[CentOS] LDAP Server Access Problem
Craig White
craigwhite at azapple.com
Mon Feb 22 06:23:13 UTC 2010
On Sun, 2010-02-21 at 22:48 -0700, Paul R. Ganci wrote:
> Hi All,
>
> I am at my wits end. I have a LDAP server setup on a machine (the names
> are changed to protect the innocent) example.mydomain.com running CentOS
> 5.4 and LDAP version 2.3.43-3. If I issue a ldapsearch command while
> logged onto the LDAP server host I get a valid response back. For
> example:
>
> > ldapsearch -x -LLL -H ldaps://example.mydomain.com:636 "(uid=joker)" \
> > sn uid
> dn: uid=joker,ou=People,dc=mydomain,dc=com
> uid: joker
> sn: Nicholson
>
> Everything works as expected. However if I try the same command from a
> remote machine remote.mydomain.com the command just hangs. I can not
> find a log entry anywhere that indicates something is wrong. I have
> checked the obvious things I can check. For example I know that port 636
> is open:
>
> > /etc/rc.d/init.d/iptables status | grep 636
> 110 ACCEPT tcp -- 0.0.0.0/0 208.139.195.124 state
> NEW,ESTABLISHED tcp dpt:636
> 111 ACCEPT udp -- 0.0.0.0/0 208.139.195.124 state
> NEW,ESTABLISHED udp dpt:636
>
> I have enabled access via /etc/hosts.allow:
> > cat /etc/hosts.allow | grep slapd
> slapd: ALL
>
> I can see the server running and listening on port 636:
> > netstat -l | grep ldaps
> tcp 0 0 *:ldaps *:* LISTEN
> tcp 0 0 *:ldaps *:* LISTEN
>
> > ps auxww | grep slapd
> ldap 21865 0.0 0.2 467976 5860 ? Ssl 19:54
> 0:02 /usr/sbin/slapd -h ldap:/// ldaps:/// -u ldap
>
> I am missing something very obvious. Can anyone offer any clues? Thanks.
----
ldap ssl is deprecated but should actually still work.
Do you actually have to specify the port number? I don't think so...
-H ldaps://example.mydomain.com
should be sufficient
The preferred method is TLS (via standard -h ldap://example.mydomain.com
uri notation)
Note that ldap 'client' applications like ldapsearch
use /etc/openldap/ldap.conf so I would suspect that the 'certificates'
used by the 2 machines are different.
add -d 256 (or even higher debug level) to the ldapsearch command for
debugging - I'm not going to hazard any actual guesses.
Craig
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.
More information about the CentOS
mailing list