[CentOS] LDAP/iptables

Mon Sep 5 02:43:14 UTC 2005
Sean O'Connell <oconnell at soe.ucsd.edu>

On Sun, 2005-09-04 at 20:39 -0400, Thomas E Dukes wrote:
>  
> > -----Original Message-----
> > From: centos-bounces at centos.org 
> > [mailto:centos-bounces at centos.org] On Behalf Of Johnny Hughes
> > Sent: Sunday, September 04, 2005 11:16 AM
> > To: CentOS ML
> > Subject: Re: [CentOS] LDAP/iptables
> > 
> > On Sun, 2005-09-04 at 09:10 -0400, Thomas E Dukes wrote:
> > > Hello,
> > > 
> > > I am trying to get LDAP running.  So far, the server is 
> > running but I 
> > > cannot connect to port 389 or the server using webmin or 
> > phpldapadmin.  
> > > It could be my ISP has blocked this port but I'm not sure.  I have 
> > > tried to telnet to port 389 but it is refused.  All other 
> > services run fine.
> > > 
> > > I use the iptables ruleset found in the IP-Masquerade 
> > HowTo.  Below 
> > > is the ruleset I follow for opening ports for external access.  For 
> > > some reason it won't open 389.
> > > 
> > > $IPTABLES -A INPUT -i $EXTIF -m state --state 
> > NEW,ESTABLISHED,RELATED 
> > > \  -p tcp -s $UNIVERSE -d $EXTIP --dport 389 -j ACCEPT
> > > 
> > > Where $EXTIF = eth0 and $EXTIP = my ipaddress
> > > 
> > > Does anyone know what I may be doing wrong?
> > > 
> > > TIA
> > > 
> > > 
> > 
> > If you are trying to connect from the outside from another PC 
> > ... and if the firewall and ldap are installed on the same 
> > PC, that should work to allow connection to port 389.
> > 
> > If you are trying to connect directly to port 389 from an 
> > internal IP, that probably won't work. (you will need to do 
> > something to PREROUTING chain to get the packets routed to the EXTIF)
> > 
> > BUT ... you shouldn't need to do either of those if you are 
> > also running webmin or phpmyadmin on that machine ... if 
> > you listen on the internal IP at port 389 and not the external IP.
> > 
> > Does netstat -aptn show you listening on the internal / 
> > external /  or loopback ip on port 389 (or more than one of them).
> 
> Hello,
> 
> Running netstat -aptn shows nothing for port 389.  This doesn't make sense.

Is slapd (assuming you are using openldap) running?

ps -ef |grep slapd

(for example here is the output from one of the centos boxes running
ldap).

ldap      9032     1  0 04:04 ?        00:00:00 /usr/sbin/slapd -u ldap
-h ldap:/// ldaps:///

(or pgrep -l slapd). You can also use service slapd status (though, this
isn't always 100% reliable).

The openldap server outputs to syslog on local4 by default. It's
possible that there are errors or issues with
your /etc/openldap/slapd.conf that are causing slapd to fail to start.
You can edit /etc/syslog.conf and add a few lines like

local4.*		/var/log/ldap.log

Then run service syslog restart (or HUP syslogd) to pickup the changes.
Then try starting the ldap service and see what's being output to the
log file. You can also use the -d (debug) flag to run slapd in the
foreground with a fairly verbose output

slapd -d 5 -u ldap -h "ldap:/// ldaps:///" 2>&1 | tee /tmp/ldap.out

To see what might be happening. I'd also recommend setting up the syslog
anyway to be able to see what's going on.

Sean
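
Added example (not part of the thread, not the CentOS project's code): a small diagnostic that follows Johnny's netstat question and Sean's slapd checks. Fed the output of `netstat -aptn`, it reports for a given TCP port whether nothing is listening, whether the listener is bound to loopback only, to a specific address, or to all interfaces. That distinction is what decides whether the iptables rule on $EXTIF matters at all: an ACCEPT for $EXTIP:389 does nothing if slapd is not running, or is bound only to 127.0.0.1. The netstat lines inside the script are constructed sample data so it runs offline; the file name ldap_listen_check.sh is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: classify what is LISTENing on a TCP
# port in `netstat -aptn` output, to separate "slapd not running" from
# "slapd bound to loopback only" before suspecting iptables or the ISP.
# Live use:  netstat -aptn | sh ldap_listen_check.sh 389
# The netstat output in sample_netstat is constructed data for offline runs.

# Print the local address of every LISTEN socket on the given port,
# one per line ("0.0.0.0" and "::" mean all interfaces).
listening_addrs() {
    awk -v want="$1" '
        $6 == "LISTEN" && substr($4, length($4) - length(want)) == ":" want {
            print substr($4, 1, length($4) - length(want) - 1)
        }'
}

# Reduce a whitespace-separated list of listening addresses to one verdict.
classify() {
    if [ -z "$1" ]; then
        echo "not-listening"
        return
    fi
    for a in $1; do
        case "$a" in
            0.0.0.0|::) echo "all-interfaces"; return ;;
        esac
    done
    for a in $1; do
        case "$a" in
            127.*|::1) ;;
            *) echo "specific-address"; return ;;
        esac
    done
    echo "loopback-only"
}

# Read netstat -aptn output on stdin and print the verdict for one port.
diagnose() {
    classify "$(listening_addrs "$1")"
}

# Constructed sample: sshd on all interfaces, slapd on loopback only
# (plus one established loopback connection), webmin on all interfaces,
# nothing at all on 636 (ldaps).
sample_netstat() {
    cat <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1830/sshd
tcp        0      0 127.0.0.1:389               0.0.0.0:*                   LISTEN      9032/slapd
tcp        0      0 127.0.0.1:389               127.0.0.1:43127             ESTABLISHED 9032/slapd
tcp        0      0 0.0.0.0:10000               0.0.0.0:*                   LISTEN      2201/perl
EOF
}

# When given a port on the command line, diagnose real netstat output
# from stdin; otherwise only define the functions above.
if [ -n "${1:-}" ]; then
    diagnose "$1"
fi
```

Against the constructed sample, port 389 comes back "loopback-only", port 22 "all-interfaces" and port 636 "not-listening"; an empty result for 389 on the real box matches what Thomas reported and points at slapd itself, which is where Sean's log and -d 5 steps come in. One caveat the thread's ruleset implies: the ACCEPT uses -s $UNIVERSE, so as soon as slapd does bind $EXTIP, port 389 is reachable from any source address. Tighten -s to the networks that actually need LDAP, or keep slapd on the internal address as Johnny suggests.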