[CentOS] LDAP/iptables

Mon Sep 5 12:06:36 UTC 2005
Thomas E Dukes <edukes at alltel.net>

 

> -----Original Message-----
> From: centos-bounces at centos.org 
> [mailto:centos-bounces at centos.org] On Behalf Of Sean O'Connell
> Sent: Sunday, September 04, 2005 10:43 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] LDAP/iptables
> 
> On Sun, 2005-09-04 at 20:39 -0400, Thomas E Dukes wrote:
> >  
> > > -----Original Message-----
> > > From: centos-bounces at centos.org
> > > [mailto:centos-bounces at centos.org] On Behalf Of Johnny Hughes
> > > Sent: Sunday, September 04, 2005 11:16 AM
> > > To: CentOS ML
> > > Subject: Re: [CentOS] LDAP/iptables
> > > 
> > > On Sun, 2005-09-04 at 09:10 -0400, Thomas E Dukes wrote:
> > > > Hello,
> > > > 
> > > > I am trying to get LDAP running.  So far, the server is
> > > running but I
> > > > cannot connect to port 389 or the server using webmin or
> > > phpldapadmin.  
> > > > It could be my ISP has blocked this port but I'm not 
> sure.  I have 
> > > > tried to telnet to port 389 but it is refused.  All other
> > > services run fine.
> > > > 
> > > > I use the iptables ruleset found in the IP-Masquerade
> > > HowTo.  Below
> > > > is the ruleset I follow for opening ports for external access.  
> > > > For some reason it won't open 389.
> > > > 
> > > > $IPTABLES -A INPUT -i $EXTIF -m state --state
> > > NEW,ESTABLISHED,RELATED
> > > > \  -p tcp -s $UNIVERSE -d $EXTIP --dport 389 -j ACCEPT
> > > > 
> > > > Where $EXTIF = eth0 and $EXTIP = my ipaddress
> > > > 
> > > > Does anyone know what I may be doing wrong?
> > > > 
> > > > TIA
> > > > 
> > > > 
> > > 
> > > If you are trying to connect from the outside from another PC ... 
> > > and if the firewall and ldap are installed on the same PC, that 
> > > should work to allow connection to port 389.
> > > 
> > > If you are trying to connect directly to port 389 from 
> an internal 
> > > IP, that probably won't work. (you will need to do something to 
> > > PREROUTING chain to get the packets routed to the EXTIF)
> > > 
> > > BUT ... you shouldn't need to do either of those if you are also 
> > > running webmin or phpmyadmin also on that machine ... if 
> you listen 
> > > on the internal IP at port 389 and not the external IP.
> > > 
> > > Does netstat -aptn show you listening on the internal / 
> external /  
> > > or loopback ip on port 389 (or more than one of them).
> > 
> > Hello,
> > 
> > Running netstat -aptn shows nothing for port 389.  This 
> doesn't make sense.
> 
> Is slapd (assuming you are using openldap) running?
> 
> ps -ef |grep slapd
> 
> (for example here is the output from one of the centos boxes 
> running ldap).
> 
> ldap      9032     1  0 04:04 ?        00:00:00 
> /usr/sbin/slapd -u ldap
> -h ldap:/// ldaps:///

Hello Sean,

Here's the output for ps -ef | grep slapd:

ldap      1928     1  0 00:03 ?        00:00:00 /usr/sbin/slapd -u ldap -h
ldap:///
root     15066 15003  0 07:29 tty1     00:00:00 grep slapd
> 
> (or pgrep -l slapd). You can also use service slapd status 
> (though, this isn't always 100% reliable).
> 
> The openldap server, outputs to syslog on local4 by default. 
> It's possible that there are errors or issues with your 
> /etc/openldap/slapd.conf that are causing slapd to fail to start.
> You can edit /etc/syslog.conf and add a few lines like
> 
> local4.*		/var/log/ldap.log
> 
> Then run service syslog restart (or HUP syslogd) to pickup 
> the changes.

Here's the output to ldap.log after adding the above to syslog:

Sep  5 07:43:43 palmettodomains slapd[15571]: @(#) $OpenLDAP: slapd 2.2.13
(Apr 28 2005 19:30:08) $
buildsys at bob:/home/buildsys/rpmbuild/BUILD/openldap-2.2.13/openldap-2.2.13/b
uild-servers/servers/slapd 
Sep  5 07:43:43 palmettodomains slapd[15571]: bdb_initialize: Sleepycat
Software: Berkeley DB 4.2.52: (December  3, 2003) 
Sep  5 07:43:43 palmettodomains slapd[15571]: bdb_initialize: Sleepycat
Software: Berkeley DB 4.2.52: (December  3, 2003) 
Sep  5 07:43:43 palmettodomains slapd[15571]: bdb_db_init: Initializing BDB
database 

I think everything is running but I can't connect to port 389.

Can you think of anything else?

Thanks!!

Eddie


> Then try starting the ldap service and see what's being 
> output to the log file. You can also use the -d (debug) flag 
> to run slapd in the foreground with a fairly verbose output
> 
> slapd -d 5 -u ldap -h ldap:/// ldaps:/// 2>&1 | tee /tmp/ldap.out
> 
> To see what might be happening. I'd also recommend setting up 
> the syslog anyway to be able to see what's going on.
> 
> Sean
> 
> _______________________________________________
> CentOS mailing list
> CentOS at centos.org
> http://lists.centos.org/mailman/listinfo/centos
>
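The thread's checks, in the order they matter (is there a socket on 389 at all, is it bound only to loopback, does the INPUT chain accept it), as an added triage script that is not part of the thread. The helpers take saved `netstat -aptn` and `iptables-save` output as arguments, so they run on the constructed samples below as well as on a live box; `live_triage` is the only part that needs root.

```shell
#!/bin/sh
# Added example (not from the thread): triage for "slapd is in ps, but nothing
# answers on 389". Socket first, firewall second, because an iptables rule can
# never expose a port that no process is listening on.

# Print the local address of every TCP LISTEN socket on port $1.
# $2 is `netstat -aptn` / `netstat -tln` output (proto recvq sendq local foreign state ...).
listeners_for_port() {
    printf '%s\n' "$2" | awk -v p="$1" '
        $1 ~ /^tcp/ && $6 == "LISTEN" &&
        substr($4, length($4) - length(p)) == ":" p {
            print substr($4, 1, length($4) - length(p) - 1)   # strip the ":port" suffix
        }'
}

# Succeed if the INPUT chain holds an ACCEPT for tcp --dport $1 ($2 = `iptables-save` output).
input_accepts_port() {
    printf '%s\n' "$2" | grep -Eq "^-A INPUT .*-p tcp .*--dport $1 .*-j ACCEPT"
}

# Print one verdict for port $1 given netstat output $2 and iptables-save output $3.
diagnose() {
    addrs=$(listeners_for_port "$1" "$2")
    nonloop=$(printf '%s\n' "$addrs" | awk 'NF && !/^(127\.|::1$)/ { n++ } END { print n + 0 }')
    if [ -z "$addrs" ]; then
        echo "not-listening"          # the thread's case: check slapd.conf and the local4 log, not iptables
    elif [ "$nonloop" -eq 0 ]; then
        echo "loopback-only"          # bound to 127.0.0.1 only; no INPUT rule can make it reachable
    elif input_accepts_port "$1" "$3"; then
        echo "listening-and-allowed"
    else
        echo "listening-but-blocked"  # the socket is there; the firewall rule is the problem
    fi
}

# Run the same checks on this host (iptables-save needs root; defaults to port 389).
live_triage() {
    diagnose "${1:-389}" "$(netstat -tln 2>/dev/null)" "$(iptables-save 2>/dev/null)"
}

# Constructed sample output mirroring the thread: other services listen, 389 is absent.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      1001/sshd
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN      1050/sendmail'
SAMPLE_NETSTAT_LO='tcp        0      0 127.0.0.1:389           0.0.0.0:*               LISTEN      1928/slapd'
SAMPLE_RULES='-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW,ESTABLISHED,RELATED -m tcp --dport 389 -j ACCEPT'

diagnose 389 "$SAMPLE_NETSTAT" "$SAMPLE_RULES"   # prints: not-listening
```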