux=0 on the kernel line in grub.conf
--
Jeffrey D. Means meaje@meanspc.com Owner / CIO for MeansPC http://www.meanspc.com/ Custom Web Development For Your Needs. (970)308-1298
On Mon, 2005-09-05 at 18:07 -0400, Thomas E Dukes wrote:
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Craig White
Sent: Monday, September 05, 2005 5:51 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 16:49 -0400, Thomas E Dukes wrote:
and how are you starting ldap ?
service ldap start?
Hello Craig,
Its started by the init scripts on boot. See something?
# ps aux|grep ldap
ldap 2578 0.0 0.9 272148 10164 ? Ssl Aug13 0:00 /usr/sbin/slapd -u ldap -h ldap:///
does it look something like this?
try
# service ldap restart
and see if it stops and starts
Hi Craig,
ldap is running. I seem not to be able to connect on port 389. I can't telnet there either.
I had told you to run:
netstat -aptn
(run this on the machine that is running the ldap service)
If you don't have something that looks like this under "local address":
x.x.x.x:389
then you are not listening for ldap connections on that machine
I had told you to run:
netstat -aptn
(run this on the machine that is running the ldap service)
If you don't have something that looks like this under "local address":
x.x.x.x:389
then you are not listening for ldap connections on that machine
He did. ldap is running but not opening up tcp ports. He posted the output of lsof and it wasn't listening on any tcp sockets, which is odd. I think the problem is in his slapd.conf.
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Johnny Hughes
Sent: Monday, September 05, 2005 6:35 PM
To: CentOS ML
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 18:07 -0400, Thomas E Dukes wrote:
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Craig White
Sent: Monday, September 05, 2005 5:51 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
On Mon, 2005-09-05 at 16:49 -0400, Thomas E Dukes wrote:
and how are you starting ldap ?
service ldap start?
Hello Craig,
Its started by the init scripts on boot. See something?
# ps aux|grep ldap
ldap 2578 0.0 0.9 272148 10164 ? Ssl Aug13 0:00 /usr/sbin/slapd -u ldap -h ldap:///
does it look something like this?
try
# service ldap restart
and see if it stops and starts
Hi Craig,
ldap is running. I seem not to be able to connect on port 389. I can't telnet there either.
I had told you to run:
netstat -aptn
(run this on the machine that is running the ldap service)
If you don't have something that looks like this under "local address":
x.x.x.x:389
then you are not listening for ldap connections on that machine
Hello Johnny,
Here's the output for netstat -aptn:
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:20000 0.0.0.0:* LISTEN 2699/perl
tcp 0 0 0.0.0.0:1 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:20034 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:32771 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:32772 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:40421 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:32773 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:901 0.0.0.0:* LISTEN 1988/xinetd
tcp 0 0 0.0.0.0:32774 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:199 0.0.0.0:* LISTEN 1943/snmpd
tcp 0 0 0.0.0.0:31337 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 2239/mysqld
tcp 0 0 0.0.0.0:6667 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:11 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN 2421/smbd
tcp 0 0 0.0.0.0:5742 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 127.0.0.1:3310 0.0.0.0:* LISTEN 2021/clamd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 1988/xinetd
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:15 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN 2316/spamd -d -c -m
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN 2715/perl
tcp 0 0 0.0.0.0:54320 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:2000 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:27665 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:1524 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN 2012/vsftpd
tcp 0 0 151.213.91.157:53 0.0.0.0:* LISTEN 1963/named
tcp 0 0 10.10.0.1:53 0.0.0.0:* LISTEN 1963/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1963/named
tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN 2356/cupsd
tcp 0 0 0.0.0.0:23 0.0.0.0:* LISTEN 1988/xinetd
tcp 0 0 127.0.0.1:5335 0.0.0.0:* LISTEN 1865/mDNSResponder
tcp 0 0 0.0.0.0:1080 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:12345 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 2275/sendmail: acce
tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN 1963/named
tcp 0 0 0.0.0.0:12346 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:635 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:49724 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:540 0.0.0.0:* LISTEN 2570/portsentry
tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN 2421/smbd
tcp 0 0 127.0.0.1:3306 127.0.0.1:32780 ESTABLISHED 2239/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:32781 ESTABLISHED 2239/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:32777 ESTABLISHED 2239/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:32778 ESTABLISHED 2239/mysqld
tcp 0 0 127.0.0.1:3306 127.0.0.1:32779 ESTABLISHED 2239/mysqld
tcp 0 0 10.10.0.1:445 10.10.0.3:4257 ESTABLISHED 6402/smbd
tcp 0 0 :::9090 :::* LISTEN 2653/java
tcp 0 0 :::9091 :::* LISTEN 2653/java
tcp 0 0 :::5222 :::* LISTEN 2653/java
tcp 0 0 :::5223 :::* LISTEN 2653/java
tcp 0 0 :::80 :::* LISTEN 2335/httpd
tcp 0 0 :::5269 :::* LISTEN 2653/java
tcp 0 0 :::22 :::* LISTEN 1975/sshd
tcp 0 0 ::ffff:151.213.91.157:80 ::ffff:155.41.240.117:42062 TIME_WAIT -
tcp 0 0 ::ffff:151.213.91.157:80 ::ffff:209.200.31.105:55453 TIME_WAIT -
tcp 0 0 ::ffff:10.10.0.1:80 ::ffff:10.10.0.1:33000 TIME_WAIT -
tcp 0 0 ::ffff:127.0.0.1:32780 ::ffff:127.0.0.1:3306 ESTABLISHED 2653/java
tcp 0 0 ::ffff:127.0.0.1:32781 ::ffff:127.0.0.1:3306 ESTABLISHED 2653/java
tcp 0 0 ::ffff:127.0.0.1:32778 ::ffff:127.0.0.1:3306 ESTABLISHED 2653/java
tcp 0 0 ::ffff:127.0.0.1:32779 ::ffff:127.0.0.1:3306 ESTABLISHED 2653/java
tcp 0 0 ::ffff:127.0.0.1:32777 ::ffff:127.0.0.1:3306 ESTABLISHED 2653/java
tcp 0 0 ::ffff:151.213.91.157:80 ::ffff:65.54.188.21:12639 TIME_WAIT -
I don't see port 389. Any ideas?
Thanks!!!
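Johnny's rule (no x.x.x.x:389 under "Local Address" means slapd is not listening, whatever the firewall does) turned into a check over the netstat text. This is an added example, not code from the thread or from OpenLDAP; the two samples inside it are constructed in the shape of the output above, and the slapd rows are hypothetical, since the real output had none.

```python
"""Does anything listen on the LDAP port? Johnny's netstat check, automated.

Added example, not code from the thread. It parses the text that
`netstat -aptn` prints on Linux (net-tools) and reports every TCP socket in
LISTEN state on a given port, with its bound address and owning process.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional


class Listener(NamedTuple):
    proto: str
    address: str
    port: int
    pid: Optional[int]
    program: str


def _split_endpoint(endpoint: str):
    """Split 'addr:port'; the address itself may contain ':' (IPv6, e.g. ':::389')."""
    host, _, port = endpoint.rpartition(":")
    return host, int(port)


def parse_listeners(netstat_text: str) -> List[Listener]:
    """Pick the LISTEN rows out of netstat -aptn output."""
    listeners: List[Listener] = []
    for line in netstat_text.splitlines():
        fields = line.split(None, 6)  # the program name may contain spaces
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # banner, column header, udp, or a truncated row
        proto, _recvq, _sendq, local, _foreign, state = fields[:6]
        if state != "LISTEN":
            continue
        host, port = _split_endpoint(local)
        owner = fields[6].strip() if len(fields) > 6 else "-"
        pid_str, _, program = owner.partition("/")
        pid = int(pid_str) if pid_str.isdigit() else None
        listeners.append(Listener(proto, host, port, pid, program or owner))
    return listeners


def scope(address: str) -> str:
    """Where a bound address is reachable from: wildcard, loopback, private or public."""
    if address in ("0.0.0.0", "::"):
        return "wildcard"
    ip = ipaddress.ip_address(address)
    if ip.is_loopback:
        return "loopback"
    return "private" if ip.is_private else "public"


def listeners_on(netstat_text: str, port: int = 389) -> List[Dict[str, object]]:
    """Every listener on `port`, annotated with its reachability scope."""
    return [
        {"address": l.address, "scope": scope(l.address), "pid": l.pid, "program": l.program}
        for l in parse_listeners(netstat_text)
        if l.port == port
    ]


def verdict(netstat_text: str, port: int = 389) -> str:
    """One line to act on: until a listener shows up here, the firewall is not the problem."""
    found = listeners_on(netstat_text, port)
    if not found:
        return f"nothing is listening on tcp/{port}; fix the server before looking at the firewall"
    return "; ".join(
        f"{f['program']}[{f['pid']}] listens on {f['address']}:{port} ({f['scope']})" for f in found
    )


# Constructed sample in the shape of the thread's netstat -aptn output, plus
# hypothetical slapd rows (IPv4 and IPv6 wildcard, as Sean's lsof showed).
WITH_SLAPD = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      2239/mysqld
tcp        0      0 127.0.0.1:783           0.0.0.0:*               LISTEN      2316/spamd -d -c -m
tcp        0      0 10.10.0.1:53            0.0.0.0:*               LISTEN      1963/named
tcp        0      0 0.0.0.0:389             0.0.0.0:*               LISTEN      2511/slapd
tcp        0      0 :::389                  :::*                    LISTEN      2511/slapd
tcp        0      0 :::22                   :::*                    LISTEN      1975/sshd
tcp        0      0 10.10.0.1:445           10.10.0.3:4257          ESTABLISHED 6402/smbd
"""

# Constructed: the same box without the slapd rows, i.e. the situation in the thread.
WITHOUT_SLAPD = "\n".join(l for l in WITH_SLAPD.splitlines() if "slapd" not in l) + "\n"

if __name__ == "__main__":
    print(verdict(WITHOUT_SLAPD))
    print(verdict(WITH_SLAPD))
```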
On Mon, 2005-09-05 at 15:36 -0400, Thomas E Dukes wrote:
I really appreciate your help with this!
Here's my slapd.conf:
It's pretty much the default config. Anything jump out at you?
What should be in ldap.conf? Everything is commented out by default.
You don't appear to have a rootpw, or did you remove it for reasons of protecting it? Oh, I also see you are using sasl. Is sasl-authd setup and running? It might help to start with a simplified setup: comment out the sasl-regexp line and add a rootpw and move the rootdn back to simple auth. Just to rule out any issues with sasl.
/etc/openldap/ldap.conf (not to be confused with /etc/ldap.conf which is for pam_ldap/nss_ldap from PADL) is for any of the client applications or programs linked against the openldap libraries. You might need/want some things in ldap.conf depending on your setup. For instance, if you have a self-signed certificate for ldaps, you'll want to include:
TLS_REQCERT allow
Good luck,
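Sean's simplification (here and in his earlier reply: a rootdn under the suffix, a rootpw, no sasl-regexp) as a static check over the database section of slapd.conf. This is an added example, not code from the thread or from OpenLDAP; the three config snippets are constructed from the values posted in the thread, the {SSHA} value is a placeholder for a real slappasswd hash, and the rootdn-within-suffix rule is the one slapd.conf(5) states for rootpw.

```python
"""Static checks on the database section of an OpenLDAP 2.2-era slapd.conf.

Added example, not code from the thread. It flags what Sean asked about:
is rootdn a SASL identity (...,cn=auth), is there a rootpw, does the rootdn
sit inside the database suffix (slapd.conf(5): rootpw is only honoured when
the rootdn is within the suffix), and is the rootpw stored in cleartext.
"""
import re
from typing import List, Tuple

Directive = Tuple[str, str]
Finding = Tuple[str, str]


def parse_slapd_conf(text: str) -> List[Directive]:
    """Return (keyword, arguments) pairs, lower-casing the keyword.

    Lines starting with '#' are comments and a line that begins with
    whitespace continues the previous directive, as in slapd.conf(5).
    """
    directives: List[Directive] = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and directives:
            kw, args = directives[-1]
            directives[-1] = (kw, args + " " + raw.strip())
            continue
        parts = re.split(r"\s+", raw.strip(), maxsplit=1)
        directives.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return directives


def _unquote(value: str) -> str:
    value = value.strip()
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def _norm_dn(dn: str) -> str:
    """Lower-case and strip whitespace around RDNs so DNs compare textually."""
    return ",".join(rdn.strip().lower() for rdn in dn.split(","))


def check_database(text: str) -> List[Finding]:
    """Return (code, explanation) findings for the first database section."""
    suffix = rootdn = rootpw = None
    for kw, args in parse_slapd_conf(text):
        if kw == "suffix" and suffix is None:
            suffix = _norm_dn(_unquote(args))
        elif kw == "rootdn" and rootdn is None:
            rootdn = _norm_dn(_unquote(args))
        elif kw == "rootpw" and rootpw is None:
            rootpw = _unquote(args)

    if rootdn is None:
        return [("NO_ROOTDN", "no rootdn directive; nothing can administer the database")]
    findings: List[Finding] = []
    if rootdn.endswith("cn=auth"):
        findings.append(("ROOTDN_IS_SASL",
                         "rootdn is a SASL identity, so it can only bind via SASL; "
                         "SASL must be fully working before anything else can be tested"))
    elif suffix and not (rootdn == suffix or rootdn.endswith("," + suffix)):
        findings.append(("ROOTDN_OUTSIDE_SUFFIX",
                         f"rootdn {rootdn!r} is not under suffix {suffix!r} "
                         "(check for a typo); rootpw is ignored for such a rootdn"))
    if rootpw is None:
        findings.append(("NO_ROOTPW", "no rootpw; a simple bind as rootdn cannot succeed"))
    elif not rootpw.startswith("{"):
        findings.append(("CLEARTEXT_ROOTPW",
                         "rootpw is stored in cleartext; generate a hash with slappasswd"))
    return findings


def codes(text: str) -> List[str]:
    return [code for code, _ in check_database(text)]


# The database section as posted in the thread (comments kept as they were).
POSTED = """\
database bdb
suffix "dc=palmettodomains,dc=com"
#rootdn "cn=Manager,dc=palmetodomains,dc=com"
rootdn "uid=root,cn=palmettodomains.com,cn=digest-md5,cn=auth"
# rootpw secret
directory /var/lib/ldap
sasl-regexp uid=(.*),cn=palmettodomains,cn=DIGEST-MD5,cn=auth uid=$1
"""

# Constructed: the "simplified" file after uncommenting the old rootdn line
# (which still carries the 'palmetodomains' typo) and 'rootpw secret'.
SIMPLIFIED = """\
database bdb
suffix "dc=palmettodomains,dc=com"
rootdn "cn=Manager,dc=palmetodomains,dc=com"
rootpw secret
directory /var/lib/ldap
"""

# Constructed: typo fixed and rootpw replaced by a slappasswd hash (placeholder value).
FIXED = """\
database bdb
suffix "dc=palmettodomains,dc=com"
rootdn "cn=Manager,dc=palmettodomains,dc=com"
rootpw {SSHA}PLACEHOLDER_FROM_slappasswd
directory /var/lib/ldap
"""

if __name__ == "__main__":
    for name, conf in (("posted", POSTED), ("simplified", SIMPLIFIED), ("fixed", FIXED)):
        print(name, codes(conf) or "no findings")
```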
-----Original Message-----
From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Sean O'Connell
Sent: Monday, September 05, 2005 4:27 PM
To: CentOS mailing list
Subject: RE: [CentOS] LDAP/iptables
You don't appear to have a rootpw, or did you remove it for reasons of protecting it? Oh, I also see you are using sasl. Is sasl-authd setup and running? It might help to start with a simplified setup: comment out the sasl-regexp line and add a rootpw and move the rootdn back to simple auth. Just to rule out any issues with sasl.
I was following the LDAP HowTo and first set up a password with slappasswd but was not able to login. Then as I read further and got to the sasl section I set up the password using saslpasswd2. Then I could login.
I just don't think I have it setup to listen to TCP port 389 or I have a firewall issue.
Thanks!!
/etc/openldap/ldap.conf (not to be confused with /etc/ldap.conf which is for pam_ldap/nss_ldap from PADL) is for any of the client applications or programs linked against the openldap libraries. You might need/want some things in ldap.conf depending on your setup. For instance, if you have a self-signed certificate for ldaps, you'll want to include:
TLS_REQCERT allow
Good luck,
Sean